[svn-upgrade] new version strongswan (4.5.0)

152 files changed, 12003 insertions, 1787 deletions

diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9859b75cf..99a520852 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index 10d48cf67..f13e33492 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -1331,11 +1331,8 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
     state_out(out_blk, b0);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	int pos;
 	const u_int32_t *iv_i;
@@ -1376,12 +1373,8 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 }
 
-
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	int pos;
 	const u_int32_t *iv_i;
@@ -1417,26 +1410,26 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_aes_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_aes_crypter_t *this)
 {
 	return AES_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_aes_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_aes_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key (private_aes_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_aes_crypter_t *this, chunk_t key)
 {
 	u_int32_t    *kf, *kt, rci, f = 0;
 	u_int8_t *in_key = key.ptr;
@@ -1498,8 +1491,8 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 	}
 
 	if(!f)
-    {
-		u_int32_t    i;
+	{
+		u_int32_t i;
 
 		kt = this->aes_d_key + nc * this->aes_Nrnd;
 		kf = this->aes_e_key;
@@ -1517,15 +1510,13 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 			cpy(kt, kf);
 #endif
 			kt -= 2 * nc;
-        }
+		}
 		cpy(kt, kf);
-    }
+	}
 }
 
-/**
- * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
- */
-static void destroy (private_aes_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_aes_crypter_t *this)
 {
 	free(this);
 }
@@ -1541,36 +1532,38 @@ aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_aes_crypter_t);
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 32:
+		case 24:
+		case 16:
+			break;
+		default:
+			return NULL;
+	}
 
 	#if !defined(FIXED_TABLES)
 	if(!tab_gen) { gen_tabs(); tab_gen = 1; }
 	#endif
 
-	this->key_size = key_size;
-	switch(key_size)
-	{
-	case 32:        /* bytes */
-		this->aes_Nkey = 8;
-		break;
-	case 24:        /* bytes */
-		this->aes_Nkey = 6;
-		break;
-	case 16:        /* bytes */
-		this->aes_Nkey = 4;
-		break;
-	default:
-		free(this);
-		return NULL;
-	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key_size = key_size,
+		.aes_Nkey = key_size / 4,
+	);
+
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h
index 061d72fd6..473772f04 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.h
+++ b/src/libstrongswan/plugins/aes/aes_crypter.h
@@ -32,9 +32,9 @@ typedef struct aes_crypter_t aes_crypter_t;
 struct aes_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 1e920f8cc..22b47e334 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -31,10 +31,8 @@ struct private_aes_plugin_t {
 	aes_plugin_t public;
 };
 
-/**
- * Implementation of aes_plugin_t.destroy
- */
-static void destroy(private_aes_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_aes_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)aes_crypter_create);
@@ -46,9 +44,15 @@ static void destroy(private_aes_plugin_t *this)
  */
 plugin_t *aes_plugin_create()
 {
-	private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_aes_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 							 (crypter_constructor_t)aes_crypter_create);
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index c95e7b778..9f65f4ffb 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index d40b437bb..bd3c1ac75 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -31,10 +31,8 @@ struct private_agent_plugin_t {
 	agent_plugin_t public;
 };
 
-/**
- * Implementation of agent_plugin_t.agenttroy
- */
-static void destroy(private_agent_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_agent_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)agent_private_key_open);
@@ -46,11 +44,17 @@ static void destroy(private_agent_plugin_t *this)
  */
 plugin_t *agent_plugin_create()
 {
-	private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
+	private_agent_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)agent_private_key_open);
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 51ddbecc6..0864f4118 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -205,7 +205,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		{
 			break;;
 		}
-		if (pubkey && !private_key_belongs_to(&this->public.interface, pubkey))
+		if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
 		{
 			continue;
 		}
@@ -221,11 +221,9 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 	return FALSE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_agent_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	u_int32_t len, flags;
 	char buf[2048];
@@ -294,36 +292,28 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	return TRUE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static key_type_t get_type(private_agent_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_agent_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static bool decrypt(private_agent_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_agent_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "private key decryption not supported by ssh-agent");
 	return FALSE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static size_t get_keysize(private_agent_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_agent_private_key_t *this)
 {
-	return this->key_size;
+	return this->key_size * 8;
 }
 
-/**
- * Implementation of agent_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_agent_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_agent_private_key_t *this)
 {
 	chunk_t key, n, e;
 
@@ -336,20 +326,15 @@ static public_key_t* get_public_key(private_agent_private_key_t *this)
 						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_agent_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_agent_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_agent_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e, key;
 
@@ -366,19 +351,15 @@ static bool get_fingerprint(private_agent_private_key_t *this,
 			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 }
 
-/**
- * Implementation of agent_private_key.get_ref.
- */
-static private_agent_private_key_t* get_ref(private_agent_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_agent_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static void destroy(private_agent_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_agent_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -420,20 +401,25 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		return FALSE;
 	}
 
-	this = malloc_thing(private_agent_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.belongs_to = private_key_belongs_to,
+				.equals = private_key_equals,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	this->socket = open_connection(path);
 	if (this->socket < 0)
@@ -441,9 +427,6 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		free(this);
 		return NULL;
 	}
-	this->key = chunk_empty;
-	this->ref = 1;
-
 	if (!read_key(this, pubkey))
 	{
 		destroy(this);
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h
index 3d9500c1a..0623f2bb9 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.h
+++ b/src/libstrongswan/plugins/agent/agent_private_key.h
@@ -34,7 +34,7 @@ struct agent_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 6a82ce94a..d310843ac 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index fb856ed37..784c07eaf 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -68,8 +68,6 @@ typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
 
 /**
  * Class implementing the Blowfish symmetric encryption algorithm.
- *
- * @ingroup crypters
  */
 struct private_blowfish_crypter_t {
 
@@ -89,11 +87,9 @@ struct private_blowfish_crypter_t {
 	u_int32_t key_size;
 };
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+	chunk_t *decrypted)
 {
 	u_int8_t *in, *out;
 
@@ -114,11 +110,9 @@ static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	free(iv.ptr);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+	chunk_t *encrypted)
 {
 	u_int8_t *in, *out;
 
@@ -139,34 +133,32 @@ static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	free(iv.ptr);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_blowfish_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_blowfish_crypter_t *this)
 {
 	return BLOWFISH_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_blowfish_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_blowfish_crypter_t *this)
+{
+	return BLOWFISH_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_blowfish_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key (private_blowfish_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_blowfish_crypter_t *this, chunk_t key)
 {
 	BF_set_key(&this->schedule, key.len , key.ptr);
 }
 
-/**
- * Implementation of crypter_t.destroy and blowfish_crypter_t.destroy.
- */
-static void destroy (private_blowfish_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_blowfish_crypter_t *this)
 {
 	free(this);
 }
@@ -174,7 +166,8 @@ static void destroy (private_blowfish_crypter_t *this)
 /*
  * Described in header
  */
-blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
+blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo,
+											size_t key_size)
 {
 	private_blowfish_crypter_t *this;
 
@@ -183,15 +176,20 @@ blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t
 		return NULL;
 	}
 
-	this = malloc_thing(private_blowfish_crypter_t);
-
-	this->key_size = key_size;
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key_size = key_size ?: 16,
+	);
+
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
index 71cc09cd0..70dcae66e 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
@@ -32,9 +32,9 @@ typedef struct blowfish_crypter_t blowfish_crypter_t;
 struct blowfish_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index f9fb605b3..6ab093d7b 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -32,10 +32,8 @@ struct private_blowfish_plugin_t {
 	blowfish_plugin_t public;
 };
 
-/**
- * Implementation of blowfish_plugin_t.destroy
- */
-static void destroy(private_blowfish_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_blowfish_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)blowfish_crypter_create);
@@ -47,9 +45,15 @@ static void destroy(private_blowfish_plugin_t *this)
  */
 plugin_t *blowfish_plugin_create()
 {
-	private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_blowfish_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
 							 (crypter_constructor_t)blowfish_crypter_create);
diff --git a/src/libstrongswan/plugins/ccm/Makefile.am b/src/libstrongswan/plugins/ccm/Makefile.am
new file mode 100644
index 000000000..bca1f0735
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ccm.la
+else
+plugin_LTLIBRARIES = libstrongswan-ccm.la
+endif
+
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
new file mode 100644
index 000000000..017d75c48
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ccm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ccm_la_LIBADD =
+am_libstrongswan_ccm_la_OBJECTS = ccm_plugin.lo ccm_aead.lo
+libstrongswan_ccm_la_OBJECTS = $(am_libstrongswan_ccm_la_OBJECTS)
+libstrongswan_ccm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ccm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ccm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ccm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ccm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ccm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ccm.la
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) 
+	$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
new file mode 100644
index 000000000..7fee2b3c4
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_aead.h"
+
+#define BLOCK_SIZE 16
+#define SALT_SIZE 3
+#define IV_SIZE 8
+#define NONCE_SIZE (SALT_SIZE + IV_SIZE) /* 11 */
+#define Q_SIZE (BLOCK_SIZE - NONCE_SIZE - 1) /* 4 */
+
+typedef struct private_ccm_aead_t private_ccm_aead_t;
+
+/**
+ * Private data of an ccm_aead_t object.
+ */
+struct private_ccm_aead_t {
+
+	/**
+	 * Public ccm_aead_t interface.
+	 */
+	ccm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Length of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * salt to add to nonce
+	 */
+	u_char salt[SALT_SIZE];
+};
+
+/**
+ * First block with control information
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD4(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		/* size of our ICV t, as (t-2)/2 */
+		t_len: 3,
+		/* do we have associated data */
+		assoc: 1,
+		reserved: 1,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* lenght of plain text, q */
+	u_char q[Q_SIZE];
+} b0_t;
+
+/**
+ * Counter block
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD3(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		zero: 3,
+		reserved: 2,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* counter value */
+	u_char i[Q_SIZE];
+} ctr_t;
+
+/**
+ * Build the first block B0
+ */
+static void build_b0(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					 chunk_t iv, char *out)
+{
+	b0_t *block = (b0_t*)out;
+
+	block->flags.reserved = 0;
+	block->flags.assoc = assoc.len ? 1 : 0;
+	block->flags.t_len = (this->icv_size - 2) / 2;
+	block->flags.q_len = Q_SIZE - 1;
+	memcpy(block->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(block->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(block->q, plain.len);
+}
+
+/**
+ * Build a counter block for counter i
+ */
+static void build_ctr(private_ccm_aead_t *this, u_int32_t i, chunk_t iv,
+					  char *out)
+{
+	ctr_t *ctr = (ctr_t*)out;
+
+	ctr->flags.reserved = 0;
+	ctr->flags.zero = 0;
+	ctr->flags.q_len = Q_SIZE - 1;
+	memcpy(ctr->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(ctr->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(ctr->i, i);
+}
+
+/**
+ * En-/Decrypt data
+ */
+static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
+					   chunk_t in, chunk_t out)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+	char block[BLOCK_SIZE];
+
+	build_ctr(this, 1, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	while (in.len > 0)
+	{
+		memcpy(block, ctr, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(block),
+							   chunk_from_thing(zero), NULL);
+		chunk_increment(chunk_from_thing(ctr));
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, BLOCK_SIZE));
+		}
+		memxor(out.ptr, block, min(in.len, BLOCK_SIZE));
+		in = chunk_skip(in, BLOCK_SIZE);
+		out = chunk_skip(out, BLOCK_SIZE);
+	}
+}
+
+/**
+ * En-/Decrypt the ICV
+ */
+static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+
+	build_ctr(this, 0, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_from_thing(ctr),
+						   chunk_from_thing(zero), NULL);
+	memxor(icv, ctr, this->icv_size);
+}
+
+/**
+ * Create the ICV
+ */
+static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char zero[BLOCK_SIZE];
+	chunk_t chunk;
+	char *pos;
+	int r, len;
+
+	memset(zero, 0, BLOCK_SIZE);
+
+	/* calculate number of blocks, including b0 */
+	r = 1;
+	if (assoc.len)
+	{	/* assoc gets a 2 byte length header, gets padded to BLOCK_SIZE */
+		r += (2 + assoc.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+	}
+	/* plain text gets padded to BLOCK_SIZE */
+	r += (plain.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(r * BLOCK_SIZE);
+	/* write control block */
+	build_b0(this, plain, assoc, iv, chunk.ptr);
+	pos = chunk.ptr + BLOCK_SIZE;
+	/* append associated data, with length header */
+	if (assoc.len)
+	{
+		/* currently we support two byte headers only (up to 2^16-2^8 bytes) */
+		htoun16(pos, assoc.len);
+		memcpy(pos + 2, assoc.ptr, assoc.len);
+		pos += 2 + assoc.len;
+		/* padding */
+		len = (BLOCK_SIZE - ((2 + assoc.len) % BLOCK_SIZE)) % BLOCK_SIZE;
+		memset(pos, 0, len);
+		pos += len;
+	}
+	/* write plain data */
+	memcpy(pos, plain.ptr, plain.len);
+	pos += plain.len;
+	/* padding */
+	len = (BLOCK_SIZE - (plain.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	memset(pos, 0, len);
+
+	/* encrypt inline with CBC, zero IV */
+	this->crypter->encrypt(this->crypter, chunk, chunk_from_thing(zero), NULL);
+	/* copy last icv_size bytes as ICV to output */
+	memcpy(icv, chunk.ptr + chunk.len - BLOCK_SIZE, this->icv_size);
+
+	/* encrypt the ICV value */
+	crypt_icv(this, iv, icv);
+
+	free(chunk.ptr);
+}
+
+/**
+ * Verify the ICV
+ */
+static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char buf[this->icv_size];
+
+	create_icv(this, plain, assoc, iv, buf);
+
+	return memeq(buf, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len);
+		crypt_data(this, iv, plain, *encrypted);
+	}
+	else
+	{
+		create_icv(this, plain, assoc, iv, plain.ptr + plain.len);
+		crypt_data(this, iv, plain, plain);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_ccm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt_data(this, iv, encrypted, *plain);
+		return verify_icv(this, *plain, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+	else
+	{
+		crypt_data(this, iv, encrypted, encrypted);
+		return verify_icv(this, encrypted, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_ccm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(aead_t, destroy, void,
+	private_ccm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_ccm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_CCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_CCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_CCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV8:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV12:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV16:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
new file mode 100644
index 000000000..d5e302f94
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm_aead ccm_aead
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_AEAD_H_
+#define CCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct ccm_aead_t ccm_aead_t;
+
+/**
+ * Counter with Cipher Block Chaining-Message Authentication Code (CCM).
+ *
+ * Implements CCM as specified in NIST 800-38B, using AEAD semantics from
+ * RFC 5282, based on RFC4309.
+ */
+struct ccm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a ccm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a CCM mode
+ * @return				aead, NULL if not supported
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** CCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
new file mode 100644
index 000000000..5fc3b14d7
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_plugin.h"
+
+#include <library.h>
+
+#include "ccm_aead.h"
+
+typedef struct private_ccm_plugin_t private_ccm_plugin_t;
+
+/**
+ * private data of ccm_plugin
+ */
+struct private_ccm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ccm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ccm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)ccm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ccm_plugin_create()
+{
+	private_ccm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.h b/src/libstrongswan/plugins/ccm/ccm_plugin.h
new file mode 100644
index 000000000..9a3252012
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm ccm
+ * @ingroup plugins
+ *
+ * @defgroup ccm_plugin ccm_plugin
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_PLUGIN_H_
+#define CCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ccm_plugin_t ccm_plugin_t;
+
+/**
+ * Plugin providing CCM mode operation.
+ */
+struct ccm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CCM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/Makefile.am b/src/libstrongswan/plugins/ctr/Makefile.am
new file mode 100644
index 000000000..893171aab
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ctr.la
+else
+plugin_LTLIBRARIES = libstrongswan-ctr.la
+endif
+
+libstrongswan_ctr_la_SOURCES = \
+	ctr_plugin.h ctr_plugin.c \
+	ctr_ipsec_crypter.h ctr_ipsec_crypter.c
+
+libstrongswan_ctr_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
new file mode 100644
index 000000000..b51f57113
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ctr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ctr_la_LIBADD =
+am_libstrongswan_ctr_la_OBJECTS = ctr_plugin.lo ctr_ipsec_crypter.lo
+libstrongswan_ctr_la_OBJECTS = $(am_libstrongswan_ctr_la_OBJECTS)
+libstrongswan_ctr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ctr_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ctr_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ctr_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ctr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ctr.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ctr.la
+libstrongswan_ctr_la_SOURCES = \
+	ctr_plugin.h ctr_plugin.c \
+	ctr_ipsec_crypter.h ctr_ipsec_crypter.c
+
+libstrongswan_ctr_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) 
+	$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_ipsec_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
new file mode 100644
index 000000000..ddcae423b
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ctr_ipsec_crypter.h"
+
+typedef struct private_ctr_ipsec_crypter_t private_ctr_ipsec_crypter_t;
+
+/**
+ * Private data of an ctr_ipsec_crypter_t object.
+ */
+struct private_ctr_ipsec_crypter_t {
+
+	/**
+	 * Public ctr_ipsec_crypter_t interface.
+	 */
+	ctr_ipsec_crypter_t public;
+
+	/**
+	 * Underlying CBC crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) state;
+};
+
+/**
+ * Do the CTR crypto operation
+ */
+static void crypt_ctr(private_ctr_ipsec_crypter_t *this,
+					  chunk_t in, chunk_t out)
+{
+	size_t is, bs;
+	chunk_t state;
+
+	is = this->crypter->get_iv_size(this->crypter);
+	bs = sizeof(this->state);
+
+	this->state.counter = htonl(1);
+	state = chunk_create((char*)&this->state, bs);
+
+	while (in.len > 0)
+	{
+		char iv[is], block[bs];
+
+		memset(iv, 0, is);
+		memcpy(block, state.ptr, bs);
+		this->crypter->encrypt(this->crypter,
+						chunk_create(block, bs), chunk_create(iv, is), NULL);
+		chunk_increment(state);
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, bs));
+		}
+		memxor(out.ptr, block, min(in.len, bs));
+		in = chunk_skip(in, bs);
+		out = chunk_skip(out, bs);
+	}
+}
+
+METHOD(crypter_t, crypt, void,
+	private_ctr_ipsec_crypter_t *this, chunk_t in, chunk_t iv, chunk_t *out)
+{
+	memcpy(this->state.iv, iv.ptr, sizeof(this->state.iv));
+
+	if (out)
+	{
+		*out = chunk_alloc(in.len);
+		crypt_ctr(this, in, *out);
+	}
+	else
+	{
+		crypt_ctr(this, in, in);
+	}
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return 1;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return sizeof(this->state.iv);
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return this->crypter->get_key_size(this->crypter)
+			+ sizeof(this->state.nonce);
+}
+
+METHOD(crypter_t, set_key, void,
+	private_ctr_ipsec_crypter_t *this, chunk_t key)
+{
+	memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce),
+		   sizeof(this->state.nonce));
+	key.len -= sizeof(this->state.nonce);
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(crypter_t, destroy, void,
+	private_ctr_ipsec_crypter_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo,
+											  size_t key_size)
+{
+	private_ctr_ipsec_crypter_t *this;
+
+	switch (algo)
+	{
+		case ENCR_AES_CTR:
+			algo = ENCR_AES_CBC;
+			break;
+		case ENCR_CAMELLIA_CTR:
+			algo = ENCR_CAMELLIA_CBC;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _crypt,
+				.decrypt = _crypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
new file mode 100644
index 000000000..db21aec3b
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ctr_ipsec_crypter ctr_ipsec_crypter
+ * @{ @ingroup ctr
+ */
+
+#ifndef CTR_IPSEC_CRYPTER_H_
+#define CTR_IPSEC_CRYPTER_H_
+
+#include <crypto/crypters/crypter.h>
+
+typedef struct ctr_ipsec_crypter_t ctr_ipsec_crypter_t;
+
+/**
+ * Counter Mode wrapper for encryption algorithms, IPsec variant (RFC3686).
+ */
+struct ctr_ipsec_crypter_t {
+
+	/**
+	 * Implements crypter_t interface.
+	 */
+	crypter_t crypter;
+};
+
+/**
+ * Create a ctr_ipsec_crypter instance.
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
+
+/**
+ * Create a ctr_ipsec_crypter instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a counter mode
+ * @return				crypter, NULL if not supported
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo,
+											  size_t key_size);
+
+#endif /** CTR_IPSEC_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c
new file mode 100644
index 000000000..5e47f23ec
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ctr_plugin.h"
+
+#include <library.h>
+
+#include "ctr_ipsec_crypter.h"
+
+typedef struct private_ctr_plugin_t private_ctr_plugin_t;
+
+/**
+ * private data of ctr_plugin
+ */
+struct private_ctr_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ctr_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ctr_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ctr_plugin_create()
+{
+	private_ctr_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.h b/src/libstrongswan/plugins/ctr/ctr_plugin.h
new file mode 100644
index 000000000..7b2f901dc
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ctr ctr
+ * @ingroup plugins
+ *
+ * @defgroup ctr_plugin ctr_plugin
+ * @{ @ingroup ctr
+ */
+
+#ifndef CTR_PLUGIN_H_
+#define CTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ctr_plugin_t ctr_plugin_t;
+
+/**
+ * Plugin providing CTR mode operation of symmetric encryption algorithms.
+ */
+struct ctr_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CTR_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index fc3b0ab1a..9cc99063c 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 2341c9052..4835f6461 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -166,10 +166,12 @@ curl_fetcher_t *curl_fetcher_create()
 	private_curl_fetcher_t *this;
 
 	INIT(this,
-		.public.interface = {
-			.fetch = _fetch,
-			.set_option = _set_option,
-			.destroy = _destroy,
+		.public = {
+			.interface = {
+				.fetch = _fetch,
+				.set_option = _set_option,
+				.destroy = _destroy,
+			},
 		},
 		.curl = curl_easy_init(),
 	);
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 319baa04c..0e8fa7315 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 142e79613..7d9fbe852 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1416,11 +1416,8 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
 	tin[0]=tin[1]=0;
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES.
- */
-static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1437,11 +1434,8 @@ static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 }
 
 
-/**
- * Implementation of crypter_t.decrypt for DES.
- */
-static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1457,11 +1451,8 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, &ivb, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES (ECB).
- */
-static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *decrypted)
+METHOD(crypter_t, decrypt_ecb, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	u_int8_t *out;
 
@@ -1475,11 +1466,8 @@ static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, DES_DECRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES (ECB).
- */
-static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *encrypted)
+METHOD(crypter_t, encrypt_ecb, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	u_int8_t *out;
 
@@ -1493,11 +1481,8 @@ static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for 3DES.
- */
-static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *decrypted)
+METHOD(crypter_t, decrypt3, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1514,11 +1499,8 @@ static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						 &ivb, DES_DECRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for 3DES.
- */
-static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt3, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1535,44 +1517,40 @@ static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						  &ivb, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_des_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_des_crypter_t *this)
 {
 	return sizeof(des_cblock);
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_des_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_des_crypter_t *this)
+{
+	return sizeof(des_cblock);
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_des_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key for DES.
- */
-static void set_key(private_des_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr), &this->ks);
 }
 
-/**
- * Implementation of crypter_t.set_key for 3DES.
- */
-static void set_key3(private_des_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key3, void,
+	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
 	des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
 	des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
 }
 
-/**
- * Implementation of crypter_t.destroy and des_crypter_t.destroy.
- */
-static void destroy(private_des_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_des_crypter_t *this)
 {
 	free(this);
 }
@@ -1582,33 +1560,39 @@ static void destroy(private_des_crypter_t *this)
  */
 des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
 {
-	private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
-
-	/* functions of crypter_t interface */
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	private_des_crypter_t *this;
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* use functions depending on algorithm */
 	switch (algo)
 	{
 		case ENCR_DES:
 			this->key_size = sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+			this->public.crypter.set_key = _set_key;
+			this->public.crypter.encrypt = _encrypt;
+			this->public.crypter.decrypt = _decrypt;
 			break;
 		case ENCR_3DES:
 			this->key_size = 3 * sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key3;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3;
+			this->public.crypter.set_key = _set_key3;
+			this->public.crypter.encrypt = _encrypt3;
+			this->public.crypter.decrypt = _decrypt3;
 			break;
 		case ENCR_DES_ECB:
 			this->key_size = sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt_ecb;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt_ecb;
+			this->public.crypter.set_key = _set_key;
+			this->public.crypter.encrypt = _encrypt_ecb;
+			this->public.crypter.decrypt = _decrypt_ecb;
 			break;
 		default:
 			free(this);
diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h
index cffbd4ce3..07215d0c5 100644
--- a/src/libstrongswan/plugins/des/des_crypter.h
+++ b/src/libstrongswan/plugins/des/des_crypter.h
@@ -32,9 +32,9 @@ typedef struct des_crypter_t des_crypter_t;
 struct des_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index afc82e8d4..43b457ce2 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -31,10 +31,8 @@ struct private_des_plugin_t {
 	des_plugin_t public;
 };
 
-/**
- * Implementation of des_plugin_t.destroy
- */
-static void destroy(private_des_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_des_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)des_crypter_create);
@@ -46,9 +44,15 @@ static void destroy(private_des_plugin_t *this)
  */
 plugin_t *des_plugin_create()
 {
-	private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
+	private_des_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 							 (crypter_constructor_t)des_crypter_create);
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 73f81f4db..7f4529211 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index 125047b05..bc0ee30ae 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -50,9 +50,9 @@ plugin_t *dnskey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)dnskey_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)dnskey_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 4ed8276c4..7e2a1ccdf 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am
new file mode 100644
index 000000000..ec733fbcc
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-gcm.la
+else
+plugin_LTLIBRARIES = libstrongswan-gcm.la
+endif
+
+libstrongswan_gcm_la_SOURCES = \
+	gcm_plugin.h gcm_plugin.c \
+	gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
new file mode 100644
index 000000000..a4de9ea77
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/gcm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_gcm_la_LIBADD =
+am_libstrongswan_gcm_la_OBJECTS = gcm_plugin.lo gcm_aead.lo
+libstrongswan_gcm_la_OBJECTS = $(am_libstrongswan_gcm_la_OBJECTS)
+libstrongswan_gcm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_gcm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_gcm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_gcm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_gcm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcm.la
+libstrongswan_gcm_la_SOURCES = \
+	gcm_plugin.h gcm_plugin.c \
+	gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) 
+	$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
new file mode 100644
index 000000000..0d7d91dbf
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -0,0 +1,425 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_aead.h"
+
+#include <limits.h>
+
+#define BLOCK_SIZE 16
+#define NONCE_SIZE 12
+#define IV_SIZE 8
+#define SALT_SIZE (NONCE_SIZE - IV_SIZE)
+
+typedef struct private_gcm_aead_t private_gcm_aead_t;
+
+/**
+ * Private data of an gcm_aead_t object.
+ */
+struct private_gcm_aead_t {
+
+	/**
+	 * Public gcm_aead_t interface.
+	 */
+	gcm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Size of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * Salt value
+	 */
+	char salt[SALT_SIZE];
+
+	/**
+	 * GHASH subkey H
+	 */
+	char h[BLOCK_SIZE];
+};
+
+/**
+ * Find a suiteable word size and network order conversion functions
+ */
+#if ULONG_MAX == 18446744073709551615UL && defined(htobe64)
+#	define htobeword htobe64
+#	define bewordtoh be64toh
+#	define SHIFT_WORD_TYPE u_int64_t
+#else
+#	define htobeword htonl
+#	define bewordtoh ntohl
+#	define SHIFT_WORD_TYPE u_int32_t
+#endif
+
+/**
+ * Bitshift a block right by one bit
+ */
+static void sr_block(char *block)
+{
+	int i;
+	SHIFT_WORD_TYPE *word = (SHIFT_WORD_TYPE*)block;
+
+	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
+	{
+		word[i] = bewordtoh(word[i]);
+	}
+	for (i = BLOCK_SIZE / sizeof(*word) - 1; i >= 0; i--)
+	{
+		word[i] >>= 1;
+		if (i != 0)
+		{
+			word[i] |= word[i - 1] << (sizeof(*word) * 8 - 1);
+		}
+	}
+	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
+	{
+		word[i] = htobeword(word[i]);
+	}
+}
+
+/**
+ * Naive implementation of block multiplication in GF128, no tables
+ */
+static void mult_block(char *x, char *y, char *res)
+{
+	char z[BLOCK_SIZE], v[BLOCK_SIZE], r;
+	int bit, byte;
+
+	r = 0xE1;
+	memset(z, 0, BLOCK_SIZE);
+	memcpy(v, y, BLOCK_SIZE);
+
+	for (byte = 0; byte < BLOCK_SIZE; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			if (x[byte] & (1 << bit))
+			{
+				memxor(z, v, BLOCK_SIZE);
+			}
+			if (v[BLOCK_SIZE - 1] & 0x01)
+			{
+				sr_block(v);
+				v[0] ^= r;
+			}
+			else
+			{
+				sr_block(v);
+			}
+		}
+	}
+	memcpy(res, z, BLOCK_SIZE);
+}
+
+/**
+ * GHASH function
+ */
+static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
+{
+	char y[BLOCK_SIZE];
+
+	memset(y, 0, BLOCK_SIZE);
+
+	while (x.len)
+	{
+		memxor(y, x.ptr, BLOCK_SIZE);
+		mult_block(y, this->h, y);
+		x = chunk_skip(x, BLOCK_SIZE);
+	}
+	memcpy(res, y, BLOCK_SIZE);
+}
+
+/**
+ * GCTR function, en-/decrypts x inline
+ */
+static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
+{
+	char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];
+
+	memset(iv, 0, BLOCK_SIZE);
+	memcpy(cb, icb, BLOCK_SIZE);
+
+	while (x.len)
+	{
+		memcpy(tmp, cb, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
+							   chunk_from_thing(iv), NULL);
+		memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
+		chunk_increment(chunk_from_thing(cb));
+		x = chunk_skip(x, BLOCK_SIZE);
+	}
+}
+
+/**
+ * Generate the block J0
+ */
+static void create_j(private_gcm_aead_t *this, char *iv, char *j)
+{
+	memcpy(j, this->salt, SALT_SIZE);
+	memcpy(j + SALT_SIZE, iv, IV_SIZE);
+	htoun32(j + SALT_SIZE + IV_SIZE, 1);
+}
+
+/**
+ * Create GHASH subkey H
+ */
+static void create_h(private_gcm_aead_t *this, char *h)
+{
+	char zero[BLOCK_SIZE];
+
+	memset(zero, 0, BLOCK_SIZE);
+	memset(h, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
+						   chunk_from_thing(zero), NULL);
+}
+
+/**
+ * Encrypt/decrypt
+ */
+static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
+{
+	char icb[BLOCK_SIZE];
+
+	memcpy(icb, j, BLOCK_SIZE);
+	chunk_increment(chunk_from_thing(icb));
+
+	out.len = in.len;
+	if (in.ptr != out.ptr)
+	{
+		memcpy(out.ptr, in.ptr, in.len);
+	}
+	gctr(this, icb, out);
+}
+
+/**
+ * Create ICV
+ */
+static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+					   char *j, char *icv)
+{
+	size_t assoc_pad, crypt_pad;
+	chunk_t chunk;
+	char s[BLOCK_SIZE], *pos;
+
+	assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE;
+	crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(assoc.len + assoc_pad +
+						crypt.len + crypt_pad + BLOCK_SIZE);
+	pos = chunk.ptr;
+	/* add associated data */
+	memcpy(pos, assoc.ptr, assoc.len);
+	pos += assoc.len;
+	memset(pos, 0, assoc_pad);
+	pos += assoc_pad;
+	/* add encrypted data */
+	memcpy(pos, crypt.ptr, crypt.len);
+	pos += crypt.len;
+	memset(pos, 0, crypt_pad);
+	pos += crypt_pad;
+	/* write associated len */
+	memset(pos, 0, 4);
+	pos += 4;
+	htoun32(pos, assoc.len * 8);
+	pos += 4;
+	/* write encrypted length */
+	memset(pos, 0, 4);
+	pos += 4;
+	htoun32(pos, crypt.len * 8);
+	pos += 4;
+
+	ghash(this, chunk, s);
+	free(chunk.ptr);
+	gctr(this, j, chunk_from_thing(s));
+
+	memcpy(icv, s, this->icv_size);
+}
+
+/**
+ * Verify the ICV value
+ */
+static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+					   char *j, char *icv)
+{
+	char tmp[this->icv_size];
+
+	create_icv(this, assoc, crypt, j, tmp);
+
+	return memeq(tmp, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	char j[BLOCK_SIZE];
+
+	create_j(this, iv.ptr, j);
+
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		crypt(this, j, plain, *encrypted);
+		create_icv(this, assoc,
+				   chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
+				   j, encrypted->ptr + encrypted->len - this->icv_size);
+	}
+	else
+	{
+		crypt(this, j, plain, plain);
+		create_icv(this, assoc, plain, j, plain.ptr + plain.len);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	char j[BLOCK_SIZE];
+
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+
+	create_j(this, iv.ptr, j);
+
+	encrypted.len -= this->icv_size;
+	if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len))
+	{
+		return FALSE;
+	}
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt(this, j, encrypted, *plain);
+	}
+	else
+	{
+		crypt(this, j, encrypted, encrypted);
+	}
+	return TRUE;
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_gcm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+	create_h(this, this->h);
+}
+
+METHOD(aead_t, destroy, void,
+	private_gcm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_gcm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_GCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_GCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
new file mode 100644
index 000000000..db4be2442
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm_aead gcm_aead
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_AEAD_H_
+#define GCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct gcm_aead_t gcm_aead_t;
+
+/**
+ * Galois/Counter Mode (GCM).
+ *
+ * Implements GCM as specified in NIST 800-38D, using AEAD semantics from
+ * RFC 5282, based on RFC4106.
+ */
+struct gcm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a gcm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a gcm mode
+ * @return				aead, NULL if not supported
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
new file mode 100644
index 000000000..061001b30
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_plugin.h"
+
+#include <library.h>
+
+#include "gcm_aead.h"
+
+typedef struct private_gcm_plugin_t private_gcm_plugin_t;
+
+/**
+ * private data of gcm_plugin
+ */
+struct private_gcm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	gcm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_gcm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)gcm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *gcm_plugin_create()
+{
+	private_gcm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
+					(aead_constructor_t)gcm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
+					(aead_constructor_t)gcm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
+					(aead_constructor_t)gcm_aead_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.h b/src/libstrongswan/plugins/gcm/gcm_plugin.h
new file mode 100644
index 000000000..52676708e
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm gcm
+ * @ingroup plugins
+ *
+ * @defgroup gcm_plugin gcm_plugin
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_PLUGIN_H_
+#define GCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct gcm_plugin_t gcm_plugin_t;
+
+/**
+ * Plugin providing GCM mode operation.
+ */
+struct gcm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** GCM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 09131c4be..00c49c487 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 5dbdde32c..599481911 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -40,15 +40,43 @@ struct private_gcrypt_crypter_t {
 	 * gcrypt algorithm identifier
 	 */
 	int alg;
+
+	/**
+	 * are we using counter mode?
+	 */
+	bool ctr_mode;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) ctr;
 };
 
 /**
- * Implementation of crypter_t.decrypt.
+ * Set the IV for en/decryption
  */
-static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+static void set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
+{
+	if (this->ctr_mode)
+	{
+		memcpy(this->ctr.iv, iv.ptr, sizeof(this->ctr.iv));
+		this->ctr.counter = htonl(1);
+		gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr));
+	}
+	else
+	{
+		gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	}
+}
+
+METHOD(crypter_t, decrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -61,13 +89,10 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -80,40 +105,60 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
+	if (this->ctr_mode)
+	{	/* counter mode does not need any padding */
+		return 1;
+	}
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
 	return len;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_gcrypt_crypter_t *this)
+{
+	size_t len = 0;
+
+	if (this->ctr_mode)
+	{
+		return sizeof(this->ctr.iv);
+	}
+	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
+	return len;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
+	if (this->ctr_mode)
+	{
+		return len + sizeof(this->ctr.nonce);
+	}
 	return len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_gcrypt_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_gcrypt_crypter_t *this, chunk_t key)
 {
+	if (this->ctr_mode)
+	{
+		/* last 4 bytes are the nonce */
+		memcpy(this->ctr.nonce, key.ptr + key.len - sizeof(this->ctr.nonce),
+			   sizeof(this->ctr.nonce));
+		key.len -= sizeof(this->ctr.nonce);
+	}
 	gcry_cipher_setkey(this->h, key.ptr, key.len);
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_gcrypt_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_gcrypt_crypter_t *this)
 {
 	gcry_cipher_close(this->h);
 	free(this);
@@ -149,18 +194,19 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			gcrypt_alg = GCRY_CIPHER_CAST5;
 			break;
 		case ENCR_BLOWFISH:
-			if (key_size != 16)
+			if (key_size != 16 && key_size != 0)
 			{	/* gcrypt currently supports 128 bit blowfish only */
 				return NULL;
 			}
 			gcrypt_alg = GCRY_CIPHER_BLOWFISH;
 			break;
-		/* case ENCR_AES_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_AES_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_AES128;
 					break;
@@ -174,13 +220,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
-		/* case ENCR_CAMELLIA_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_CAMELLIA_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
 #ifdef HAVE_GCRY_CIPHER_CAMELLIA
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_CAMELLIA128;
 					break;
@@ -198,6 +245,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_SERPENT_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_SERPENT128;
 					break;
@@ -214,6 +262,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_TWOFISH_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_TWOFISH128;
 					break;
@@ -228,9 +277,22 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.alg = gcrypt_alg,
+		.ctr_mode = mode == GCRY_CIPHER_MODE_CTR,
+	);
 
-	this->alg = gcrypt_alg;
 	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
 	if (err)
 	{
@@ -239,14 +301,6 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		free(this);
 		return NULL;
 	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
index ce0ead4a8..e565e28c7 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
@@ -33,7 +33,7 @@ struct gcrypt_crypter_t {
 	/**
 	 * The crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 08d6239ad..6c4665da2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -73,10 +73,8 @@ struct private_gcrypt_dh_t {
 	size_t p_len;
 };
 
-/**
- * Implementation of gcrypt_dh_t.set_other_public_value.
- */
-static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t value)
 {
 	gcry_mpi_t p_min_1;
 	gcry_error_t err;
@@ -134,18 +132,14 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 	return chunk;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_my_public_value.
- */
-static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t *value)
 {
 	*value = export_mpi(this->ya, this->p_len);
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gcrypt_dh_t *this, chunk_t *secret)
 {
 	if (!this->zz)
 	{
@@ -155,18 +149,14 @@ static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
 	return SUCCESS;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gcrypt_dh_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gcrypt_dh_t.destroy.
- */
-static void destroy(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gcrypt_dh_t *this)
 {
 	gcry_mpi_release(this->p);
 	gcry_mpi_release(this->xa);
@@ -178,42 +168,37 @@ static void destroy(private_gcrypt_dh_t *this)
 }
 
 /*
- * Described in header.
+ * Generic internal constructor
  */
-gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len,
+							chunk_t g, chunk_t p)
 {
 	private_gcrypt_dh_t *this;
-	diffie_hellman_params_t *params;
 	gcry_error_t err;
 	chunk_t random;
 	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gcrypt_dh_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-
-	this->group = group;
-	this->p_len = params->prime.len;
-	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
-						params->prime.ptr, params->prime.len, NULL);
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
+	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, p.ptr, p.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
-	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG,
-						params->generator.ptr, params->generator.len, NULL);
+	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG, g.ptr, g.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi generator failed: %s", gpg_strerror(err));
@@ -225,7 +210,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (rng)
 	{	/* prefer external randomizer */
-		rng->allocate_bytes(rng, params->exp_len, &random);
+		rng->allocate_bytes(rng, exp_len, &random);
 		rng->destroy(rng);
 		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
 							random.ptr, random.len, NULL);
@@ -241,21 +226,49 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	}
 	else
 	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
-		this->xa = gcry_mpi_new(params->exp_len * 8);
-		gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM);
+		this->xa = gcry_mpi_new(exp_len * 8);
+		gcry_mpi_randomize(this->xa, exp_len * 8, GCRY_STRONG_RANDOM);
 	}
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
-		gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1);
+		gcry_mpi_clear_bit(this->xa, exp_len * 8 - 1);
 	}
 
 	this->ya = gcry_mpi_new(this->p_len * 8);
-	this->yb = NULL;
-	this->zz = NULL;
 
 	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
 
 	return &this->public;
 }
 
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+{
+
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(group, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
index 95b68dcd0..a70958dc4 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
@@ -44,5 +44,16 @@ struct gcrypt_dh_t {
  */
 gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gcrypt_dh_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gcrypt_dh_t object, NULL if not supported
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p);
+
 #endif /** GCRYPT_DH_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 39609c16c..96c87614f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -37,27 +37,20 @@ struct private_gcrypt_hasher_t {
 	gcry_md_hd_t hd;
 };
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_gcrypt_hasher_t *this)
 {
 	return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd));
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_reset(this->hd);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	gcry_md_write(this->hd, chunk.ptr, chunk.len);
 	if (hash)
@@ -67,11 +60,8 @@ static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -84,10 +74,8 @@ static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_gcrypt_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_close(this->hd);
 	free(this);
@@ -132,7 +120,17 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
 	if (err)
@@ -143,12 +141,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
index 708ccaafb..a7542bcdd 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
@@ -33,7 +33,7 @@ struct gcrypt_hasher_t {
 	/**
 	 * The hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 039036b2c..590add5c8 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -93,10 +93,8 @@ static struct gcry_thread_cbs thread_functions = {
 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
 };
 
-/**
- * Implementation of gcrypt_plugin_t.destroy
- */
-static void destroy(private_gcrypt_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gcrypt_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 					(hasher_constructor_t)gcrypt_hasher_create);
@@ -106,6 +104,8 @@ static void destroy(private_gcrypt_plugin_t *this)
 					(rng_constructor_t)gcrypt_rng_create);
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->remove_dh(lib->crypto,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -139,9 +139,13 @@ plugin_t *gcrypt_plugin_create()
 	}
 	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 
-	this = malloc_thing(private_gcrypt_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* hashers */
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
@@ -172,8 +176,14 @@ plugin_t *gcrypt_plugin_create()
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#ifdef HAVE_GCRY_CIPHER_CAMELLIA
 	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
 	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
@@ -210,13 +220,15 @@ plugin_t *gcrypt_plugin_create()
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 
 	/* RSA */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
index d0d252572..d29755de9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -35,11 +35,8 @@ struct private_gcrypt_rng_t {
 	rng_quality_t quality;
 };
 
-/**
- * Implementation of gcrypt_rng_t.get_bytes.
- */
-static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	switch (this->quality)
 	{
@@ -55,20 +52,15 @@ static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
 	}
 }
 
-/**
- * Implementation of gcrypt_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_gcrypt_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
 }
 
-/**
- * Implementation of gcrypt_rng_t.destroy.
- */
-static void destroy(private_gcrypt_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_gcrypt_rng_t *this)
 {
 	free(this);
 }
@@ -90,13 +82,16 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
-
-	this->quality = quality;
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index b8e86aba0..38ce2cd6c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -192,19 +192,15 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	return !!signature->len;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *sig)
+METHOD(private_key_t, sign, bool,
+	private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *sig)
 {
 	switch (scheme)
 	{
@@ -229,17 +225,21 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 	}
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool decrypt(private_gcrypt_rsa_private_key_t *this,
-					chunk_t encrypted, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t encrypted, chunk_t *plain)
 {
 	gcry_error_t err;
 	gcry_sexp_t in, out;
 	chunk_t padded;
 	u_char *pos = NULL;;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
 						  encrypted.len, encrypted.ptr);
 	if (err)
@@ -277,18 +277,14 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gcrypt_rsa_private_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -304,11 +300,9 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty;
 	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
@@ -385,11 +379,9 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -409,19 +401,15 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_ref.
- */
-static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -434,25 +422,29 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
+static private_gcrypt_rsa_private_key_t *create_empty()
 {
-	private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	private_gcrypt_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -493,7 +485,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
 		DBG1(DBG_LIB, "building S-expression failed: %s", gpg_strerror(err));
 		return NULL;
 	}
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_pk_genkey(&this->key, param);
 	gcry_sexp_release(param);
 	if (err)
@@ -552,7 +544,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
 		break;
 	}
 
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_sexp_build(&this->key, NULL,
 					"(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
 					n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
index 4c3605f4b..0f3d66b80 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 80a91b976..f8645da97 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -159,19 +159,15 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gcrypt_rsa_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -196,15 +192,19 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *encrypted)
+METHOD(public_key_t, encrypt_, bool,
+	private_gcrypt_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *encrypted)
 {
 	gcry_sexp_t in, out;
 	gcry_error_t err;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
 	 * 00 | 02 | RANDOM | 00 | DATA */
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
@@ -228,19 +228,15 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 	return !!encrypted->len;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gcrypt_rsa_public_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -256,11 +252,9 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -280,19 +274,15 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_public_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -331,21 +321,23 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
 		break;
 	}
 
-	this = malloc_thing(private_gcrypt_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
 						  n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
index fa18c357b..ca0a284a2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index bd7100b27..b4ec1ed8d 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 4ee449890..e99502b27 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -85,10 +85,8 @@ struct private_gmp_diffie_hellman_t {
 	bool computed;
 };
 
-/**
- * Implementation of gmp_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gmp_diffie_hellman_t *this, chunk_t value)
 {
 	mpz_t p_min_1;
 
@@ -146,10 +144,8 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 	mpz_clear(p_min_1);
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gmp_diffie_hellman_t *this,chunk_t *value)
 {
 	value->len = this->p_len;
 	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
@@ -159,10 +155,8 @@ static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *valu
 	}
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gmp_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -177,18 +171,14 @@ static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *s
 	return SUCCESS;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gmp_diffie_hellman_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.destroy.
- */
-static void destroy(private_gmp_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gmp_diffie_hellman_t *this)
 {
 	mpz_clear(this->p);
 	mpz_clear(this->xa);
@@ -199,44 +189,38 @@ static void destroy(private_gmp_diffie_hellman_t *this)
 	free(this);
 }
 
-/*
- * Described in header.
+/**
+ * Generic internal constructor
  */
-gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
+											size_t exp_len, chunk_t g, chunk_t p)
 {
 	private_gmp_diffie_hellman_t *this;
-	diffie_hellman_params_t *params;
-	rng_t *rng;
 	chunk_t random;
+	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gmp_diffie_hellman_t);
-
-	/* public functions */
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
 
-	/* private variables */
-	this->group = group;
 	mpz_init(this->p);
 	mpz_init(this->yb);
 	mpz_init(this->ya);
 	mpz_init(this->xa);
 	mpz_init(this->zz);
 	mpz_init(this->g);
-
-	this->computed = FALSE;
-	this->p_len = params->prime.len;
-	mpz_import(this->p, params->prime.len, 1, 1, 1, 0, params->prime.ptr);
-	mpz_import(this->g, params->generator.len, 1, 1, 1, 0, params->generator.ptr);
+	mpz_import(this->g, g.len, 1, 1, 1, 0, g.ptr);
+	mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (!rng)
@@ -247,10 +231,10 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 		return NULL;
 	}
 
-	rng->allocate_bytes(rng, params->exp_len, &random);
+	rng->allocate_bytes(rng, exp_len, &random);
 	rng->destroy(rng);
 
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
 		*random.ptr &= 0x7F;
@@ -265,3 +249,29 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	return &this->public;
 }
 
+/*
+ * Described in header.
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+
+gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(MODP_CUSTOM, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
index 2a54eebb1..6d73c0863 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
@@ -45,5 +45,16 @@ struct gmp_diffie_hellman_t {
  */
 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gmp_diffie_hellman_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gmp_diffie_hellman_t object, NULL if not supported
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p);
+
 #endif /** GMP_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index fbce9732f..9b4fad3da 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -33,13 +33,13 @@ struct private_gmp_plugin_t {
 	gmp_plugin_t public;
 };
 
-/**
- * Implementation of gmp_plugin_t.gmptroy
- */
-static void destroy(private_gmp_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gmp_plugin_t *this)
 {
 	lib->crypto->remove_dh(lib->crypto,
 						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->remove_dh(lib->crypto,
+						(dh_constructor_t)gmp_diffie_hellman_create_custom);
 	lib->creds->remove_builder(lib->creds,
 						(builder_function_t)gmp_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -54,9 +54,15 @@ static void destroy(private_gmp_plugin_t *this)
  */
 plugin_t *gmp_plugin_create()
 {
-	private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
+	private_gmp_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
@@ -81,11 +87,14 @@ plugin_t *gmp_plugin_create()
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+						(dh_constructor_t)gmp_diffie_hellman_create_custom);
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 						(builder_function_t)gmp_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 						(builder_function_t)gmp_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 						(builder_function_t)gmp_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cc9985320..1b6c20817 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -209,7 +209,7 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
 }
 
 /**
- * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
+ * Build a signature using the PKCS#1 EMSA scheme
  */
 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 									   hash_algorithm_t hash_algorithm,
@@ -250,7 +250,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	{
 		free(digestInfo.ptr);
 		DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
-			 this->k * 8);
+			 mpz_sizeinbase(this->n, 2));
 		return FALSE;
 	}
 
@@ -280,19 +280,15 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_type.
- */
-static key_type_t get_type(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gmp_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.sign.
- */
-static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -317,15 +313,19 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 	}
 }
 
-/**
- * Implementation of gmp_rsa_private_key.decrypt.
- */
-static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
-					chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	chunk_t em, stripped;
 	bool success = FALSE;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* rsa decryption using PKCS#1 RSADP */
 	stripped = em = rsadp(this, crypto);
 
@@ -356,18 +356,14 @@ end:
 	return success;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gmp_rsa_private_key_t *this)
 {
-	return this->k;
+	return mpz_sizeinbase(this->n, 2);
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gmp_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -383,27 +379,9 @@ static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.equals.
- */
-static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
-{
-	return private_key_equals(&this->public.interface, other);
-}
-
-/**
- * Implementation of gmp_rsa_private_key.belongs_to.
- */
-static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
-{
-	return private_key_belongs_to(&this->public.interface, public);
-}
-
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gmp_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gmp_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 	bool success;
@@ -435,11 +413,8 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -459,19 +434,15 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_ref.
- */
-static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gmp_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.destroy.
- */
-static void destroy(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gmp_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -592,23 +563,27 @@ static status_t check(private_gmp_rsa_private_key_t *this)
  */
 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 {
-	private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
-	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
-	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
-	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
-	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-
-	this->ref = 1;
+	private_gmp_rsa_private_key_t *this;
 
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 	return this;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
index db1fcf535..32e1f292c 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gmp_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index c114ae80d..a7ba80138 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -273,19 +273,15 @@ end:
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gmp_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
-				   chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -312,24 +308,21 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 
 #define MIN_PS_PADDING 8
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *crypto)
+METHOD(public_key_t, encrypt_, bool,
+	private_gmp_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
 {
 	chunk_t em;
 	u_char *pos;
 	int padding, i;
 	rng_t *rng;
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (rng == NULL)
+	if (scheme != ENCRYPT_RSA_PKCS1)
 	{
-		DBG1(DBG_LIB, "no random generator available");
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
 		return FALSE;
 	}
-
 	/* number of pseudo-random padding octets */
 	padding = this->k - plain.len - 3;
 	if (padding < MIN_PS_PADDING)
@@ -338,6 +331,12 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 			 MIN_PS_PADDING);
 		return FALSE;
 	}
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (rng == NULL)
+	{
+		DBG1(DBG_LIB, "no random generator available");
+		return FALSE;
+	}
 
 	/* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
 	DBG2(DBG_LIB, "padding %u bytes of data to the rsa modulus size of"
@@ -376,27 +375,15 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	return TRUE;
 }
 
-/**
- * Implementation of gmp_rsa_public_key.equals.
- */
-static bool equals(private_gmp_rsa_public_key_t *this, public_key_t *other)
-{
-	return public_key_equals(&this->public.interface, other);
-}
-
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gmp_rsa_public_key_t *this)
 {
-	return this->k;
+	return mpz_sizeinbase(this->n, 2);
 }
 
-/**
- * Implementation of public_key_t.get_encoding
- */
-static bool get_encoding(private_gmp_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gmp_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -412,11 +399,8 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gmp_rsa_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -436,19 +420,15 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static private_gmp_rsa_public_key_t* get_ref(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gmp_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gmp_rsa_public_key.destroy.
- */
-static void destroy(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gmp_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -490,20 +470,23 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
 		return NULL;
 	}
 
-	this = malloc_thing(private_gmp_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
-	this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
-	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
-	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
-
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	mpz_init(this->n);
 	mpz_init(this->e);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
index 807f0bb7c..14dd71e0b 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -35,7 +35,7 @@ struct gmp_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index b03ff44a6..42a7d3747 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index c1ab48899..c7b2739df 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -30,7 +30,7 @@ struct private_hmac_t {
 	/**
 	 * Public hmac_t interface.
 	 */
-	hmac_t hmac;
+	hmac_t public;
 
 	/**
 	 * Block size, as in RFC.
@@ -53,10 +53,8 @@ struct private_hmac_t {
 	chunk_t ipaded_key;
 };
 
-/**
- * Implementation of hmac_t.get_mac.
- */
-static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
+METHOD(hmac_t, get_mac, void,
+	private_hmac_t *this, chunk_t data, u_int8_t *out)
 {
 	/* H(K XOR opad, H(K XOR ipad, text))
 	 *
@@ -91,37 +89,31 @@ static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
 	}
 }
 
-/**
- * Implementation of hmac_t.allocate_mac.
- */
-static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
+METHOD(hmac_t, allocate_mac, void,
+	private_hmac_t *this, chunk_t data, chunk_t *out)
 {
 	/* allocate space and use get_mac */
 	if (out == NULL)
 	{
 		/* append mode */
-		this->hmac.get_mac(&(this->hmac), data, NULL);
+		get_mac(this, data, NULL);
 	}
 	else
 	{
 		out->len = this->h->get_hash_size(this->h);
 		out->ptr = malloc(out->len);
-		this->hmac.get_mac(&(this->hmac), data, out->ptr);
+		get_mac(this, data, out->ptr);
 	}
 }
 
-/**
- * Implementation of hmac_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_t *this)
+METHOD(hmac_t, get_block_size, size_t,
+	private_hmac_t *this)
 {
 	return this->h->get_hash_size(this->h);
 }
 
-/**
- * Implementation of hmac_t.set_key.
- */
-static void set_key(private_hmac_t *this, chunk_t key)
+METHOD(hmac_t, set_key, void,
+	private_hmac_t *this, chunk_t key)
 {
 	int i;
 	u_int8_t buffer[this->b];
@@ -151,10 +143,8 @@ static void set_key(private_hmac_t *this, chunk_t key)
 	this->h->get_hash(this->h, this->ipaded_key, NULL);
 }
 
-/**
- * Implementation of hmac_t.destroy.
- */
-static void destroy(private_hmac_t *this)
+METHOD(hmac_t, destroy, void,
+	private_hmac_t *this)
 {
 	this->h->destroy(this->h);
 	free(this->opaded_key.ptr);
@@ -167,14 +157,17 @@ static void destroy(private_hmac_t *this)
  */
 hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 {
-	private_hmac_t *this = malloc_thing(private_hmac_t);
-
-	/* set hmac_t methods */
-	this->hmac.get_mac = (void (*)(hmac_t *,chunk_t,u_int8_t*))get_mac;
-	this->hmac.allocate_mac = (void (*)(hmac_t *,chunk_t,chunk_t*))allocate_mac;
-	this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
-	this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
-	this->hmac.destroy = (void (*)(hmac_t *))destroy;
+	private_hmac_t *this;
+
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.allocate_mac = _allocate_mac,
+			.get_block_size = _get_block_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
 
 	/* set b, according to hasher */
 	switch (hash_algorithm)
@@ -193,7 +186,6 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 			return NULL;
 	}
 
-	/* build the hasher */
 	this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
 	if (this->h == NULL)
 	{
@@ -208,5 +200,5 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 	this->ipaded_key.ptr = malloc(this->b);
 	this->ipaded_key.len = this->b;
 
-	return &(this->hmac);
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index e6b9f7a74..73df4dc6c 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -32,10 +32,8 @@ struct private_hmac_plugin_t {
 	hmac_plugin_t public;
 };
 
-/**
- * Implementation of hmac_plugin_t.hmactroy
- */
-static void destroy(private_hmac_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_hmac_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
 							(prf_constructor_t)hmac_prf_create);
@@ -49,9 +47,15 @@ static void destroy(private_hmac_plugin_t *this)
  */
 plugin_t *hmac_plugin_create()
 {
-	private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
+	private_hmac_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
 						 (prf_constructor_t)hmac_prf_create);
@@ -72,12 +76,16 @@ plugin_t *hmac_plugin_create()
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256,
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384,
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
 							(signer_constructor_t)hmac_signer_create);
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
index cca6e9570..ca10612f9 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.c
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.c
@@ -36,51 +36,39 @@ struct private_hmac_prf_t {
 	hmac_t *hmac;
 };
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
+METHOD(prf_t, get_bytes, void,
+	private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
 	this->hmac->get_mac(this->hmac, seed, buffer);
 }
 
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	this->hmac->allocate_mac(this->hmac, seed, chunk);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_hmac_prf_t *this)
 {
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_key_size(private_hmac_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_hmac_prf_t *this)
 {
 	/* for HMAC prfs, IKEv2 uses block size as key size */
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_hmac_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_hmac_prf_t *this, chunk_t key)
 {
 	this->hmac->set_key(this->hmac, key);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_hmac_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_hmac_prf_t *this)
 {
 	this->hmac->destroy(this->hmac);
 	free(this);
@@ -92,44 +80,47 @@ static void destroy(private_hmac_prf_t *this)
 hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
 {
 	private_hmac_prf_t *this;
-	hash_algorithm_t hash;
+	hmac_t *hmac;
 
 	switch (algo)
 	{
 		case PRF_HMAC_SHA1:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			break;
 		case PRF_HMAC_MD5:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			break;
 		case PRF_HMAC_SHA2_256:
-			hash = HASH_SHA256;
+			hmac = hmac_create(HASH_SHA256);
 			break;
 		case PRF_HMAC_SHA2_384:
-			hash = HASH_SHA384;
+			hmac = hmac_create(HASH_SHA384);
 			break;
 		case PRF_HMAC_SHA2_512:
-			hash = HASH_SHA512;
+			hmac = hmac_create(HASH_SHA512);
 			break;
 		default:
 			return NULL;
 	}
-
-	this = malloc_thing(private_hmac_prf_t);
-	this->hmac = hmac_create(hash);
-	if (this->hmac == NULL)
+	if (hmac == NULL)
 	{
-		free(this);
 		return NULL;
 	}
 
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.hmac = hmac,
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
index 975b456f5..29d7269ae 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.h
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.h
@@ -35,9 +35,9 @@ typedef struct hmac_prf_t hmac_prf_t;
 struct hmac_prf_t {
 
 	/**
-	 * Generic prf_t interface for this hmac_prf_t class.
+	 * Implements prf_t interface.
 	 */
-	prf_t prf_interface;
+	prf_t prf;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
index f82a8f3a1..511a3e3a5 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -41,11 +41,8 @@ struct private_hmac_signer_t {
 	size_t block_size;
 };
 
-/**
- * Implementation of signer_t.get_signature.
- */
-static void get_signature(private_hmac_signer_t *this,
-						  chunk_t data, u_int8_t *buffer)
+METHOD(signer_t, get_signature, void,
+	private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
 	if (buffer == NULL)
 	{	/* append mode */
@@ -60,11 +57,8 @@ static void get_signature(private_hmac_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.allocate_signature.
- */
-static void allocate_signature (private_hmac_signer_t *this,
-								chunk_t data, chunk_t *chunk)
+METHOD(signer_t, allocate_signature, void,
+	private_hmac_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk == NULL)
 	{	/* append mode */
@@ -83,11 +77,8 @@ static void allocate_signature (private_hmac_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.verify_signature.
- */
-static bool verify_signature(private_hmac_signer_t *this,
-							 chunk_t data, chunk_t signature)
+METHOD(signer_t, verify_signature, bool,
+	private_hmac_signer_t *this, chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->hmac->get_block_size(this->hmac)];
 
@@ -100,38 +91,29 @@ static bool verify_signature(private_hmac_signer_t *this,
 	return memeq(signature.ptr, mac, this->block_size);
 }
 
-/**
- * Implementation of signer_t.get_key_size.
- */
-static size_t get_key_size(private_hmac_signer_t *this)
+METHOD(signer_t, get_key_size, size_t,
+	private_hmac_signer_t *this)
 {
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of signer_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_signer_t *this)
+METHOD(signer_t, get_block_size, size_t,
+	private_hmac_signer_t *this)
 {
 	return this->block_size;
 }
 
-/**
- * Implementation of signer_t.set_key.
- */
-static void set_key(private_hmac_signer_t *this, chunk_t key)
+METHOD(signer_t, set_key, void,
+	private_hmac_signer_t *this, chunk_t key)
 {
 	this->hmac->set_key(this->hmac, key);
 }
 
-/**
- * Implementation of signer_t.destroy.
- */
-static status_t destroy(private_hmac_signer_t *this)
+METHOD(signer_t, destroy, void,
+	private_hmac_signer_t *this)
 {
 	this->hmac->destroy(this->hmac);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -140,66 +122,76 @@ static status_t destroy(private_hmac_signer_t *this)
 hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 {
 	private_hmac_signer_t *this;
+	hmac_t *hmac;
 	size_t trunc;
-	hash_algorithm_t hash;
 
 	switch (algo)
 	{
 		case AUTH_HMAC_SHA1_96:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 12;
 			break;
 		case AUTH_HMAC_SHA1_128:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA1_160:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 20;
 			break;
 		case AUTH_HMAC_MD5_96:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			trunc = 12;
 			break;
 		case AUTH_HMAC_MD5_128:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA2_256_128:
-			hash = HASH_SHA256;
+			hmac = hmac_create(HASH_SHA256);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA2_384_192:
-			hash = HASH_SHA384;
+			hmac = hmac_create(HASH_SHA384);
 			trunc = 24;
 			break;
 		case AUTH_HMAC_SHA2_512_256:
-			hash = HASH_SHA512;
+			hmac = hmac_create(HASH_SHA512);
 			trunc = 32;
 			break;
+		case AUTH_HMAC_SHA2_256_256:
+			hmac = hmac_create(HASH_SHA256);
+			trunc = 32;
+			break;
+		case AUTH_HMAC_SHA2_384_384:
+			hmac = hmac_create(HASH_SHA384);
+			trunc = 48;
+			break;
 		default:
 			return NULL;
 	}
 
-	this = malloc_thing(private_hmac_signer_t);
-	this->hmac = hmac_create(hash);
-	if (this->hmac == NULL)
+	if (hmac == NULL)
 	{
-		free(this);
 		return NULL;
 	}
-	/* prevent invalid truncation */
-	this->block_size = min(trunc, this->hmac->get_block_size(this->hmac));
-
-	/* interface functions */
-	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
-	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
-	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
-	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
-	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
-	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
-	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-
-	return &(this->public);
+
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.block_size = min(trunc, hmac->get_block_size(hmac)),
+		.hmac = hmac,
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
index 0de93440c..5e798683b 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.h
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.h
@@ -34,9 +34,9 @@ typedef struct hmac_signer_t hmac_signer_t;
 struct hmac_signer_t {
 
 	/**
-	 * generic signer_t interface for this signer
+	 * Implements signer_t interface.
 	 */
-	signer_t signer_interface;
+	signer_t signer;
 };
 
 /**
@@ -44,8 +44,7 @@ struct hmac_signer_t {
  *
  * HMAC signatures are often truncated to shorten them to a more usable, but
  * still secure enough length.
- * Block size must be equal or smaller then the hash algorithms
- * hash.
+ * Block size must be equal or smaller then the hash algorithms hash.
  *
  * @param algo		algorithm to implement
  * @return			hmac_signer_t, NULL if  not supported
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index b96fd5abf..65a135e76 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 874ee07a2..a78dad97c 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index cc32bca88..6de400e8e 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 83c1188b6..7d4d42c14 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index de9df7271..a32418b16 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 5645d72d7..b9d97a901 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -416,10 +416,19 @@ static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this,
 static bool parse_crlNumber_ext(private_openssl_crl_t *this,
 								X509_EXTENSION *ext)
 {
-	free(this->serial.ptr);
-	this->serial = chunk_clone(
-						openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)));
-	return this->serial.len != 0;
+	chunk_t chunk;
+
+	chunk = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext));
+	/* quick and dirty INTEGER unwrap */
+	if (chunk.len > 1 && chunk.ptr[0] == V_ASN1_INTEGER &&
+		chunk.ptr[1] == chunk.len - 2)
+	{
+		chunk = chunk_skip(chunk, 2);
+		free(this->serial.ptr);
+		this->serial = chunk_clone(chunk);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index a8923ab56..2ed07ff0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -41,85 +41,57 @@ struct private_openssl_crypter_t {
 };
 
 /**
- * Mapping from the algorithms defined in IKEv2 to
- * OpenSSL algorithm names and their key length
- */
-typedef struct {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2_id;
-
-	/**
-	 * Name of the algorithm, as used in OpenSSL
-	 */
-	char *name;
-
-	/**
-	 * Minimum valid key length in bytes
-	 */
-	size_t key_size_min;
-
-	/**
-	 * Maximum valid key length in bytes
-	 */
-	size_t key_size_max;
-} openssl_algorithm_t;
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static openssl_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 	"***", 			0,	0}, */
-	{ENCR_DES, 			"des",			8,	8},		/* 64 bits */
-	{ENCR_3DES, 		"des3",			24,	24},	/* 192 bits */
-	{ENCR_RC5, 			"rc5", 			5,	255},	/* 40 to 2040 bits, RFC 2451 */
-	{ENCR_IDEA, 		"idea",			16,	16},	/* 128 bits, RFC 2451 */
-	{ENCR_CAST, 		"cast",			5,	16},	/* 40 to 128 bits, RFC 2451 */
-	{ENCR_BLOWFISH, 	"blowfish",		5,	56},	/* 40 to 448 bits, RFC 2451 */
-/*	{ENCR_3IDEA, 		"***",			0,	0}, */
-/*	{ENCR_DES_IV32, 	"***",			0,	0}, */
-/*	{ENCR_NULL, 		"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_AES_CBC, 		"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_CAMELLIA_CBC,	"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_AES_CTR, 		"***",			0,	0}, */ /* disabled in evp.h */
-	{END_OF_LIST, 		NULL,			0,	0},
-};
-
-/**
  * Look up an OpenSSL algorithm name and validate its key size
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
-					   u_int16_t ikev2_algo, size_t *key_size)
+static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
 {
-	while (openssl_algo->ikev2_id != END_OF_LIST)
+	struct {
+		/* identifier specified in IKEv2 */
+		int ikev2_id;
+		/* name of the algorithm, as used in OpenSSL */
+		char *name;
+		/* default key size in bytes */
+		size_t key_def;
+		/* minimum key size */
+		size_t key_min;
+		/* maximum key size */
+		size_t key_max;
+	} mappings[] = {
+		{ENCR_DES, 			"des",			 8,		 8,		  8},
+		{ENCR_3DES, 		"des3",			24,		24,		 24},
+		{ENCR_RC5, 			"rc5", 			16,		 5,		255},
+		{ENCR_IDEA, 		"idea",			16,		16,		 16},
+		{ENCR_CAST, 		"cast",			16,		 5,		 16},
+		{ENCR_BLOWFISH, 	"blowfish",		16,		 5,		 56},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
 	{
-		if (ikev2_algo == openssl_algo->ikev2_id)
+		if (ikev2_algo == mappings[i].ikev2_id)
 		{
 			/* set the key size if it is not set */
-			if (*key_size == 0 &&
-				(openssl_algo->key_size_min == openssl_algo->key_size_max))
+			if (*key_size == 0)
 			{
-				*key_size = openssl_algo->key_size_min;
+				*key_size = mappings[i].key_def;
 			}
-
 			/* validate key size */
-			if (*key_size < openssl_algo->key_size_min ||
-				*key_size > openssl_algo->key_size_max)
+			if (*key_size < mappings[i].key_min ||
+				*key_size > mappings[i].key_max)
 			{
 				return NULL;
 			}
-			return openssl_algo->name;
+			return mappings[i].name;
 		}
-		openssl_algo++;
 	}
 	return NULL;
 }
 
-static void crypt(private_openssl_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst, int enc)
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static void crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
+				  chunk_t *dst, int enc)
 {
 	int len;
 	u_char *out;
@@ -141,53 +113,44 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 	EVP_CIPHER_CTX_cleanup(&ctx);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_openssl_crypter_t *this, chunk_t data,
-						chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, decrypt, void,
+	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 0);
 }
 
-
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt (private_openssl_crypter_t *this, chunk_t data,
-							chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 1);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_openssl_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_openssl_crypter_t *this)
 {
 	return this->cipher->block_size;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_openssl_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_openssl_crypter_t *this)
+{
+	return this->cipher->block_size;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_openssl_crypter_t *this)
 {
 	return this->key.len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_openssl_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_openssl_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_openssl_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_openssl_crypter_t *this)
 {
 	free(this->key.ptr);
 	free(this);
@@ -201,16 +164,32 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 {
 	private_openssl_crypter_t *this;
 
-	this = malloc_thing(private_openssl_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	switch (algo)
 	{
 		case ENCR_NULL:
 			this->cipher = EVP_enc_null();
+			key_size = 0;
 			break;
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
+					key_size = 16;
+					/* FALL */
 				case 16:        /* AES 128 */
 					this->cipher = EVP_get_cipherbyname("aes128");
 					break;
@@ -228,6 +207,9 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
+				case 0:
+					key_size = 16;
+					/* FALL */
 				case 16:        /* CAMELLIA 128 */
 					this->cipher = EVP_get_cipherbyname("camellia128");
 					break;
@@ -243,11 +225,14 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 			}
 			break;
 		case ENCR_DES_ECB:
+			key_size = 8;
 			this->cipher = EVP_des_ecb();
 			break;
 		default:
 		{
-			char* name = lookup_algorithm(encryption_algs, algo, &key_size);
+			char* name;
+
+			name = lookup_algorithm(algo, &key_size);
 			if (!name)
 			{
 				/* algo unavailable or key_size invalid */
@@ -268,12 +253,5 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 
 	this->key = chunk_alloc(key_size);
 
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
index 7e30ae03c..b12e7a6ab 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.h
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -31,9 +31,9 @@ typedef struct openssl_crypter_t openssl_crypter_t;
 struct openssl_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 9a032c54f..b27aa3391 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -57,11 +57,8 @@ struct private_openssl_diffie_hellman_t {
 	bool computed;
 };
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_diffie_hellman_t *this,
-								chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_openssl_diffie_hellman_t *this, chunk_t *value)
 {
 	*value = chunk_alloc(DH_size(this->dh));
 	memset(value->ptr, 0, value->len);
@@ -69,11 +66,8 @@ static void get_my_public_value(private_openssl_diffie_hellman_t *this,
 			  value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
-								  chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_openssl_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -88,11 +82,8 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
 }
 
 
-/**
- * Implementation of openssl_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_openssl_diffie_hellman_t *this,
-								   chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_openssl_diffie_hellman_t *this, chunk_t value)
 {
 	int len;
 
@@ -110,10 +101,8 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_openssl_diffie_hellman_t *this)
 {
 	return this->group;
 }
@@ -137,10 +126,8 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.destroy.
- */
-static void destroy(private_openssl_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_openssl_diffie_hellman_t *this)
 {
 	BN_clear_free(this->pub_key);
 	DH_free(this->dh);
@@ -151,15 +138,22 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 /*
  * Described in header.
  */
-openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group)
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
-	private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	private_openssl_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	this->dh = DH_new();
 	if (!this->dh)
@@ -173,11 +167,19 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	this->pub_key = BN_new();
 	this->shared_secret = chunk_empty;
 
-	/* find a modulus according to group */
-	if (set_modulus(this) != SUCCESS)
+	if (group == MODP_CUSTOM)
 	{
-		destroy(this);
-		return NULL;
+		this->dh->p = BN_bin2bn(p.ptr, p.len, NULL);
+		this->dh->g = BN_bin2bn(g.ptr, g.len, NULL);
+	}
+	else
+	{
+		/* find a modulus according to group */
+		if (set_modulus(this) != SUCCESS)
+		{
+			destroy(this);
+			return NULL;
+		}
 	}
 
 	/* generate my public and private values */
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
index 6c4b4fe81..53dc59c78 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -40,9 +40,12 @@ struct openssl_diffie_hellman_t {
  * Creates a new openssl_diffie_hellman_t object.
  *
  * @param group			Diffie Hellman group number to use
+ * @param g				custom generator, if MODP_CUSTOM
+ * @param p				custom prime, if MODP_CUSTOM
  * @return				openssl_diffie_hellman_t object, NULL if not supported
  */
-openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group);
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p);
 
 #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index a53e8aea0..32fc2bccd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -165,7 +165,8 @@ error:
  *   of the Diffie-Hellman shared secret value is the same as that of the
  *   Diffie-Hellman public value."
  */
-static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_t *shared_secret)
+static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
+							   chunk_t *shared_secret)
 {
 	const BIGNUM *priv_key;
 	EC_POINT *secret = NULL;
@@ -209,10 +210,8 @@ error:
 	return ret;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_openssl_ec_diffie_hellman_t *this, chunk_t value)
 {
 	if (!chunk2ecp(this->ec_group, value, this->pub_key))
 	{
@@ -230,18 +229,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
 {
 	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -251,18 +246,14 @@ static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chu
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_openssl_ec_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_openssl_ec_diffie_hellman_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.destroy.
- */
-static void destroy(private_openssl_ec_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_openssl_ec_diffie_hellman_t *this)
 {
 	EC_POINT_clear_free(this->pub_key);
 	EC_KEY_free(this->key);
@@ -275,13 +266,20 @@ static void destroy(private_openssl_ec_diffie_hellman_t *this)
  */
 openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
 {
-	private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	private_openssl_ec_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+	);
 
 	switch (group)
 	{
@@ -328,11 +326,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 		return NULL;
 	}
 
-	this->group = group;
-	this->computed = FALSE;
-
-	this->shared_secret = chunk_empty;
-
 	return &this->public;
 }
 #endif /* OPENSSL_NO_EC */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 281155913..f4c4759bf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -138,11 +138,9 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this,
 	return built;
 }
 
-/**
- * Implementation of private_key_t.sign.
- */
-static bool sign(private_openssl_ec_private_key_t *this,
-				 signature_scheme_t scheme, chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_openssl_ec_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -172,36 +170,38 @@ static bool sign(private_openssl_ec_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of private_key_t.destroy.
- */
-static bool decrypt(private_openssl_ec_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_openssl_ec_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "EC private key decryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of private_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_openssl_ec_private_key_t *this)
 {
-	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+	switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+	{
+		case NID_X9_62_prime256v1:
+			return 256;
+		case NID_secp384r1:
+			return 384;
+		case NID_secp521r1:
+			return 521;
+		default:
+			return 0;
+	}
 }
 
-/**
- * Implementation of private_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_openssl_ec_private_key_t *this)
 {
 	return KEY_ECDSA;
 }
 
-/**
- * Implementation of private_key_t.get_public_key.
- */
-static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_openssl_ec_private_key_t *this)
 {
 	public_key_t *public;
 	chunk_t key;
@@ -217,20 +217,16 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_ec_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_openssl_ec_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_ec_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_openssl_ec_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -261,19 +257,15 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of private_key_t.get_ref.
- */
-static private_key_t* get_ref(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_openssl_ec_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of private_key_t.destroy.
- */
-static void destroy(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_openssl_ec_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -291,23 +283,27 @@ static void destroy(private_openssl_ec_private_key_t *this)
  */
 static private_openssl_ec_private_key_t *create_empty(void)
 {
-	private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->ec = NULL;
-	this->ref = 1;
+	private_openssl_ec_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index 720c63f90..f56c95aa1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -34,7 +34,7 @@ struct openssl_ec_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index def36c92f..7461695ad 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -130,19 +130,15 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 	return valid;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_openssl_ec_public_key_t *this)
 {
 	return KEY_ECDSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_openssl_ec_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_openssl_ec_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -172,22 +168,28 @@ static bool verify(private_openssl_ec_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static bool encrypt_(private_openssl_ec_public_key_t *this,
-					 chunk_t crypto, chunk_t *plain)
+METHOD(public_key_t, encrypt, bool,
+	private_openssl_ec_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "EC public key encryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_openssl_ec_public_key_t *this)
 {
-	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+	switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+	{
+		case NID_X9_62_prime256v1:
+			return 256;
+		case NID_secp384r1:
+			return 384;
+		case NID_secp521r1:
+			return 521;
+		default:
+			return 0;
+	}
 }
 
 /**
@@ -232,20 +234,16 @@ bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp)
 	return TRUE;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_ec_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_openssl_ec_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_ec_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_openssl_ec_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -276,19 +274,15 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_openssl_ec_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_ec_public_key.destroy.
- */
-static void destroy(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_openssl_ec_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -306,21 +300,25 @@ static void destroy(private_openssl_ec_public_key_t *this)
  */
 static private_openssl_ec_public_key_t *create_empty()
 {
-	private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->ec = NULL;
-	this->ref = 1;
+	private_openssl_ec_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.get_keysize = _get_keysize,
+				.equals = public_key_equals,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
index 29d607d38..8094083a7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -34,7 +34,7 @@ struct openssl_ec_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index 7556bc594..d81f4b21e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -90,27 +90,20 @@ static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
 	return NULL;
 }
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_openssl_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_openssl_hasher_t *this)
 {
 	return this->hasher->md_size;
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_openssl_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_openssl_hasher_t *this)
 {
 	EVP_DigestInit_ex(this->ctx, this->hasher, NULL);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_openssl_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len);
 	if (hash)
@@ -120,11 +113,8 @@ static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_openssl_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -137,10 +127,8 @@ static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_openssl_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_openssl_hasher_t *this)
 {
 	EVP_MD_CTX_destroy(this->ctx);
 	free(this);
@@ -160,7 +148,17 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_openssl_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	this->hasher = EVP_get_digestbyname(name);
 	if (!this->hasher)
@@ -170,12 +168,6 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	this->ctx = EVP_MD_CTX_create();
 
 	/* initialization */
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
index fd7a043d1..b03f6891b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.h
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -31,9 +31,9 @@ typedef struct openssl_hasher_t openssl_hasher_t;
 struct openssl_hasher_t {
 
 	/**
-	 * The hasher_t interface.
+	 * Implements hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 31697dcb8..0ab4eda9c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -16,6 +16,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/conf.h>
+#include <openssl/rand.h>
 #include <openssl/crypto.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -24,6 +25,7 @@
 #include "openssl_plugin.h"
 
 #include <library.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include "openssl_util.h"
@@ -151,6 +153,31 @@ static void threading_init()
 }
 
 /**
+ * Seed the OpenSSL RNG, if required
+ */
+static bool seed_rng()
+{
+	rng_t *rng = NULL;
+	char buf[32];
+
+	while (RAND_status() != 1)
+	{
+		if (!rng)
+		{
+			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+			if (!rng)
+			{
+				return FALSE;
+			}
+		}
+		rng->get_bytes(rng, sizeof(buf), buf);
+		RAND_seed(buf, sizeof(buf));
+	}
+	DESTROY_IF(rng);
+	return TRUE;
+}
+
+/**
  * cleanup OpenSSL threading locks
  */
 static void threading_cleanup()
@@ -166,10 +193,8 @@ static void threading_cleanup()
 	mutex = NULL;
 }
 
-/**
- * Implementation of openssl_plugin_t.destroy
- */
-static void destroy(private_openssl_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_openssl_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -218,9 +243,15 @@ static void destroy(private_openssl_plugin_t *this)
  */
 plugin_t *openssl_plugin_create()
 {
-	private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
+	private_openssl_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	threading_init();
 
@@ -233,6 +264,13 @@ plugin_t *openssl_plugin_create()
 	ENGINE_register_all_complete();
 #endif /* OPENSSL_NO_ENGINE */
 
+	if (!seed_rng())
+	{
+		DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+		destroy(this);
+		return NULL;
+	}
+
 	/* crypter */
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -312,33 +350,35 @@ plugin_t *openssl_plugin_create()
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+						(dh_constructor_t)openssl_diffie_hellman_create);
 
 	/* rsa */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)openssl_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)openssl_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 					(builder_function_t)openssl_rsa_private_key_connect);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)openssl_rsa_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 					(builder_function_t)openssl_rsa_public_key_load);
 
 #ifndef OPENSSL_NO_EC
 	/* ecdsa */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, TRUE,
 					(builder_function_t)openssl_ec_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
 					(builder_function_t)openssl_ec_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, TRUE,
 					(builder_function_t)openssl_ec_public_key_load);
 #endif /* OPENSSL_NO_EC */
 
 	/* X509 certificates */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
 					(builder_function_t)openssl_x509_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
 					(builder_function_t)openssl_crl_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 5817ade9e..0b607c386 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -131,19 +131,16 @@ error:
 	return success;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_type.
- */
-static key_type_t get_type(private_openssl_rsa_private_key_t *this)
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_openssl_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.sign.
- */
-static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -168,28 +165,47 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 	}
 }
 
-/**
- * Implementation of openssl_rsa_private_key.decrypt.
- */
-static bool decrypt(private_openssl_rsa_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_openssl_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
-	DBG1(DBG_LIB, "RSA private key decryption not implemented");
-	return FALSE;
+	int padding, len;
+	char *decrypted;
+
+	switch (scheme)
+	{
+		case ENCRYPT_RSA_PKCS1:
+			padding = RSA_PKCS1_PADDING;
+			break;
+		case ENCRYPT_RSA_OAEP_SHA1:
+			padding = RSA_PKCS1_OAEP_PADDING;
+			break;
+		default:
+			DBG1(DBG_LIB, "encryption scheme %N not supported via openssl",
+				 encryption_scheme_names, scheme);
+			return FALSE;
+	}
+	decrypted = malloc(RSA_size(this->rsa));
+	len = RSA_private_decrypt(crypto.len, crypto.ptr, decrypted,
+							  this->rsa, padding);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "RSA decryption failed");
+		free(decrypted);
+		return FALSE;
+	}
+	*plain = chunk_create(decrypted, len);
+	return TRUE;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_openssl_rsa_private_key_t *this)
 {
-	return RSA_size(this->rsa);
+	return RSA_size(this->rsa) * 8;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_openssl_rsa_private_key_t *this)
 {
 	chunk_t enc;
 	public_key_t *key;
@@ -204,20 +220,16 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
 	return key;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_openssl_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_openssl_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -252,19 +264,15 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_ref.
- */
-static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_openssl_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.destroy.
- */
-static void destroy(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_openssl_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -280,25 +288,29 @@ static void destroy(private_openssl_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_openssl_rsa_private_key_t *create_empty(void)
+static private_openssl_rsa_private_key_t *create_empty()
 {
-	private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
-	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
-	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
-	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-
-	this->engine = FALSE;
-	this->ref = 1;
+	private_openssl_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -444,6 +456,48 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 }
 
 /**
+ * Login to engine with a PIN specified for a keyid
+ */
+static bool login(ENGINE *engine, chunk_t keyid)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	identification_t *id;
+	chunk_t key;
+	char pin[64];
+	bool found = FALSE, success = FALSE;
+
+	id = identification_create_from_encoding(ID_KEY_ID, keyid);
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+														SHARED_PIN, id, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		key = shared->get_key(shared);
+		if (snprintf(pin, sizeof(pin), "%.*s", key.len, key.ptr) >= sizeof(pin))
+		{
+			continue;
+		}
+		if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+		{
+			success = TRUE;
+			break;
+		}
+		else
+		{
+			DBG1(DBG_CFG, "setting PIN on engine failed");
+		}
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no PIN found for %#B", &keyid);
+	}
+	return success;
+}
+
+/**
  * See header.
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
@@ -451,20 +505,25 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 {
 #ifndef OPENSSL_NO_ENGINE
 	private_openssl_rsa_private_key_t *this;
-	char *keyid = NULL, *pin = NULL;
+	char *engine_id = NULL;
+	char keyname[64];
+	chunk_t keyid = chunk_empty;;
 	EVP_PKEY *key;
-	char *engine_id;
 	ENGINE *engine;
+	int slot = -1;
 
 	while (TRUE)
 	{
 		switch (va_arg(args, builder_part_t))
 		{
-			case BUILD_SMARTCARD_KEYID:
-				keyid = va_arg(args, char*);
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
 				continue;
-			case BUILD_SMARTCARD_PIN:
-				pin = va_arg(args, char*);
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				engine_id = va_arg(args, char*);
 				continue;
 			case BUILD_END:
 				break;
@@ -473,17 +532,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 		}
 		break;
 	}
-	if (!keyid || !pin)
+	if (!keyid.len || keyid.len > 40)
 	{
 		return NULL;
 	}
 
-	engine_id = lib->settings->get_str(lib->settings,
+	memset(keyname, 0, sizeof(keyname));
+	if (slot != -1)
+	{
+		snprintf(keyname, sizeof(keyname), "%d:", slot);
+	}
+	if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
+	{
+		return NULL;
+	}
+	chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
+
+	if (!engine_id)
+	{
+		engine_id = lib->settings->get_str(lib->settings,
 						"libstrongswan.plugins.openssl.engine_id", "pkcs11");
+	}
 	engine = ENGINE_by_id(engine_id);
 	if (!engine)
 	{
-		DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
+		DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
 		return NULL;
 	}
 	if (!ENGINE_init(engine))
@@ -492,18 +565,17 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 		ENGINE_free(engine);
 		return NULL;
 	}
-	if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+	if (!login(engine, keyid))
 	{
-		DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id);
+		DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
-
-	key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
+	key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
 	if (!key)
 	{
 		DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
-			 "engine '%s'", keyid, engine_id);
+			 "engine '%s'", keyname, engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
@@ -512,6 +584,11 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	this = create_empty();
 	this->rsa = EVP_PKEY_get1_RSA(key);
 	this->engine = TRUE;
+	if (!this->rsa)
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public;
 #else /* OPENSSL_NO_ENGINE */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 079dfa46a..60889d651 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -34,7 +34,7 @@ struct openssl_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 6ac61a65c..422e31521 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -114,19 +114,15 @@ error:
 	return valid;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_openssl_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
-				   chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -151,22 +147,43 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 	}
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static bool encrypt_(private_openssl_rsa_public_key_t *this,
-					 chunk_t crypto, chunk_t *plain)
+METHOD(public_key_t, encrypt, bool,
+	private_openssl_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
 {
-	DBG1(DBG_LIB, "RSA public key encryption not implemented");
-	return FALSE;
+	int padding, len;
+	char *encrypted;
+
+	switch (scheme)
+	{
+		case ENCRYPT_RSA_PKCS1:
+			padding = RSA_PKCS1_PADDING;
+			break;
+		case ENCRYPT_RSA_OAEP_SHA1:
+			padding = RSA_PKCS1_OAEP_PADDING;
+			break;
+		default:
+			DBG1(DBG_LIB, "decryption scheme %N not supported via openssl",
+				 encryption_scheme_names, scheme);
+			return FALSE;
+	}
+	encrypted = malloc(RSA_size(this->rsa));
+	len = RSA_public_encrypt(plain.len, plain.ptr, encrypted,
+							 this->rsa, padding);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "RSA decryption failed");
+		free(encrypted);
+		return FALSE;
+	}
+	*crypto = chunk_create(encrypted, len);
+	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_openssl_rsa_public_key_t *this)
 {
-	return RSA_size(this->rsa);
+	return RSA_size(this->rsa) * 8;
 }
 
 /**
@@ -211,20 +228,16 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -262,19 +275,15 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_openssl_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_rsa_public_key.destroy.
- */
-static void destroy(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_openssl_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -292,21 +301,25 @@ static void destroy(private_openssl_rsa_public_key_t *this)
  */
 static private_openssl_rsa_public_key_t *create_empty()
 {
-	private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->rsa = NULL;
-	this->ref = 1;
+	private_openssl_rsa_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
index 620aa51ce..021257d3c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -33,7 +33,7 @@ struct openssl_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index b65388010..20f2fa984 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -124,13 +124,15 @@ openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
 	}
 
 	INIT(this,
-		.public.prf = {
-			.get_block_size = _get_block_size,
-			.get_bytes = _get_bytes,
-			.allocate_bytes = _allocate_bytes,
-			.get_key_size = _get_key_size,
-			.set_key = _set_key,
-			.destroy = _destroy,
+		.public = {
+			.prf = {
+				.get_block_size = _get_block_size,
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
 		},
 	);
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 1c9bb699e..aa39bc93d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -187,6 +187,15 @@ static identification_t *general_name2id(GENERAL_NAME *name)
 		}
 		case GEN_DIRNAME :
 			return openssl_x509_name2id(name->d.directoryName);
+		case GEN_OTHERNAME:
+			if (OBJ_obj2nid(name->d.otherName->type_id) == NID_ms_upn &&
+				name->d.otherName->value->type == V_ASN1_UTF8STRING)
+			{
+				return identification_create_from_encoding(ID_RFC822_ADDR,
+							openssl_asn1_str2chunk(
+								name->d.otherName->value->value.utf8string));
+			}
+			return NULL;
 		default:
 			return NULL;
 	}
@@ -286,10 +295,23 @@ METHOD(certificate_t, has_subject, id_match_t,
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
+	chunk_t encoding;
 
 	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		if (chunk_equals(this->hash, subject->get_encoding(subject)))
+		encoding = subject->get_encoding(subject);
+
+		if (chunk_equals(this->hash, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->subjectKeyIdentifier.len &&
+			chunk_equals(this->subjectKeyIdentifier, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->pubkey &&
+			this->pubkey->has_fingerprint(this->pubkey, encoding))
 		{
 			return ID_MATCH_PERFECT;
 		}
@@ -756,6 +778,38 @@ static bool parse_extensions(private_openssl_x509_t *this)
 }
 
 /**
+ * Parse ExtendedKeyUsage
+ */
+static void parse_extKeyUsage(private_openssl_x509_t *this)
+{
+	EXTENDED_KEY_USAGE *usage;
+	int i;
+
+	usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
+	if (usage)
+	{
+		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+		{
+			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+			{
+				case NID_server_auth:
+					this->flags |= X509_SERVER_AUTH;
+					break;
+				case NID_client_auth:
+					this->flags |= X509_CLIENT_AUTH;
+					break;
+				case NID_OCSP_sign:
+					this->flags |= X509_OCSP_SIGNER;
+					break;
+				default:
+					break;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+	}
+}
+
+/**
  * Parse a DER encoded x509 certificate
  */
 static bool parse_certificate(private_openssl_x509_t *this)
@@ -814,6 +868,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return TRUE;
 	}
+	parse_extKeyUsage(this);
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index adb8f08d1..46953f681 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index 9edea4bd3..06c20292f 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -78,8 +78,8 @@ static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
 		: "eax", "ecx", "edx", "esi", "edi");
 }
 
-/*
- * Implementation of crypter_t.crypt
+/**
+ * Do encryption/decryption operation using Padlock control word
  */
 static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  chunk_t src, chunk_t *dst, bool enc)
@@ -107,53 +107,44 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  src.len / AES_BLOCK_SIZE, iv_aligned);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
-						chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, decrypt, void,
+	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, TRUE);
 }
 
-
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data,
-							chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, FALSE);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_padlock_aes_crypter_t *this)
 {
 	return AES_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_padlock_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_padlock_aes_crypter_t *this)
 {
 	return this->key.len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_padlock_aes_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_padlock_aes_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
 }
 
-/**
- * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
- */
-static void destroy (private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_padlock_aes_crypter_t *this)
 {
 	free(this->key.ptr);
 	free(this);
@@ -171,29 +162,33 @@ padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_padlock_aes_crypter_t);
-
 	switch (key_size)
 	{
+		case 0:
+			key_size = 16;
+			/* FALL */
 		case 16:        /* AES 128 */
 			break;
 		case 24:        /* AES-192 */
 		case 32:        /* AES-256 */
 			/* These need an expanded key, currently not supported, FALL */
 		default:
-			free(this);
 			return NULL;
 	}
 
-	this->key = chunk_alloc(key_size);
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key = chunk_alloc(key_size),
+	);
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
index d4c7a7577..1c804860c 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
@@ -32,9 +32,9 @@ typedef struct padlock_aes_crypter_t padlock_aes_crypter_t;
 struct padlock_aes_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index c9606ae15..027c53c7b 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -101,10 +101,8 @@ static padlock_feature_t get_padlock_features()
 	return 0;
 }
 
-/**
- * Implementation of aes_plugin_t.destroy
- */
-static void destroy(private_padlock_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_padlock_plugin_t *this)
 {
 	if (this->features & PADLOCK_RNG_ENABLED)
 	{
@@ -133,11 +131,17 @@ static void destroy(private_padlock_plugin_t *this)
  */
 plugin_t *padlock_plugin_create()
 {
-	private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
+	private_padlock_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.features = get_padlock_features(),
+	);
 
-	this->features = get_padlock_features();
 	if (!this->features)
 	{
 		free(this);
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
index 8ff46081b..3d805df9d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.c
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -53,15 +53,15 @@ struct private_padlock_rng_t {
  */
 static void rng(char *buf, int len, int quality)
 {
-	while (len > 0)

+	while (len > 0)
 	{
 		int status;
 
 		/* run XSTORE until we have all bytes needed. We do not use REP, as
 		 * this should not be performance critical and it's easier this way. */
 		asm volatile (
-			".byte 0x0F,0xA7,0xC0 \n\t"

-			: "=D"(buf), "=a"(status)

+			".byte 0x0F,0xA7,0xC0 \n\t"
+			: "=D"(buf), "=a"(status)
 			: "d"(quality), "D"(buf));
 
 		/* bits[0..4] of status word contains the number of bytes read */
@@ -69,11 +69,8 @@ static void rng(char *buf, int len, int quality)
 	}
 }
 
-/**
- * Implementation of padlock_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_padlock_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	chunk->len = bytes;
 	/* padlock requires some additional bytes */
@@ -82,11 +79,8 @@ static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
 	rng(chunk->ptr, chunk->len, this->quality);
 }
 
-/**
- * Implementation of padlock_rng_t.get_bytes.
- */
-static void get_bytes(private_padlock_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_padlock_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	chunk_t chunk;
 
@@ -96,10 +90,8 @@ static void get_bytes(private_padlock_rng_t *this, size_t bytes,
 	chunk_clear(&chunk);
 }
 
-/**
- * Implementation of padlock_rng_t.destroy.
- */
-static void destroy(private_padlock_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_padlock_rng_t *this)
 {
 	free(this);
 }
@@ -109,11 +101,17 @@ static void destroy(private_padlock_rng_t *this)
  */
 padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 {
-	private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+	private_padlock_rng_t *this;
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* map RNG quality to Padlock quality factor */
 	switch (quality)
@@ -127,8 +125,10 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 		case RNG_TRUE:
 			this->quality = PADLOCK_QF3;
 			break;
+		default:
+			free(this);
+			return NULL;
 	}
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index 60b516675..66a077353 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -83,19 +83,14 @@ static void append_data(private_padlock_sha1_hasher_t *this, chunk_t data)
 	this->data.len += data.len;
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_padlock_sha1_hasher_t *this)
 {
 	chunk_free(&this->data);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_padlock_sha1_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	if (hash)
 	{
@@ -116,11 +111,8 @@ static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_padlock_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -133,18 +125,14 @@ static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_padlock_sha1_hasher_t *this)
 {
 	return HASH_SIZE_SHA1;
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_padlock_sha1_hasher_t *this)
 {
 	free(this->data.ptr);
 	free(this);
@@ -161,15 +149,16 @@ padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo)
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_padlock_sha1_hasher_t);
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
-	this->data = chunk_empty;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
index 740bdfe98..2d2b2b45d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
@@ -34,7 +34,7 @@ struct padlock_sha1_hasher_t {
 	/**
 	 * Implements hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index e19a66fa5..cf5acdd1c 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index a15c3f258..b760adda9 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -127,8 +127,8 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	}
 	crypter->set_key(crypter, key);
 
-	if (iv.len != crypter->get_block_size(crypter) ||
-		blob->len % iv.len)
+	if (iv.len != crypter->get_iv_size(crypter) ||
+		blob->len % crypter->get_block_size(crypter))
 	{
 		crypter->destroy(crypter);
 		DBG1(DBG_LIB, "  data size is not multiple of block size");
@@ -167,8 +167,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 /**
  * Converts a PEM encoded file into its binary form (RFC 1421, RFC 934)
  */
-static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data,
-						   bool *pgp)
+static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 {
 	typedef enum {
 		PEM_PRE    = 0,
@@ -187,9 +186,10 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	chunk_t dst    = *blob;
 	chunk_t line   = chunk_empty;
 	chunk_t iv     = chunk_empty;
-	chunk_t passphrase;
-	int try = 0;
 	u_char iv_buf[HASH_SIZE_MD5];
+	status_t status = NOT_FOUND;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
 
 	dst.len = 0;
 	iv.ptr = iv_buf;
@@ -326,36 +326,35 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	{
 		return SUCCESS;
 	}
-	if (!cb)
-	{
-		DBG1(DBG_LIB, "  missing passphrase");
-		return INVALID_ARG;
-	}
-	while (TRUE)
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+											SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
 	{
-		passphrase = cb(cb_data, ++try);
-		if (!passphrase.len || !passphrase.ptr)
+		chunk_t passphrase, chunk;
+
+		passphrase = shared->get_key(shared);
+		chunk = chunk_clone(*blob);
+		status = pem_decrypt(&chunk, alg, key_size, iv, passphrase);
+		if (status == SUCCESS)
 		{
-			return INVALID_ARG;
+			memcpy(blob->ptr, chunk.ptr, chunk.len);
+			blob->len = chunk.len;
 		}
-		switch (pem_decrypt(blob, alg, key_size, iv, passphrase))
-		{
-			case INVALID_ARG:
-				/* bad passphrase, retry */
-				continue;
-			case SUCCESS:
-				return SUCCESS;
-			default:
-				return FAILED;
+		free(chunk.ptr);
+		if (status != INVALID_ARG)
+		{	/* try again only if passphrase invalid */
+			break;
 		}
 	}
+	enumerator->destroy(enumerator);
+	return status;
 }
 
 /**
  * load the credential from a blob
  */
 static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
-							chunk_t(*cb)(void*,int), void *cb_data,
 							x509_flag_t flags)
 {
 	void *cred = NULL;
@@ -364,7 +363,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
 	blob = chunk_clone(blob);
 	if (!is_asn1(blob))
 	{
-		if (pem_to_bin(&blob, cb, cb_data, &pgp) != SUCCESS)
+		if (pem_to_bin(&blob, &pgp) != SUCCESS)
 		{
 			chunk_clear(&blob);
 			return NULL;
@@ -394,7 +393,6 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
  * load the credential from a file
  */
 static void *load_from_file(char *file, credential_type_t type, int subtype,
-							chunk_t(*cb)(void*,int), void *cb_data,
 							x509_flag_t flags)
 {
 	void *cred = NULL;
@@ -425,8 +423,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
 		return NULL;
 	}
 
-	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
-						  cb, cb_data, flags);
+	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype, flags);
 
 	munmap(addr, sb.st_size);
 	close(fd);
@@ -437,7 +434,6 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
  * load the credential from a file descriptor
  */
 static void *load_from_fd(int fd, credential_type_t type, int subtype,
-						  chunk_t(*cb)(void*,int), void *cb_data,
 						  x509_flag_t flags)
 {
 	char buf[8096];
@@ -464,20 +460,7 @@ static void *load_from_fd(int fd, credential_type_t type, int subtype,
 			return NULL;
 		}
 	}
-	return load_from_blob(chunk_create(buf, total), type, subtype,
-						  cb, cb_data, flags);
-}
-
-/**
- * passphrase callback to use if passphrase given
- */
-static chunk_t given_passphrase_cb(chunk_t *passphrase, int try)
-{
-	if (try > 1)
-	{	/* try only once for given passphrases */
-		return chunk_empty;
-	}
-	return *passphrase;
+	return load_from_blob(chunk_create(buf, total), type, subtype, flags);
 }
 
 /**
@@ -487,9 +470,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 {
 	char *file = NULL;
 	int fd = -1;
-	chunk_t pem = chunk_empty, passphrase = chunk_empty;
-	chunk_t (*cb)(void *data, int try) = NULL;
-	void *cb_data = NULL;
+	chunk_t pem = chunk_empty;
 	int flags = 0;
 
 	while (TRUE)
@@ -505,18 +486,6 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 			case BUILD_BLOB_PEM:
 				pem = va_arg(args, chunk_t);
 				continue;
-			case BUILD_PASSPHRASE:
-				passphrase = va_arg(args, chunk_t);
-				if (passphrase.len && passphrase.ptr)
-				{
-					cb = (void*)given_passphrase_cb;
-					cb_data = &passphrase;
-				}
-				continue;
-			case BUILD_PASSPHRASE_CALLBACK:
-				cb = va_arg(args, chunk_t(*)(void*,int));
-				cb_data = va_arg(args, void*);
-				continue;
 			case BUILD_X509_FLAG:
 				flags = va_arg(args, int);
 				continue;
@@ -530,15 +499,15 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 
 	if (pem.len)
 	{
-		return load_from_blob(pem, type, subtype, cb, cb_data, flags);
+		return load_from_blob(pem, type, subtype, flags);
 	}
 	if (file)
 	{
-		return load_from_file(file, type, subtype, cb, cb_data, flags);
+		return load_from_file(file, type, subtype, flags);
 	}
 	if (fd != -1)
 	{
-		return load_from_fd(fd, type, subtype, cb, cb_data, flags);
+		return load_from_fd(fd, type, subtype, flags);
 	}
 	return NULL;
 }
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index 810901b7a..83efb155b 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -57,49 +57,49 @@ plugin_t *pem_plugin_create()
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
 	/* register private key PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA, FALSE,
 							(builder_function_t)pem_private_key_load);
 
 	/* register public key PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA, FALSE,
 							(builder_function_t)pem_public_key_load);
 
 	/* register certificate PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pem_certificate_load);
 
 	/* register pluto specific certificate formats */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
 							(builder_function_t)pem_certificate_load);
 
 	/* register PEM encoder */
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index a5bc5eb39..0098147a9 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index 84c9bfddd..440e70a18 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -129,7 +129,7 @@ static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
 /**
  * Implementation of private_key_t.decrypt for signature-only keys
  */
-static bool decrypt_not_allowed(private_key_t *this,
+static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme,
 								chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "decryption failed - signature only key");
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index 3ed1faf01..41e0a5df6 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -60,16 +60,16 @@ plugin_t *pgp_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_private_key_load);
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pgp_cert_load);
 
 	lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 947f52d82..8b41499a7 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index 35ec2d2bf..d3afb5c67 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -56,11 +56,11 @@ plugin_t *pkcs1_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pkcs1_private_key_load);
 
 	lib->encoding->add_encoder(lib->encoding, pkcs1_encoder_encode);
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am
new file mode 100644
index 000000000..199039d95
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs11.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs11.la
+endif
+
+libstrongswan_pkcs11_la_SOURCES = \
+	pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
+	pkcs11_library.h pkcs11_library.c \
+	pkcs11_creds.h pkcs11_creds.c \
+	pkcs11_private_key.h pkcs11_private_key.c \
+	pkcs11_public_key.h pkcs11_public_key.c \
+	pkcs11_hasher.h pkcs11_hasher.c \
+	pkcs11_manager.h pkcs11_manager.c
+
+libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
new file mode 100644
index 000000000..c27310910
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -0,0 +1,614 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs11
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs11_la_LIBADD =
+am_libstrongswan_pkcs11_la_OBJECTS = pkcs11_plugin.lo \
+	pkcs11_library.lo pkcs11_creds.lo pkcs11_private_key.lo \
+	pkcs11_public_key.lo pkcs11_hasher.lo pkcs11_manager.lo
+libstrongswan_pkcs11_la_OBJECTS =  \
+	$(am_libstrongswan_pkcs11_la_OBJECTS)
+libstrongswan_pkcs11_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pkcs11_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs11_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs11_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs11.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs11.la
+libstrongswan_pkcs11_la_SOURCES = \
+	pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
+	pkcs11_library.h pkcs11_library.c \
+	pkcs11_creds.h pkcs11_creds.c \
+	pkcs11_private_key.h pkcs11_private_key.c \
+	pkcs11_public_key.h pkcs11_public_key.c \
+	pkcs11_hasher.h pkcs11_hasher.c \
+	pkcs11_manager.h pkcs11_manager.c
+
+libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) 
+	$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_library.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_public_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11.h b/src/libstrongswan/plugins/pkcs11/pkcs11.h
new file mode 100644
index 000000000..2e6a1e3ed
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11.h
@@ -0,0 +1,1357 @@
+/* pkcs11.h
+   Copyright 2006, 2007 g10 Code GmbH
+   Copyright 2006 Andreas Jellinghaus
+
+   This file is free software; as a special exception the author gives
+   unlimited permission to copy and/or distribute it, with or without
+   modifications, as long as this notice is preserved.
+
+   This file is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+   PURPOSE.  */
+
+/* Please submit changes back to the Scute project at
+   http://www.scute.org/ (or send them to marcus@g10code.com), so that
+   they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+   RSA Security Inc.  It is mostly a drop-in replacement, with the
+   following change:
+
+   This header file does not require any macro definitions by the user
+   (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+   for you (if useful, some are missing, let me know if you need
+   more).
+
+   There is an additional API available that does comply better to the
+   GNU coding standard.  It can be switched on by defining
+   CRYPTOKI_GNU before including this header file.  For this, the
+   following changes are made to the specification:
+
+   All structure types are changed to a "struct ck_foo" where CK_FOO
+   is the type name in PKCS #11.
+
+   All non-structure types are changed to ck_foo_t where CK_FOO is the
+   lowercase version of the type name in PKCS #11.  The basic types
+   (CK_ULONG et al.) are removed without substitute.
+
+   All members of structures are modified in the following way: Type
+   indication prefixes are removed, and underscore characters are
+   inserted before words.  Then the result is lowercased.
+
+   Note that function names are still in the original case, as they
+   need for ABI compatibility.
+
+   CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+   <stdbool.h>.
+
+   If CRYPTOKI_COMPAT is defined before including this header file,
+   then none of the API changes above take place, and the API is the
+   one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* The version of cryptoki we implement.  The revision is changed with
+   each modification of this file.  If you do not use the "official"
+   version of this file, please consider deleting the revision macro
+   (you may use a macro with a different name to keep track of your
+   versions).  */
+#define CRYPTOKI_VERSION_MAJOR		2
+#define CRYPTOKI_VERSION_MINOR		20
+#define CRYPTOKI_VERSION_REVISION	6
+
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+   given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif
+#endif
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else
+#define CK_SPEC __declspec(dllimport)
+#endif
+
+#else
+
+#define CK_SPEC
+
+#endif
+
+
+#ifdef CRYPTOKI_COMPAT
+  /* If we are in compatibility mode, switch all exposed names to the
+     PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info _CK_INFO
+#define cryptoki_version cryptokiVersion
+#define manufacturer_id manufacturerID
+#define library_description libraryDescription
+#define library_version libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t CK_SLOT_ID
+
+#define ck_slot_info _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info _CK_TOKEN_INFO
+#define serial_number serialNumber
+#define max_session_count ulMaxSessionCount
+#define session_count ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count ulRwSessionCount
+#define max_pin_len ulMaxPinLen
+#define min_pin_len ulMinPinLen
+#define total_public_memory ulTotalPublicMemory
+#define free_public_memory ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory ulFreePrivateMemory
+#define utc_time utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t CK_USER_TYPE
+#define ck_state_t CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id slotID
+#define device_error ulDeviceError
+
+#define ck_object_handle_t CK_OBJECT_HANDLE
+#define ck_object_class_t CK_OBJECT_CLASS
+#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
+#define ck_key_type_t CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value pValue
+#define value_len ulValueLen
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism _CK_MECHANISM
+#define parameter pParameter
+#define parameter_len ulParameterLen
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size ulMinKeySize
+#define max_key_size ulMaxKeySize
+
+#define ck_rv_t CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t CK_LOCKMUTEX
+#define ck_unlockmutex_t CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex CreateMutex
+#define destroy_mutex DestroyMutex
+#define lock_mutex LockMutex
+#define unlock_mutex UnlockMutex
+#define reserved pReserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version
+{
+  unsigned char major;
+  unsigned char minor;
+};
+
+
+struct ck_info
+{
+  struct ck_version cryptoki_version;
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  unsigned char library_description[32];
+  struct ck_version library_version;
+};
+
+
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER	(0)
+
+
+typedef unsigned long ck_slot_id_t;
+
+
+struct ck_slot_info
+{
+  unsigned char slot_description[64];
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+};
+
+
+#define CKF_TOKEN_PRESENT	(1 << 0)
+#define CKF_REMOVABLE_DEVICE	(1 << 1)
+#define CKF_HW_SLOT		(1 << 2)
+#define CKF_ARRAY_ATTRIBUTE	(1 << 30)
+
+
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsigned long max_pin_len;
+  unsigned long min_pin_len;
+  unsigned long total_public_memory;
+  unsigned long free_public_memory;
+  unsigned long total_private_memory;
+  unsigned long free_private_memory;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+  unsigned char utc_time[16];
+};
+
+
+#define CKF_RNG					(1 << 0)
+#define CKF_WRITE_PROTECTED			(1 << 1)
+#define CKF_LOGIN_REQUIRED			(1 << 2)
+#define CKF_USER_PIN_INITIALIZED		(1 << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED		(1 << 5)
+#define CKF_CLOCK_ON_TOKEN			(1 << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH	(1 << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS		(1 << 9)
+#define CKF_TOKEN_INITIALIZED			(1 << 10)
+#define CKF_SECONDARY_AUTHENTICATION		(1 << 11)
+#define CKF_USER_PIN_COUNT_LOW			(1 << 16)
+#define CKF_USER_PIN_FINAL_TRY			(1 << 17)
+#define CKF_USER_PIN_LOCKED			(1 << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED		(1 << 19)
+#define CKF_SO_PIN_COUNT_LOW			(1 << 20)
+#define CKF_SO_PIN_FINAL_TRY			(1 << 21)
+#define CKF_SO_PIN_LOCKED			(1 << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED		(1 << 23)
+
+#define CK_UNAVAILABLE_INFORMATION	((unsigned long) -1)
+#define CK_EFFECTIVELY_INFINITE		(0)
+
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE	(0)
+
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO			(0)
+#define CKU_USER		(1)
+#define CKU_CONTEXT_SPECIFIC	(2)
+
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION	(0)
+#define CKS_RO_USER_FUNCTIONS	(1)
+#define CKS_RW_PUBLIC_SESSION	(2)
+#define CKS_RW_USER_FUNCTIONS	(3)
+#define CKS_RW_SO_FUNCTIONS	(4)
+
+
+struct ck_session_info
+{
+  ck_slot_id_t slot_id;
+  ck_state_t state;
+  ck_flags_t flags;
+  unsigned long device_error;
+};
+
+#define CKF_RW_SESSION		(1 << 1)
+#define CKF_SERIAL_SESSION	(1 << 2)
+
+
+typedef unsigned long ck_object_handle_t;
+
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA		(0)
+#define CKO_CERTIFICATE		(1)
+#define CKO_PUBLIC_KEY		(2)
+#define CKO_PRIVATE_KEY		(3)
+#define CKO_SECRET_KEY		(4)
+#define CKO_HW_FEATURE		(5)
+#define CKO_DOMAIN_PARAMETERS	(6)
+#define CKO_MECHANISM		(7)
+#define CKO_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER	(1)
+#define CKH_CLOCK		(2)
+#define CKH_USER_INTERFACE	(3)
+#define CKH_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA			(0)
+#define CKK_DSA			(1)
+#define CKK_DH			(2)
+#define CKK_ECDSA		(3)
+#define CKK_EC			(3)
+#define CKK_X9_42_DH		(4)
+#define CKK_KEA			(5)
+#define CKK_GENERIC_SECRET	(0x10)
+#define CKK_RC2			(0x11)
+#define CKK_RC4			(0x12)
+#define CKK_DES			(0x13)
+#define CKK_DES2		(0x14)
+#define CKK_DES3		(0x15)
+#define CKK_CAST		(0x16)
+#define CKK_CAST3		(0x17)
+#define CKK_CAST128		(0x18)
+#define CKK_RC5			(0x19)
+#define CKK_IDEA		(0x1a)
+#define CKK_SKIPJACK		(0x1b)
+#define CKK_BATON		(0x1c)
+#define CKK_JUNIPER		(0x1d)
+#define CKK_CDMF		(0x1e)
+#define CKK_AES			(0x1f)
+#define CKK_BLOWFISH		(0x20)
+#define CKK_TWOFISH		(0x21)
+#define CKK_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509		(0)
+#define CKC_X_509_ATTR_CERT	(1)
+#define CKC_WTLS		(2)
+#define CKC_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS			(0)
+#define CKA_TOKEN			(1)
+#define CKA_PRIVATE			(2)
+#define CKA_LABEL			(3)
+#define CKA_APPLICATION			(0x10)
+#define CKA_VALUE			(0x11)
+#define CKA_OBJECT_ID			(0x12)
+#define CKA_CERTIFICATE_TYPE		(0x80)
+#define CKA_ISSUER			(0x81)
+#define CKA_SERIAL_NUMBER		(0x82)
+#define CKA_AC_ISSUER			(0x83)
+#define CKA_OWNER			(0x84)
+#define CKA_ATTR_TYPES			(0x85)
+#define CKA_TRUSTED			(0x86)
+#define CKA_CERTIFICATE_CATEGORY	(0x87)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN	(0x88)
+#define CKA_URL				(0x89)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY	(0x8a)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY	(0x8b)
+#define CKA_CHECK_VALUE			(0x90)
+#define CKA_KEY_TYPE			(0x100)
+#define CKA_SUBJECT			(0x101)
+#define CKA_ID				(0x102)
+#define CKA_SENSITIVE			(0x103)
+#define CKA_ENCRYPT			(0x104)
+#define CKA_DECRYPT			(0x105)
+#define CKA_WRAP			(0x106)
+#define CKA_UNWRAP			(0x107)
+#define CKA_SIGN			(0x108)
+#define CKA_SIGN_RECOVER		(0x109)
+#define CKA_VERIFY			(0x10a)
+#define CKA_VERIFY_RECOVER		(0x10b)
+#define CKA_DERIVE			(0x10c)
+#define CKA_START_DATE			(0x110)
+#define CKA_END_DATE			(0x111)
+#define CKA_MODULUS			(0x120)
+#define CKA_MODULUS_BITS		(0x121)
+#define CKA_PUBLIC_EXPONENT		(0x122)
+#define CKA_PRIVATE_EXPONENT		(0x123)
+#define CKA_PRIME_1			(0x124)
+#define CKA_PRIME_2			(0x125)
+#define CKA_EXPONENT_1			(0x126)
+#define CKA_EXPONENT_2			(0x127)
+#define CKA_COEFFICIENT			(0x128)
+#define CKA_PRIME			(0x130)
+#define CKA_SUBPRIME			(0x131)
+#define CKA_BASE			(0x132)
+#define CKA_PRIME_BITS			(0x133)
+#define CKA_SUB_PRIME_BITS		(0x134)
+#define CKA_VALUE_BITS			(0x160)
+#define CKA_VALUE_LEN			(0x161)
+#define CKA_EXTRACTABLE			(0x162)
+#define CKA_LOCAL			(0x163)
+#define CKA_NEVER_EXTRACTABLE		(0x164)
+#define CKA_ALWAYS_SENSITIVE		(0x165)
+#define CKA_KEY_GEN_MECHANISM		(0x166)
+#define CKA_MODIFIABLE			(0x170)
+#define CKA_ECDSA_PARAMS		(0x180)
+#define CKA_EC_PARAMS			(0x180)
+#define CKA_EC_POINT			(0x181)
+#define CKA_SECONDARY_AUTH		(0x200)
+#define CKA_AUTH_PIN_FLAGS		(0x201)
+#define CKA_ALWAYS_AUTHENTICATE		(0x202)
+#define CKA_WRAP_WITH_TRUSTED		(0x210)
+#define CKA_HW_FEATURE_TYPE		(0x300)
+#define CKA_RESET_ON_INIT		(0x301)
+#define CKA_HAS_RESET			(0x302)
+#define CKA_PIXEL_X			(0x400)
+#define CKA_PIXEL_Y			(0x401)
+#define CKA_RESOLUTION			(0x402)
+#define CKA_CHAR_ROWS			(0x403)
+#define CKA_CHAR_COLUMNS		(0x404)
+#define CKA_COLOR			(0x405)
+#define CKA_BITS_PER_PIXEL		(0x406)
+#define CKA_CHAR_SETS			(0x480)
+#define CKA_ENCODING_METHODS		(0x481)
+#define CKA_MIME_TYPES			(0x482)
+#define CKA_MECHANISM_TYPE		(0x500)
+#define CKA_REQUIRED_CMS_ATTRIBUTES	(0x501)
+#define CKA_DEFAULT_CMS_ATTRIBUTES	(0x502)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES	(0x503)
+#define CKA_WRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x211)
+#define CKA_UNWRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_ALLOWED_MECHANISMS		(CKF_ARRAY_ATTRIBUTE | 0x600)
+#define CKA_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_attribute
+{
+  ck_attribute_type_t type;
+  void *value;
+  unsigned long value_len;
+};
+
+
+struct ck_date
+{
+  unsigned char year[4];
+  unsigned char month[2];
+  unsigned char day[2];
+};
+
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN	(0)
+#define CKM_RSA_PKCS			(1)
+#define CKM_RSA_9796			(2)
+#define CKM_RSA_X_509			(3)
+#define CKM_MD2_RSA_PKCS		(4)
+#define CKM_MD5_RSA_PKCS		(5)
+#define CKM_SHA1_RSA_PKCS		(6)
+#define CKM_RIPEMD128_RSA_PKCS		(7)
+#define CKM_RIPEMD160_RSA_PKCS		(8)
+#define CKM_RSA_PKCS_OAEP		(9)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN	(0xa)
+#define CKM_RSA_X9_31			(0xb)
+#define CKM_SHA1_RSA_X9_31		(0xc)
+#define CKM_RSA_PKCS_PSS		(0xd)
+#define CKM_SHA1_RSA_PKCS_PSS		(0xe)
+#define CKM_DSA_KEY_PAIR_GEN		(0x10)
+#define	CKM_DSA				(0x11)
+#define CKM_DSA_SHA1			(0x12)
+#define CKM_DH_PKCS_KEY_PAIR_GEN	(0x20)
+#define CKM_DH_PKCS_DERIVE		(0x21)
+#define	CKM_X9_42_DH_KEY_PAIR_GEN	(0x30)
+#define CKM_X9_42_DH_DERIVE		(0x31)
+#define CKM_X9_42_DH_HYBRID_DERIVE	(0x32)
+#define CKM_X9_42_MQV_DERIVE		(0x33)
+#define CKM_SHA256_RSA_PKCS		(0x40)
+#define CKM_SHA384_RSA_PKCS		(0x41)
+#define CKM_SHA512_RSA_PKCS		(0x42)
+#define CKM_SHA256_RSA_PKCS_PSS		(0x43)
+#define CKM_SHA384_RSA_PKCS_PSS		(0x44)
+#define CKM_SHA512_RSA_PKCS_PSS		(0x45)
+#define CKM_RC2_KEY_GEN			(0x100)
+#define CKM_RC2_ECB			(0x101)
+#define	CKM_RC2_CBC			(0x102)
+#define	CKM_RC2_MAC			(0x103)
+#define CKM_RC2_MAC_GENERAL		(0x104)
+#define CKM_RC2_CBC_PAD			(0x105)
+#define CKM_RC4_KEY_GEN			(0x110)
+#define CKM_RC4				(0x111)
+#define CKM_DES_KEY_GEN			(0x120)
+#define CKM_DES_ECB			(0x121)
+#define CKM_DES_CBC			(0x122)
+#define CKM_DES_MAC			(0x123)
+#define CKM_DES_MAC_GENERAL		(0x124)
+#define CKM_DES_CBC_PAD			(0x125)
+#define CKM_DES2_KEY_GEN		(0x130)
+#define CKM_DES3_KEY_GEN		(0x131)
+#define CKM_DES3_ECB			(0x132)
+#define CKM_DES3_CBC			(0x133)
+#define CKM_DES3_MAC			(0x134)
+#define CKM_DES3_MAC_GENERAL		(0x135)
+#define CKM_DES3_CBC_PAD		(0x136)
+#define CKM_CDMF_KEY_GEN		(0x140)
+#define CKM_CDMF_ECB			(0x141)
+#define CKM_CDMF_CBC			(0x142)
+#define CKM_CDMF_MAC			(0x143)
+#define CKM_CDMF_MAC_GENERAL		(0x144)
+#define CKM_CDMF_CBC_PAD		(0x145)
+#define CKM_MD2				(0x200)
+#define CKM_MD2_HMAC			(0x201)
+#define CKM_MD2_HMAC_GENERAL		(0x202)
+#define CKM_MD5				(0x210)
+#define CKM_MD5_HMAC			(0x211)
+#define CKM_MD5_HMAC_GENERAL		(0x212)
+#define CKM_SHA_1			(0x220)
+#define CKM_SHA_1_HMAC			(0x221)
+#define CKM_SHA_1_HMAC_GENERAL		(0x222)
+#define CKM_RIPEMD128			(0x230)
+#define CKM_RIPEMD128_HMAC		(0x231)
+#define CKM_RIPEMD128_HMAC_GENERAL	(0x232)
+#define CKM_RIPEMD160			(0x240)
+#define CKM_RIPEMD160_HMAC		(0x241)
+#define CKM_RIPEMD160_HMAC_GENERAL	(0x242)
+#define CKM_SHA256			(0x250)
+#define CKM_SHA256_HMAC			(0x251)
+#define CKM_SHA256_HMAC_GENERAL		(0x252)
+#define CKM_SHA384			(0x260)
+#define CKM_SHA384_HMAC			(0x261)
+#define CKM_SHA384_HMAC_GENERAL		(0x262)
+#define CKM_SHA512			(0x270)
+#define CKM_SHA512_HMAC			(0x271)
+#define CKM_SHA512_HMAC_GENERAL		(0x272)
+#define CKM_CAST_KEY_GEN		(0x300)
+#define CKM_CAST_ECB			(0x301)
+#define CKM_CAST_CBC			(0x302)
+#define CKM_CAST_MAC			(0x303)
+#define CKM_CAST_MAC_GENERAL		(0x304)
+#define CKM_CAST_CBC_PAD		(0x305)
+#define CKM_CAST3_KEY_GEN		(0x310)
+#define CKM_CAST3_ECB			(0x311)
+#define CKM_CAST3_CBC			(0x312)
+#define CKM_CAST3_MAC			(0x313)
+#define CKM_CAST3_MAC_GENERAL		(0x314)
+#define CKM_CAST3_CBC_PAD		(0x315)
+#define CKM_CAST5_KEY_GEN		(0x320)
+#define CKM_CAST128_KEY_GEN		(0x320)
+#define CKM_CAST5_ECB			(0x321)
+#define CKM_CAST128_ECB			(0x321)
+#define CKM_CAST5_CBC			(0x322)
+#define CKM_CAST128_CBC			(0x322)
+#define CKM_CAST5_MAC			(0x323)
+#define	CKM_CAST128_MAC			(0x323)
+#define CKM_CAST5_MAC_GENERAL		(0x324)
+#define CKM_CAST128_MAC_GENERAL		(0x324)
+#define CKM_CAST5_CBC_PAD		(0x325)
+#define CKM_CAST128_CBC_PAD		(0x325)
+#define CKM_RC5_KEY_GEN			(0x330)
+#define CKM_RC5_ECB			(0x331)
+#define CKM_RC5_CBC			(0x332)
+#define CKM_RC5_MAC			(0x333)
+#define CKM_RC5_MAC_GENERAL		(0x334)
+#define CKM_RC5_CBC_PAD			(0x335)
+#define CKM_IDEA_KEY_GEN		(0x340)
+#define CKM_IDEA_ECB			(0x341)
+#define	CKM_IDEA_CBC			(0x342)
+#define CKM_IDEA_MAC			(0x343)
+#define CKM_IDEA_MAC_GENERAL		(0x344)
+#define CKM_IDEA_CBC_PAD		(0x345)
+#define CKM_GENERIC_SECRET_KEY_GEN	(0x350)
+#define CKM_CONCATENATE_BASE_AND_KEY	(0x360)
+#define CKM_CONCATENATE_BASE_AND_DATA	(0x362)
+#define CKM_CONCATENATE_DATA_AND_BASE	(0x363)
+#define CKM_XOR_BASE_AND_DATA		(0x364)
+#define CKM_EXTRACT_KEY_FROM_KEY	(0x365)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN	(0x370)
+#define CKM_SSL3_MASTER_KEY_DERIVE	(0x371)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE	(0x372)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH	(0x373)
+#define CKM_TLS_PRE_MASTER_KEY_GEN	(0x374)
+#define CKM_TLS_MASTER_KEY_DERIVE	(0x375)
+#define CKM_TLS_KEY_AND_MAC_DERIVE	(0x376)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH	(0x377)
+#define CKM_SSL3_MD5_MAC		(0x380)
+#define CKM_SSL3_SHA1_MAC		(0x381)
+#define CKM_MD5_KEY_DERIVATION		(0x390)
+#define CKM_MD2_KEY_DERIVATION		(0x391)
+#define CKM_SHA1_KEY_DERIVATION		(0x392)
+#define CKM_PBE_MD2_DES_CBC		(0x3a0)
+#define CKM_PBE_MD5_DES_CBC		(0x3a1)
+#define CKM_PBE_MD5_CAST_CBC		(0x3a2)
+#define CKM_PBE_MD5_CAST3_CBC		(0x3a3)
+#define CKM_PBE_MD5_CAST5_CBC		(0x3a4)
+#define CKM_PBE_MD5_CAST128_CBC		(0x3a4)
+#define CKM_PBE_SHA1_CAST5_CBC		(0x3a5)
+#define CKM_PBE_SHA1_CAST128_CBC	(0x3a5)
+#define CKM_PBE_SHA1_RC4_128		(0x3a6)
+#define CKM_PBE_SHA1_RC4_40		(0x3a7)
+#define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8)
+#define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9)
+#define CKM_PBE_SHA1_RC2_128_CBC	(0x3aa)
+#define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
+#define CKM_PKCS5_PBKD2			(0x3b0)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC	(0x3c0)
+#define CKM_KEY_WRAP_LYNKS		(0x400)
+#define CKM_KEY_WRAP_SET_OAEP		(0x401)
+#define CKM_SKIPJACK_KEY_GEN		(0x1000)
+#define CKM_SKIPJACK_ECB64		(0x1001)
+#define CKM_SKIPJACK_CBC64		(0x1002)
+#define CKM_SKIPJACK_OFB64		(0x1003)
+#define CKM_SKIPJACK_CFB64		(0x1004)
+#define CKM_SKIPJACK_CFB32		(0x1005)
+#define CKM_SKIPJACK_CFB16		(0x1006)
+#define CKM_SKIPJACK_CFB8		(0x1007)
+#define CKM_SKIPJACK_WRAP		(0x1008)
+#define CKM_SKIPJACK_PRIVATE_WRAP	(0x1009)
+#define CKM_SKIPJACK_RELAYX		(0x100a)
+#define CKM_KEA_KEY_PAIR_GEN		(0x1010)
+#define CKM_KEA_KEY_DERIVE		(0x1011)
+#define CKM_FORTEZZA_TIMESTAMP		(0x1020)
+#define CKM_BATON_KEY_GEN		(0x1030)
+#define CKM_BATON_ECB128		(0x1031)
+#define CKM_BATON_ECB96			(0x1032)
+#define CKM_BATON_CBC128		(0x1033)
+#define CKM_BATON_COUNTER		(0x1034)
+#define CKM_BATON_SHUFFLE		(0x1035)
+#define CKM_BATON_WRAP			(0x1036)
+#define CKM_ECDSA_KEY_PAIR_GEN		(0x1040)
+#define CKM_EC_KEY_PAIR_GEN		(0x1040)
+#define CKM_ECDSA			(0x1041)
+#define CKM_ECDSA_SHA1			(0x1042)
+#define CKM_ECDH1_DERIVE		(0x1050)
+#define CKM_ECDH1_COFACTOR_DERIVE	(0x1051)
+#define CKM_ECMQV_DERIVE		(0x1052)
+#define CKM_JUNIPER_KEY_GEN		(0x1060)
+#define CKM_JUNIPER_ECB128		(0x1061)
+#define CKM_JUNIPER_CBC128		(0x1062)
+#define CKM_JUNIPER_COUNTER		(0x1063)
+#define CKM_JUNIPER_SHUFFLE		(0x1064)
+#define CKM_JUNIPER_WRAP		(0x1065)
+#define CKM_FASTHASH			(0x1070)
+#define CKM_AES_KEY_GEN			(0x1080)
+#define CKM_AES_ECB			(0x1081)
+#define CKM_AES_CBC			(0x1082)
+#define CKM_AES_MAC			(0x1083)
+#define CKM_AES_MAC_GENERAL		(0x1084)
+#define CKM_AES_CBC_PAD			(0x1085)
+#define CKM_DSA_PARAMETER_GEN		(0x2000)
+#define CKM_DH_PKCS_PARAMETER_GEN	(0x2001)
+#define CKM_X9_42_DH_PARAMETER_GEN	(0x2002)
+#define CKM_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_mechanism
+{
+  ck_mechanism_type_t mechanism;
+  void *parameter;
+  unsigned long parameter_len;
+};
+
+
+struct ck_mechanism_info
+{
+  unsigned long min_key_size;
+  unsigned long max_key_size;
+  ck_flags_t flags;
+};
+
+#define CKF_HW			(1 << 0)
+#define CKF_ENCRYPT		(1 << 8)
+#define CKF_DECRYPT		(1 << 9)
+#define CKF_DIGEST		(1 << 10)
+#define CKF_SIGN		(1 << 11)
+#define CKF_SIGN_RECOVER	(1 << 12)
+#define CKF_VERIFY		(1 << 13)
+#define CKF_VERIFY_RECOVER	(1 << 14)
+#define CKF_GENERATE		(1 << 15)
+#define CKF_GENERATE_KEY_PAIR	(1 << 16)
+#define CKF_WRAP		(1 << 17)
+#define CKF_UNWRAP		(1 << 18)
+#define CKF_DERIVE		(1 << 19)
+#define CKF_EXTENSION		((unsigned long) (1 << 31))
+
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK				(1)
+
+
+typedef unsigned long ck_rv_t;
+
+
+typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
+				ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)	\
+typedef ck_rv_t (*CK_ ## name) args;		\
+ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
+_CK_DECLARE_FUNCTION (C_GetFunctionList,
+		      (struct ck_function_list **function_list));
+
+_CK_DECLARE_FUNCTION (C_GetSlotList,
+		      (unsigned char token_present, ck_slot_id_t *slot_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetSlotInfo,
+		      (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION (C_GetTokenInfo,
+		      (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
+		      (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION (C_GetMechanismList,
+		      (ck_slot_id_t slot_id,
+		       ck_mechanism_type_t *mechanism_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
+		      (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+		       struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION (C_InitToken,
+		      (ck_slot_id_t slot_id, unsigned char *pin,
+		       unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION (C_InitPIN,
+		      (ck_session_handle_t session, unsigned char *pin,
+		       unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_SetPIN,
+		      (ck_session_handle_t session, unsigned char *old_pin,
+		       unsigned long old_len, unsigned char *new_pin,
+		       unsigned long new_len));
+
+_CK_DECLARE_FUNCTION (C_OpenSession,
+		      (ck_slot_id_t slot_id, ck_flags_t flags,
+		       void *application, ck_notify_t notify,
+		       ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION (C_GetSessionInfo,
+		      (ck_session_handle_t session,
+		       struct ck_session_info *info));
+_CK_DECLARE_FUNCTION (C_GetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION (C_SetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long operation_state_len,
+		       ck_object_handle_t encryption_key,
+		       ck_object_handle_t authentiation_key));
+_CK_DECLARE_FUNCTION (C_Login,
+		      (ck_session_handle_t session, ck_user_type_t user_type,
+		       unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_CreateObject,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION (C_CopyObject,
+		      (ck_session_handle_t session, ck_object_handle_t object,
+		       struct ck_attribute *templ, unsigned long count,
+		       ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION (C_DestroyObject,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object));
+_CK_DECLARE_FUNCTION (C_GetObjectSize,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       unsigned long *size));
+_CK_DECLARE_FUNCTION (C_GetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_SetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjectsInit,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjects,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t *object,
+		       unsigned long max_object_count,
+		       unsigned long *object_count));
+_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
+		      (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_EncryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Encrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *encrypted_data,
+		       unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION (C_EncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_EncryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_encrypted_part,
+		       unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION (C_DecryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Decrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_data,
+		       unsigned long encrypted_data_len,
+		       unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION (C_DecryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part, unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_DecryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_part,
+		       unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION (C_DigestInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION (C_Digest,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+_CK_DECLARE_FUNCTION (C_DigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_DigestKey,
+		      (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_DigestFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION (C_SignInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Sign,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_SignFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_SignRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION (C_VerifyInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Verify,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_VerifyFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_VerifyRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len,
+		       unsigned char *data,
+		       unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION (C_GenerateKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *templ,
+		       unsigned long count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *public_key_template,
+		       unsigned long public_key_attribute_count,
+		       struct ck_attribute *private_key_template,
+		       unsigned long private_key_attribute_count,
+		       ck_object_handle_t *public_key,
+		       ck_object_handle_t *private_key));
+_CK_DECLARE_FUNCTION (C_WrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t wrapping_key,
+		       ck_object_handle_t key,
+		       unsigned char *wrapped_key,
+		       unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION (C_UnwrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t unwrapping_key,
+		       unsigned char *wrapped_key,
+		       unsigned long wrapped_key_len,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_DeriveKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t base_key,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION (C_SeedRandom,
+		      (ck_session_handle_t session, unsigned char *seed,
+		       unsigned long seed_len));
+_CK_DECLARE_FUNCTION (C_GenerateRandom,
+		      (ck_session_handle_t session,
+		       unsigned char *random_data,
+		       unsigned long random_len));
+
+_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
+
+
+struct ck_function_list
+{
+  struct ck_version version;
+  CK_C_Initialize C_Initialize;
+  CK_C_Finalize C_Finalize;
+  CK_C_GetInfo C_GetInfo;
+  CK_C_GetFunctionList C_GetFunctionList;
+  CK_C_GetSlotList C_GetSlotList;
+  CK_C_GetSlotInfo C_GetSlotInfo;
+  CK_C_GetTokenInfo C_GetTokenInfo;
+  CK_C_GetMechanismList C_GetMechanismList;
+  CK_C_GetMechanismInfo C_GetMechanismInfo;
+  CK_C_InitToken C_InitToken;
+  CK_C_InitPIN C_InitPIN;
+  CK_C_SetPIN C_SetPIN;
+  CK_C_OpenSession C_OpenSession;
+  CK_C_CloseSession C_CloseSession;
+  CK_C_CloseAllSessions C_CloseAllSessions;
+  CK_C_GetSessionInfo C_GetSessionInfo;
+  CK_C_GetOperationState C_GetOperationState;
+  CK_C_SetOperationState C_SetOperationState;
+  CK_C_Login C_Login;
+  CK_C_Logout C_Logout;
+  CK_C_CreateObject C_CreateObject;
+  CK_C_CopyObject C_CopyObject;
+  CK_C_DestroyObject C_DestroyObject;
+  CK_C_GetObjectSize C_GetObjectSize;
+  CK_C_GetAttributeValue C_GetAttributeValue;
+  CK_C_SetAttributeValue C_SetAttributeValue;
+  CK_C_FindObjectsInit C_FindObjectsInit;
+  CK_C_FindObjects C_FindObjects;
+  CK_C_FindObjectsFinal C_FindObjectsFinal;
+  CK_C_EncryptInit C_EncryptInit;
+  CK_C_Encrypt C_Encrypt;
+  CK_C_EncryptUpdate C_EncryptUpdate;
+  CK_C_EncryptFinal C_EncryptFinal;
+  CK_C_DecryptInit C_DecryptInit;
+  CK_C_Decrypt C_Decrypt;
+  CK_C_DecryptUpdate C_DecryptUpdate;
+  CK_C_DecryptFinal C_DecryptFinal;
+  CK_C_DigestInit C_DigestInit;
+  CK_C_Digest C_Digest;
+  CK_C_DigestUpdate C_DigestUpdate;
+  CK_C_DigestKey C_DigestKey;
+  CK_C_DigestFinal C_DigestFinal;
+  CK_C_SignInit C_SignInit;
+  CK_C_Sign C_Sign;
+  CK_C_SignUpdate C_SignUpdate;
+  CK_C_SignFinal C_SignFinal;
+  CK_C_SignRecoverInit C_SignRecoverInit;
+  CK_C_SignRecover C_SignRecover;
+  CK_C_VerifyInit C_VerifyInit;
+  CK_C_Verify C_Verify;
+  CK_C_VerifyUpdate C_VerifyUpdate;
+  CK_C_VerifyFinal C_VerifyFinal;
+  CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+  CK_C_VerifyRecover C_VerifyRecover;
+  CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+  CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+  CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+  CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+  CK_C_GenerateKey C_GenerateKey;
+  CK_C_GenerateKeyPair C_GenerateKeyPair;
+  CK_C_WrapKey C_WrapKey;
+  CK_C_UnwrapKey C_UnwrapKey;
+  CK_C_DeriveKey C_DeriveKey;
+  CK_C_SeedRandom C_SeedRandom;
+  CK_C_GenerateRandom C_GenerateRandom;
+  CK_C_GetFunctionStatus C_GetFunctionStatus;
+  CK_C_CancelFunction C_CancelFunction;
+  CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
+
+
+struct ck_c_initialize_args
+{
+  ck_createmutex_t create_mutex;
+  ck_destroymutex_t destroy_mutex;
+  ck_lockmutex_t lock_mutex;
+  ck_unlockmutex_t unlock_mutex;
+  ck_flags_t flags;
+  void *reserved;
+};
+
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS	(1 << 0)
+#define CKF_OS_LOCKING_OK			(1 << 1)
+
+#define CKR_OK					(0)
+#define CKR_CANCEL				(1)
+#define CKR_HOST_MEMORY				(2)
+#define CKR_SLOT_ID_INVALID			(3)
+#define CKR_GENERAL_ERROR			(5)
+#define CKR_FUNCTION_FAILED			(6)
+#define CKR_ARGUMENTS_BAD			(7)
+#define CKR_NO_EVENT				(8)
+#define CKR_NEED_TO_CREATE_THREADS		(9)
+#define CKR_CANT_LOCK				(0xa)
+#define CKR_ATTRIBUTE_READ_ONLY			(0x10)
+#define CKR_ATTRIBUTE_SENSITIVE			(0x11)
+#define CKR_ATTRIBUTE_TYPE_INVALID		(0x12)
+#define CKR_ATTRIBUTE_VALUE_INVALID		(0x13)
+#define CKR_DATA_INVALID			(0x20)
+#define CKR_DATA_LEN_RANGE			(0x21)
+#define CKR_DEVICE_ERROR			(0x30)
+#define CKR_DEVICE_MEMORY			(0x31)
+#define CKR_DEVICE_REMOVED			(0x32)
+#define CKR_ENCRYPTED_DATA_INVALID		(0x40)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE		(0x41)
+#define CKR_FUNCTION_CANCELED			(0x50)
+#define CKR_FUNCTION_NOT_PARALLEL		(0x51)
+#define CKR_FUNCTION_NOT_SUPPORTED		(0x54)
+#define CKR_KEY_HANDLE_INVALID			(0x60)
+#define CKR_KEY_SIZE_RANGE			(0x62)
+#define CKR_KEY_TYPE_INCONSISTENT		(0x63)
+#define CKR_KEY_NOT_NEEDED			(0x64)
+#define CKR_KEY_CHANGED				(0x65)
+#define CKR_KEY_NEEDED				(0x66)
+#define CKR_KEY_INDIGESTIBLE			(0x67)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED		(0x68)
+#define CKR_KEY_NOT_WRAPPABLE			(0x69)
+#define CKR_KEY_UNEXTRACTABLE			(0x6a)
+#define CKR_MECHANISM_INVALID			(0x70)
+#define CKR_MECHANISM_PARAM_INVALID		(0x71)
+#define CKR_OBJECT_HANDLE_INVALID		(0x82)
+#define CKR_OPERATION_ACTIVE			(0x90)
+#define CKR_OPERATION_NOT_INITIALIZED		(0x91)
+#define CKR_PIN_INCORRECT			(0xa0)
+#define CKR_PIN_INVALID				(0xa1)
+#define CKR_PIN_LEN_RANGE			(0xa2)
+#define CKR_PIN_EXPIRED				(0xa3)
+#define CKR_PIN_LOCKED				(0xa4)
+#define CKR_SESSION_CLOSED			(0xb0)
+#define CKR_SESSION_COUNT			(0xb1)
+#define CKR_SESSION_HANDLE_INVALID		(0xb3)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED	(0xb4)
+#define CKR_SESSION_READ_ONLY			(0xb5)
+#define CKR_SESSION_EXISTS			(0xb6)
+#define CKR_SESSION_READ_ONLY_EXISTS		(0xb7)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS	(0xb8)
+#define CKR_SIGNATURE_INVALID			(0xc0)
+#define CKR_SIGNATURE_LEN_RANGE			(0xc1)
+#define CKR_TEMPLATE_INCOMPLETE			(0xd0)
+#define CKR_TEMPLATE_INCONSISTENT		(0xd1)
+#define CKR_TOKEN_NOT_PRESENT			(0xe0)
+#define CKR_TOKEN_NOT_RECOGNIZED		(0xe1)
+#define CKR_TOKEN_WRITE_PROTECTED		(0xe2)
+#define	CKR_UNWRAPPING_KEY_HANDLE_INVALID	(0xf0)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE		(0xf1)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT	(0xf2)
+#define CKR_USER_ALREADY_LOGGED_IN		(0x100)
+#define CKR_USER_NOT_LOGGED_IN			(0x101)
+#define CKR_USER_PIN_NOT_INITIALIZED		(0x102)
+#define CKR_USER_TYPE_INVALID			(0x103)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN	(0x104)
+#define CKR_USER_TOO_MANY_TYPES			(0x105)
+#define CKR_WRAPPED_KEY_INVALID			(0x110)
+#define CKR_WRAPPED_KEY_LEN_RANGE		(0x112)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID		(0x113)
+#define CKR_WRAPPING_KEY_SIZE_RANGE		(0x114)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT	(0x115)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED		(0x120)
+#define CKR_RANDOM_NO_RNG			(0x121)
+#define CKR_DOMAIN_PARAMS_INVALID		(0x130)
+#define CKR_BUFFER_TOO_SMALL			(0x150)
+#define CKR_SAVED_STATE_INVALID			(0x160)
+#define CKR_INFORMATION_SENSITIVE		(0x170)
+#define CKR_STATE_UNSAVEABLE			(0x180)
+#define CKR_CRYPTOKI_NOT_INITIALIZED		(0x190)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED	(0x191)
+#define CKR_MUTEX_BAD				(0x1a0)
+#define CKR_MUTEX_NOT_LOCKED			(0x1a1)
+#define CKR_FUNCTION_REJECTED			(0x200)
+#define CKR_VENDOR_DEFINED			((unsigned long) (1 << 31))
+
+
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char CK_BYTE;
+typedef unsigned char CK_CHAR;
+typedef unsigned char CK_UTF8CHAR;
+typedef unsigned char CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int CK_LONG;
+typedef CK_BYTE *CK_BYTE_PTR;
+typedef CK_CHAR *CK_CHAR_PTR;
+typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
+typedef CK_ULONG *CK_ULONG_PTR;
+typedef void *CK_VOID_PTR;
+typedef void **CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+#endif
+
+typedef struct ck_version CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list CK_FUNCTION_LIST;
+typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+#define NULL_PTR NULL
+
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif	/* PKCS11_H */
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
new file mode 100644
index 000000000..1b1448c6a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_creds.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
+
+/**
+ * Private data of an pkcs11_creds_t object.
+ */
+struct private_pkcs11_creds_t {
+
+	/**
+	 * Public pkcs11_creds_t interface.
+	 */
+	pkcs11_creds_t public;
+
+	/**
+	 * PKCS# library
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Token slot
+	 */
+	CK_SLOT_ID slot;
+
+	/**
+	 * List of trusted certificates
+	 */
+	linked_list_t *trusted;
+
+	/**
+	 * List of untrusted certificates
+	 */
+	linked_list_t *untrusted;
+};
+
+/**
+ * Find certificates, optionally trusted
+ */
+static void find_certificates(private_pkcs11_creds_t *this,
+							  CK_SESSION_HANDLE session, CK_BBOOL trusted)
+{
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+		{CKA_TRUSTED, &trusted, sizeof(trusted)},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_VALUE, NULL, 0},
+		{CKA_LABEL, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	linked_list_t *raw;
+	certificate_t *cert;
+	struct {
+		chunk_t value;
+		chunk_t label;
+	} *entry;
+
+	raw = linked_list_create();
+	enumerator = this->lib->create_object_enumerator(this->lib,
+							session, tmpl, countof(tmpl), attr, countof(attr));
+	while (enumerator->enumerate(enumerator, &object))
+	{
+		entry = malloc(sizeof(*entry));
+		entry->value = chunk_clone(
+							chunk_create(attr[0].pValue, attr[0].ulValueLen));
+		entry->label = chunk_clone(
+							chunk_create(attr[1].pValue, attr[1].ulValueLen));
+		raw->insert_last(raw, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	while (raw->remove_first(raw, (void**)&entry) == SUCCESS)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							BUILD_BLOB_ASN1_DER, entry->value,
+							BUILD_END);
+		if (cert)
+		{
+			DBG1(DBG_CFG, "    loaded %strusted cert '%.*s'",
+				 trusted ? "" : "un", entry->label.len, entry->label.ptr);
+			/* trusted certificates are also returned as untrusted */
+			this->untrusted->insert_last(this->untrusted, cert);
+			if (trusted)
+			{
+				this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "    loading cert '%.*s' failed",
+				 entry->label.len, entry->label.ptr);
+		}
+		free(entry->value.ptr);
+		free(entry->label.ptr);
+		free(entry);
+	}
+	raw->destroy(raw);
+}
+
+/**
+ * Load in the certificates from the token
+ */
+static bool load_certificates(private_pkcs11_creds_t *this)
+{
+	CK_SESSION_HANDLE session;
+	CK_RV rv;
+
+	rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION,
+									 NULL, NULL, &session);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "opening session failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+
+	find_certificates(this, session, CK_TRUE);
+	find_certificates(this, session, CK_FALSE);
+
+	this->lib->f->C_CloseSession(session);
+	return TRUE;
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(identification_t *id,
+						 certificate_t **in, certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = *in;
+
+	if (id == NULL || cert->has_subject(cert, id))
+	{
+		*out = *in;
+		return TRUE;
+	}
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		if (public->has_fingerprint(public, id->get_encoding(id)))
+		{
+			public->destroy(public);
+			*out = *in;
+			return TRUE;
+		}
+		public->destroy(public);
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs11_creds_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	enumerator_t *inner;
+
+	if (cert != CERT_X509 && cert != CERT_ANY)
+	{
+		return NULL;
+	}
+	if (trusted)
+	{
+		inner = this->trusted->create_enumerator(this->trusted);
+	}
+	else
+	{
+		inner = this->untrusted->create_enumerator(this->untrusted);
+	}
+	return enumerator_create_filter(inner, (void*)certs_filter, id, NULL);
+}
+
+METHOD(pkcs11_creds_t, get_library, pkcs11_library_t*,
+	private_pkcs11_creds_t *this)
+{
+	return this->lib;
+}
+
+METHOD(pkcs11_creds_t, get_slot, CK_SLOT_ID,
+	private_pkcs11_creds_t *this)
+{
+	return this->slot;
+}
+
+METHOD(pkcs11_creds_t, destroy, void,
+	private_pkcs11_creds_t *this)
+{
+	this->trusted->destroy_offset(this->trusted,
+								offsetof(certificate_t, destroy));
+	this->untrusted->destroy_offset(this->untrusted,
+								offsetof(certificate_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
+{
+	private_pkcs11_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)enumerator_create_empty,
+				.create_private_enumerator = (void*)enumerator_create_empty,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_cdp_enumerator  = (void*)enumerator_create_empty,
+				.cache_cert = (void*)nop,
+			},
+			.get_library = _get_library,
+			.get_slot = _get_slot,
+			.destroy = _destroy,
+		},
+		.lib = p11,
+		.slot = slot,
+		.trusted = linked_list_create(),
+		.untrusted = linked_list_create(),
+	);
+
+	if (!load_certificates(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
new file mode 100644
index 000000000..c40a8dea6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_creds pkcs11_creds
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_CREDS_H_
+#define PKCS11_CREDS_H_
+
+typedef struct pkcs11_creds_t pkcs11_creds_t;
+
+#include "pkcs11_library.h"
+
+#include <credentials/credential_manager.h>
+
+/**
+ * Credential set on top on a PKCS#11 token.
+ */
+struct pkcs11_creds_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Get the PKCS#11 library this set uses.
+	 *
+	 * @return		library
+	 */
+	pkcs11_library_t* (*get_library)(pkcs11_creds_t *this);
+
+	/**
+	 * Get the slot of the token this set uses.
+	 *
+	 * @return		slot
+	 */
+	CK_SLOT_ID (*get_slot)(pkcs11_creds_t *this);
+
+	/**
+	 * Destroy a pkcs11_creds_t.
+	 */
+	void (*destroy)(pkcs11_creds_t *this);
+};
+
+/**
+ * Create a pkcs11_creds instance.
+ *
+ * @param p11			loaded PKCS#11 library
+ * @param slot			slot of the token we hand out credentials
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
+
+#endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
new file mode 100644
index 000000000..6d327be40
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_hasher.h"
+
+#include <unistd.h>
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+#include "pkcs11_manager.h"
+
+typedef struct private_pkcs11_hasher_t private_pkcs11_hasher_t;
+
+/**
+ * Private data of an pkcs11_hasher_t object.
+ */
+struct private_pkcs11_hasher_t {
+
+	/**
+	 * Public pkcs11_hasher_t interface.
+	 */
+	pkcs11_hasher_t public;
+
+	/**
+	 * PKCS#11 library
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Mechanism for this hasher
+	 */
+	CK_MECHANISM_PTR mech;
+
+	/**
+	 * Token session
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * size of the hash
+	 */
+	size_t size;
+
+	/**
+	 * Mutex to lock the tokens hashing engine
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * do we have an initialized state?
+	 */
+	bool have_state;
+
+	/**
+	 * state buffer
+	 */
+	CK_BYTE_PTR state;
+
+	/**
+	 * Length of the state buffer
+	 */
+	CK_ULONG state_len;
+};
+
+METHOD(hasher_t, get_hash_size, size_t,
+	private_pkcs11_hasher_t *this)
+{
+	return this->size;
+}
+
+/**
+ * Save the Operation state to host memory
+ */
+static void save_state(private_pkcs11_hasher_t *this)
+{
+	CK_RV rv;
+
+	while (TRUE)
+	{
+		if (!this->state)
+		{
+			rv = this->lib->f->C_GetOperationState(this->session, NULL,
+												   &this->state_len);
+			if (rv != CKR_OK)
+			{
+				break;
+			}
+			this->state = malloc(this->state_len);
+		}
+		rv = this->lib->f->C_GetOperationState(this->session, this->state,
+											   &this->state_len);
+		switch (rv)
+		{
+			case CKR_BUFFER_TOO_SMALL:
+				free(this->state);
+				this->state = NULL;
+				continue;
+			case CKR_OK:
+				this->have_state = TRUE;
+				return;
+			default:
+				break;
+		}
+		break;
+	}
+	DBG1(DBG_CFG, "C_GetOperationState() failed: %N", ck_rv_names, rv);
+	abort();
+}
+
+/**
+ * Load the Operation state from host memory
+ */
+static void load_state(private_pkcs11_hasher_t *this)
+{
+	CK_RV rv;
+
+	rv = this->lib->f->C_SetOperationState(this->session, this->state,
+						this->state_len, CK_INVALID_HANDLE, CK_INVALID_HANDLE);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_SetOperationState() failed: %N", ck_rv_names, rv);
+		abort();
+	}
+	this->have_state = FALSE;
+}
+
+METHOD(hasher_t, reset, void,
+	private_pkcs11_hasher_t *this)
+{
+	this->have_state = FALSE;
+}
+
+METHOD(hasher_t, get_hash, void,
+	private_pkcs11_hasher_t *this, chunk_t chunk, u_int8_t *hash)
+{
+	CK_RV rv;
+	CK_ULONG len;
+
+	this->mutex->lock(this->mutex);
+	if (this->have_state)
+	{
+		load_state(this);
+	}
+	else
+	{
+		rv = this->lib->f->C_DigestInit(this->session, this->mech);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestInit() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	if (chunk.len)
+	{
+		rv = this->lib->f->C_DigestUpdate(this->session, chunk.ptr, chunk.len);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestUpdate() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	if (hash)
+	{
+		len = this->size;
+		rv = this->lib->f->C_DigestFinal(this->session,
+								hash, &len);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestFinal() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	else
+	{
+		save_state(this);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(hasher_t, allocate_hash, void,
+	private_pkcs11_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(this->size);
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);
+	}
+}
+
+METHOD(hasher_t, destroy, void,
+	private_pkcs11_hasher_t *this)
+{
+	this->lib->f->C_CloseSession(this->session);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Get the Cryptoki mechanism for a hash algorithm
+ */
+static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+{
+	static struct {
+		hash_algorithm_t algo;
+		CK_MECHANISM mechanism;
+		size_t size;
+	} mappings[] = {
+		{HASH_MD2,		{CKM_MD2,		NULL, 0},	HASH_SIZE_MD2},
+		{HASH_MD5,		{CKM_MD5,		NULL, 0},	HASH_SIZE_MD5},
+		{HASH_SHA1,		{CKM_SHA_1,		NULL, 0},	HASH_SIZE_SHA1},
+		{HASH_SHA256,	{CKM_SHA256,	NULL, 0},	HASH_SIZE_SHA256},
+		{HASH_SHA384,	{CKM_SHA384,	NULL, 0},	HASH_SIZE_SHA384},
+		{HASH_SHA512,	{CKM_SHA512,	NULL, 0},	HASH_SIZE_SHA512},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].algo == algo)
+		{
+			*size = mappings[i].size;
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Find a token we can use for a hash algorithm
+ */
+static pkcs11_library_t* find_token(hash_algorithm_t algo,
+			CK_SESSION_HANDLE *session, CK_MECHANISM_PTR *mout, size_t *size)
+{
+	enumerator_t *tokens, *mechs;
+	pkcs11_manager_t *manager;
+	pkcs11_library_t *current, *found = NULL;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_PTR mech;
+	CK_SLOT_ID slot;
+
+	mech = algo_to_mechanism(algo, size);
+	if (!mech)
+	{
+		return NULL;
+	}
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	tokens = manager->create_token_enumerator(manager);
+	while (tokens->enumerate(tokens, &current, &slot))
+	{
+		mechs = current->create_mechanism_enumerator(current, slot);
+		while (mechs->enumerate(mechs, &type, NULL))
+		{
+			if (type == mech->mechanism)
+			{
+				if (current->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
+											  NULL, NULL, session) == CKR_OK)
+				{
+					found = current;
+					*mout = mech;
+					break;
+				}
+			}
+		}
+		mechs->destroy(mechs);
+		if (found)
+		{
+			break;
+		}
+	}
+	tokens->destroy(tokens);
+	return found;
+}
+
+/**
+ * See header
+ */
+pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo)
+{
+	private_pkcs11_hasher_t *this;
+
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.destroy = _destroy,
+			},
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->lib = find_token(algo, &this->session, &this->mech, &this->size);
+	if (!this->lib)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
new file mode 100644
index 000000000..9c55d463e
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_hasher pkcs11_hasher
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_HASHER_H_
+#define PKCS11_HASHER_H_
+
+#include <crypto/hashers/hasher.h>
+
+typedef struct pkcs11_hasher_t pkcs11_hasher_t;
+
+/**
+ * Hash implementation using a PKCS#11 token.
+ */
+struct pkcs11_hasher_t {
+
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher;
+};
+
+/**
+ * Creates a PKCS#11 based hasher.
+ *
+ * @param algo		hash algorithm
+ * @return			hasher, NULL if not supported
+ */
+pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo);
+
+#endif /** PKCS11_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
new file mode 100644
index 000000000..9fb1b7769
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -0,0 +1,869 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_library.h"
+
+#include <dlfcn.h>
+
+#include <library.h>
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_library_t private_pkcs11_library_t;
+
+
+ENUM_BEGIN(ck_rv_names, CKR_OK, CKR_CANT_LOCK,
+	"OK",
+	"CANCEL",
+	"HOST_MEMORY",
+	"SLOT_ID_INVALID",
+	"(0x04)",
+	"GENERAL_ERROR",
+	"FUNCTION_FAILED",
+	"ARGUMENTS_BAD",
+	"NO_EVENT",
+	"NEED_TO_CREATE_THREADS",
+	"CANT_LOCK");
+ENUM_NEXT(ck_rv_names, CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID,
+		CKR_CANT_LOCK,
+	"ATTRIBUTE_READ_ONLY",
+	"ATTRIBUTE_SENSITIVE",
+	"ATTRIBUTE_TYPE_INVALID",
+	"ATTRIBUTE_VALUE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_DATA_INVALID, CKR_DATA_LEN_RANGE,
+		CKR_ATTRIBUTE_VALUE_INVALID,
+	"DATA_INVALID"
+	"DATA_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED,
+		CKR_DATA_LEN_RANGE,
+	"DEVICE_ERROR",
+	"DEVICE_MEMORY",
+	"DEVICE_REMOVED");
+ENUM_NEXT(ck_rv_names, CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE,
+		CKR_DEVICE_REMOVED,
+	"ENCRYPTED_DATA_INVALID",
+	"ENCRYPTED_DATA_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED,
+		CKR_ENCRYPTED_DATA_LEN_RANGE,
+	"FUNCTION_CANCELED",
+	"FUNCTION_NOT_PARALLEL",
+	"(0x52)",
+	"(0x53)",
+	"FUNCTION_NOT_SUPPORTED");
+ENUM_NEXT(ck_rv_names, CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE,
+		CKR_FUNCTION_NOT_SUPPORTED,
+	"KEY_HANDLE_INVALID",
+	"(0x61)",
+	"KEY_SIZE_RANGE",
+	"KEY_TYPE_INCONSISTENT",
+	"KEY_NOT_NEEDED",
+	"KEY_CHANGED",
+	"KEY_NEEDED",
+	"KEY_INDIGESTIBLE",
+	"KEY_FUNCTION_NOT_PERMITTED",
+	"KEY_NOT_WRAPPABLE",
+	"KEY_UNEXTRACTABLE");
+ENUM_NEXT(ck_rv_names, CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID,
+		CKR_KEY_UNEXTRACTABLE,
+	"MECHANISM_INVALID",
+	"MECHANISM_PARAM_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID,
+		CKR_MECHANISM_PARAM_INVALID,
+	"OBJECT_HANDLE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED,
+		CKR_OBJECT_HANDLE_INVALID,
+	"OPERATION_ACTIVE",
+	"OPERATION_NOT_INITIALIZED");
+ENUM_NEXT(ck_rv_names, CKR_PIN_INCORRECT, CKR_PIN_LOCKED,
+		CKR_OPERATION_NOT_INITIALIZED,
+	"PIN_INCORRECT",
+	"PIN_INVALID",
+	"PIN_LEN_RANGE",
+	"PIN_EXPIRED",
+	"PIN_LOCKED");
+ENUM_NEXT(ck_rv_names, CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS,
+		CKR_PIN_LOCKED,
+	"SESSION_CLOSED",
+	"SESSION_COUNT",
+	"(0xb2)",
+	"SESSION_HANDLE_INVALID",
+	"SESSION_PARALLEL_NOT_SUPPORTED",
+	"SESSION_READ_ONLY",
+	"SESSION_EXISTS",
+	"SESSION_READ_ONLY_EXISTS",
+	"SESSION_READ_WRITE_SO_EXISTS");
+ENUM_NEXT(ck_rv_names, CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE,
+		CKR_SESSION_READ_WRITE_SO_EXISTS,
+	"SIGNATURE_INVALID",
+	"SIGNATURE_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT,
+		CKR_SIGNATURE_LEN_RANGE,
+	"TEMPLATE_INCOMPLETE",
+	"TEMPLATE_INCONSISTENT",
+);
+ENUM_NEXT(ck_rv_names, CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED,
+		CKR_TEMPLATE_INCONSISTENT,
+	"TOKEN_NOT_PRESENT",
+	"TOKEN_NOT_RECOGNIZED",
+	"TOKEN_WRITE_PROTECTED");
+ENUM_NEXT(ck_rv_names, CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT,
+		CKR_TOKEN_WRITE_PROTECTED,
+	"UNWRAPPING_KEY_HANDLE_INVALID",
+	"UNWRAPPING_KEY_SIZE_RANGE",
+	"UNWRAPPING_KEY_TYPE_INCONSISTENT");
+ENUM_NEXT(ck_rv_names, CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES,
+		CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT,
+	"USER_ALREADY_LOGGED_IN",
+	"USER_NOT_LOGGED_IN",
+	"USER_PIN_NOT_INITIALIZED",
+	"USER_TYPE_INVALID",
+	"USER_ANOTHER_ALREADY_LOGGED_IN",
+	"USER_TOO_MANY_TYPES");
+ENUM_NEXT(ck_rv_names, CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT,
+		CKR_USER_TOO_MANY_TYPES,
+	"WRAPPED_KEY_INVALID",
+	"(0x111)",
+	"WRAPPED_KEY_LEN_RANGE",
+	"WRAPPING_KEY_HANDLE_INVALID",
+	"WRAPPING_KEY_SIZE_RANGE",
+	"WRAPPING_KEY_TYPE_INCONSISTENT");
+ENUM_NEXT(ck_rv_names, CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG,
+		CKR_WRAPPING_KEY_TYPE_INCONSISTENT,
+	"RANDOM_SEED_NOT_SUPPORTED",
+	"RANDOM_NO_RNG");
+ENUM_NEXT(ck_rv_names, CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID,
+		CKR_RANDOM_NO_RNG,
+	"DOMAIN_PARAMS_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL,
+		CKR_DOMAIN_PARAMS_INVALID,
+	"BUFFER_TOO_SMALL");
+ENUM_NEXT(ck_rv_names, CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID,
+		CKR_BUFFER_TOO_SMALL,
+	"SAVED_STATE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE,
+		CKR_SAVED_STATE_INVALID,
+	"INFORMATION_SENSITIVE");
+ENUM_NEXT(ck_rv_names, CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE,
+		CKR_INFORMATION_SENSITIVE,
+	"STATE_UNSAVEABLE");
+ENUM_NEXT(ck_rv_names, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED,
+		CKR_STATE_UNSAVEABLE,
+	"CRYPTOKI_NOT_INITIALIZED",
+	"CRYPTOKI_ALREADY_INITIALIZED");
+ENUM_NEXT(ck_rv_names, CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED,
+		CKR_CRYPTOKI_ALREADY_INITIALIZED,
+	"MUTEX_BAD",
+	"MUTEX_NOT_LOCKED");
+ENUM_NEXT(ck_rv_names, CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED,
+		CKR_MUTEX_NOT_LOCKED,
+	"FUNCTION_REJECTED");
+ENUM_END(ck_rv_names, CKR_FUNCTION_REJECTED);
+
+
+ENUM_BEGIN(ck_mech_names, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_DSA_SHA1,
+	"RSA_PKCS_KEY_PAIR_GEN",
+	"RSA_PKCS",
+	"RSA_9796",
+	"RSA_X_509",
+	"MD2_RSA_PKCS",
+	"MD5_RSA_PKCS",
+	"SHA1_RSA_PKCS",
+	"RIPEMD128_RSA_PKCS",
+	"RIPEMD160_RSA_PKCS",
+	"RSA_PKCS_OAEP",
+	"RSA_X9_31_KEY_PAIR_GEN",
+	"RSA_X9_31",
+	"SHA1_RSA_X9_31",
+	"RSA_PKCS_PSS",
+	"SHA1_RSA_PKCS_PSS",
+	"(0xf)",
+	"DSA_KEY_PAIR_GEN",
+	"DSA",
+	"DSA_SHA1");
+ENUM_NEXT(ck_mech_names, CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE,
+		CKM_DSA_SHA1,
+	"DH_PKCS_KEY_PAIR_GEN",
+	"DH_PKCS_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_MQV_DERIVE,
+		CKM_DH_PKCS_DERIVE,
+	"X9_42_DH_KEY_PAIR_GEN",
+	"X9_42_DH_DERIVE",
+	"X9_42_DH_HYBRID_DERIVE",
+	"X9_42_MQV_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_SHA256_RSA_PKCS, CKM_SHA512_RSA_PKCS_PSS,
+		CKM_X9_42_MQV_DERIVE,
+	"SHA256_RSA_PKCS",
+	"SHA384_RSA_PKCS",
+	"SHA512_RSA_PKCS",
+	"SHA256_RSA_PKCS_PSS",
+	"SHA384_RSA_PKCS_PSS",
+	"SHA512_RSA_PKCS_PSS");
+ENUM_NEXT(ck_mech_names, CKM_RC2_KEY_GEN, CKM_RC2_CBC_PAD,
+		CKM_SHA512_RSA_PKCS_PSS,
+	"RC2_KEY_GEN",
+	"RC2_ECB",
+	"RC2_CBC",
+	"RC2_MAC",
+	"RC2_MAC_GENERAL",
+	"RC2_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_RC4_KEY_GEN, CKM_RC4,
+		CKM_RC2_CBC_PAD,
+	"RC4_KEY_GEN",
+	"RC4");
+ENUM_NEXT(ck_mech_names, CKM_DES_KEY_GEN, CKM_DES_CBC_PAD,
+		CKM_RC4,
+	"DES_KEY_GEN",
+	"DES_ECB",
+	"DES_CBC",
+	"DES_MAC",
+	"DES_MAC_GENERAL",
+	"DES_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_DES2_KEY_GEN, CKM_DES3_CBC_PAD,
+		CKM_DES_CBC_PAD,
+	"DES2_KEY_GEN",
+	"DES3_KEY_GEN",
+	"DES3_ECB",
+	"DES3_CBC",
+	"DES3_MAC",
+	"DES3_MAC_GENERAL",
+	"DES3_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CDMF_KEY_GEN, CKM_CDMF_CBC_PAD,
+		CKM_DES3_CBC_PAD,
+	"CDMF_KEY_GEN",
+	"CDMF_ECB",
+	"CDMF_CBC",
+	"CDMF_MAC",
+	"CDMF_MAC_GENERAL",
+	"CDMF_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_MD2, CKM_MD2_HMAC_GENERAL,
+		CKM_CDMF_CBC_PAD,
+	"MD2",
+	"MD2_HMAC",
+	"MD2_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_MD5, CKM_MD5_HMAC_GENERAL,
+		CKM_MD2_HMAC_GENERAL,
+	"MD5",
+	"MD5_HMAC",
+	"MD5_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA_1, CKM_SHA_1_HMAC_GENERAL,
+		CKM_MD5_HMAC_GENERAL,
+	"SHA_1",
+	"SHA_1_HMAC",
+	"SHA_1_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_RIPEMD128, CKM_RIPEMD128_HMAC_GENERAL,
+		CKM_SHA_1_HMAC_GENERAL,
+	"RIPEMD128",
+	"RIPEMD128_HMAC",
+	"RIPEMD128_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_RIPEMD160, CKM_RIPEMD160_HMAC_GENERAL,
+		CKM_RIPEMD128_HMAC_GENERAL,
+	"RIPEMD160",
+	"RIPEMD160_HMAC",
+	"RIPEMD160_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA256, CKM_SHA256_HMAC_GENERAL,
+		CKM_RIPEMD160_HMAC_GENERAL,
+	"SHA256",
+	"SHA256_HMAC",
+	"SHA256_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA384, CKM_SHA384_HMAC_GENERAL,
+		CKM_SHA256_HMAC_GENERAL,
+	"SHA384",
+	"SHA384_HMAC",
+	"SHA384_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA512, CKM_SHA512_HMAC_GENERAL,
+		CKM_SHA384_HMAC_GENERAL	,
+	"SHA512",
+	"SHA512_HMAC",
+	"SHA512_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_CAST_KEY_GEN, CKM_CAST_CBC_PAD,
+		CKM_SHA512_HMAC_GENERAL,
+	"CAST_KEY_GEN",
+	"CAST_ECB",
+	"CAST_CBC",
+	"CAST_MAC",
+	"CAST_MAC_GENERAL",
+	"CAST_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CAST3_KEY_GEN, CKM_CAST3_CBC_PAD,
+		CKM_CAST_CBC_PAD,
+	"CAST3_KEY_GEN",
+	"CAST3_ECB",
+	"CAST3_CBC",
+	"CAST3_MAC",
+	"CAST3_MAC_GENERAL",
+	"CAST3_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CAST128_KEY_GEN, CKM_CAST128_CBC_PAD,
+		CKM_CAST3_CBC_PAD,
+	"CAST128_KEY_GEN",
+	"CAST128_ECB",
+	"CAST128_CBC",
+	"CAST128_MAC",
+	"CAST128_MAC_GENERAL",
+	"CAST128_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_RC5_KEY_GEN, CKM_RC5_CBC_PAD,
+		CKM_CAST128_CBC_PAD,
+	"RC5_KEY_GEN",
+	"RC5_ECB",
+	"RC5_CBC",
+	"RC5_MAC",
+	"RC5_MAC_GENERAL",
+	"RC5_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_IDEA_KEY_GEN, CKM_IDEA_CBC_PAD,
+		CKM_RC5_CBC_PAD,
+	"IDEA_KEY_GEN",
+	"IDEA_ECB",
+	"IDEA_CBC",
+	"IDEA_MAC",
+	"IDEA_MAC_GENERAL",
+	"IDEA_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_GENERIC_SECRET_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN,
+		CKM_IDEA_CBC_PAD,
+	"GENERIC_SECRET_KEY_GEN");
+ENUM_NEXT(ck_mech_names, CKM_CONCATENATE_BASE_AND_KEY, CKM_EXTRACT_KEY_FROM_KEY,
+		CKM_GENERIC_SECRET_KEY_GEN,
+	"CONCATENATE_BASE_AND_KEY",
+	"(0x361)",
+	"CONCATENATE_BASE_AND_DATA",
+	"CONCATENATE_DATA_AND_BASE",
+	"XOR_BASE_AND_DATA",
+	"EXTRACT_KEY_FROM_KEY");
+ENUM_NEXT(ck_mech_names, CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_MASTER_KEY_DERIVE_DH,
+		CKM_EXTRACT_KEY_FROM_KEY,
+	"SSL3_PRE_MASTER_KEY_GEN",
+	"SSL3_MASTER_KEY_DERIVE",
+	"SSL3_KEY_AND_MAC_DERIVE",
+	"SSL3_MASTER_KEY_DERIVE_DH",
+	"TLS_PRE_MASTER_KEY_GEN",
+	"TLS_MASTER_KEY_DERIVE",
+	"TLS_KEY_AND_MAC_DERIVE",
+	"TLS_MASTER_KEY_DERIVE_DH");
+ENUM_NEXT(ck_mech_names, CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC,
+		CKM_TLS_MASTER_KEY_DERIVE_DH,
+	"SSL3_MD5_MAC",
+	"SSL3_SHA1_MAC");
+ENUM_NEXT(ck_mech_names, CKM_MD5_KEY_DERIVATION, CKM_SHA1_KEY_DERIVATION,
+		CKM_SSL3_SHA1_MAC,
+	"MD5_KEY_DERIVATION",
+	"MD2_KEY_DERIVATION",
+	"SHA1_KEY_DERIVATION");
+ENUM_NEXT(ck_mech_names, CKM_PBE_MD2_DES_CBC, CKM_PBE_SHA1_RC2_40_CBC,
+		CKM_SHA1_KEY_DERIVATION,
+	"PBE_MD2_DES_CBC",
+	"PBE_MD5_DES_CBC",
+	"PBE_MD5_CAST_CBC",
+	"PBE_MD5_CAST3_CBC",
+	"PBE_MD5_CAST128_CBC",
+	"PBE_SHA1_CAST128_CBC",
+	"PBE_SHA1_RC4_128",
+	"PBE_SHA1_RC4_40",
+	"PBE_SHA1_DES3_EDE_CBC",
+	"PBE_SHA1_DES2_EDE_CBC",
+	"PBE_SHA1_RC2_128_CBC",
+	"PBE_SHA1_RC2_40_CBC");
+ENUM_NEXT(ck_mech_names, CKM_PKCS5_PBKD2, CKM_PKCS5_PBKD2,
+		CKM_PBE_SHA1_RC2_40_CBC,
+	"PKCS5_PBKD2");
+ENUM_NEXT(ck_mech_names, CKM_PBA_SHA1_WITH_SHA1_HMAC, CKM_PBA_SHA1_WITH_SHA1_HMAC,
+		CKM_PKCS5_PBKD2,
+	"PBA_SHA1_WITH_SHA1_HMAC");
+ENUM_NEXT(ck_mech_names, CKM_KEY_WRAP_LYNKS, CKM_KEY_WRAP_SET_OAEP,
+		CKM_PBA_SHA1_WITH_SHA1_HMAC,
+	"KEY_WRAP_LYNKS",
+	"KEY_WRAP_SET_OAEP");
+ENUM_NEXT(ck_mech_names, CKM_SKIPJACK_KEY_GEN, CKM_SKIPJACK_RELAYX,
+		CKM_KEY_WRAP_SET_OAEP,
+	"SKIPJACK_KEY_GEN",
+	"SKIPJACK_ECB64",
+	"SKIPJACK_CBC64",
+	"SKIPJACK_OFB64",
+	"SKIPJACK_CFB64",
+	"SKIPJACK_CFB32",
+	"SKIPJACK_CFB16",
+	"SKIPJACK_CFB8",
+	"SKIPJACK_WRAP",
+	"SKIPJACK_PRIVATE_WRAP",
+	"SKIPJACK_RELAYX");
+ENUM_NEXT(ck_mech_names, CKM_KEA_KEY_PAIR_GEN, CKM_KEA_KEY_DERIVE,
+		CKM_SKIPJACK_RELAYX,
+	"KEA_KEY_PAIR_GEN",
+	"KEA_KEY_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_FORTEZZA_TIMESTAMP, CKM_FORTEZZA_TIMESTAMP,
+		CKM_KEA_KEY_DERIVE,
+	"FORTEZZA_TIMESTAMP");
+ENUM_NEXT(ck_mech_names, CKM_BATON_KEY_GEN, CKM_BATON_WRAP,
+		CKM_FORTEZZA_TIMESTAMP,
+	"BATON_KEY_GEN",
+	"BATON_ECB128",
+	"BATON_ECB96",
+	"BATON_CBC128",
+	"BATON_COUNTER",
+	"BATON_SHUFFLE",
+	"BATON_WRAP");
+ENUM_NEXT(ck_mech_names, CKM_ECDSA_KEY_PAIR_GEN, CKM_ECDSA_SHA1,
+		CKM_BATON_WRAP,
+	"ECDSA_KEY_PAIR_GEN",
+	"ECDSA",
+	"ECDSA_SHA1");
+ENUM_NEXT(ck_mech_names, CKM_ECDH1_DERIVE, CKM_ECMQV_DERIVE,
+		CKM_ECDSA_SHA1,
+	"ECDH1_DERIVE",
+	"ECDH1_COFACTOR_DERIVE",
+	"ECMQV_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_JUNIPER_KEY_GEN, CKM_JUNIPER_WRAP,
+		CKM_ECMQV_DERIVE,
+	"JUNIPER_KEY_GEN",
+	"JUNIPER_ECB128",
+	"JUNIPER_CBC128",
+	"JUNIPER_COUNTER",
+	"JUNIPER_SHUFFLE",
+	"JUNIPER_WRAP");
+ENUM_NEXT(ck_mech_names, CKM_FASTHASH, CKM_FASTHASH,
+		CKM_JUNIPER_WRAP,
+	"FASTHASH");
+ENUM_NEXT(ck_mech_names, CKM_AES_KEY_GEN, CKM_AES_CBC_PAD,
+		CKM_FASTHASH,
+	"AES_KEY_GEN",
+	"AES_ECB",
+	"AES_CBC",
+	"AES_MAC",
+	"AES_MAC_GENERAL",
+	"AES_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_DSA_PARAMETER_GEN, CKM_X9_42_DH_PARAMETER_GEN,
+		CKM_AES_CBC_PAD,
+	"DSA_PARAMETER_GEN",
+	"DH_PKCS_PARAMETER_GEN",
+	"X9_42_DH_PARAMETER_GEN");
+ENUM_END(ck_mech_names, CKM_X9_42_DH_PARAMETER_GEN);
+
+/**
+ * Private data of an pkcs11_library_t object.
+ */
+struct private_pkcs11_library_t {
+
+	/**
+	 * Public pkcs11_library_t interface.
+	 */
+	pkcs11_library_t public;
+
+	/**
+	 * dlopen() handle
+	 */
+	void *handle;
+
+	/**
+	 * Name as passed to the constructor
+	 */
+	char *name;
+};
+
+METHOD(pkcs11_library_t, get_name, char*,
+	private_pkcs11_library_t *this)
+{
+	return this->name;
+}
+
+/**
+ * Object enumerator
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* session */
+	CK_SESSION_HANDLE session;
+	/* pkcs11 library */
+	pkcs11_library_t *lib;
+	/* attributes to retreive */
+	CK_ATTRIBUTE_PTR attr;
+	/* number of attributes */
+	CK_ULONG count;
+	/* currently allocated attributes, to free */
+	linked_list_t *freelist;
+} object_enumerator_t;
+
+/**
+ * Free contents of attributes in a list
+ */
+static void free_attrs(object_enumerator_t *this)
+{
+	CK_ATTRIBUTE_PTR attr;
+
+	while (this->freelist->remove_last(this->freelist, (void**)&attr) == SUCCESS)
+	{
+		free(attr->pValue);
+		attr->pValue = NULL;
+		attr->ulValueLen = 0;
+	}
+}
+
+/**
+ * Get attributes for a given object during enumeration
+ */
+static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
+{
+	CK_RV rv;
+	int i;
+
+	free_attrs(this);
+
+	/* get length of objects first */
+	rv = this->lib->f->C_GetAttributeValue(this->session, object,
+										   this->attr, this->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	/* allocate required chunks */
+	for (i = 0; i < this->count; i++)
+	{
+		if (this->attr[i].pValue == NULL &&
+			this->attr[i].ulValueLen != 0 && this->attr[i].ulValueLen != -1)
+		{
+			this->attr[i].pValue = malloc(this->attr[i].ulValueLen);
+			this->freelist->insert_last(this->freelist, &this->attr[i]);
+		}
+	}
+	/* get the data */
+	rv = this->lib->f->C_GetAttributeValue(this->session, object,
+										   this->attr, this->count);
+	if (rv != CKR_OK)
+	{
+		free_attrs(this);
+		DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(enumerator_t, object_enumerate, bool,
+	object_enumerator_t *this, CK_OBJECT_HANDLE *out)
+{
+	CK_OBJECT_HANDLE object;
+	CK_ULONG found;
+	CK_RV rv;
+
+	rv = this->lib->f->C_FindObjects(this->session, &object, 1, &found);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_FindObjects() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	if (found)
+	{
+		if (this->attr)
+		{
+			if (!get_attributes(this, object))
+			{
+				return FALSE;
+			}
+		}
+		*out = object;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, object_destroy, void,
+	object_enumerator_t *this)
+{
+	this->lib->f->C_FindObjectsFinal(this->session);
+	free_attrs(this);
+	this->freelist->destroy(this->freelist);
+	free(this);
+}
+
+METHOD(pkcs11_library_t, create_object_enumerator, enumerator_t*,
+	private_pkcs11_library_t *this, CK_SESSION_HANDLE session,
+	CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount,
+	CK_ATTRIBUTE_PTR attr, CK_ULONG acount)
+{
+	object_enumerator_t *enumerator;
+	CK_RV rv;
+
+	rv = this->public.f->C_FindObjectsInit(session, tmpl, tcount);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_FindObjectsInit() failed: %N", ck_rv_names, rv);
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_object_enumerate,
+			.destroy = _object_destroy,
+		},
+		.session = session,
+		.lib = &this->public,
+		.attr = attr,
+		.count = acount,
+		.freelist = linked_list_create(),
+	);
+	return &enumerator->public;
+}
+
+/**
+ * Enumerator over mechanisms
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* PKCS#11 library */
+	pkcs11_library_t *lib;
+	/* slot of token */
+	CK_SLOT_ID slot;
+	/* mechanism type list */
+	CK_MECHANISM_TYPE_PTR mechs;
+	/* number of mechanism types */
+	CK_ULONG count;
+	/* current mechanism */
+	CK_ULONG current;
+} mechanism_enumerator_t;
+
+METHOD(enumerator_t, enumerate_mech, bool,
+	mechanism_enumerator_t *this, CK_MECHANISM_TYPE* type,
+	CK_MECHANISM_INFO *info)
+{
+	CK_RV rv;
+
+	if (this->current >= this->count)
+	{
+		return FALSE;
+	}
+	if (info)
+	{
+		rv = this->lib->f->C_GetMechanismInfo(this->slot,
+											  this->mechs[this->current], info);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_GetMechanismInfo() failed: %N", ck_rv_names, rv);
+			return FALSE;
+		}
+	}
+	*type = this->mechs[this->current++];
+	return TRUE;
+}
+
+METHOD(enumerator_t, destroy_mech, void,
+	mechanism_enumerator_t *this)
+{
+	free(this->mechs);
+	free(this);
+}
+
+METHOD(pkcs11_library_t, create_mechanism_enumerator, enumerator_t*,
+	private_pkcs11_library_t *this, CK_SLOT_ID slot)
+{
+	mechanism_enumerator_t *enumerator;
+	CK_RV rv;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_mech,
+			.destroy = _destroy_mech,
+		},
+		.lib = &this->public,
+		.slot = slot,
+	);
+
+	rv = enumerator->lib->f->C_GetMechanismList(slot, NULL, &enumerator->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv);
+		free(enumerator);
+		return enumerator_create_empty();
+	}
+	enumerator->mechs = malloc(sizeof(CK_MECHANISM_TYPE) * enumerator->count);
+	enumerator->lib->f->C_GetMechanismList(slot, enumerator->mechs,
+										   &enumerator->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv);
+		destroy_mech(enumerator);
+		return enumerator_create_empty();
+	}
+	return &enumerator->public;
+}
+
+METHOD(pkcs11_library_t, destroy, void,
+	private_pkcs11_library_t *this)
+{
+	this->public.f->C_Finalize(NULL);
+	dlclose(this->handle);
+	free(this);
+}
+
+/**
+ * See header
+ */
+void pkcs11_library_trim(char *str, int len)
+{
+	int i;
+
+	str[len - 1] = '\0';
+	for (i = len - 2; i > 0; i--)
+	{
+		if (str[i] == ' ')
+		{
+			str[i] = '\0';
+			continue;
+		}
+		break;
+	}
+}
+
+/**
+ * Mutex creation callback
+ */
+static CK_RV CreateMutex(CK_VOID_PTR_PTR data)
+{
+	*data = mutex_create(MUTEX_TYPE_DEFAULT);
+	return CKR_OK;
+}
+
+/**
+ * Mutex destruction callback
+ */
+static CK_RV DestroyMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->destroy(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Mutex lock callback
+ */
+static CK_RV LockMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->lock(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Mutex unlock callback
+ */
+static CK_RV UnlockMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->unlock(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Initialize a PKCS#11 library
+ */
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+{
+	CK_C_GetFunctionList pC_GetFunctionList;
+	CK_INFO info;
+	CK_RV rv;
+	CK_C_INITIALIZE_ARGS args = {
+		.CreateMutex = CreateMutex,
+		.DestroyMutex = DestroyMutex,
+		.LockMutex = LockMutex,
+		.UnlockMutex = UnlockMutex,
+	};
+
+	pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList");
+	if (!pC_GetFunctionList)
+	{
+		DBG1(DBG_CFG, "C_GetFunctionList not found for '%s': %s", name, dlerror());
+		return FALSE;
+	}
+	rv = pC_GetFunctionList(&this->public.f);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetFunctionList() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		return FALSE;
+	}
+
+	rv = this->public.f->C_Initialize(&args);
+	if (rv == CKR_CANT_LOCK)
+	{	/* try OS locking */
+		memset(&args, 0, sizeof(args));
+		args.flags = CKF_OS_LOCKING_OK;
+		rv = this->public.f->C_Initialize(&args);
+	}
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_Initialize() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		return FALSE;
+	}
+	rv = this->public.f->C_GetInfo(&info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetInfo() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		this->public.f->C_Finalize(NULL);
+		return FALSE;
+	}
+
+	pkcs11_library_trim(info.manufacturerID,
+			strnlen(info.manufacturerID, sizeof(info.manufacturerID)));
+	pkcs11_library_trim(info.libraryDescription,
+			strnlen(info.libraryDescription, sizeof(info.libraryDescription)));
+
+	DBG1(DBG_CFG, "loaded PKCS#11 v%d.%d library '%s' (%s)",
+		 info.cryptokiVersion.major, info.cryptokiVersion.minor, name, file);
+	DBG1(DBG_CFG, "  %s: %s v%d.%d",
+		 info.manufacturerID, info.libraryDescription,
+		 info.libraryVersion.major, info.libraryVersion.minor);
+	if (args.flags & CKF_OS_LOCKING_OK)
+	{
+		DBG1(DBG_CFG, "  uses OS locking functions");
+	}
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+{
+	private_pkcs11_library_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.create_object_enumerator = _create_object_enumerator,
+			.create_mechanism_enumerator = _create_mechanism_enumerator,
+			.destroy = _destroy,
+		},
+		.name = name,
+		.handle = dlopen(file, RTLD_LAZY),
+	);
+
+	if (!this->handle)
+	{
+		DBG1(DBG_CFG, "opening PKCS#11 library failed: %s", dlerror());
+		free(this);
+		return NULL;
+	}
+
+	if (!initialize(this, name, file))
+	{
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
new file mode 100644
index 000000000..1457d24d4
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_library pkcs11_library
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_LIBRARY_H_
+#define PKCS11_LIBRARY_H_
+
+typedef struct pkcs11_library_t pkcs11_library_t;
+
+#include "pkcs11.h"
+
+#include <enum.h>
+#include <utils/enumerator.h>
+
+/**
+ * A loaded and initialized PKCS#11 library.
+ */
+struct pkcs11_library_t {
+
+	/**
+	 * PKCS#11 function list, as returned by C_GetFunctionList
+	 */
+	CK_FUNCTION_LIST_PTR f;
+
+	/**
+	 * Get the name this instance was created with.
+	 *
+	 * @return			name, as passed to constructor
+	 */
+	char* (*get_name)(pkcs11_library_t *this);
+
+	/**
+	 * Create an enumerator over CK_OBJECT_HANDLE using a search template.
+	 *
+	 * An optional attribute array is automatically filled in with the
+	 * objects associated attributes. If the value of an output attribute
+	 * is NULL, the value gets allocated/freed during enumeration.
+	 *
+	 * @param session	session to use
+	 * @param tmpl		search template
+	 * @param tcount 	number of attributes in the search template
+	 * @param attr		attributes to read from object
+	 * @param acount	number of attributes to read
+	 */
+	enumerator_t* (*create_object_enumerator)(pkcs11_library_t *this,
+			CK_SESSION_HANDLE session, CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount,
+			CK_ATTRIBUTE_PTR attr, CK_ULONG acount);
+
+	/**
+	 * Create an enumerator over supported mechanisms of a token.
+	 *
+	 * The resulting enumerator enumerates over the mechanism type, and if
+	 * a non-NULL pointer is given, over the mechanism info details.
+	 *
+	 * @param slot		slot of the token
+	 * @return			enumerator over (CK_MECHANISM_TYPE, CK_MECHANISM_INFO)
+	 */
+	enumerator_t* (*create_mechanism_enumerator)(pkcs11_library_t *this,
+												 CK_SLOT_ID slot);
+
+	/**
+	 * Destroy a pkcs11_library_t.
+	 */
+	void (*destroy)(pkcs11_library_t *this);
+};
+
+/**
+ * Enum names for CK_RV return values
+ */
+extern enum_name_t *ck_rv_names;
+
+/**
+ * Enum names for CK_MECHANISM_TYPE values
+ */
+extern enum_name_t *ck_mech_names;
+
+/**
+ * Trim/null terminate a string returned by the varius PKCS#11 functions.
+ *
+ * @param str		string to trim
+ * @param len		max length of the string
+ */
+void pkcs11_library_trim(char *str, int len);
+
+/**
+ * Create a pkcs11_library instance.
+ *
+ * @param name		an arbitrary name, for debugging
+ * @param file		pkcs11 library file to dlopen()
+ * @return			library abstraction
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+
+#endif /** PKCS11_LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
new file mode 100644
index 000000000..0c27600a6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -0,0 +1,407 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/thread.h>
+
+#include "pkcs11_library.h"
+
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_pkcs11_manager_t private_pkcs11_manager_t;
+
+/**
+ * Private data of an pkcs11_manager_t object.
+ */
+struct private_pkcs11_manager_t {
+
+	/**
+	 * Public pkcs11_manager_t interface.
+	 */
+	pkcs11_manager_t public;
+
+	/**
+	 * List of loaded libraries, as lib_entry_t
+	 */
+	linked_list_t *libs;
+
+	/**
+	 * Slot event callback function
+	 */
+	pkcs11_manager_token_event_t cb;
+
+	/**
+	 * Slot event user data
+	 */
+	void *data;
+};
+
+/**
+ * Entry for a loaded library
+ */
+typedef struct {
+	/* back reference to this */
+	private_pkcs11_manager_t *this;
+	/* associated library path */
+	char *path;
+	/* loaded library */
+	pkcs11_library_t *lib;
+	/* event dispatcher job */
+	callback_job_t *job;
+} lib_entry_t;
+
+/**
+ * Destroy a lib_entry_t
+ */
+static void lib_entry_destroy(lib_entry_t *entry)
+{
+	if (entry->job)
+	{
+		entry->job->cancel(entry->job);
+	}
+	entry->lib->destroy(entry->lib);
+	free(entry);
+}
+
+/**
+ * Print supported mechanisms of a token in a slot
+ */
+static void print_mechs(lib_entry_t *entry, CK_SLOT_ID slot)
+{
+	enumerator_t *enumerator;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_INFO info;
+
+	enumerator = entry->lib->create_mechanism_enumerator(entry->lib, slot);
+	while (enumerator->enumerate(enumerator, &type, &info))
+	{
+		DBG2(DBG_CFG, "      %N %lu-%lu [ %s%s%s%s%s%s%s%s%s%s%s%s%s]",
+			ck_mech_names, type,
+			info.ulMinKeySize, info.ulMaxKeySize,
+			info.flags & CKF_HW ? "HW " : "",
+			info.flags & CKF_ENCRYPT ? "ENCR " : "",
+			info.flags & CKF_DECRYPT ? "DECR " : "",
+			info.flags & CKF_DIGEST ? "DGST " : "",
+			info.flags & CKF_SIGN ? "SIGN " : "",
+			info.flags & CKF_SIGN_RECOVER ? "SIGN_RCVR " : "",
+			info.flags & CKF_VERIFY ? "VRFY " : "",
+			info.flags & CKF_VERIFY_RECOVER ? "VRFY_RCVR " : "",
+			info.flags & CKF_GENERATE ? "GEN " : "",
+			info.flags & CKF_GENERATE_KEY_PAIR ? "GEN_KEY_PAIR " : "",
+			info.flags & CKF_WRAP ? "WRAP " : "",
+			info.flags & CKF_UNWRAP ? "UNWRAP " : "",
+			info.flags & CKF_DERIVE ? "DERIVE " : "");
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Handle a token
+ */
+static void handle_token(lib_entry_t *entry, CK_SLOT_ID slot)
+{
+	CK_TOKEN_INFO info;
+	CK_RV rv;
+
+	rv = entry->lib->f->C_GetTokenInfo(slot, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetTokenInfo failed: %N", ck_rv_names, rv);
+		return;
+	}
+	pkcs11_library_trim(info.label, sizeof(info.label));
+	pkcs11_library_trim(info.manufacturerID, sizeof(info.manufacturerID));
+	pkcs11_library_trim(info.model, sizeof(info.model));
+	DBG1(DBG_CFG, "    %s (%s: %s)",
+		 info.label, info.manufacturerID, info.model);
+
+	print_mechs(entry, slot);
+}
+
+/**
+ * Handle slot changes
+ */
+static void handle_slot(lib_entry_t *entry, CK_SLOT_ID slot, bool hot)
+{
+	CK_SLOT_INFO info;
+	CK_RV rv;
+
+	rv = entry->lib->f->C_GetSlotInfo(slot, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotInfo failed: %N", ck_rv_names, rv);
+		return;
+	}
+
+	pkcs11_library_trim(info.slotDescription, sizeof(info.slotDescription));
+	if (info.flags & CKF_TOKEN_PRESENT)
+	{
+		DBG1(DBG_CFG, "  found token in slot '%s':%lu (%s)",
+			 entry->lib->get_name(entry->lib), slot, info.slotDescription);
+		handle_token(entry, slot);
+		if (hot)
+		{
+			entry->this->cb(entry->this->data, entry->lib, slot, TRUE);
+		}
+	}
+	else
+	{
+		DBG1(DBG_CFG, "token removed from slot '%s':%lu (%s)",
+			 entry->lib->get_name(entry->lib), slot, info.slotDescription);
+		if (hot)
+		{
+			entry->this->cb(entry->this->data, entry->lib, slot, FALSE);
+		}
+	}
+}
+
+/**
+ * Dispatch slot events
+ */
+static job_requeue_t dispatch_slot_events(lib_entry_t *entry)
+{
+	CK_SLOT_ID slot;
+	CK_RV rv;
+	bool old;
+
+	old = thread_cancelability(TRUE);
+	rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL);
+	thread_cancelability(old);
+	if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT)
+	{
+		DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled",
+			 entry->lib->get_name(entry->lib));
+		return JOB_REQUEUE_NONE;
+	}
+	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
+	{	/* C_Finalize called, abort */
+		return JOB_REQUEUE_NONE;
+	}
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "error in C_WaitForSlotEvent: %N", ck_rv_names, rv);
+	}
+	handle_slot(entry, slot, TRUE);
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * End dispatching, unset job
+ */
+static void end_dispatch(lib_entry_t *entry)
+{
+	entry->job = NULL;
+}
+
+/**
+ * Get the slot list of a library
+ */
+static CK_SLOT_ID_PTR get_slot_list(pkcs11_library_t *p11, CK_ULONG *out)
+{
+	CK_SLOT_ID_PTR slots;
+	CK_ULONG count;
+	CK_RV rv;
+
+	rv = p11->f->C_GetSlotList(TRUE, NULL, &count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv);
+		return NULL;
+	}
+	if (count == 0)
+	{
+		return NULL;
+	}
+	slots = malloc(sizeof(CK_SLOT_ID) * count);
+	rv = p11->f->C_GetSlotList(TRUE, slots, &count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv);
+		free(slots);
+		return NULL;
+	}
+	*out = count;
+	return slots;
+}
+
+/**
+ * Query the slots for tokens
+ */
+static void query_slots(lib_entry_t *entry)
+{
+	CK_ULONG count;
+	CK_SLOT_ID_PTR slots;
+	int i;
+
+	slots = get_slot_list(entry->lib, &count);
+	if (slots)
+	{
+		for (i = 0; i < count; i++)
+		{
+			handle_slot(entry, slots[i], FALSE);
+		}
+		free(slots);
+	}
+}
+
+/**
+ * Token enumerator
+ */
+typedef struct {
+	/* implements enumerator */
+	enumerator_t public;
+	/* inner enumerator over PKCS#11 libraries */
+	enumerator_t *inner;
+	/* active library entry */
+	lib_entry_t *entry;
+	/* slot list with tokens */
+	CK_SLOT_ID_PTR slots;
+	/* number of slots */
+	CK_ULONG count;
+	/* current slot */
+	int current;
+} token_enumerator_t;
+
+METHOD(enumerator_t, enumerate_token, bool,
+	token_enumerator_t *this, pkcs11_library_t **out, CK_SLOT_ID *slot)
+{
+	if (this->current >= this->count)
+	{
+		free(this->slots);
+		this->slots = NULL;
+		this->current = 0;
+	}
+	while (!this->slots)
+	{
+		if (!this->inner->enumerate(this->inner, &this->entry))
+		{
+			return FALSE;
+		}
+		this->slots = get_slot_list(this->entry->lib, &this->count);
+	}
+	*out = this->entry->lib;
+	*slot = this->slots[this->current++];
+	return TRUE;
+}
+
+METHOD(enumerator_t, destroy_token, void,
+	token_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this->slots);
+	free(this);
+}
+
+METHOD(pkcs11_manager_t, create_token_enumerator, enumerator_t*,
+	private_pkcs11_manager_t *this)
+{
+	token_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_token,
+			.destroy = _destroy_token,
+		},
+		.inner = this->libs->create_enumerator(this->libs),
+	);
+	return &enumerator->public;
+}
+
+/**
+ * Singleton instance
+ */
+static private_pkcs11_manager_t *singleton = NULL;
+
+METHOD(pkcs11_manager_t, destroy, void,
+	private_pkcs11_manager_t *this)
+{
+	this->libs->destroy_function(this->libs, (void*)lib_entry_destroy);
+	free(this);
+	singleton = NULL;
+}
+
+/**
+ * See header
+ */
+pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
+										void *data)
+{
+	private_pkcs11_manager_t *this;
+	enumerator_t *enumerator;
+	lib_entry_t *entry;
+	char *module;
+
+	INIT(this,
+		.public = {
+			.create_token_enumerator = _create_token_enumerator,
+			.destroy = _destroy,
+		},
+		.libs = linked_list_create(),
+		.cb = cb,
+		.data = data,
+	);
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+										"libstrongswan.plugins.pkcs11.modules");
+	while (enumerator->enumerate(enumerator, &module))
+	{
+		INIT(entry,
+			.this = this,
+		);
+
+		entry->path = lib->settings->get_str(lib->settings,
+				"libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
+		if (!entry->path)
+		{
+			DBG1(DBG_CFG, "PKCS11 module '%s' misses library path", module);
+			free(entry);
+			continue;
+		}
+		entry->lib = pkcs11_library_create(module, entry->path);
+		if (!entry->lib)
+		{
+			free(entry);
+			continue;
+		}
+		this->libs->insert_last(this->libs, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	singleton = this;
+
+	enumerator = this->libs->create_enumerator(this->libs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		query_slots(entry);
+		entry->job = callback_job_create((void*)dispatch_slot_events,
+										 entry, (void*)end_dispatch, NULL);
+		lib->processor->queue_job(lib->processor, (job_t*)entry->job);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+pkcs11_manager_t *pkcs11_manager_get()
+{
+	return (pkcs11_manager_t*)singleton;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
new file mode 100644
index 000000000..b80d67324
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_manager pkcs11_manager
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_MANAGER_H_
+#define PKCS11_MANAGER_H_
+
+typedef struct pkcs11_manager_t pkcs11_manager_t;
+
+#include <library.h>
+
+#include "pkcs11_library.h"
+
+/**
+ * Token event callback function.
+ *
+ * @param data		user supplied data, as passed to pkcs11_manager_create()
+ * @param p11		loaded PKCS#11 library token belongs to
+ * @param slot		slot number the event occured in
+ * @param add		TRUE if token was added to the slot, FALSE if removed
+ */
+typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11,
+											 CK_SLOT_ID slot, bool add);
+
+
+/**
+ * Manages multiple PKCS#11 libraries with hot pluggable slots
+ */
+struct pkcs11_manager_t {
+
+	/**
+	 * Create an enumerator over all tokens.
+	 *
+	 * @return			enumerator over (pkcs11_library_t*,CK_SLOT_ID)
+	 */
+	enumerator_t* (*create_token_enumerator)(pkcs11_manager_t *this);
+
+	/**
+	 * Destroy a pkcs11_manager_t.
+	 */
+	void (*destroy)(pkcs11_manager_t *this);
+};
+
+/**
+ * Create a pkcs11_manager instance.
+ *
+ * @param cb		token event callback function
+ * @param data		user data to pass to token event callback
+ * @return			instance
+ */
+pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
+										void *data);
+
+
+/**
+ * Get the singleton instance of the manager
+ *
+ * @return			instance, NULL if none available
+ */
+pkcs11_manager_t *pkcs11_manager_get();
+
+#endif /** PKCS11_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
new file mode 100644
index 000000000..ace405c23
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_plugin.h"
+
+#include <library.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
+
+#include "pkcs11_manager.h"
+#include "pkcs11_creds.h"
+#include "pkcs11_private_key.h"
+#include "pkcs11_public_key.h"
+#include "pkcs11_hasher.h"
+
+typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
+
+/**
+ * private data of pkcs11_plugin
+ */
+struct private_pkcs11_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs11_plugin_t public;
+
+	/**
+	 * PKCS#11 library/slot manager
+	 */
+	pkcs11_manager_t *manager;
+
+	/**
+	 * List of credential sets, pkcs11_creds_t
+	 */
+	linked_list_t *creds;
+
+	/**
+	 * mutex to lock list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Token event callback function
+ */
+static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
+						   CK_SLOT_ID slot, bool add)
+{
+	enumerator_t *enumerator;
+	pkcs11_creds_t *creds, *found = NULL;;
+
+	if (add)
+	{
+		creds = pkcs11_creds_create(p11, slot);
+		if (creds)
+		{
+			this->mutex->lock(this->mutex);
+			this->creds->insert_last(this->creds, creds);
+			this->mutex->unlock(this->mutex);
+			lib->credmgr->add_set(lib->credmgr, &creds->set);
+		}
+	}
+	else
+	{
+		this->mutex->lock(this->mutex);
+		enumerator = this->creds->create_enumerator(this->creds);
+		while (enumerator->enumerate(enumerator, &creds))
+		{
+			if (creds->get_library(creds) == p11 &&
+				creds->get_slot(creds) == slot)
+			{
+				found = creds;
+				this->creds->remove_at(this->creds, enumerator);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		this->mutex->unlock(this->mutex);
+
+		if (found)
+		{
+			lib->credmgr->remove_set(lib->credmgr, &found->set);
+			found->destroy(found);
+			/* flush the cache after a token is gone */
+			lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+		}
+	}
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs11_plugin_t *this)
+{
+	pkcs11_creds_t *creds;
+
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pkcs11_private_key_connect);
+	while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &creds->set);
+		creds->destroy(creds);
+	}
+	lib->crypto->remove_hasher(lib->crypto,
+							(hasher_constructor_t)pkcs11_hasher_create);
+	this->creds->destroy(this->creds);
+	this->manager->destroy(this->manager);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs11_plugin_create()
+{
+	private_pkcs11_plugin_t *this;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.creds = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->manager = pkcs11_manager_create((void*)token_event_cb, this);
+
+	if (lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+	{
+		lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+					(hasher_constructor_t)pkcs11_hasher_create);
+	}
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
+							(builder_function_t)pkcs11_private_key_connect);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
+							(builder_function_t)pkcs11_public_key_load);
+
+	enumerator = this->manager->create_token_enumerator(this->manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		token_event_cb(this, p11, slot, TRUE);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
new file mode 100644
index 000000000..432e2173a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11 pkcs11
+ * @ingroup plugins
+ *
+ * @defgroup pkcs11_plugin pkcs11_plugin
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PLUGIN_H_
+#define PKCS11_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs11_plugin_t pkcs11_plugin_t;
+
+/**
+ * Plugin providing PKCS#11 token support.
+ */
+struct pkcs11_plugin_t {
+
+	/**
+	 * Implements plugin interface,
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS11_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
new file mode 100644
index 000000000..cabca3f54
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -0,0 +1,600 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_private_key.h"
+
+#include "pkcs11_library.h"
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
+
+/**
+ * Private data of an pkcs11_private_key_t object.
+ */
+struct private_pkcs11_private_key_t {
+
+	/**
+	 * Public pkcs11_private_key_t interface.
+	 */
+	pkcs11_private_key_t public;
+
+	/**
+	 * PKCS#11 module
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Token session
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * Mutex to lock session
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Key object on the token
+	 */
+	CK_OBJECT_HANDLE object;
+
+	/**
+	 * Key requires reauthentication for each signature/decryption
+	 */
+	CK_BBOOL reauth;
+
+	/**
+	 * Keyid of the key we use
+	 */
+	identification_t *keyid;
+
+	/**
+	 * Associated public key
+	 */
+	public_key_t *pubkey;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_type(this->pubkey);
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_keysize(this->pubkey);
+}
+
+/**
+ * See header.
+ */
+CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme)
+{
+	static struct {
+		signature_scheme_t scheme;
+		CK_MECHANISM mechanism;
+	} mappings[] = {
+		{SIGN_RSA_EMSA_PKCS1_NULL,		{CKM_RSA_PKCS,				NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA1,		{CKM_SHA1_RSA_PKCS,			NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA256,	{CKM_SHA256_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA384,	{CKM_SHA384_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA512,	{CKM_SHA512_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_MD5,		{CKM_MD5_RSA_PKCS,			NULL, 0}},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].scheme == scheme)
+		{
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme)
+{
+	static struct {
+		encryption_scheme_t scheme;
+		CK_MECHANISM mechanism;
+	} mappings[] = {
+		{ENCRYPT_RSA_PKCS1,			{CKM_RSA_PKCS,				NULL, 0}},
+		{ENCRYPT_RSA_OAEP_SHA1,		{CKM_RSA_PKCS_OAEP,			NULL, 0}},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].scheme == scheme)
+		{
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Reauthenticate to do a signature
+ */
+static bool reauth(private_pkcs11_private_key_t *this)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	chunk_t pin;
+	CK_RV rv;
+	bool found = FALSE, success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_PIN, this->keyid, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		pin = shared->get_key(shared);
+		rv = this->lib->f->C_Login(this->session, CKU_CONTEXT_SPECIFIC,
+								   pin.ptr, pin.len);
+		if (rv == CKR_OK)
+		{
+			success = TRUE;
+			break;
+		}
+		DBG1(DBG_CFG, "reauthentication login failed: %N", ck_rv_names, rv);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "private key requires reauthentication, but no PIN found");
+		return FALSE;
+	}
+	return success;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_pkcs11_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_signature_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_SignInit(this->session, mechanism, this->object);
+	if (this->reauth && !reauth(this))
+	{
+		return FALSE;
+	}
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_SignInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Sign(this->session, data.ptr, data.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Sign() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*signature = chunk_create(buf, len);
+	return TRUE;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_pkcs11_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypt, chunk_t *plain)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_DecryptInit(this->session, mechanism, this->object);
+	if (this->reauth && !reauth(this))
+	{
+		return FALSE;
+	}
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_DecryptInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Decrypt(this->session, crypt.ptr, crypt.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Decrypt() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*plain = chunk_create(buf, len);
+	return TRUE;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_ref(this->pubkey);
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_pkcs11_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	return this->pubkey->get_fingerprint(this->pubkey, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_pkcs11_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_pkcs11_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_pkcs11_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->pubkey)
+		{
+			this->pubkey->destroy(this->pubkey);
+		}
+		this->mutex->destroy(this->mutex);
+		this->keyid->destroy(this->keyid);
+		this->lib->f->C_CloseSession(this->session);
+		free(this);
+	}
+}
+
+/**
+ * Find the PKCS#11 library by its friendly name
+ */
+static pkcs11_library_t* find_lib(char *module)
+{
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		if (streq(module, p11->get_name(p11)))
+		{
+			found = p11;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Find the PKCS#11 lib having a keyid, and optionally a slot
+ */
+static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
+{
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID current;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &current))
+	{
+		if (*slot == -1 || *slot == current)
+		{
+			/* we look for a public key, it is usually readable without login */
+			CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+			CK_ATTRIBUTE tmpl[] = {
+				{CKA_CLASS, &class, sizeof(class)},
+				{CKA_ID, keyid.ptr, keyid.len},
+			};
+			CK_OBJECT_HANDLE object;
+			CK_SESSION_HANDLE session;
+			CK_RV rv;
+			enumerator_t *keys;
+
+			rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+									   &session);
+			if (rv != CKR_OK)
+			{
+				DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+					 ck_rv_names, rv);
+				continue;
+			}
+			keys = p11->create_object_enumerator(p11, session,
+												 tmpl, countof(tmpl), NULL, 0);
+			if (keys->enumerate(keys, &object))
+			{
+				DBG1(DBG_CFG, "found key on PKCS#11 token '%s':%d",
+					 p11->get_name(p11), current);
+				found = p11;
+				*slot = current;
+			}
+			keys->destroy(keys);
+			p11->f->C_CloseSession(session);
+			if (found)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Find the key on the token
+ */
+static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
+{
+	CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_ID, keyid.ptr, keyid.len},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_KEY_TYPE type;
+	CK_BBOOL reauth;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_KEY_TYPE, &type, sizeof(type)},
+		{CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
+		{CKA_MODULUS, NULL, 0},
+		{CKA_PUBLIC_EXPONENT, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	chunk_t modulus, pubexp;
+
+	enumerator = this->lib->create_object_enumerator(this->lib,
+						this->session, tmpl, countof(tmpl), attr, countof(attr));
+	if (enumerator->enumerate(enumerator, &object))
+	{
+		switch (type)
+		{
+			case CKK_RSA:
+				if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1)
+				{
+					DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed");
+					break;
+				}
+				modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen);
+				pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen);
+				this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+									KEY_RSA, BUILD_RSA_MODULUS, modulus,
+									BUILD_RSA_PUB_EXP, pubexp, BUILD_END);
+				if (!this->pubkey)
+				{
+					DBG1(DBG_CFG, "extracting public key from PKCS#11 RSA "
+						 "private key failed");
+				}
+				this->reauth = reauth;
+				this->object = object;
+				break;
+			default:
+				DBG1(DBG_CFG, "PKCS#11 key type %d not supported", type);
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return this->pubkey != NULL;
+}
+
+/**
+ * Find a PIN and try to log in
+ */
+static bool login(private_pkcs11_private_key_t *this, int slot)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	chunk_t pin;
+	CK_RV rv;
+	CK_SESSION_INFO info;
+	bool found = FALSE, success = FALSE;
+
+	rv = this->lib->f->C_GetSessionInfo(this->session, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSessionInfo failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	if (info.state != CKS_RO_PUBLIC_SESSION &&
+		info.state != CKS_RW_PUBLIC_SESSION)
+	{	/* already logged in with another session, skip */
+		return TRUE;
+	}
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_PIN, this->keyid, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		pin = shared->get_key(shared);
+		rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
+		if (rv == CKR_OK)
+		{
+			success = TRUE;
+			break;
+		}
+		DBG1(DBG_CFG, "login to '%s':%d failed: %N",
+			 this->lib->get_name(this->lib), slot, ck_rv_names, rv);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no PIN found for PKCS#11 key %Y", this->keyid);
+		return FALSE;
+	}
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
+{
+	private_pkcs11_private_key_t *this;
+	char *module = NULL;
+	chunk_t keyid = chunk_empty;
+	int slot = -1;
+	CK_RV rv;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				module = va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!keyid.len)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+
+	if (module && slot != -1)
+	{
+		this->lib = find_lib(module);
+		if (!this->lib)
+		{
+			DBG1(DBG_CFG, "PKCS#11 module '%s' not found", module);
+			free(this);
+			return NULL;
+		}
+	}
+	else
+	{
+		this->lib = find_lib_by_keyid(keyid, &slot);
+		if (!this->lib)
+		{
+			DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
+			free(this);
+			return NULL;
+		}
+	}
+
+	rv = this->lib->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
+									 NULL, NULL, &this->session);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "opening private key session on '%s':%d failed: %N",
+			 module, slot, ck_rv_names, rv);
+		free(this);
+		return NULL;
+	}
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->keyid = identification_create_from_encoding(ID_KEY_ID, keyid);
+
+	if (!login(this, slot))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (!find_key(this, keyid))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
new file mode 100644
index 000000000..428913f0a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_private_key pkcs11_private_key
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PRIVATE_KEY_H_
+#define PKCS11_PRIVATE_KEY_H_
+
+typedef struct pkcs11_private_key_t pkcs11_private_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+#include "pkcs11.h"
+
+/**
+ * Private Key implementation on top of PKCS#11.
+ */
+struct pkcs11_private_key_t {
+
+	/**
+	 * Implements private_key_t interface.
+	 */
+	private_key_t key;
+};
+
+/**
+ * Open a private key on a PKCS#11 device.
+ *
+ * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN arguments.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args);
+
+/**
+ * Get the Cryptoki mechanism for a signature scheme.
+ */
+CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme);
+
+/**
+ * Get the Cryptoki mechanism for a encryption scheme.
+ */
+CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme);
+
+#endif /** PKCS11_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
new file mode 100644
index 000000000..8d32d9a3f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_public_key.h"
+
+#include "pkcs11.h"
+#include "pkcs11_private_key.h"
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
+
+/**
+ * Private data of an pkcs11_public_key_t object.
+ */
+struct private_pkcs11_public_key_t {
+
+	/**
+	 * Public pkcs11_public_key_t interface.
+	 */
+	pkcs11_public_key_t public;
+
+	/**
+	 * Type of the key
+	 */
+	key_type_t type;
+
+	/**
+	 * Key size in bytes
+	 */
+	size_t k;
+
+	/**
+	 * PKCS#11 library this key uses
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Slot the token is in
+	 */
+	CK_SLOT_ID slot;
+
+	/**
+	 * Session we use
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * Object handle to the key
+	 */
+	CK_OBJECT_HANDLE object;
+
+	/**
+	 * Mutex to lock session
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_pkcs11_public_key_t *this)
+{
+	return this->type;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_pkcs11_public_key_t *this)
+{
+	return this->k * 8;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_pkcs11_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t sig)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_RV rv;
+
+	mechanism = pkcs11_signature_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	if (sig.len && sig.ptr[0] == 0)
+	{	/* trim leading zero byte in sig */
+		sig = chunk_skip(sig, 1);
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_VerifyInit(this->session, mechanism, this->object);
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	rv = this->lib->f->C_Verify(this->session, data.ptr, data.len,
+								sig.ptr, sig.len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(public_key_t, encrypt, bool,
+	private_pkcs11_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypt)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_EncryptInit(this->session, mechanism, this->object);
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Encrypt(this->session, plain.ptr, plain.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*crypt = chunk_create(buf, len);
+	return TRUE;
+}
+
+/**
+ * Encode RSA key using a given encoding type
+ */
+static bool encode_rsa(private_pkcs11_public_key_t *this,
+					cred_encoding_type_t type, void *cache, chunk_t *encoding)
+{
+	CK_RV rv;
+	bool success = FALSE;
+	chunk_t n, e;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_MODULUS, NULL, 0},
+		{CKA_PUBLIC_EXPONENT, NULL, 0},
+	};
+
+	rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
+										   attr, countof(attr));
+	if (rv != CKR_OK ||
+		attr[0].ulValueLen == 0 || attr[0].ulValueLen == -1 ||
+		attr[1].ulValueLen == 0 || attr[1].ulValueLen == -1)
+	{
+		return FALSE;
+	}
+	attr[0].pValue = malloc(attr[0].ulValueLen);
+	attr[1].pValue = malloc(attr[1].ulValueLen);
+	rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
+										   attr, countof(attr));
+	if (rv == CKR_OK)
+	{
+		n = chunk_create(attr[0].pValue, attr[0].ulValueLen);
+		e = chunk_create(attr[1].pValue, attr[1].ulValueLen);
+		success = lib->encoding->encode(lib->encoding, type, cache, encoding,
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+	}
+	free(attr[0].pValue);
+	free(attr[1].pValue);
+	return success;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_pkcs11_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	switch (this->type)
+	{
+		case KEY_RSA:
+			return encode_rsa(this, type, NULL, encoding);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	switch (this->type)
+	{
+		case KEY_RSA:
+			return encode_rsa(this, type, this, fp);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_pkcs11_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_pkcs11_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		this->lib->f->C_CloseSession(this->session);
+		this->mutex->destroy(this->mutex);
+		free(this);
+	}
+}
+
+/**
+ * Create an empty PKCS#11 public key
+ */
+static private_pkcs11_public_key_t *create(key_type_t type, size_t k,
+							pkcs11_library_t *p11, CK_SLOT_ID slot,
+							CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
+{
+	private_pkcs11_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = type,
+		.k = k,
+		.lib = p11,
+		.slot = slot,
+		.session = session,
+		.object = object,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/**
+ * Find a key object, including PKCS11 library and slot
+ */
+static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e)
+{
+	private_pkcs11_public_key_t *this = NULL;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *keys;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+		CK_KEY_TYPE type = CKK_RSA;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_KEY_TYPE, &type, sizeof(type)},
+			{CKA_MODULUS, n.ptr, n.len},
+			{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+								   &session);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
+			continue;
+		}
+		keys = p11->create_object_enumerator(p11, session,
+											 tmpl, countof(tmpl), NULL, 0);
+		if (keys->enumerate(keys, &object))
+		{
+			this = create(KEY_RSA, n.len, p11, slot, session, object);
+			keys->destroy(keys);
+			break;
+		}
+		keys->destroy(keys);
+		p11->f->C_CloseSession(session);
+	}
+	enumerator->destroy(enumerator);
+	return this;
+}
+
+/**
+ * Create a key object in a suitable token session
+ */
+static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e)
+{
+	private_pkcs11_public_key_t *this = NULL;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *mechs;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		CK_MECHANISM_TYPE mech;
+		CK_MECHANISM_INFO info;
+		CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+		CK_KEY_TYPE type = CKK_RSA;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_KEY_TYPE, &type, sizeof(type)},
+			{CKA_MODULUS, n.ptr, n.len},
+			{CKA_PUBLIC_EXPONENT, e.ptr, e.len}
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		mechs = p11->create_mechanism_enumerator(p11, slot);
+		while (mechs->enumerate(mechs, &mech, &info))
+		{
+			if (!(info.flags & CKF_VERIFY))
+			{
+				continue;
+			}
+			switch (mech)
+			{
+				case CKM_RSA_PKCS:
+				case CKM_SHA1_RSA_PKCS:
+				case CKM_SHA256_RSA_PKCS:
+				case CKM_SHA384_RSA_PKCS:
+				case CKM_SHA512_RSA_PKCS:
+				case CKM_MD5_RSA_PKCS:
+					break;
+				default:
+					continue;
+			}
+			rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+									   &session);
+			if (rv != CKR_OK)
+			{
+				DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+					 ck_rv_names, rv);
+				continue;
+			}
+			rv = p11->f->C_CreateObject(session, tmpl, countof(tmpl), &object);
+			if (rv == CKR_OK)
+			{
+				this = create(KEY_RSA, n.len, p11, slot, session, object);
+				DBG2(DBG_CFG, "created RSA public key on token '%s':%d ",
+					 p11->get_name(p11), slot);
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "creating RSA public key on token '%s':%d "
+					 "failed: %N", p11->get_name(p11), slot, ck_rv_names, rv);
+				p11->f->C_CloseSession(session);
+			}
+		}
+		mechs->destroy(mechs);
+		if (this)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return this;
+}
+
+/**
+ * See header
+ */
+pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
+{
+	private_pkcs11_public_key_t *this;
+	chunk_t n, e;
+
+	n = e = chunk_empty;
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (type == KEY_RSA && e.ptr && n.ptr)
+	{
+		if (n.len && n.ptr[0] == 0)
+		{	/* trim leading zero byte in modulus */
+			n = chunk_skip(n, 1);
+		}
+		this = find_rsa_key(n, e);
+		if (this)
+		{
+			return &this->public;
+		}
+		this = create_rsa_key(n, e);
+		if (this)
+		{
+			return &this->public;
+		}
+	}
+	return NULL;
+}
+
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
new file mode 100644
index 000000000..4fd94620e
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_public_key pkcs11_public_key
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PUBLIC_KEY_H_
+#define PKCS11_PUBLIC_KEY_H_
+
+typedef struct pkcs11_public_key_t pkcs11_public_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * PKCS#11 based public key implementation.
+ */
+struct pkcs11_public_key_t {
+
+	/**
+	 * Implements public_key_t.
+	 */
+	public_key_t key;
+};
+
+/**
+ * Create a public key in a PKCS#11 session.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args);
+
+#endif /** PKCS11_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 336d0bc02..e1427bf15 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -189,7 +189,6 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 		plugin = load_plugin(this, path, token);
 		if (plugin)
 		{
-			/* insert in front to destroy them in reverse order */
 			this->plugins->insert_last(this->plugins, plugin);
 			this->names->insert_last(this->names, token);
 		}
@@ -215,12 +214,13 @@ static void unload(private_plugin_loader_t *this)
 	plugin_t *plugin;
 	char *name;
 
-	while (this->plugins->remove_first(this->plugins,
+	/* unload plugins in reverse order */
+	while (this->plugins->remove_last(this->plugins,
 									   (void**)&plugin) == SUCCESS)
 	{
 		plugin->destroy(plugin);
 	}
-	while (this->names->remove_first(this->names, (void**)&name) == SUCCESS)
+	while (this->names->remove_last(this->names, (void**)&name) == SUCCESS)
 	{
 		free(name);
 	}
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 4dc5985cd..495223855 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index b0eabc9ee..6f41ada2a 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -50,7 +50,7 @@ plugin_t *pubkey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pubkey_cert_wrap);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index af929080d..efd24c761 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 871566e65..16a9d21c5 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index d352a9583..02393b907 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -52,7 +52,11 @@ plugin_t *revocation_plugin_create()
 	private_revocation_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.validator = revocation_validator_create(),
 	);
 	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 703764e5e..1036bedfc 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 5e490f2e5..579e6f9b0 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 6d81d0d81..9c9b57f98 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 6d3b05d19..049301977 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -13,9 +13,14 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
 	test_vectors/aes_cbc.c \
+	test_vectors/aes_ctr.c \
 	test_vectors/aes_xcbc.c \
+	test_vectors/aes_ccm.c \
+	test_vectors/aes_gcm.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
+	test_vectors/camellia_ctr.c \
+	test_vectors/camellia_xcbc.c \
 	test_vectors/cast.c \
 	test_vectors/des.c \
 	test_vectors/idea.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 20a6db81e..9be3f825a 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -75,10 +76,11 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
 am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
-	3des_cbc.lo aes_cbc.lo aes_xcbc.lo blowfish.lo camellia_cbc.lo \
-	cast.lo des.lo idea.lo null.lo rc5.lo serpent_cbc.lo \
-	twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo sha1.lo \
-	sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
+	3des_cbc.lo aes_cbc.lo aes_ctr.lo aes_xcbc.lo aes_ccm.lo \
+	aes_gcm.lo blowfish.lo camellia_cbc.lo camellia_ctr.lo \
+	camellia_xcbc.lo cast.lo des.lo idea.lo null.lo rc5.lo \
+	serpent_cbc.lo twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo \
+	sha1.lo sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
@@ -171,6 +173,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +206,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +231,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +263,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -269,9 +286,14 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
 	test_vectors/aes_cbc.c \
+	test_vectors/aes_ctr.c \
 	test_vectors/aes_xcbc.c \
+	test_vectors/aes_ccm.c \
+	test_vectors/aes_gcm.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
+	test_vectors/camellia_ctr.c \
+	test_vectors/camellia_xcbc.c \
 	test_vectors/cast.c \
 	test_vectors/des.c \
 	test_vectors/idea.c \
@@ -376,9 +398,14 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/3des_cbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ccm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cast.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
@@ -433,6 +460,13 @@ aes_cbc.lo: test_vectors/aes_cbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
 
+aes_ctr.lo: test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+
 aes_xcbc.lo: test_vectors/aes_xcbc.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
@@ -440,6 +474,20 @@ aes_xcbc.lo: test_vectors/aes_xcbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 
+aes_ccm.lo: test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+
+aes_gcm.lo: test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+
 blowfish.lo: test_vectors/blowfish.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
@@ -454,6 +502,20 @@ camellia_cbc.lo: test_vectors/camellia_cbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
 
+camellia_ctr.lo: test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+
+camellia_xcbc.lo: test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+
 cast.lo: test_vectors/cast.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index b182dd829..ab4689c1c 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -19,6 +19,15 @@ TEST_VECTOR_CRYPTER(aes_cbc3)
 TEST_VECTOR_CRYPTER(aes_cbc4)
 TEST_VECTOR_CRYPTER(aes_cbc5)
 TEST_VECTOR_CRYPTER(aes_cbc6)
+TEST_VECTOR_CRYPTER(aes_ctr1)
+TEST_VECTOR_CRYPTER(aes_ctr2)
+TEST_VECTOR_CRYPTER(aes_ctr3)
+TEST_VECTOR_CRYPTER(aes_ctr4)
+TEST_VECTOR_CRYPTER(aes_ctr5)
+TEST_VECTOR_CRYPTER(aes_ctr6)
+TEST_VECTOR_CRYPTER(aes_ctr7)
+TEST_VECTOR_CRYPTER(aes_ctr8)
+TEST_VECTOR_CRYPTER(aes_ctr9)
 TEST_VECTOR_CRYPTER(blowfish1)
 TEST_VECTOR_CRYPTER(blowfish2)
 TEST_VECTOR_CRYPTER(camellia_cbc1)
@@ -27,6 +36,15 @@ TEST_VECTOR_CRYPTER(camellia_cbc3)
 TEST_VECTOR_CRYPTER(camellia_cbc4)
 TEST_VECTOR_CRYPTER(camellia_cbc5)
 TEST_VECTOR_CRYPTER(camellia_cbc6)
+TEST_VECTOR_CRYPTER(camellia_ctr1)
+TEST_VECTOR_CRYPTER(camellia_ctr2)
+TEST_VECTOR_CRYPTER(camellia_ctr3)
+TEST_VECTOR_CRYPTER(camellia_ctr4)
+TEST_VECTOR_CRYPTER(camellia_ctr5)
+TEST_VECTOR_CRYPTER(camellia_ctr6)
+TEST_VECTOR_CRYPTER(camellia_ctr7)
+TEST_VECTOR_CRYPTER(camellia_ctr8)
+TEST_VECTOR_CRYPTER(camellia_ctr9)
 TEST_VECTOR_CRYPTER(cast1)
 TEST_VECTOR_CRYPTER(des_cbc1)
 TEST_VECTOR_CRYPTER(des_cbc2)
@@ -49,11 +67,31 @@ TEST_VECTOR_CRYPTER(twofish_cbc1)
 TEST_VECTOR_CRYPTER(twofish_cbc2)
 TEST_VECTOR_CRYPTER(twofish_cbc3)
 
+TEST_VECTOR_AEAD(aes_ccm1)
+TEST_VECTOR_AEAD(aes_ccm2)
+TEST_VECTOR_AEAD(aes_ccm3)
+TEST_VECTOR_AEAD(aes_ccm4)
+TEST_VECTOR_AEAD(aes_ccm5)
+TEST_VECTOR_AEAD(aes_ccm6)
+TEST_VECTOR_AEAD(aes_ccm7)
+TEST_VECTOR_AEAD(aes_ccm8)
+TEST_VECTOR_AEAD(aes_ccm9)
+TEST_VECTOR_AEAD(aes_ccm10)
+TEST_VECTOR_AEAD(aes_ccm11)
+TEST_VECTOR_AEAD(aes_gcm1)
+TEST_VECTOR_AEAD(aes_gcm2)
+TEST_VECTOR_AEAD(aes_gcm3)
+TEST_VECTOR_AEAD(aes_gcm4)
+TEST_VECTOR_AEAD(aes_gcm5)
+TEST_VECTOR_AEAD(aes_gcm6)
+TEST_VECTOR_AEAD(aes_gcm7)
+
 TEST_VECTOR_SIGNER(aes_xcbc_s1)
 TEST_VECTOR_SIGNER(aes_xcbc_s2)
 TEST_VECTOR_SIGNER(aes_xcbc_s3)
 TEST_VECTOR_SIGNER(aes_xcbc_s4)
 TEST_VECTOR_SIGNER(aes_xcbc_s5)
+TEST_VECTOR_SIGNER(camellia_xcbc_s1)
 TEST_VECTOR_SIGNER(md5_hmac_s1)
 TEST_VECTOR_SIGNER(md5_hmac_s2)
 TEST_VECTOR_SIGNER(md5_hmac_s3)
@@ -118,6 +156,9 @@ TEST_VECTOR_PRF(aes_xcbc_p4)
 TEST_VECTOR_PRF(aes_xcbc_p5)
 TEST_VECTOR_PRF(aes_xcbc_p6)
 TEST_VECTOR_PRF(aes_xcbc_p7)
+TEST_VECTOR_PRF(camellia_xcbc_p1)
+TEST_VECTOR_PRF(camellia_xcbc_p2)
+TEST_VECTOR_PRF(camellia_xcbc_p3)
 TEST_VECTOR_PRF(md5_hmac_p1)
 TEST_VECTOR_PRF(md5_hmac_p2)
 TEST_VECTOR_PRF(md5_hmac_p3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
new file mode 100644
index 000000000..8de180ad5
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test vectors with 11 bytes nonces are hard to find, neither RFC3610 nor
+ * NIST 800-38C has one. These vectors are taken from the Linux kernel,
+ * originally from "fips cavs fax files on hand at Red Hat".
+ */
+aead_test_vector_t aes_ccm1 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0,
+	.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
+			  "\x96\xac\x59",
+	.iv		= "\x30\x07\xa1\xe2\xa2\xc7\x55\x24",
+	.plain	= "\x19\xc8\x81\xf6\xe9\x86\xff\x93\x0b\x78\x67\xe5\xbb\xb7\xfc\x6e"
+			  "\x83\x77\xb3\xa6\x0c\x8c\x9f\x9c\x35\x2e\xad\xe0\x62\xf9\x91\xa1",
+	.cipher	= "\xab\x6f\xe1\x69\x1d\x19\x99\xa8\x92\xa0\xc4\x6f\x7e\xe2\x8b\xb1"
+			  "\x70\xbb\x8c\xa6\x4c\x6e\x97\x8a\x57\x2b\xbe\x5d\x98\xa6\xb1\x32"
+			  "\xda\x24\xea\xd9\xa1\x39\x98\xfd\xa4\xbe\xd9\xf2\x1a\x6d\x22\xa8",
+};
+
+aead_test_vector_t aes_ccm2 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32,
+	.key	= "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3"
+			  "\x4f\xa3\x19",
+	.iv		= "\xd3\x01\x5a\xd8\x30\x60\x15\x56",
+	.adata	= "\xda\xe6\x28\x9c\x45\x2d\xfd\x63\x5e\xda\x4c\xb6\xe6\xfc\xf9\xb7"
+			  "\x0c\x56\xcb\xe4\xe0\x05\x7a\xe1\x0a\x63\x09\x78\xbc\x2c\x55\xde",
+	.plain	= "\x87\xa3\x36\xfd\x96\xb3\x93\x78\xa9\x28\x63\xba\x12\xa3\x14\x85"
+			  "\x57\x1e\x06\xc9\x7b\x21\xef\x76\x7f\x38\x7e\x8e\x29\xa4\x3e\x7e",
+	.cipher	= "\x8a\x1e\x11\xf0\x02\x6b\xe2\x19\xfc\x70\xc4\x6d\x8e\xb7\x99\xab"
+			  "\xc5\x4b\xa2\xac\xd3\xf3\x48\xff\x3b\xb5\xce\x53\xef\xde\xbb\x02"
+			  "\xa9\x86\x15\x6c\x13\xfe\xda\x0a\x22\xb8\x29\x3d\xd8\x39\x9a\x23",
+};
+
+aead_test_vector_t aes_ccm3 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32,
+	.key	= "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75"
+			  "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35",
+	.iv		= "\x26\xf2\x21\x8d\x50\x20\xda\xe2",
+	.adata	= "\x5b\x9e\x13\x67\x02\x5e\xef\xc1\x6c\xf9\xd7\x1e\x52\x8f\x7a\x47"
+			  "\xe9\xd4\xcf\x20\x14\x6e\xf0\x2d\xd8\x9e\x2b\x56\x10\x23\x56\xe7",
+	.cipher	= "\x36\xea\x7a\x70\x08\xdc\x6a\xbc\xad\x0c\x7a\x63\xf6\x61\xfd\x9b",
+};
+
+aead_test_vector_t aes_ccm4 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32,
+	.key	= "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62"
+			  "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c",
+	.iv		= "\x86\x84\xb6\xcd\xef\x09\x2e\x94",
+	.adata	= "\x02\x65\x78\x3c\xe9\x21\x30\x91\xb1\xb9\xda\x76\x9a\x78\x6d\x95"
+			  "\xf2\x88\x32\xa3\xf2\x50\xcb\x4c\xe3\x00\x73\x69\x84\x69\x87\x79",
+	.plain	= "\x9f\xd2\x02\x4b\x52\x49\x31\x3c\x43\x69\x3a\x2d\x8e\x70\xad\x7e"
+			  "\xe0\xe5\x46\x09\x80\x89\x13\xb2\x8c\x8b\xd9\x3f\x86\xfb\xb5\x6b",
+	.cipher	= "\x39\xdf\x7c\x3c\x5a\x29\xb9\x62\x5d\x51\xc2\x16\xd8\xbd\x06\x9f"
+			  "\x9b\x6a\x09\x70\xc1\x51\x83\xc2\x66\x88\x1d\x4f\x9a\xda\xe0\x1e"
+			  "\xc7\x79\x11\x58\xe5\x6b\x20\x40\x7a\xea\x46\x42\x8b\xe4\x6f\xe1",
+};
+
+aead_test_vector_t aes_ccm5 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a"
+			  "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b"
+			  "\x1e\x29\x91",
+	.iv		= "\xad\x8e\xc1\x53\x0a\xcf\x2d\xbe",
+	.adata	= "\x19\xb6\x1f\x57\xc4\xf3\xf0\x8b\x78\x2b\x94\x02\x29\x0f\x42\x27"
+			  "\x6b\x75\xcb\x98\x34\x08\x7e\x79\xe4\x3e\x49\x0d\x84\x8b\x22\x87",
+	.plain	= "\xe1\xd9\xd8\x13\xeb\x3a\x75\x3f\x9d\xbd\x5f\x66\xbe\xdc\xbb\x66"
+			  "\xbf\x17\x99\x62\x4a\x39\x27\x1f\x1d\xdc\x24\xae\x19\x2f\x98\x4c",
+	.cipher	= "\x19\xb8\x61\x33\x45\x2b\x43\x96\x6f\x51\xd0\x20\x30\x7d\x9b\xc6"
+			  "\x26\x3d\xf8\xc9\x65\x16\xa8\x9f\xf0\x62\x17\x34\xf2\x1e\x8d\x75"
+			  "\x4e\x13\xcc\xc0\xc3\x2a\x54\x2d",
+};
+
+aead_test_vector_t aes_ccm6 = {
+	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32"
+			  "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39"
+			  "\xf9\xd9\x4e",
+	.iv		= "\x63\xb5\x3d\x9d\x43\xf6\x1e\x50",
+	.adata	= "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b\x13\x02\x01\x0c\x83\x4c\x96\x35"
+			  "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94\xb0\x39\x36\xe6\x8f\x57\xe0\x13",
+	.plain	= "\x3b\x6c\x29\x36\xb6\xef\x07\xa6\x83\x72\x07\x4f\xcf\xfa\x66\x89"
+			  "\x5f\xca\xb1\xba\xd5\x8f\x2c\x27\x30\xdb\x75\x09\x93\xd4\x65\xe4",
+	.cipher	= "\xb0\x88\x5a\x33\xaa\xe5\xc7\x1d\x85\x23\xc7\xc6\x2f\xf4\x1e\x3d"
+			  "\xcc\x63\x44\x25\x07\x78\x4f\x9e\x96\xb8\x88\xeb\xbc\x48\x1f\x06"
+			  "\x39\xaf\x39\xac\xd8\x4a\x80\x39\x7b\x72\x8a\xf7",
+};
+
+aead_test_vector_t aes_ccm7 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46"
+			  "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b"
+			  "\x24\xa7\x8b",
+	.iv		= "\x07\xcb\xcc\x0e\xe6\x33\xbf\xf5",
+	.adata	= "\xd4\xdb\x30\x1d\x03\xfe\xfd\x5f\x87\xd4\x8c\xb6\xb6\xf1\x7a\x5d"
+			  "\xab\x90\x65\x8d\x8e\xca\x4d\x4f\x16\x0c\x40\x90\x4b\xc7\x36\x73",
+	.plain	= "\xf5\xc6\x7d\x48\xc1\xb7\xe6\x92\x97\x5a\xca\xc4\xa9\x6d\xf9\x3d"
+			  "\x6c\xde\xbc\xf1\x90\xea\x6a\xb2\x35\x86\x36\xaf\x5c\xfe\x4b\x3a",
+	.cipher	= "\x83\x6f\x40\x87\x72\xcf\xc1\x13\xef\xbb\x80\x21\x04\x6c\x58\x09"
+			  "\x07\x1b\xfc\xdf\xc0\x3f\x5b\xc7\xe0\x79\xa8\x6e\x71\x7c\x3f\xcf"
+			  "\x5c\xda\xb2\x33\xe5\x13\xe2\x0d\x74\xd1\xef\xb5\x0f\x3a\xb5\xf8",
+};
+
+aead_test_vector_t aes_ccm8 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0,
+	.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
+			  "\xaf\x94\x87",
+	.iv		= "\x78\x35\x82\x81\x7f\x88\x94\x68",
+	.cipher	= "\x41\x3c\xb8\x87\x73\xcb\xf3\xf3",
+};
+
+aead_test_vector_t aes_ccm9 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32,
+	.key	= "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3"
+			  "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.adata	= "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64"
+			  "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61",
+	.cipher	= "\x71\x99\xfa\xf4\x44\x12\x68\x9b",
+};
+
+aead_test_vector_t aes_ccm10 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0,
+	.key	= "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c"
+			  "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff"
+			  "\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.cipher	= "\x1f\xb8\x8f\xa3\xdd\x54\x00\xf2",
+};
+
+aead_test_vector_t aes_ccm11 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32,
+	.key	= "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0"
+			  "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.adata	= "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64"
+			  "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61",
+	.plain	= "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb"
+			  "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4\xc3\x0f\xdc\x55\x81",
+	.cipher	= "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2"
+			  "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x52\xba\x04\x9c\x9f"
+			  "\xb1\xd2\x40\xbc\x52\x7c\x6f\xb1",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
new file mode 100644
index 000000000..1e5126a70
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC3686
+ */
+crypter_test_vector_t aes_ctr1 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 16,
+	.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
+			  "\x00\x00\x00\x30",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "Single block msg",
+	.cipher	= "\xe4\x09\x5d\x4f\xb7\xa7\xb3\x79\x2d\x61\x75\xa3\x26\x13\x11\xb8"
+};
+
+/**
+ * Test 2 of RFC3686
+ */
+crypter_test_vector_t aes_ctr2 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 32,
+	.key	= "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63"
+			  "\x00\x6c\xb6\xdb",
+	.iv		= "\xc0\x54\x3b\x59\xda\x48\xd9\x0b",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x51\x04\xa1\x06\x16\x8a\x72\xd9\x79\x0d\x41\xee\x8e\xda\xd3\x88"
+			  "\xeb\x2e\x1e\xfc\x46\xda\x57\xc8\xfc\xe6\x30\xdf\x91\x41\xbe\x28"
+};
+
+/**
+ * Test 3 of RFC3686
+ */
+crypter_test_vector_t aes_ctr3 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 36,
+	.key	= "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc"
+			  "\x00\xe0\x01\x7b",
+	.iv		= "\x27\x77\x7f\x3f\x4a\x17\x86\xf0",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xc1\xcf\x48\xa8\x9f\x2f\xfd\xd9\xcf\x46\x52\xe9\xef\xdb\x72\xd7"
+			  "\x45\x40\xa4\x2b\xde\x6d\x78\x36\xd5\x9a\x5c\xea\xae\xf3\x10\x53"
+			  "\x25\xb2\x07\x2f",
+};
+
+/**
+ * Test 4 of RFC3686
+ */
+crypter_test_vector_t aes_ctr4 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 16,
+	.key	= "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed"
+			  "\x86\x3d\x06\xcc\xfd\xb7\x85\x15"
+			  "\x00\x00\x00\x48",
+	.iv		= "\x36\x73\x3c\x14\x7d\x6d\x93\xcb",
+	.plain	= "Single block msg",
+	.cipher	= "\x4b\x55\x38\x4f\xe2\x59\xc9\xc8\x4e\x79\x35\xa0\x03\xcb\xe9\x28",
+};
+
+/**
+ * Test 5 of RFC3686
+ */
+crypter_test_vector_t aes_ctr5 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 32,
+	.key	= "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c"
+			  "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a"
+			  "\x00\x96\xb0\x3b",
+	.iv		= "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x45\x32\x43\xfc\x60\x9b\x23\x32\x7e\xdf\xaa\xfa\x71\x31\xcd\x9f"
+			  "\x84\x90\x70\x1c\x5a\xd4\xa7\x9c\xfc\x1f\xe0\xff\x42\xf4\xfb\x00",
+};
+
+/**
+ * Test 6 of RFC3686
+ */
+crypter_test_vector_t aes_ctr6 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 36,
+	.key	= "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b"
+			  "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe"
+			  "\x00\x07\xbd\xfd",
+	.iv		= "\x5c\xbd\x60\x27\x8d\xcc\x09\x12",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\x96\x89\x3f\xc5\x5e\x5c\x72\x2f\x54\x0b\x7d\xd1\xdd\xf7\xe7\x58"
+			  "\xd2\x88\xbc\x95\xc6\x91\x65\x88\x45\x36\xc8\x11\x66\x2f\x21\x88"
+			  "\xab\xee\x09\x35",
+};
+
+/**
+ * Test 7 of RFC3686
+ */
+crypter_test_vector_t aes_ctr7 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 16,
+	.key	= "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c"
+			  "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04"
+			  "\x00\x00\x00\x60",
+	.iv		= "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2",
+	.plain	= "Single block msg",
+	.cipher	= "\x14\x5a\xd0\x1d\xbf\x82\x4e\xc7\x56\x08\x63\xdc\x71\xe3\xe0\xc0",
+};
+
+/**
+ * Test 8 of RFC3686
+ */
+crypter_test_vector_t aes_ctr8 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 32,
+	.key	= "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86"
+			  "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84"
+			  "\x00\xfa\xac\x24",
+	.iv		= "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xf0\x5e\x23\x1b\x38\x94\x61\x2c\x49\xee\x00\x0b\x80\x4e\xb2\xa9"
+			  "\xb8\x30\x6b\x50\x8f\x83\x9d\x6a\x55\x30\x83\x1d\x93\x44\xaf\x1c",
+};
+
+/**
+ * Test 9 of RFC3686
+ */
+crypter_test_vector_t aes_ctr9 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 36,
+	.key	= "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2"
+			  "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d"
+			  "\x00\x1c\xc5\xb7",
+	.iv		= "\x51\xa5\x1d\x70\xa1\xc1\x11\x48",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xeb\x6c\x52\x82\x1d\x0b\xbb\xf7\xce\x75\x94\x46\x2a\xca\x4f\xaa"
+			  "\xb4\x07\xdf\x86\x65\x69\xfd\x07\xf4\x8c\xc0\xb5\x83\xd6\x07\x1f"
+			  "\x1e\xc0\xe6\xb8",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
new file mode 100644
index 000000000..7534633e1
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * From the Linux kernel, those with an IV. Originally from
+ * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html
+ */
+aead_test_vector_t aes_gcm1 = {
+	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6",
+};
+
+aead_test_vector_t aes_gcm2 = {
+	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd",
+};
+
+aead_test_vector_t aes_gcm3 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4",
+};
+
+aead_test_vector_t aes_gcm4 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc"
+			  "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47",
+};
+
+aead_test_vector_t aes_gcm5 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
+			  "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
+			  "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
+			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56"
+			  "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14",
+};
+
+aead_test_vector_t aes_gcm6 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
+			  "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
+			  "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38"
+			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad"
+			  "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c",
+};
+
+aead_test_vector_t aes_gcm7 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.cipher	= "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
+			  "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
+			  "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38"
+			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce"
+			  "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b",
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
new file mode 100644
index 000000000..241e6ca7a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr1 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 16,
+	.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
+			  "\x00\x00\x00\x30",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "Single block msg",
+	.cipher	= "\xd0\x9d\xc2\x9a\x82\x14\x61\x9a\x20\x87\x7c\x76\xdb\x1f\x0b\x3f"
+};
+
+/**
+ * Test 2 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr2 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 32,
+	.key	= "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63"
+			  "\x00\x6c\xb6\xdb",
+	.iv		= "\xc0\x54\x3b\x59\xda\x48\xd9\x0b",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xdb\xf3\xc7\x8d\xc0\x83\x96\xd4\xda\x7c\x90\x77\x65\xbb\xcb\x44"
+			  "\x2b\x8e\x8e\x0f\x31\xf0\xdc\xa7\x2c\x74\x17\xe3\x53\x60\xe0\x48"
+};
+
+/**
+ * Test 3 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr3 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 36,
+	.key	= "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc"
+			  "\x00\xe0\x01\x7b",
+	.iv		= "\x27\x77\x7f\x3f\x4a\x17\x86\xf0",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xb1\x9d\x1f\xcd\xcb\x75\xeb\x88\x2f\x84\x9c\xe2\x4d\x85\xcf\x73"
+			  "\x9c\xe6\x4b\x2b\x5c\x9d\x73\xf1\x4f\x2d\x5d\x9d\xce\x98\x89\xcd"
+			  "\xdf\x50\x86\x96",
+};
+
+/**
+ * Test 4 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr4 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 16,
+	.key	= "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed"
+			  "\x86\x3d\x06\xcc\xfd\xb7\x85\x15"
+			  "\x00\x00\x00\x48",
+	.iv		= "\x36\x73\x3c\x14\x7d\x6d\x93\xcb",
+	.plain	= "Single block msg",
+	.cipher	= "\x23\x79\x39\x9e\x8a\x8d\x2b\x2b\x16\x70\x2f\xc7\x8b\x9e\x96\x96",
+};
+
+/**
+ * Test 5 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr5 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 32,
+	.key	= "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c"
+			  "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a"
+			  "\x00\x96\xb0\x3b",
+	.iv		= "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x7d\xef\x34\xf7\xa5\xd0\xe4\x15\x67\x4b\x7f\xfc\xae\x67\xc7\x5d"
+			  "\xd0\x18\xb8\x6f\xf2\x30\x51\xe0\x56\x39\x2a\x99\xf3\x5a\x4c\xed",
+};
+
+/**
+ * Test 6 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr6 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 36,
+	.key	= "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b"
+			  "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe"
+			  "\x00\x07\xbd\xfd",
+	.iv		= "\x5c\xbd\x60\x27\x8d\xcc\x09\x12",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\x57\x10\xe5\x56\xe1\x48\x7a\x20\xb5\xac\x0e\x73\xf1\x9e\x4e\x78"
+			  "\x76\xf3\x7f\xdc\x91\xb1\xef\x4d\x4d\xad\xe8\xe6\x66\xa6\x4d\x0e"
+			  "\xd5\x57\xab\x57",
+};
+
+/**
+ * Test 7 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr7 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 16,
+	.key	= "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c"
+			  "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04"
+			  "\x00\x00\x00\x60",
+	.iv		= "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2",
+	.plain	= "Single block msg",
+	.cipher	= "\x34\x01\xf9\xc8\x24\x7e\xff\xce\xbd\x69\x94\x71\x4c\x1b\xbb\x11",
+};
+
+/**
+ * Test 8 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr8 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 32,
+	.key	= "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86"
+			  "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84"
+			  "\x00\xfa\xac\x24",
+	.iv		= "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xd6\xc3\x03\x92\x24\x6f\x78\x08\xa8\x3c\x2b\x22\xa8\x83\x9e\x45"
+			  "\xe5\x1c\xd4\x8a\x1c\xdf\x40\x6e\xbc\x9c\xc2\xd3\xab\x83\x41\x08",
+};
+
+/**
+ * Test 9 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr9 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 36,
+	.key	= "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2"
+			  "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d"
+			  "\x00\x1c\xc5\xb7",
+	.iv		= "\x51\xa5\x1d\x70\xa1\xc1\x11\x48",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xa4\xda\x23\xfc\xe6\xa5\xff\xaa\x6d\x64\xae\x9a\x06\x52\xa4\x2c"
+			  "\xd1\x61\xa3\x4b\x65\xf9\x67\x9f\x75\xc0\x1f\x10\x1f\x71\x27\x6f"
+			  "\x15\xef\x0d\x8d",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
new file mode 100644
index 000000000..2a58b3732
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test Case #1
+ */
+signer_test_vector_t camellia_xcbc_s1 = {
+	.alg = AUTH_CAMELLIA_XCBC_96, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.mac	= "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15",
+};
+
+prf_test_vector_t camellia_xcbc_p1 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 16, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15\xc5\xe3\x26\xd6",
+};
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test Case #2
+ */
+prf_test_vector_t camellia_xcbc_p2 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 10, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\xb9\x16\xb4\x23\x42\x0a\x90\x6c\xd7\xd7\xb6\x72\xa2\x4e\x97\x6f",
+};
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test #3
+ */
+prf_test_vector_t camellia_xcbc_p3 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 18, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\xed\xcb",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\xb9\x71\x46\x36\x9d\x31\x94\x0f\xf5\x7a\x0d\xdf\x22\x33\xc1\xd2",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 234d237f3..f3a254d8d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -20,6 +20,7 @@
 
 /* define symbols of all test vectors */
 #define TEST_VECTOR_CRYPTER(x) crypter_test_vector_t x;
+#define TEST_VECTOR_AEAD(x) aead_test_vector_t x;
 #define TEST_VECTOR_SIGNER(x) signer_test_vector_t x;
 #define TEST_VECTOR_HASHER(x) hasher_test_vector_t x;
 #define TEST_VECTOR_PRF(x) prf_test_vector_t x;
@@ -28,12 +29,14 @@
 #include "test_vectors.h"
 
 #undef TEST_VECTOR_CRYPTER
+#undef TEST_VECTOR_AEAD
 #undef TEST_VECTOR_SIGNER
 #undef TEST_VECTOR_HASHER
 #undef TEST_VECTOR_PRF
 #undef TEST_VECTOR_RNG
 
 #define TEST_VECTOR_CRYPTER(x)
+#define TEST_VECTOR_AEAD(x)
 #define TEST_VECTOR_SIGNER(x)
 #define TEST_VECTOR_HASHER(x)
 #define TEST_VECTOR_PRF(x)
@@ -48,6 +51,14 @@ static crypter_test_vector_t *crypter[] = {
 #undef TEST_VECTOR_CRYPTER
 #define TEST_VECTOR_CRYPTER(x)
 
+#undef TEST_VECTOR_AEAD
+#define TEST_VECTOR_AEAD(x) &x,
+static aead_test_vector_t *aead[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_AEAD
+#define TEST_VECTOR_AEAD(x)
+
 #undef TEST_VECTOR_SIGNER
 #define TEST_VECTOR_SIGNER(x) &x,
 static signer_test_vector_t *signer[] = {
@@ -116,6 +127,11 @@ plugin_t *test_vectors_plugin_create()
 		lib->crypto->add_test_vector(lib->crypto,
 									 ENCRYPTION_ALGORITHM, crypter[i]);
 	}
+	for (i = 0; i < countof(aead); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 AEAD_ALGORITHM, aead[i]);
+	}
 	for (i = 0; i < countof(signer); i++)
 	{
 		lib->crypto->add_test_vector(lib->crypto,
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index f40427f3f..b1cc2f168 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 92b576aa5..559090aa0 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -260,7 +260,7 @@ static const asn1Object_t otherNameObjects[] = {
 /**
  * Extracts an otherName
  */
-static bool parse_otherName(chunk_t blob, int level0)
+static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -268,7 +268,7 @@ static bool parse_otherName(chunk_t blob, int level0)
 	int oid = OID_UNKNOWN;
 	bool success = FALSE;
 
-	parser = asn1_parser_create(otherNameObjects, blob);
+	parser = asn1_parser_create(otherNameObjects, *blob);
 	parser->set_top_level(parser, level0);
 
 	while (parser->iterate(parser, &objectID, &object))
@@ -279,13 +279,27 @@ static bool parse_otherName(chunk_t blob, int level0)
 				oid = asn1_known_oid(object);
 				break;
 			case ON_OBJ_VALUE:
-				if (oid == OID_XMPP_ADDR)
+				switch (oid)
 				{
-					if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
-								parser->get_level(parser)+1, "xmppAddr"))
-					{
-						goto end;
-					}
+					case OID_XMPP_ADDR:
+						if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+									parser->get_level(parser)+1, "xmppAddr"))
+						{
+							goto end;
+						}
+						break;
+					case OID_USER_PRINCIPAL_NAME:
+						if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+									parser->get_level(parser)+1, "msUPN"))
+						{	/* we handle UPNs as RFC822 addr */
+							*blob = object;
+							*type = ID_RFC822_ADDR;
+						}
+						else
+						{
+							goto end;
+						}
+						break;
 				}
 				break;
 			default:
@@ -379,7 +393,8 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 				}
 				break;
 			case GN_OBJ_OTHER_NAME:
-				if (!parse_otherName(object, parser->get_level(parser)+1))
+				if (!parse_otherName(&object, parser->get_level(parser)+1,
+									 &id_type))
 				{
 					goto end;
 				}
@@ -1091,15 +1106,28 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
+	chunk_t encoding;
 
-	if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
+	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+		encoding = subject->get_encoding(subject);
+
+		if (this->encoding_hash.len &&
+			chunk_equals(this->encoding_hash, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->subjectKeyIdentifier.len &&
+			chunk_equals(this->subjectKeyIdentifier, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->public_key &&
+			this->public_key->has_fingerprint(this->public_key, encoding))
 		{
 			return ID_MATCH_PERFECT;
 		}
 	}
-
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
 	while (enumerator->enumerate(enumerator, &current))
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index bfb0ca621..7b488484e 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -684,7 +684,7 @@ x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args)
 				enumerator->destroy(enumerator);
 				continue;
 			}
-			case BUILD_PASSPHRASE:
+			case BUILD_CHALLENGE_PWD:
 				cert->challengePassword = chunk_clone(va_arg(args, chunk_t));
 				continue;
 			case BUILD_DIGEST_ALG:
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 8391781e2..11a7f023c 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -73,25 +73,25 @@ plugin_t *x509_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)x509_cert_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
 							(builder_function_t)x509_cert_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE,
 							(builder_function_t)x509_ac_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, TRUE,
 							(builder_function_t)x509_ac_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
 							(builder_function_t)x509_crl_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE,
 							(builder_function_t)x509_crl_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE,
 							(builder_function_t)x509_ocsp_request_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, TRUE,
 							(builder_function_t)x509_ocsp_response_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE,
 							(builder_function_t)x509_pkcs10_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, TRUE,
 							(builder_function_t)x509_pkcs10_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 69bba8d6f..e82e5246f 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index b9f03eeac..be18d92b8 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -27,10 +27,11 @@ typedef struct private_xcbc_t private_xcbc_t;
  * The variable names are the same as in the RFC.
  */
 struct private_xcbc_t {
+
 	/**
 	 * Public xcbc_t interface.
 	 */
-	xcbc_t xcbc;
+	xcbc_t public;
 
 	/**
 	 * Block size, in bytes
@@ -135,9 +136,9 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	if (this->remaining_bytes == this->b && !this->zero)
 	{
 		/* a) If the blocksize of M[n] is 128 bits:
-         *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
-         *    Key K1, yielding E[n].
-         */
+		 *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
+		 *    Key K1, yielding E[n].
+		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k2, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
@@ -147,20 +148,20 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 		/* b) If the blocksize of M[n] is less than 128 bits:
 		 *
 		 *  i) Pad M[n] with a single "1" bit, followed by the number of
-         *     "0" bits (possibly none) required to increase M[n]'s
-         *     blocksize to 128 bits.
-         */
-        if (this->remaining_bytes < this->b)
-        {
-		    this->remaining[this->remaining_bytes] = 0x80;
-		    while (++this->remaining_bytes < this->b)
-		    {
-			    this->remaining[this->remaining_bytes] = 0x00;
-		    }
-        }
-        /*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
-         *      with Key K1, yielding E[n].
-         */
+		 *     "0" bits (possibly none) required to increase M[n]'s
+		 *     blocksize to 128 bits.
+		 */
+		if (this->remaining_bytes < this->b)
+		{
+			this->remaining[this->remaining_bytes] = 0x80;
+			while (++this->remaining_bytes < this->b)
+			{
+				this->remaining[this->remaining_bytes] = 0x00;
+			}
+		}
+		/*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
+		 *      with Key K1, yielding E[n].
+		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k3, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
@@ -174,10 +175,8 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	this->zero = TRUE;
 }
 
-/**
- * Implementation of xcbc_t.get_mac.
- */
-static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
+METHOD(xcbc_t, get_mac, void,
+	private_xcbc_t *this, chunk_t data, u_int8_t *out)
 {
 	/* update E, do not process last block */
 	update(this, data);
@@ -188,18 +187,14 @@ static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
 	}
 }
 
-/**
- * Implementation of xcbc_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_t *this)
+METHOD(xcbc_t, get_block_size, size_t,
+	private_xcbc_t *this)
 {
 	return this->b;
 }
 
-/**
- * Implementation of xcbc_t.set_key.
- */
-static void set_key(private_xcbc_t *this, chunk_t key)
+METHOD(xcbc_t, set_key, void,
+	private_xcbc_t *this, chunk_t key)
 {
 	chunk_t iv, k1, lengthened;
 
@@ -228,11 +223,11 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 
 	/*
 	 * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
-     *     key K, as follows:
-     *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
-     *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
-     *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
-     */
+	 *     key K, as follows:
+	 *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
+	 *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
+	 *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
+	 */
 	this->k1->set_key(this->k1, lengthened);
 	memset(this->k2, 0x02, this->b);
 	this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL);
@@ -243,10 +238,8 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 	this->k1->set_key(this->k1, k1);
 }
 
-/**
- * Implementation of xcbc_t.destroy.
- */
-static void destroy(private_xcbc_t *this)
+METHOD(xcbc_t, destroy, void,
+	private_xcbc_t *this)
 {
 	this->k1->destroy(this->k1);
 	free(this->k2);
@@ -263,35 +256,38 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 {
 	private_xcbc_t *this;
 	crypter_t *crypter;
+	u_int8_t b;
 
 	crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
 	if (!crypter)
 	{
 		return NULL;
 	}
+	b = crypter->get_block_size(crypter);
 	/* input and output of crypter must be equal for xcbc */
-	if (crypter->get_block_size(crypter) != key_size)
+	if (b != key_size)
 	{
 		crypter->destroy(crypter);
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_t);
-	this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac;
-	this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size;
-	this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key;
-	this->xcbc.destroy = (void (*)(xcbc_t *))destroy;
-
-	this->b = crypter->get_block_size(crypter);
-	this->k1 = crypter;
-	this->k2 = malloc(this->b);
-	this->k3 = malloc(this->b);
-	this->e = malloc(this->b);
-	memset(this->e, 0, this->b);
-	this->remaining = malloc(this->b);
-	this->remaining_bytes = 0;
-	this->zero = TRUE;
-
-	return &this->xcbc;
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.get_block_size = _get_block_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.b = b,
+		.k1 = crypter,
+		.k2 = malloc(b),
+		.k3 = malloc(b),
+		.e = malloc(b),
+		.remaining = malloc(b),
+		.zero = TRUE,
+	);
+	memset(this->e, 0, b);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 9d903bfaa..88156f383 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -32,15 +32,13 @@ struct private_xcbc_plugin_t {
 	xcbc_plugin_t public;
 };
 
-/**
- * Implementation of xcbc_plugin_t.xcbctroy
- */
-static void destroy(private_xcbc_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_xcbc_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
-							(prf_constructor_t)xcbc_prf_create);
+					(prf_constructor_t)xcbc_prf_create);
 	lib->crypto->remove_signer(lib->crypto,
-							   (signer_constructor_t)xcbc_signer_create);
+					(signer_constructor_t)xcbc_signer_create);
 	free(this);
 }
 
@@ -49,14 +47,24 @@ static void destroy(private_xcbc_plugin_t *this)
  */
 plugin_t *xcbc_plugin_create()
 {
-	private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
+	private_xcbc_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
-						 (prf_constructor_t)xcbc_prf_create);
+					(prf_constructor_t)xcbc_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC,
+					(prf_constructor_t)xcbc_prf_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
-							(signer_constructor_t)xcbc_signer_create);
+					(signer_constructor_t)xcbc_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96,
+					(signer_constructor_t)xcbc_signer_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
index 2459dc616..ac9e1fda0 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
@@ -35,18 +35,14 @@ struct private_xcbc_prf_t {
 	xcbc_t *xcbc;
 };
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
+METHOD(prf_t, get_bytes, void,
+	private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
 	this->xcbc->get_mac(this->xcbc, seed, buffer);
 }
 
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	if (chunk)
 	{
@@ -59,35 +55,27 @@ static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chun
 	}
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_xcbc_prf_t *this)
 {
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_key_size(private_xcbc_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_xcbc_prf_t *this)
 {
 	/* in xcbc, block and key size are always equal */
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_xcbc_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_xcbc_prf_t *this, chunk_t key)
 {
 	this->xcbc->set_key(this->xcbc, key);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_xcbc_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_xcbc_prf_t *this)
 {
 	this->xcbc->destroy(this->xcbc);
 	free(this);
@@ -106,6 +94,9 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 		case PRF_AES128_XCBC:
 			xcbc = xcbc_create(ENCR_AES_CBC, 16);
 			break;
+		case PRF_CAMELLIA128_XCBC:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			break;
 		default:
 			return NULL;
 	}
@@ -114,15 +105,19 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_prf_t);
-	this->xcbc = xcbc;
-
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.xcbc = xcbc,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
index d2db9af41..294a853b4 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
@@ -34,9 +34,9 @@ typedef struct xcbc_prf_t xcbc_prf_t;
 struct xcbc_prf_t {
 
 	/**
-	 * Generic prf_t interface for this xcbc_prf_t class.
+	 * Implements prf_t interface.
 	 */
-	prf_t prf_interface;
+	prf_t prf;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
index 1c98d39d7..ece592323 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
@@ -41,11 +41,8 @@ struct private_xcbc_signer_t {
 	size_t block_size;
 };
 
-/**
- * Implementation of signer_t.get_signature.
- */
-static void get_signature(private_xcbc_signer_t *this,
-						  chunk_t data, u_int8_t *buffer)
+METHOD(signer_t, get_signature, void,
+	private_xcbc_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
 	if (buffer == NULL)
 	{	/* append mode */
@@ -60,11 +57,8 @@ static void get_signature(private_xcbc_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.allocate_signature.
- */
-static void allocate_signature (private_xcbc_signer_t *this,
-								chunk_t data, chunk_t *chunk)
+METHOD(signer_t, allocate_signature, void,
+	private_xcbc_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk == NULL)
 	{	/* append mode */
@@ -83,11 +77,8 @@ static void allocate_signature (private_xcbc_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.verify_signature.
- */
-static bool verify_signature(private_xcbc_signer_t *this,
-							 chunk_t data, chunk_t signature)
+METHOD(signer_t, verify_signature, bool,
+	private_xcbc_signer_t *this, chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
 
@@ -100,38 +91,29 @@ static bool verify_signature(private_xcbc_signer_t *this,
 	return memeq(signature.ptr, mac, this->block_size);
 }
 
-/**
- * Implementation of signer_t.get_key_size.
- */
-static size_t get_key_size(private_xcbc_signer_t *this)
+METHOD(signer_t, get_key_size, size_t,
+	private_xcbc_signer_t *this)
 {
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of signer_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_signer_t *this)
+METHOD(signer_t, get_block_size, size_t,
+	private_xcbc_signer_t *this)
 {
 	return this->block_size;
 }
 
-/**
- * Implementation of signer_t.set_key.
- */
-static void set_key(private_xcbc_signer_t *this, chunk_t key)
+METHOD(signer_t, set_key, void,
+	private_xcbc_signer_t *this, chunk_t key)
 {
 	this->xcbc->set_key(this->xcbc, key);
 }
 
-/**
- * Implementation of signer_t.destroy.
- */
-static status_t destroy(private_xcbc_signer_t *this)
+METHOD(signer_t, destroy, void,
+	private_xcbc_signer_t *this)
 {
 	this->xcbc->destroy(this->xcbc);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -149,6 +131,10 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 			xcbc = xcbc_create(ENCR_AES_CBC, 16);
 			trunc = 12;
 			break;
+		case AUTH_CAMELLIA_XCBC_96:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			trunc = 12;
+			break;
 		default:
 			return NULL;
 	}
@@ -157,18 +143,21 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_signer_t);
-	this->xcbc = xcbc;
-	this->block_size = min(trunc, xcbc->get_block_size(xcbc));
-
-	/* interface functions */
-	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
-	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
-	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
-	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
-	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
-	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
-	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.xcbc = xcbc,
+		.block_size = min(trunc, xcbc->get_block_size(xcbc)),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
index 181cfe299..56b55f223 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
@@ -31,9 +31,9 @@ typedef struct xcbc_signer_t xcbc_signer_t;
 struct xcbc_signer_t {
 
 	/**
-	 * generic signer_t interface for this signer
+	 * Implements signer_t interface.
 	 */
-	signer_t signer_interface;
+	signer_t signer;
 };
 
 /**