Imported Upstream version 5.1.2

author: Yves-Alexis Perez <corsac@debian.org> 2014-03-11 20:48:48 +0100
committer: Yves-Alexis Perez <corsac@debian.org> 2014-03-11 20:48:48 +0100
commit: 15fb7904f4431a6e7c305fd08732458f7f885e7e (patch)
tree: c93b60ee813af70509f00f34e29ebec311762427 /src
parent: 5313d2d78ca150515f7f5eb39801c100690b6b29 (diff)
download: vyos-strongswan-15fb7904f4431a6e7c305fd08732458f7f885e7e.tar.gz
vyos-strongswan-15fb7904f4431a6e7c305fd08732458f7f885e7e.zip
522 files changed, 22027 insertions, 3786 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 218c9434c..7d11893d1 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -96,12 +96,12 @@ if USE_MEDSRV
   SUBDIRS += medsrv
 endif
 
-if USE_INTEGRITY_TEST
-  SUBDIRS += checksum
-endif
-
 if USE_ATTR_SQL
   SUBDIRS += pool
+else
+if USE_SQL
+  SUBDIRS += pool
+endif
 endif
 
 if USE_TKM
@@ -116,8 +116,6 @@ if USE_LIBPTTLS
   SUBDIRS += pt-tls-client
 endif
 
-EXTRA_DIST = strongswan.conf
-
-install-exec-local :
-		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
-		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+if USE_INTEGRITY_TEST
+  SUBDIRS += checksum
+endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 42dfba38e..1c2a427f7 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -101,11 +101,12 @@ host_triplet = @host@
 @USE_FAST_TRUE@am__append_22 = libfast
 @USE_MANAGER_TRUE@am__append_23 = manager
 @USE_MEDSRV_TRUE@am__append_24 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_25 = checksum
-@USE_ATTR_SQL_TRUE@am__append_26 = pool
+@USE_ATTR_SQL_TRUE@am__append_25 = pool
+@USE_ATTR_SQL_FALSE@@USE_SQL_TRUE@am__append_26 = pool
 @USE_TKM_TRUE@am__append_27 = charon-tkm
 @USE_CMD_TRUE@am__append_28 = charon-cmd
 @USE_LIBPTTLS_TRUE@am__append_29 = pt-tls-client
+@USE_INTEGRITY_TEST_TRUE@am__append_30 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -183,8 +184,8 @@ DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
 	libtls libradius libtncif libtnccs libpttls libimcv libpts \
 	libcharon starter ipsec _copyright charon charon-nm stroke \
 	_updown _updown_espmark openac scepclient pki conftest dumm \
-	libfast manager medsrv checksum pool charon-tkm charon-cmd \
-	pt-tls-client
+	libfast manager medsrv pool charon-tkm charon-cmd \
+	pt-tls-client checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -225,8 +226,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -294,6 +293,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -382,12 +386,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -402,6 +410,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -421,8 +430,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
 	$(am__append_22) $(am__append_23) $(am__append_24) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
-	$(am__append_28) $(am__append_29)
-EXTRA_DIST = strongswan.conf
+	$(am__append_28) $(am__append_29) $(am__append_30)
 all: all-recursive
 
 .SUFFIXES:
@@ -678,7 +686,7 @@ install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
-install-exec-am: install-exec-local
+install-exec-am:
 
 install-html: install-html-recursive
 
@@ -725,19 +733,14 @@ uninstall-am:
 	ctags-am distclean distclean-generic distclean-libtool \
 	distclean-tags distdir dvi dvi-am html html-am info info-am \
 	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-exec-local \
-	install-html install-html-am install-info install-info-am \
-	install-man install-pdf install-pdf-am install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
-	uninstall-am
-
-
-install-exec-local :
-		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
-		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am tags tags-am uninstall uninstall-am
+
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 8a57e13bc..0783f9e7b 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -184,8 +184,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -253,6 +251,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -341,12 +344,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -361,6 +368,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index b20b17256..806f78062 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -24,7 +24,7 @@
 #include <library.h>
 
 static const char *copyright[] = {
-	"Copyright (C) 1999-2012",
+	"Copyright (C) 1999-2013",
 	"    Henry Spencer, D. Hugh Redelmeier, Michael Richardson, Ken Bantoft,",
 	"    Stephen J. Bevan, JuanJo Ciarlante, Thomas Egerer, Heiko Hund,",
 	"    Mathieu Lafon, Stephane Laroche, Kai Martius, Stephan Scholz,",
@@ -36,10 +36,12 @@ static const char *copyright[] = {
 	"    Roger Wegmann, Simon Zwahlen,",
 	"    ZHW Zuercher Hochschule Winterthur (Switzerland).",
 	"",
-	"    Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
-	"    Andreas Eigenmann, Giuliano Grassi, Reto Guadagnini, Fabian Hartmann,",
-	"    Noah Heusser, Jan Hutter, Thomas Kallenberg, Daniel Roethlisberger,",
-	"    Ralf Sager, Joel Stillhart, Daniel Wydler, Andreas Steffen,",
+	"    Philip Boetschi, Tobias Brunner, Christoph Buehler, Reto Buerki,",
+	"    Sansar Choinyambuu, Adrian Doerig, Andreas Eigenmann, Giuliano Grassi,",
+	"    Reto Guadagnini, Fabian Hartmann, Noah Heusser, Jan Hutter,",
+	"    Thomas Kallenberg, Patrick Loetscher, Daniel Roethlisberger,",
+	"    Adrian-Ken Rueegsegger, Ralf Sager, Joel Stillhart, Daniel Wydler,",
+	"    Andreas Steffen,",
 	"    HSR Hochschule fuer Technik Rapperswil (Switzerland).",
 	"",
 	"    Martin Willi (revosec AG), Clavister (Sweden).",
@@ -74,7 +76,7 @@ main(int argc, char *argv[])
 	const char **notice = copyright;
 	const char **co;
 
-	library_init(NULL);
+	library_init(NULL, "_copyright");
 	atexit(library_deinit);
 
 	while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 30f32b2b7..e77049543 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -165,8 +165,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -234,6 +232,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -322,12 +325,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -342,6 +349,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index c68c23d8a..532bd2437 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -50,6 +50,9 @@
 #       PLUTO_PROTO
 #              is the negotiated IPsec protocol, ah|esp
 #
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
 #
@@ -411,6 +414,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -435,6 +446,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -474,6 +492,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -517,6 +544,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 42522f5e8..918bd6a89 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -165,8 +165,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -234,6 +232,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -322,12 +325,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -342,6 +349,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index d484f6463..62d6cd725 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
index 25d706995..a2d424e9a 100644
--- a/src/charon-cmd/charon-cmd.8.in
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -116,6 +116,24 @@ address will always be proposed.
 .BI "\-\-remote\-ts " subnet
 Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
 .TP
+.BI "\-\-ike\-proposal " proposal
+IKE proposal to offer instead of default. For IKEv1, a single proposal consists
+of one encryption algorithm, an integrity/PRF algorithm and a DH group. IKEv2
+can propose multiple algorithms of the same kind. To specify multiple proposals,
+repeat the option.
+.TP
+.BI "\-\-esp\-proposal " proposal
+ESP proposal to offer instead of default. For IKEv1, a single proposal consists
+of one encryption algorithm, an integrity algorithm and an optional DH group for
+Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the
+same kind. To specify multiple proposals, repeat the option.
+.TP
+.BI "\-\-ah\-proposal " proposal
+AH proposal to offer instead of ESP. For IKEv1, a single proposal consists
+of an integrity algorithm and an optional DH group for Perfect Forward Secrecy
+rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify
+multiple proposals, repeat the option.
+.TP
 .BI "\-\-profile " name
 Authentication profile to use, the list of supported profiles can be found
 in the
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 5f4787b58..a70d314af 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -322,7 +322,7 @@ int main(int argc, char *argv[])
 
 	dbg = dbg_stderr;
 	atexit(library_deinit);
-	if (!library_init(NULL))
+	if (!library_init(NULL, "charon-cmd"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
@@ -334,12 +334,12 @@ int main(int argc, char *argv[])
 		}
 	}
 	atexit(libhydra_deinit);
-	if (!libhydra_init("charon-cmd"))
+	if (!libhydra_init())
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 	atexit(libcharon_deinit);
-	if (!libcharon_init("charon-cmd"))
+	if (!libcharon_init())
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
@@ -389,6 +389,7 @@ int main(int argc, char *argv[])
 	sigaddset(&action.sa_mask, SIGINT);
 	sigaddset(&action.sa_mask, SIGTERM);
 	sigaddset(&action.sa_mask, SIGHUP);
+	sigaddset(&action.sa_mask, SIGUSR1);
 	sigaction(SIGSEGV, &action, NULL);
 	sigaction(SIGILL, &action, NULL);
 	sigaction(SIGBUS, &action, NULL);
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 180e8da98..ac085e131 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -87,6 +87,16 @@ struct private_cmd_connection_t {
 	linked_list_t *remote_ts;
 
 	/**
+	 * List of IKE proposals
+	 */
+	linked_list_t *ike_proposals;
+
+	/**
+	 * List of CHILD proposals
+	 */
+	linked_list_t *child_proposals;
+
+	/**
 	 * Hostname to connect to
 	 */
 	char *host;
@@ -135,6 +145,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 	u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
 	ike_version_t version = IKE_ANY;
 	bool aggressive = FALSE;
+	proposal_t *proposal;
 
 	switch (this->profile)
 	{
@@ -165,7 +176,18 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 	}
 	ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", local_port,
 					this->host, remote_port, FRAGMENTATION_NO, 0);
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	if (this->ike_proposals->get_count(this->ike_proposals))
+	{
+		while (this->ike_proposals->remove_first(this->ike_proposals,
+												 (void**)&proposal) == SUCCESS)
+		{
+			ike_cfg->add_proposal(ike_cfg, proposal);
+		}
+	}
+	else
+	{
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	}
 	peer_cfg = peer_cfg_create("cmd", ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
 					36000, 0, /* rekey 10h, reauth none */
@@ -173,7 +195,6 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 					TRUE, aggressive, TRUE, /* mobike, aggressive, pull */
 					30, 0, /* DPD delay, timeout */
 					FALSE, NULL, NULL); /* mediation */
-	peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
 
 	return peer_cfg;
 }
@@ -306,10 +327,13 @@ static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
 /**
  * Attach child config to peer config
  */
-static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
+static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
+									 peer_cfg_t *peer_cfg)
 {
 	child_cfg_t *child_cfg;
 	traffic_selector_t *ts;
+	proposal_t *proposal;
+	bool has_v4 = FALSE, has_v6 = FALSE;
 	lifetime_cfg_t lifetime = {
 		.time = {
 			.life = 10800 /* 3h */,
@@ -322,7 +346,18 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
 								 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
 								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
 								 0, 0, NULL, NULL, 0);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	if (this->child_proposals->get_count(this->child_proposals))
+	{
+		while (this->child_proposals->remove_first(this->child_proposals,
+												(void**)&proposal) == SUCCESS)
+		{
+			child_cfg->add_proposal(child_cfg, proposal);
+		}
+	}
+	else
+	{
+		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	}
 	while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
 	{
 		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -333,12 +368,31 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
 		ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
 									"0.0.0.0", 0, "255.255.255.255", 65535);
 		this->remote_ts->insert_last(this->remote_ts, ts);
+		has_v4 = TRUE;
 	}
 	while (this->remote_ts->remove_first(this->remote_ts,
 										 (void**)&ts) == SUCCESS)
 	{
+		switch (ts->get_type(ts))
+		{
+			case TS_IPV4_ADDR_RANGE:
+				has_v4 = TRUE;
+				break;
+			case TS_IPV6_ADDR_RANGE:
+				has_v6 = TRUE;
+				break;
+		}
 		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 	}
+	if (has_v4)
+	{
+		peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+	}
+	if (has_v6)
+	{
+		peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("::", 0));
+	}
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
 
 	return child_cfg;
 }
@@ -374,8 +428,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
 		return JOB_REQUEUE_NONE;
 	}
 
-	child_cfg = create_child_cfg(this);
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+	child_cfg = create_child_cfg(this, peer_cfg);
 
 	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
 									 controller_cb_empty, NULL, 0) != SUCCESS)
@@ -421,6 +474,8 @@ static void set_profile(private_cmd_connection_t *this, char *name)
 METHOD(cmd_connection_t, handle, bool,
 	private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
 {
+	proposal_t *proposal;
+
 	switch (opt)
 	{
 		case CMD_OPT_HOST:
@@ -447,6 +502,30 @@ METHOD(cmd_connection_t, handle, bool,
 		case CMD_OPT_REMOTE_TS:
 			add_ts(this, this->remote_ts, arg);
 			break;
+		case CMD_OPT_IKE_PROPOSAL:
+			proposal = proposal_create_from_string(PROTO_IKE, arg);
+			if (!proposal)
+			{
+				exit(1);
+			}
+			this->ike_proposals->insert_last(this->ike_proposals, proposal);
+			break;
+		case CMD_OPT_ESP_PROPOSAL:
+			proposal = proposal_create_from_string(PROTO_ESP, arg);
+			if (!proposal)
+			{
+				exit(1);
+			}
+			this->child_proposals->insert_last(this->child_proposals, proposal);
+			break;
+		case CMD_OPT_AH_PROPOSAL:
+			proposal = proposal_create_from_string(PROTO_AH, arg);
+			if (!proposal)
+			{
+				exit(1);
+			}
+			this->child_proposals->insert_last(this->child_proposals, proposal);
+			break;
 		case CMD_OPT_PROFILE:
 			set_profile(this, arg);
 			break;
@@ -459,6 +538,10 @@ METHOD(cmd_connection_t, handle, bool,
 METHOD(cmd_connection_t, destroy, void,
 	private_cmd_connection_t *this)
 {
+	this->ike_proposals->destroy_offset(this->ike_proposals,
+								offsetof(proposal_t, destroy));
+	this->child_proposals->destroy_offset(this->child_proposals,
+								offsetof(proposal_t, destroy));
 	this->local_ts->destroy_offset(this->local_ts,
 								offsetof(traffic_selector_t, destroy));
 	this->remote_ts->destroy_offset(this->remote_ts,
@@ -481,6 +564,8 @@ cmd_connection_t *cmd_connection_create()
 		.pid = getpid(),
 		.local_ts = linked_list_create(),
 		.remote_ts = linked_list_create(),
+		.ike_proposals = linked_list_create(),
+		.child_proposals = linked_list_create(),
 		.profile = PROF_UNDEF,
 	);
 
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
index 597ccda1f..5428941ff 100644
--- a/src/charon-cmd/cmd/cmd_options.c
+++ b/src/charon-cmd/cmd/cmd_options.c
@@ -56,6 +56,12 @@ cmd_option_t cmd_options[CMD_OPT_COUNT] = {
 	  "additional traffic selector to propose for our side", {}},
 	{ CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
 	  "traffic selector to propose for remote side", {}},
+	{ CMD_OPT_IKE_PROPOSAL, "ike-proposal", required_argument, "proposal",
+	  "a single IKE proposal to offer instead of the default", {}},
+	{ CMD_OPT_ESP_PROPOSAL, "esp-proposal", required_argument, "proposal",
+	  "a single ESP proposal to offer instead of the default", {}},
+	{ CMD_OPT_AH_PROPOSAL, "ah-proposal", required_argument, "proposal",
+	  "a single AH proposal to offer instead of the default", {}},
 	{ CMD_OPT_PROFILE, "profile", required_argument, "name",
 	  "authentication profile to use, where name is one of:", {
 		"  ikev2-pub, ikev2-eap, ikev2-pub-eap",
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
index 6b8b04cdf..c7441e795 100644
--- a/src/charon-cmd/cmd/cmd_options.h
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -45,6 +45,9 @@ enum cmd_option_type_t {
 	CMD_OPT_AGENT,
 	CMD_OPT_LOCAL_TS,
 	CMD_OPT_REMOTE_TS,
+	CMD_OPT_IKE_PROPOSAL,
+	CMD_OPT_AH_PROPOSAL,
+	CMD_OPT_ESP_PROPOSAL,
 	CMD_OPT_PROFILE,
 
 	CMD_OPT_COUNT
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index c204c8c3a..955d15313 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -192,8 +192,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -261,6 +259,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -349,12 +352,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -369,6 +376,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 9ce6dbaeb..32cec36ec 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -161,7 +161,7 @@ int main(int argc, char *argv[])
 	dbg = dbg_syslog;
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "charon-nm"))
 	{
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -175,7 +175,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	if (!libhydra_init("charon-nm"))
+	if (!libhydra_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
 		libhydra_deinit();
@@ -183,7 +183,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 
-	if (!libcharon_init("charon-nm"))
+	if (!libcharon_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
 		goto deinit;
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index f474dad60..ebebde2c0 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -22,10 +22,6 @@
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
-#ifndef CAP_DAC_OVERRIDE
-#define CAP_DAC_OVERRIDE 1
-#endif
-
 typedef struct nm_backend_t nm_backend_t;
 
 /**
@@ -143,14 +139,6 @@ static bool nm_backend_init()
 		return FALSE;
 	}
 
-	/* bypass file permissions to read from users ssh-agent */
-	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
-	{
-		DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
-		nm_backend_deinit();
-		return FALSE;
-	}
-
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
 				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index f37367532..f0daff61e 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -412,9 +412,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		loose_gateway_id = TRUE;
 	}
 
-	if (auth_class == AUTH_CLASS_EAP)
+	if (auth_class == AUTH_CLASS_EAP ||
+		auth_class == AUTH_CLASS_PSK)
 	{
-		/* username/password authentication ... */
+		/* username/password or PSK authentication ... */
 		str = nm_setting_vpn_get_data_item(vpn, "user");
 		if (str)
 		{
@@ -548,7 +549,14 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth->add(auth, AUTH_RULE_IDENTITY, user);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
 	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	if (auth_class == AUTH_CLASS_PSK)
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	}
+	else
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	}
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
@@ -623,7 +631,7 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 	method = nm_setting_vpn_get_data_item(settings, "method");
 	if (method)
 	{
-		if (streq(method, "eap"))
+		if (streq(method, "eap") || streq(method, "psk"))
 		{
 			if (nm_setting_vpn_get_secret(settings, "password"))
 			{
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index 0fef1f62d..d2b81a3ea 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -1,26 +1,30 @@
-SRC = $(top_builddir)/src
+SRC = $(abs_top_srcdir)/src
+OBJ = $(abs_top_builddir)/src
 
-# includes relative to obj directory
 AM_CPPFLAGS = \
-	-include $(top_builddir)/config.h \
-	-I../$(SRC)/libstrongswan \
-	-I../$(SRC)/libhydra \
-	-I../$(SRC)/libcharon
+	-include $(abs_top_builddir)/config.h \
+	-I$(SRC)/libstrongswan \
+	-I$(SRC)/libhydra \
+	-I$(SRC)/libcharon
 
 LIBLD = \
-	-L$(SRC)/libstrongswan/.libs \
-	-L$(SRC)/libhydra/.libs \
-	-L$(SRC)/libcharon/.libs
-LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+	-L$(OBJ)/libstrongswan/.libs \
+	-L$(OBJ)/libhydra/.libs \
+	-L$(OBJ)/libcharon/.libs
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
 LIBFL = -lstrongswan -lhydra -lcharon
 
 DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
 
 BUILD_OPTS = \
-	-XOBJ_DIR=$(CURDIR)/obj \
+	-XOBJ_DIR=$(abs_builddir)/obj \
 	-cargs $(AM_CPPFLAGS) $(DEFS) \
 	-largs $(LIBLD) $(LIBFL)
 
+TEST_OPTS = \
+	-cargs -DBUILDDIR=\"${abs_top_builddir}\" \
+	-largs -L$(OBJ)/libstrongswan/tests/.libs -ltest
+
 # plugins to enable
 PLUGINS = \
 	kernel-netlink \
@@ -35,15 +39,15 @@ build_charon: build_charon.gpr src/charon-tkm.c
 	@$(GPRBUILD) -p $< $(BUILD_OPTS)
 
 build_tests: build_tests.gpr
-	@$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+	@$(GPRBUILD) -p $< $(BUILD_OPTS) $(TEST_OPTS)
+
+check-tkm: build_tests
+	@LD_LIBRARY_PATH=$(LIBPT) obj/tests
 
-if UNITTESTS
-check: build_tests
-	@LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
-else
 check:
-	@echo "reconfigure with --enable-unit-tests"
-endif
+	@echo "TKM tests are not run automatically because they have to be run as root" >&2
+	@echo "and require a properly configured TKM daemon to be running." >&2
+	@echo "They can be run from '$(abs_builddir)' with 'make check-tkm'" >&2
 
 install: build_charon
 	$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 5f878acf9..15e654d00 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -131,8 +131,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -200,6 +198,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -288,12 +291,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -308,6 +315,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -318,27 +326,30 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-SRC = $(top_builddir)/src
-
-# includes relative to obj directory
+SRC = $(abs_top_srcdir)/src
+OBJ = $(abs_top_builddir)/src
 AM_CPPFLAGS = \
-	-include $(top_builddir)/config.h \
-	-I../$(SRC)/libstrongswan \
-	-I../$(SRC)/libhydra \
-	-I../$(SRC)/libcharon
+	-include $(abs_top_builddir)/config.h \
+	-I$(SRC)/libstrongswan \
+	-I$(SRC)/libhydra \
+	-I$(SRC)/libcharon
 
 LIBLD = \
-	-L$(SRC)/libstrongswan/.libs \
-	-L$(SRC)/libhydra/.libs \
-	-L$(SRC)/libcharon/.libs
+	-L$(OBJ)/libstrongswan/.libs \
+	-L$(OBJ)/libhydra/.libs \
+	-L$(OBJ)/libcharon/.libs
 
-LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
 LIBFL = -lstrongswan -lhydra -lcharon
 BUILD_OPTS = \
-	-XOBJ_DIR=$(CURDIR)/obj \
+	-XOBJ_DIR=$(abs_builddir)/obj \
 	-cargs $(AM_CPPFLAGS) $(DEFS) \
 	-largs $(LIBLD) $(LIBFL)
 
+TEST_OPTS = \
+	-cargs -DBUILDDIR=\"${abs_top_builddir}\" \
+	-largs -L$(OBJ)/libstrongswan/tests/.libs -ltest
+
 
 # plugins to enable
 PLUGINS = \
@@ -543,12 +554,15 @@ build_charon: build_charon.gpr src/charon-tkm.c
 	@$(GPRBUILD) -p $< $(BUILD_OPTS)
 
 build_tests: build_tests.gpr
-	@$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+	@$(GPRBUILD) -p $< $(BUILD_OPTS) $(TEST_OPTS)
+
+check-tkm: build_tests
+	@LD_LIBRARY_PATH=$(LIBPT) obj/tests
 
-@UNITTESTS_TRUE@check: build_tests
-@UNITTESTS_TRUE@	@LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
-@UNITTESTS_FALSE@check:
-@UNITTESTS_FALSE@	@echo "reconfigure with --enable-unit-tests"
+check:
+	@echo "TKM tests are not run automatically because they have to be run as root" >&2
+	@echo "and require a properly configured TKM daemon to be running." >&2
+	@echo "They can be run from '$(abs_builddir)' with 'make check-tkm'" >&2
 
 install: build_charon
 	$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
diff --git a/src/charon-tkm/build_common.gpr b/src/charon-tkm/build_common.gpr
index ac322d713..102f6b7a2 100644
--- a/src/charon-tkm/build_common.gpr
+++ b/src/charon-tkm/build_common.gpr
@@ -5,7 +5,7 @@ project Build_Common is
 
    for Source_Dirs use ();
 
-   Obj_Dir := "obj";
+   Obj_Dir := external ("OBJ_DIR", "obj");
 
    C_Compiler_Switches   := ("-W",
                              "-Wall",
diff --git a/src/charon-tkm/build_tests.gpr b/src/charon-tkm/build_tests.gpr
index 032c7969e..2bdc99650 100644
--- a/src/charon-tkm/build_tests.gpr
+++ b/src/charon-tkm/build_tests.gpr
@@ -4,11 +4,15 @@ project Build_Tests is
 
    for Languages use ("Ada", "C");
    for Source_Dirs use ("src/ees", "src/ehandler", "src/tkm", "tests");
-   for Main use ("test_runner");
+   for Main use ("tests");
    for Object_Dir use Build_Common.Obj_Dir;
 
    package Compiler is
       for Default_Switches ("c") use Build_Common.C_Compiler_Switches;
    end Compiler;
 
+   package Binder is
+      for Default_Switches ("ada") use Build_Common.Ada_Binder_Switches;
+   end Binder;
+
 end Build_Tests;
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 14a735590..9a22f9ad9 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -250,13 +250,13 @@ int main(int argc, char *argv[])
 	dbg = dbg_syslog;
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, dmn_name))
 	{
 		library_deinit();
 		exit(status);
 	}
 
-	if (!libhydra_init(dmn_name))
+	if (!libhydra_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
 		libhydra_deinit();
@@ -264,7 +264,7 @@ int main(int argc, char *argv[])
 		exit(status);
 	}
 
-	if (!libcharon_init(dmn_name))
+	if (!libcharon_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
 		goto deinit;
@@ -288,10 +288,6 @@ int main(int argc, char *argv[])
 	static plugin_feature_t features[] = {
 		PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
 			PLUGIN_PROVIDE(NONCE_GEN),
-		PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
-			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 		PLUGIN_REGISTER(PUBKEY, tkm_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
 			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
@@ -302,6 +298,12 @@ int main(int argc, char *argv[])
 	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
 			countof(features), TRUE);
 
+	if (!register_dh_mapping())
+	{
+		DBG1(DBG_DMN, "no DH group mapping defined - aborting %s", dmn_name);
+		goto deinit;
+	}
+
 	/* register TKM keymat variant */
 	keymat_register_constructor(IKEV2, (keymat_constructor_t)tkm_keymat_create);
 
@@ -380,6 +382,7 @@ int main(int argc, char *argv[])
 	lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
 
 deinit:
+	destroy_dh_mapping();
 	libcharon_deinit();
 	libhydra_deinit();
 	library_deinit();
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c
index a39221dc2..61eb6056c 100644
--- a/src/charon-tkm/src/tkm/tkm.c
+++ b/src/charon-tkm/src/tkm/tkm.c
@@ -61,7 +61,7 @@ bool tkm_init()
 	ehandler_init();
 
 	ikesock = lib->settings->get_str(lib->settings, "%s.ike_socket", IKE_SOCKET,
-									 charon->name);
+									 lib->ns);
 	if (ike_init(ikesock) != TKM_OK)
 	{
 		tkmlib_final();
@@ -70,7 +70,7 @@ bool tkm_init()
 	DBG1(DBG_DMN, "connected to TKM via socket '%s'", ikesock);
 
 	eessock = lib->settings->get_str(lib->settings, "%s.ees_socket", EES_SOCKET,
-									 charon->name);
+									 lib->ns);
 	ees_server_init(eessock);
 	DBG1(DBG_DMN, "serving EES requests on socket '%s'", eessock);
 
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 19f57de01..a34d0b1d4 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -21,10 +21,13 @@
 #include "tkm_utils.h"
 #include "tkm_diffie_hellman.h"
 
-#include <utils/debug.h>
+#include <daemon.h>
+#include <collections/hashtable.h>
 
 typedef struct private_tkm_diffie_hellman_t private_tkm_diffie_hellman_t;
 
+static hashtable_t *group_map = NULL;
+
 /**
  * Private data of a tkm_diffie_hellman_t object.
  */
@@ -102,6 +105,95 @@ METHOD(tkm_diffie_hellman_t, get_id, dh_id_type,
 	return this->context_id;
 }
 
+static u_int hash(void *key)
+{
+	diffie_hellman_group_t k = *(diffie_hellman_group_t*)key;
+	return chunk_hash(chunk_from_thing(k));
+}
+
+static bool equals(void *key, void *other_key)
+{
+	return *(diffie_hellman_group_t*)key == *(diffie_hellman_group_t*)other_key;
+}
+
+/*
+ * Described in header.
+ */
+int register_dh_mapping()
+{
+	int count, i;
+	char *iana_id_str, *tkm_id_str;
+	diffie_hellman_group_t *iana_id;
+	u_int64_t *tkm_id;
+	hashtable_t *map;
+	enumerator_t *enumerator;
+
+	map = hashtable_create((hashtable_hash_t)hash,
+						   (hashtable_equals_t)equals, 16);
+
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+															"%s.dh_mapping",
+															lib->ns);
+
+	while (enumerator->enumerate(enumerator, &iana_id_str, &tkm_id_str))
+	{
+		iana_id = malloc_thing(diffie_hellman_group_t);
+		*iana_id = settings_value_as_int(iana_id_str, 0);
+		tkm_id = malloc_thing(u_int64_t);
+		*tkm_id = settings_value_as_int(tkm_id_str, 0);
+
+		map->put(map, iana_id, tkm_id);
+	}
+	enumerator->destroy(enumerator);
+
+	count = map->get_count(map);
+	plugin_feature_t f[count + 1];
+	f[0] = PLUGIN_REGISTER(DH, tkm_diffie_hellman_create);
+
+	i = 1;
+	enumerator = map->create_enumerator(map);
+	while (enumerator->enumerate(enumerator, &iana_id, &tkm_id))
+	{
+		f[i] = PLUGIN_PROVIDE(DH, *iana_id);
+		i++;
+	}
+	enumerator->destroy(enumerator);
+
+	lib->plugins->add_static_features(lib->plugins, "tkm-dh", f, countof(f), TRUE);
+
+	if (count > 0)
+	{
+		group_map = map;
+	}
+	else
+	{
+		map->destroy(map);
+	}
+
+	return count;
+}
+
+/*
+ * Described in header.
+ */
+void destroy_dh_mapping()
+{
+	enumerator_t *enumerator;
+	char *key, *value;
+
+	if (group_map)
+	{
+		enumerator = group_map->create_enumerator(group_map);
+		while (enumerator->enumerate(enumerator, &key, &value))
+		{
+			free(key);
+			free(value);
+		}
+		enumerator->destroy(enumerator);
+		group_map->destroy(group_map);
+	}
+}
+
 /*
  * Described in header.
  */
@@ -109,6 +201,11 @@ tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group)
 {
 	private_tkm_diffie_hellman_t *this;
 
+	if (!group_map)
+	{
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.dh = {
@@ -130,7 +227,14 @@ tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group)
 		return NULL;
 	}
 
-	if (ike_dh_create(this->context_id, group, &this->pubvalue) != TKM_OK)
+	u_int64_t *dha_id = group_map->get(group_map, &group);
+	if (!dha_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	if (ike_dh_create(this->context_id, *dha_id, &this->pubvalue) != TKM_OK)
 	{
 		free(this);
 		return NULL;
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.h b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
index a144303fa..d38a414d8 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
@@ -47,6 +47,19 @@ struct tkm_diffie_hellman_t {
 };
 
 /**
+ * Loads IANA DH group identifier to TKM id mapping from config and registers
+ * the corresponding DH features.
+ *
+ * @return          number of registered mappings
+ */
+int register_dh_mapping();
+
+/**
+ * Destroy IANA DH group identifier to TKM id mapping.
+ */
+void destroy_dh_mapping();
+
+/**
  * Creates a new tkm_diffie_hellman_t object.
  *
  * @param group			Diffie Hellman group number to use
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
index 407d0a87f..0fadf1acf 100644
--- a/src/charon-tkm/src/tkm/tkm_id_manager.c
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -17,7 +17,6 @@
 #include "tkm_id_manager.h"
 
 #include <utils/debug.h>
-#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 #define TKM_LIMIT 100
diff --git a/src/charon-tkm/tests/chunk_map_tests.c b/src/charon-tkm/tests/chunk_map_tests.c
index 6deef9a80..1283a787c 100644
--- a/src/charon-tkm/tests/chunk_map_tests.c
+++ b/src/charon-tkm/tests/chunk_map_tests.c
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-#include <check.h>
+#include <tests/test_suite.h>
 
 #include "tkm_chunk_map.h"
 
@@ -48,11 +48,20 @@ START_TEST(test_chunk_map_handling)
 }
 END_TEST
 
-TCase *make_chunk_map_tests(void)
+Suite *make_chunk_map_tests()
 {
-	TCase *tc = tcase_create("Chunk map tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("chunk map");
+
+	tc = tcase_create("creating");
 	tcase_add_test(tc, test_chunk_map_creation);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("handling");
 	tcase_add_test(tc, test_chunk_map_handling);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c
index ffe99614d..89658a770 100644
--- a/src/charon-tkm/tests/diffie_hellman_tests.c
+++ b/src/charon-tkm/tests/diffie_hellman_tests.c
@@ -14,7 +14,8 @@
  * for more details.
  */
 
-#include <check.h>
+#include <daemon.h>
+#include <tests/test_suite.h>
 
 #include "tkm_diffie_hellman.h"
 
@@ -49,11 +50,20 @@ START_TEST(test_dh_get_my_pubvalue)
 }
 END_TEST
 
-TCase *make_diffie_hellman_tests(void)
+Suite *make_diffie_hellman_tests()
 {
-	TCase *tc = tcase_create("Diffie-Hellman tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("Diffie-Hellman");
+
+	tc = tcase_create("creation");
 	tcase_add_test(tc, test_dh_creation);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get_my_pubvalue");
 	tcase_add_test(tc, test_dh_get_my_pubvalue);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon-tkm/tests/id_manager_tests.c b/src/charon-tkm/tests/id_manager_tests.c
index 15522f118..8157496ca 100644
--- a/src/charon-tkm/tests/id_manager_tests.c
+++ b/src/charon-tkm/tests/id_manager_tests.c
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-#include <check.h>
+#include <tests/test_suite.h>
 
 #include "tkm_id_manager.h"
 
@@ -135,16 +135,28 @@ START_TEST(test_release_id_nonexistent)
 }
 END_TEST
 
-TCase *make_id_manager_tests(void)
+Suite *make_id_manager_tests()
 {
-	TCase *tc = tcase_create("Context id manager tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("context id manager");
+
+	tc = tcase_create("creation");
 	tcase_add_test(tc, test_id_mgr_creation);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("acquire");
 	tcase_add_test(tc, test_acquire_id);
 	tcase_add_test(tc, test_acquire_id_invalid_kind);
 	tcase_add_test(tc, test_acquire_id_same);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("release");
 	tcase_add_test(tc, test_release_id);
 	tcase_add_test(tc, test_release_id_invalid_kind);
 	tcase_add_test(tc, test_release_id_nonexistent);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index 11785602d..6f0b396d3 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-#include <check.h>
+#include <tests/test_suite.h>
 
 #include "tkm_kernel_sad.h"
 
@@ -107,16 +107,31 @@ START_TEST(test_remove_nonexistent)
 }
 END_TEST
 
-TCase *make_kernel_sad_tests(void)
+Suite *make_kernel_sad_tests()
 {
-	TCase *tc = tcase_create("Kernel SAD tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("kernel SAD tests");
+
+	tc = tcase_create("creation");
 	tcase_add_test(tc, test_sad_creation);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("insert");
 	tcase_add_test(tc, test_insert);
 	tcase_add_test(tc, test_insert_duplicate);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get_esa_id");
 	tcase_add_test(tc, test_get_esa_id);
 	tcase_add_test(tc, test_get_esa_id_nonexistent);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove");
 	tcase_add_test(tc, test_remove);
 	tcase_add_test(tc, test_remove_nonexistent);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 2a7525d4e..1982671d3 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -14,7 +14,8 @@
  * for more details.
  */
 
-#include <check.h>
+#include <tests/test_suite.h>
+
 #include <daemon.h>
 #include <hydra.h>
 #include <config/proposal.h>
@@ -139,11 +140,20 @@ START_TEST(test_derive_child_keys)
 }
 END_TEST
 
-TCase *make_keymat_tests(void)
+Suite *make_keymat_tests()
 {
-	TCase *tc = tcase_create("Keymat tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("keymat");
+
+	tc = tcase_create("derive IKE keys");
 	tcase_add_test(tc, test_derive_ike_keys);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("derive CHILD keys");
 	tcase_add_test(tc, test_derive_child_keys);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c
index 3a1effab8..6f524cb22 100644
--- a/src/charon-tkm/tests/nonceg_tests.c
+++ b/src/charon-tkm/tests/nonceg_tests.c
@@ -14,7 +14,8 @@
  * for more details.
  */
 
-#include <check.h>
+#include <tests/test_suite.h>
+
 #include <tkm/client.h>
 
 #include "tkm.h"
@@ -82,12 +83,24 @@ START_TEST(test_nonceg_get_nonce)
 }
 END_TEST
 
-TCase *make_nonceg_tests(void)
+Suite *make_nonceg_tests()
 {
-	TCase *tc = tcase_create("Nonce generator tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("nonce generator");
+
+	tc = tcase_create("creation");
 	tcase_add_test(tc, test_nonceg_creation);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("allocate");
 	tcase_add_test(tc, test_nonceg_allocate_nonce);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get");
 	tcase_add_test(tc, test_nonceg_get_nonce);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon-tkm/tests/test_runner.c b/src/charon-tkm/tests/test_runner.c
deleted file mode 100644
index 5ae032935..000000000
--- a/src/charon-tkm/tests/test_runner.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2012 Reto Buerki
- * Copyright (C) 2012 Adrian-Ken Rueegsegger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <hydra.h>
-#include <daemon.h>
-
-#include "tkm.h"
-#include "tkm_nonceg.h"
-#include "tkm_diffie_hellman.h"
-#include "tkm_kernel_ipsec.h"
-#include "test_runner.h"
-
-int main(void)
-{
-	library_init(NULL);
-	libhydra_init("test_runner");
-	libcharon_init("test_runner");
-
-	lib->settings->set_int(lib->settings, "test_runner.filelog.stdout.default",
-						   1);
-	charon->load_loggers(charon, NULL, FALSE);
-
-	/* Register TKM specific plugins */
-	static plugin_feature_t features[] = {
-		PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
-			PLUGIN_PROVIDE(NONCE_GEN),
-		PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
-			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
-		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
-			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
-	};
-	lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
-			countof(features), TRUE);
-
-	if (!charon->initialize(charon, PLUGINS))
-	{
-		fprintf(stderr, "Unable to init charon");
-		return EXIT_FAILURE;
-	}
-
-	if (!tkm_init())
-	{
-		fprintf(stderr, "Could not connect to TKM, aborting tests\n");
-		return EXIT_FAILURE;
-	}
-
-	int number_failed;
-	Suite *s = suite_create("TKM tests");
-	suite_add_tcase(s, make_id_manager_tests());
-	suite_add_tcase(s, make_chunk_map_tests());
-	suite_add_tcase(s, make_utility_tests());
-	suite_add_tcase(s, make_nonceg_tests());
-	suite_add_tcase(s, make_diffie_hellman_tests());
-	suite_add_tcase(s, make_keymat_tests());
-	suite_add_tcase(s, make_kernel_sad_tests());
-
-	SRunner *sr = srunner_create(s);
-
-	srunner_run_all(sr, CK_NORMAL);
-	number_failed = srunner_ntests_failed(sr);
-
-	tkm_deinit();
-	libcharon_deinit();
-	libhydra_deinit();
-	library_deinit();
-	srunner_free(sr);
-
-	return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
-}
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
new file mode 100644
index 000000000..18754c717
--- /dev/null
+++ b/src/charon-tkm/tests/tests.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <tests/test_runner.h>
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_kernel_ipsec.h"
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+	{ .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tests.h"
+	{ .suite = NULL, }
+};
+
+static bool tkm_initialized = false;
+
+static bool test_runner_init(bool init)
+{
+	bool result = TRUE;
+
+	if (init)
+	{
+		libhydra_init();
+		libcharon_init();
+		lib->settings->set_int(lib->settings,
+							   "test_runner.filelog.stdout.default", 0);
+		charon->load_loggers(charon, NULL, FALSE);
+
+		/* Register TKM specific plugins */
+		static plugin_feature_t features[] = {
+			PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
+				PLUGIN_PROVIDE(NONCE_GEN),
+			PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
+				PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+		};
+		lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
+										  countof(features), TRUE);
+
+		lib->settings->set_int(lib->settings, "%s.dh_mapping.%d", 1,
+							   lib->ns, MODP_3072_BIT);
+		lib->settings->set_int(lib->settings, "%s.dh_mapping.%d", 2,
+							   lib->ns, MODP_4096_BIT);
+		register_dh_mapping();
+
+		plugin_loader_add_plugindirs(BUILDDIR "/src/libstrongswan/plugins",
+									 PLUGINS);
+		plugin_loader_add_plugindirs(BUILDDIR "/src/libhydra/plugins",
+									 PLUGINS);
+		plugin_loader_add_plugindirs(BUILDDIR "/src/libcharon/plugins",
+									 PLUGINS);
+		if (charon->initialize(charon, PLUGINS))
+		{
+			if (!tkm_initialized)
+			{
+				if (!tkm_init())
+				{
+					return FALSE;
+				}
+				tkm_initialized = true;
+			}
+			return TRUE;
+		}
+		result = FALSE;
+	}
+
+	destroy_dh_mapping();
+	libcharon_deinit();
+	libhydra_deinit();
+	return result;
+}
+
+int main(int argc, char *argv[])
+{
+	bool result;
+
+	/* disable leak detective because of how tkm_init/deinit is called, which
+	 * does not work otherwise due to limitations of the external libraries */
+	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
+
+	result = test_runner_run("tkm", tests, test_runner_init);
+	tkm_deinit();
+
+	return result;
+}
diff --git a/src/charon-tkm/tests/test_runner.h b/src/charon-tkm/tests/tests.h
index 236a7f2a6..fb5e96a9c 100644
--- a/src/charon-tkm/tests/test_runner.h
+++ b/src/charon-tkm/tests/tests.h
@@ -14,17 +14,10 @@
  * for more details.
  */
 
-#ifndef TEST_RUNNER_H_
-#define TEST_RUNNER_H_
-
-#include <check.h>
-
-TCase *make_id_manager_tests(void);
-TCase *make_chunk_map_tests(void);
-TCase *make_utility_tests(void);
-TCase *make_nonceg_tests(void);
-TCase *make_diffie_hellman_tests(void);
-TCase *make_keymat_tests(void);
-TCase *make_kernel_sad_tests(void);
-
-#endif /** TEST_RUNNER_H_ */
+TEST_SUITE(make_id_manager_tests)
+TEST_SUITE(make_chunk_map_tests)
+TEST_SUITE(make_utility_tests)
+TEST_SUITE(make_nonceg_tests)
+TEST_SUITE(make_diffie_hellman_tests)
+TEST_SUITE(make_keymat_tests)
+TEST_SUITE(make_kernel_sad_tests)
diff --git a/src/charon-tkm/tests/utils_tests.c b/src/charon-tkm/tests/utils_tests.c
index b3ead7633..0a4d6fbd2 100644
--- a/src/charon-tkm/tests/utils_tests.c
+++ b/src/charon-tkm/tests/utils_tests.c
@@ -14,7 +14,8 @@
  * for more details.
  */
 
-#include <check.h>
+#include <tests/test_suite.h>
+
 #include <tkm/types.h>
 
 #include "tkm_utils.h"
@@ -53,11 +54,17 @@ START_TEST(test_chunk_to_sequence)
 }
 END_TEST
 
-TCase *make_utility_tests(void)
+Suite *make_utility_tests()
 {
-	TCase *tc = tcase_create("Utility tests");
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("utility tests");
+
+	tc = tcase_create("chunk<->sequence");
 	tcase_add_test(tc, test_sequence_to_chunk);
 	tcase_add_test(tc, test_chunk_to_sequence);
+	suite_add_tcase(s, tc);
 
-	return tc;
+	return s;
 }
diff --git a/src/charon/Android.mk b/src/charon/Android.mk
index 1dd27d534..852d73c10 100644
--- a/src/charon/Android.mk
+++ b/src/charon/Android.mk
@@ -8,7 +8,6 @@ charon.c
 # build charon -----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libcharon \
 	$(strongswan_PATH)/src/libstrongswan
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 0bb2e67bf..f3b7cfd56 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -188,8 +188,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -257,6 +255,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -345,12 +348,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -365,6 +372,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 340f852cd..089ac4570 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -289,7 +289,7 @@ int main(int argc, char *argv[])
 	dbg = dbg_stderr;
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "charon"))
 	{
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -303,7 +303,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	if (!libhydra_init("charon"))
+	if (!libhydra_init())
 	{
 		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
 		libhydra_deinit();
@@ -311,7 +311,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 
-	if (!libcharon_init("charon"))
+	if (!libcharon_init())
 	{
 		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
 		goto deinit;
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index a22e91ed1..d172b1545 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -4,15 +4,16 @@ ipseclib_LTLIBRARIES = $(LIBCHECKSUM_LIBS)
 nodist_libchecksum_la_SOURCES = checksum.c
 libchecksum_la_LDFLAGS = -module -avoid-version -rpath '$(ipseclibdir)'
 
-noinst_PROGRAMS = checksum_builder
+EXTRA_PROGRAMS = checksum_builder
 checksum_builder_SOURCES = checksum_builder.c
 checksum_builder_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(DLLIB)
+checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
 
-CLEANFILES = checksum.c
+CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
@@ -88,28 +89,28 @@ endif
 if USE_CHARON
   deps += $(top_builddir)/src/libcharon/libcharon.la
   libs += $(DESTDIR)$(ipseclibdir)/libcharon.so
-  exes += $(top_builddir)/src/charon/.libs/charon
+  exes += $(DESTDIR)$(ipsecdir)/charon
 if !MONOLITHIC
   AM_CPPFLAGS += -DC_PLUGINS=\""${c_plugins}\""
 endif
 endif
 
 if USE_CMD
-  exes += $(top_builddir)/src/charon-cmd/.libs/charon-cmd
+  exes += $(DESTDIR)$(sbindir)/charon-cmd
 endif
 
 if USE_TOOLS
-  exes += $(top_builddir)/src/openac/.libs/openac
-  exes += $(top_builddir)/src/pki/.libs/pki
-  exes += $(top_builddir)/src/scepclient/.libs/scepclient
+  exes += $(DESTDIR)$(ipsecdir)/openac
+  exes += $(DESTDIR)$(ipsecdir)/scepclient
+  exes += $(DESTDIR)$(bindir)/pki
 endif
 
 if USE_ATTR_SQL
-  exes += $(top_builddir)/src/pool/.libs/pool
+  exes += $(DESTDIR)$(ipsecdir)/pool
 endif
 
 if USE_IMV_ATTESTATION
-  exes += $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
+  exes += $(DESTDIR)$(ipsecdir)/attest
 endif
 
 checksum.c : checksum_builder $(deps) $(exes)
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 738133643..cdfbf1016 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -14,7 +14,6 @@
 
 @SET_MAKE@
 
-
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -79,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-noinst_PROGRAMS = checksum_builder$(EXEEXT)
+EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @MONOLITHIC_FALSE@am__append_1 = -DS_PLUGINS=\""${s_plugins}\""
 @USE_LIBHYDRA_TRUE@am__append_2 = $(top_builddir)/src/libhydra/libhydra.la
 @USE_LIBHYDRA_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libhydra.so
@@ -103,15 +102,14 @@ noinst_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_PTS_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libpts.so
 @USE_CHARON_TRUE@am__append_22 = $(top_builddir)/src/libcharon/libcharon.la
 @USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipseclibdir)/libcharon.so
-@USE_CHARON_TRUE@am__append_24 = $(top_builddir)/src/charon/.libs/charon
+@USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon
 @MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
-@USE_CMD_TRUE@am__append_26 = $(top_builddir)/src/charon-cmd/.libs/charon-cmd
-@USE_TOOLS_TRUE@am__append_27 =  \
-@USE_TOOLS_TRUE@	$(top_builddir)/src/openac/.libs/openac \
-@USE_TOOLS_TRUE@	$(top_builddir)/src/pki/.libs/pki \
-@USE_TOOLS_TRUE@	$(top_builddir)/src/scepclient/.libs/scepclient
-@USE_ATTR_SQL_TRUE@am__append_28 = $(top_builddir)/src/pool/.libs/pool
-@USE_IMV_ATTESTATION_TRUE@am__append_29 = $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
+@USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
+@USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/openac \
+@USE_TOOLS_TRUE@	$(DESTDIR)$(ipsecdir)/scepclient \
+@USE_TOOLS_TRUE@	$(DESTDIR)$(bindir)/pki
+@USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
+@USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -172,7 +170,6 @@ libchecksum_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o \
 	$@
-PROGRAMS = $(noinst_PROGRAMS)
 am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
 checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
 am__DEPENDENCIES_1 =
@@ -181,6 +178,10 @@ checksum_builder_DEPENDENCIES =  \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1)
+checksum_builder_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(checksum_builder_LDFLAGS) $(LDFLAGS) \
+	-o $@
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -256,8 +257,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -325,6 +324,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -413,12 +417,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -433,6 +441,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -456,7 +465,8 @@ checksum_builder_LDADD = \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(DLLIB)
 
-CLEANFILES = checksum.c
+checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
+CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
@@ -552,18 +562,9 @@ clean-ipseclibLTLIBRARIES:
 libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) $(EXTRA_libchecksum_la_DEPENDENCIES) 
 	$(AM_V_CCLD)$(libchecksum_la_LINK)  $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
 
-clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-
 checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) $(EXTRA_checksum_builder_DEPENDENCIES) 
 	@rm -f checksum_builder$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(checksum_builder_LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -688,7 +689,7 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES)
 installdirs:
 	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
@@ -727,7 +728,7 @@ maintainer-clean-generic:
 clean: clean-am
 
 clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
-	clean-local clean-noinstPROGRAMS mostlyclean-am
+	clean-local mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -801,19 +802,19 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES
 
 .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
 	clean-ipseclibLTLIBRARIES clean-libtool clean-local \
-	clean-noinstPROGRAMS cscopelist-am ctags ctags-am distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am \
-	install-data-hook install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipseclibLTLIBRARIES install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-hook uninstall-ipseclibLTLIBRARIES
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am uninstall-hook \
+	uninstall-ipseclibLTLIBRARIES
 
 
 checksum.c : checksum_builder $(deps) $(exes)
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index bccd269cf..cc8185ecd 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -23,9 +23,6 @@
 #include <daemon.h>
 #include <collections/enumerator.h>
 
-/* we need to fake the pluto symbol to dlopen() the xauth plugin */
-void *pluto;
-
 /**
  * Integrity checker
  */
@@ -139,7 +136,7 @@ int main(int argc, char* argv[])
 	/* avoid confusing leak reports in build process */
 	setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
 	/* don't use a strongswan.conf, forces integrity check to disabled */
-	library_init("");
+	library_init("", "checksum_builder");
 	atexit(library_deinit);
 
 	integrity = integrity_checker_create(NULL);
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 73bf7240c..ee6bf57f5 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -202,8 +202,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -271,6 +269,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -359,12 +362,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -379,6 +386,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index faf9df91f..584a2698a 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -81,7 +81,7 @@ static bool load_configs(char *suite_file, char *test_file)
 	}
 	conftest->test = settings_create(suite_file);
 	conftest->test->load_files(conftest->test, test_file, TRUE);
-	conftest->suite_dir = strdup(dirname(suite_file));
+	conftest->suite_dir = path_dirname(suite_file);
 	return TRUE;
 }
 
@@ -435,18 +435,18 @@ int main(int argc, char *argv[])
 	char *suite_file = "suite.conf", *test_file = NULL, *preload, *plugins;
 	file_logger_t *logger;
 
-	if (!library_init(NULL))
+	if (!library_init(NULL, "conftest"))
 	{
 		library_deinit();
 		return SS_RC_LIBSTRONGSWAN_INTEGRITY;
 	}
-	if (!libhydra_init("conftest"))
+	if (!libhydra_init())
 	{
 		libhydra_deinit();
 		library_deinit();
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	if (!libcharon_init("conftest"))
+	if (!libcharon_init())
 	{
 		libcharon_deinit();
 		libhydra_deinit();
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index ab818f1be..f1628ef69 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -223,8 +223,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -292,6 +290,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -380,12 +383,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -400,6 +407,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h
index b9334dc96..6869e3563 100644
--- a/src/dumm/cowfs.h
+++ b/src/dumm/cowfs.h
@@ -64,7 +64,7 @@ struct cowfs_t {
  * @param master		read only master file system directory
  * @param host			copy on write host directory
  * @param mount			mountpoint where union is mounted
- * @return				instance, or NULL if FUSE initalization failed
+ * @return				instance, or NULL if FUSE initialization failed
  */
 cowfs_t *cowfs_create(char *master, char *host, char *mount);
 
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 5acda3a9c..03ecbe40d 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -774,7 +774,7 @@ void Init_dumm()
 	/* there are too many to report, rubyruby... */
 	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
 
-	library_init(NULL);
+	library_init(NULL, "dumm");
 
 	dumm = dumm_create(NULL);
 
diff --git a/src/dumm/main.c b/src/dumm/main.c
index 4cdf4682f..a53e1f67c 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -479,7 +479,7 @@ int main(int argc, char *argv[])
 	enumerator_t *enumerator;
 	guest_t *guest;
 
-	library_init(NULL);
+	library_init(NULL, "dumm");
 	gtk_init(&argc, &argv);
 
 	pages = linked_list_create();
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 1e301feb0..1987dbde5 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -131,8 +131,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -200,6 +198,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -288,12 +291,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -308,6 +315,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 091519292..69b736a7a 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -165,8 +165,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -234,6 +232,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -322,12 +325,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -342,6 +349,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 9548f9b15..b7d820e21 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.1.1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.1.2rc2" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 0fe88efb4..cc5220973 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -217,7 +217,6 @@ endif
 # build libcharon --------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/include \
 	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 4413d69c0..5f8453616 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -715,8 +715,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -784,6 +782,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -872,12 +875,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -892,6 +899,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index cb6f6ca0e..c74daa0cc 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -14,12 +14,12 @@
  * for more details.
  */
 
-#include "ike_cfg.h"
-
+#define _GNU_SOURCE /* for stdndup() */
 #include <string.h>
 
-#include <daemon.h>
+#include "ike_cfg.h"
 
+#include <daemon.h>
 
 ENUM(ike_version_names, IKE_ANY, IKEV2,
 	"IKEv1/2",
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 1f3f2ba8b..891d1be84 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -741,6 +741,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 			case ECP_256_BP:
 			case ECP_384_BP:
 			case ECP_512_BP:
+			case NTRU_112_BIT:
+			case NTRU_128_BIT:
+			case NTRU_192_BIT:
+			case NTRU_256_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
 			default:
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 5e3ae72b9..0cecd1d3b 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -181,7 +181,7 @@ static void handle_syslog_identifier(private_daemon_t *this)
 	char *identifier;
 
 	identifier = lib->settings->get_str(lib->settings, "%s.syslog.identifier",
-										NULL, charon->name);
+										NULL, lib->ns);
 	if (identifier)
 	{	/* set identifier, which is prepended to each log line */
 		if (!this->syslog_identifier ||
@@ -292,15 +292,15 @@ static void load_sys_logger(private_daemon_t *this, char *facility,
 	sys_logger = add_sys_logger(this, facility, current_loggers);
 	sys_logger->set_options(sys_logger,
 				lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
-										FALSE, charon->name, facility));
+										FALSE, lib->ns, facility));
 
 	def = lib->settings->get_int(lib->settings, "%s.syslog.%s.default", 1,
-								 charon->name, facility);
+								 lib->ns, facility);
 	for (group = 0; group < DBG_MAX; group++)
 	{
 		sys_logger->set_level(sys_logger, group,
 				lib->settings->get_int(lib->settings, "%s.syslog.%s.%N", def,
-							charon->name, facility, debug_lower_names, group));
+							lib->ns, facility, debug_lower_names, group));
 	}
 	charon->bus->add_logger(charon->bus, &sys_logger->logger);
 }
@@ -318,25 +318,25 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 	char *time_format;
 
 	time_format = lib->settings->get_str(lib->settings,
-					"%s.filelog.%s.time_format", NULL, charon->name, filename);
+						"%s.filelog.%s.time_format", NULL, lib->ns, filename);
 	ike_name = lib->settings->get_bool(lib->settings,
-					"%s.filelog.%s.ike_name", FALSE, charon->name, filename);
+						"%s.filelog.%s.ike_name", FALSE, lib->ns, filename);
 	flush_line = lib->settings->get_bool(lib->settings,
-					"%s.filelog.%s.flush_line", FALSE, charon->name, filename);
+						"%s.filelog.%s.flush_line", FALSE, lib->ns, filename);
 	append = lib->settings->get_bool(lib->settings,
-					"%s.filelog.%s.append", TRUE, charon->name, filename);
+						"%s.filelog.%s.append", TRUE, lib->ns, filename);
 
 	file_logger = add_file_logger(this, filename, current_loggers);
 	file_logger->set_options(file_logger, time_format, ike_name);
 	file_logger->open(file_logger, flush_line, append);
 
 	def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1,
-								 charon->name, filename);
+								 lib->ns, filename);
 	for (group = 0; group < DBG_MAX; group++)
 	{
 		file_logger->set_level(file_logger, group,
 				lib->settings->get_int(lib->settings, "%s.filelog.%s.%N", def,
-							charon->name, filename, debug_lower_names, group));
+							lib->ns, filename, debug_lower_names, group));
 	}
 	charon->bus->add_logger(charon->bus, &file_logger->logger);
 }
@@ -353,7 +353,7 @@ METHOD(daemon_t, load_loggers, void,
 	current_loggers = this->loggers;
 	this->loggers = linked_list_create();
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
-													"%s.syslog", charon->name);
+														"%s.syslog", lib->ns);
 	while (enumerator->enumerate(enumerator, &target))
 	{
 		load_sys_logger(this, target, current_loggers);
@@ -361,7 +361,7 @@ METHOD(daemon_t, load_loggers, void,
 	enumerator->destroy(enumerator);
 
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
-													"%s.filelog", charon->name);
+														"%s.filelog", lib->ns);
 	while (enumerator->enumerate(enumerator, &target))
 	{
 		load_file_logger(this, target, current_loggers);
@@ -473,7 +473,6 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.bus);
 	this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
 	this->mutex->destroy(this->mutex);
-	free((void*)this->public.name);
 	free(this);
 }
 
@@ -483,7 +482,7 @@ METHOD(daemon_t, start, void,
 	/* start the engine, go multithreaded */
 	lib->processor->set_threads(lib->processor,
 						lib->settings->get_int(lib->settings, "%s.threads",
-											   DEFAULT_THREADS, charon->name));
+											   DEFAULT_THREADS, lib->ns));
 }
 
 
@@ -525,7 +524,7 @@ METHOD(daemon_t, initialize, bool,
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 				PLUGIN_DEPENDS(CUSTOM, "socket"),
 	};
-	lib->plugins->add_static_features(lib->plugins, charon->name, features,
+	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
 									  countof(features), TRUE);
 
 	/* load plugins, further infrastructure may need it */
@@ -558,7 +557,7 @@ METHOD(daemon_t, initialize, bool,
 /**
  * Create the daemon.
  */
-private_daemon_t *daemon_create(const char *name)
+private_daemon_t *daemon_create()
 {
 	private_daemon_t *this;
 
@@ -569,7 +568,6 @@ private_daemon_t *daemon_create(const char *name)
 			.load_loggers = _load_loggers,
 			.set_level = _set_level,
 			.bus = bus_create(),
-			.name = strdup(name ?: "libcharon"),
 		},
 		.loggers = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
@@ -607,7 +605,7 @@ void libcharon_deinit()
 /**
  * Described in header.
  */
-bool libcharon_init(const char *name)
+bool libcharon_init()
 {
 	private_daemon_t *this;
 
@@ -618,7 +616,7 @@ bool libcharon_init(const char *name)
 		return !this->integrity_failed;
 	}
 
-	this = daemon_create(name);
+	this = daemon_create();
 
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 24e623c44..36242bb04 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -272,11 +272,6 @@ struct daemon_t {
 #endif /* ME */
 
 	/**
-	 * Name of the binary that uses the library (used for settings etc.)
-	 */
-	const char *name;
-
-	/**
 	 * Initialize the daemon.
 	 *
 	 * @param plugins	list of plugins to load
@@ -324,12 +319,11 @@ extern daemon_t *charon;
  * calling initialize().
  *
  * libcharon_init() may be called multiple times in a single process, but each
- * caller should call libcharon_deinit() for each call to libcharon_init().
+ * caller must call libcharon_deinit() for each call to libcharon_init().
  *
- * @param name	name of the binary that uses the library
  * @return		FALSE if integrity check failed
  */
-bool libcharon_init(const char *name);
+bool libcharon_init();
 
 /**
  * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index f7a13d728..889ad6358 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -109,8 +109,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"SECURE PASSWORD_METHOD",
 	"PSK_PERSIST",
 	"PSK_CONFIRM",
-	"ERX_SUPPORTED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
+	"ERX_SUPPORTED",
+	"IFOM_CAPABILITY");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, IFOM_CAPABILITY,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD_R_U_THERE",
@@ -171,7 +172,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -215,8 +216,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STA
 	"SEC_PASSWD",
 	"PSK_PST",
 	"PSK_CFM",
-	"ERX_SUP");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
+	"ERX_SUP",
+	"IFOM_CAP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, IFOM_CAPABILITY,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD",
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 847fddc69..c67644a01 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -145,6 +145,8 @@ enum notify_type_t {
 	PSK_CONFIRM = 16426,
 	/* EAP Re-authentication Extension, RFC 6867 */
 	ERX_SUPPORTED = 16427,
+	/* IFOM capability, 3GPP TS 24.303, annex B.2 */
+	IFOM_CAPABILITY = 16428,
 	/* IKEv1 initial contact */
 	INITIAL_CONTACT_IKEV1 = 24578,
 	/* IKEv1 DPD */
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 2209f1997..8dfb47b69 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -633,27 +633,27 @@ receiver_t *receiver_create()
 	);
 
 	if (lib->settings->get_bool(lib->settings,
-				"%s.dos_protection", TRUE, charon->name))
+								"%s.dos_protection", TRUE, lib->ns))
 	{
 		this->cookie_threshold = lib->settings->get_int(lib->settings,
-				"%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, charon->name);
+					"%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, lib->ns);
 		this->block_threshold = lib->settings->get_int(lib->settings,
-				"%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, charon->name);
+					"%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, lib->ns);
 	}
 	this->init_limit_job_load = lib->settings->get_int(lib->settings,
-				"%s.init_limit_job_load", 0, charon->name);
+					"%s.init_limit_job_load", 0, lib->ns);
 	this->init_limit_half_open = lib->settings->get_int(lib->settings,
-				"%s.init_limit_half_open", 0, charon->name);
+					"%s.init_limit_half_open", 0, lib->ns);
 	this->receive_delay = lib->settings->get_int(lib->settings,
-				"%s.receive_delay", 0, charon->name);
+					"%s.receive_delay", 0, lib->ns);
 	this->receive_delay_type = lib->settings->get_int(lib->settings,
-				"%s.receive_delay_type", 0, charon->name),
+					"%s.receive_delay_type", 0, lib->ns),
 	this->receive_delay_request = lib->settings->get_bool(lib->settings,
-				"%s.receive_delay_request", TRUE, charon->name),
+					"%s.receive_delay_request", TRUE, lib->ns),
 	this->receive_delay_response = lib->settings->get_bool(lib->settings,
-				"%s.receive_delay_response", TRUE, charon->name),
+					"%s.receive_delay_response", TRUE, lib->ns),
 	this->initiator_only = lib->settings->get_bool(lib->settings,
-				"%s.initiator_only", FALSE, charon->name),
+					"%s.initiator_only", FALSE, lib->ns),
 
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!this->hasher)
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index dd8efc1ec..bed4f35ce 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -204,13 +204,13 @@ sender_t * sender_create()
 		.got = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.sent = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.send_delay = lib->settings->get_int(lib->settings,
-								"%s.send_delay", 0, charon->name),
+									"%s.send_delay", 0, lib->ns),
 		.send_delay_type = lib->settings->get_int(lib->settings,
-								"%s.send_delay_type", 0, charon->name),
+									"%s.send_delay_type", 0, lib->ns),
 		.send_delay_request = lib->settings->get_bool(lib->settings,
-								"%s.send_delay_request", TRUE, charon->name),
+									"%s.send_delay_request", TRUE, lib->ns),
 		.send_delay_response = lib->settings->get_bool(lib->settings,
-								"%s.send_delay_response", TRUE, charon->name),
+									"%s.send_delay_response", TRUE, lib->ns),
 	);
 
 	lib->processor->queue_job(lib->processor,
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 4a8150291..bc32b5ade 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index f2147f694..6278a6234 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 7d8d12d3b..ae64a8758 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/android_log/android_log_logger.c b/src/libcharon/plugins/android_log/android_log_logger.c
index 48bcaa577..99eb66bb1 100644
--- a/src/libcharon/plugins/android_log/android_log_logger.c
+++ b/src/libcharon/plugins/android_log/android_log_logger.c
@@ -100,7 +100,7 @@ android_log_logger_t *android_log_logger_create()
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.level = lib->settings->get_int(lib->settings,
-							"%s.plugins.android_log.loglevel", 1, charon->name),
+								"%s.plugins.android_log.loglevel", 1, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 8fcd0f19f..f812770f3 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.c b/src/libcharon/plugins/certexpire/certexpire_export.c
index f1205cfd8..4aa84904b 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@@ -430,31 +430,31 @@ certexpire_export_t *certexpire_export_create()
 								   (hashtable_equals_t)equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.local_path = lib->settings->get_str(lib->settings,
-								"%s.plugins.certexpire.csv.local",
-								NULL, charon->name),
+									"%s.plugins.certexpire.csv.local",
+									NULL, lib->ns),
 		.remote_path = lib->settings->get_str(lib->settings,
-								"%s.plugins.certexpire.csv.remote",
-								NULL, charon->name),
+									"%s.plugins.certexpire.csv.remote",
+									NULL, lib->ns),
 		.separator = lib->settings->get_str(lib->settings,
-								"%s.plugins.certexpire.csv.separator",
-								",", charon->name),
+									"%s.plugins.certexpire.csv.separator",
+									",", lib->ns),
 		.format = lib->settings->get_str(lib->settings,
-								"%s.plugins.certexpire.csv.format",
-								"%d:%m:%Y", charon->name),
+									"%s.plugins.certexpire.csv.format",
+									"%d:%m:%Y", lib->ns),
 		.fixed_fields = lib->settings->get_bool(lib->settings,
-								"%s.plugins.certexpire.csv.fixed_fields",
-								TRUE, charon->name),
+									"%s.plugins.certexpire.csv.fixed_fields",
+									TRUE, lib->ns),
 		.empty_string = lib->settings->get_str(lib->settings,
-								"%s.plugins.certexpire.csv.empty_string",
-								"", charon->name),
+									"%s.plugins.certexpire.csv.empty_string",
+									"", lib->ns),
 		.force = lib->settings->get_bool(lib->settings,
-								"%s.plugins.certexpire.csv.force",
-								TRUE, charon->name),
+									"%s.plugins.certexpire.csv.force",
+									TRUE, lib->ns),
 	);
 
 	cron = lib->settings->get_str(lib->settings,
 								  "%s.plugins.certexpire.csv.cron",
-								  NULL, charon->name);
+								  NULL, lib->ns);
 	if (cron)
 	{
 		this->cron = certexpire_cron_create(cron,
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 48492595d..d8eb802b7 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/coupling/coupling_validator.c b/src/libcharon/plugins/coupling/coupling_validator.c
index 958bd2b6d..fc35462e3 100644
--- a/src/libcharon/plugins/coupling/coupling_validator.c
+++ b/src/libcharon/plugins/coupling/coupling_validator.c
@@ -214,12 +214,11 @@ coupling_validator_t *coupling_validator_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.max_couplings = lib->settings->get_int(lib->settings,
 												"%s.plugins.coupling.max", 1,
-												charon->name),
+												lib->ns),
 	);
 
 	hash = lib->settings->get_str(lib->settings,
-								  "%s.plugins.coupling.hash", "sha1",
-								  charon->name);
+								  "%s.plugins.coupling.hash", "sha1", lib->ns);
 	this->hasher = lib->crypto->create_hasher(lib->crypto,
 							enum_from_name(hash_algorithm_short_names, hash));
 	if (!this->hasher)
@@ -230,8 +229,7 @@ coupling_validator_t *coupling_validator_create()
 	}
 
 	path = lib->settings->get_str(lib->settings,
-								  "%s.plugins.coupling.file", NULL,
-								  charon->name);
+								  "%s.plugins.coupling.file", NULL, lib->ns);
 	if (!path)
 	{
 		DBG1(DBG_CFG, "coupling file path unspecified");
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 4a2ebe7f4..395cd76ea 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 044c8a819..b8c1b4059 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -643,6 +643,28 @@ METHOD(dhcp_socket_t, destroy, void,
 }
 
 /**
+ * Bind a socket to a particular interface name
+ */
+static bool bind_to_device(int fd, char *iface)
+{
+	struct ifreq ifreq;
+
+	if (strlen(iface) > sizeof(ifreq.ifr_name))
+	{
+		DBG1(DBG_CFG, "name for DHCP interface too long: '%s'", iface);
+		return FALSE;
+	}
+	memcpy(ifreq.ifr_name, iface, sizeof(ifreq.ifr_name));
+	if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifreq, sizeof(ifreq)))
+	{
+		DBG1(DBG_CFG, "binding DHCP socket to '%s' failed: %s",
+			 iface, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
  * See header
  */
 dhcp_socket_t *dhcp_socket_create()
@@ -655,6 +677,7 @@ dhcp_socket_t *dhcp_socket_create()
 			.s_addr = INADDR_ANY,
 		},
 	};
+	char *iface;
 	int on = 1;
 	struct sock_filter dhcp_filter_code[] = {
 		BPF_STMT(BPF_LD+BPF_B+BPF_ABS,
@@ -711,13 +734,15 @@ dhcp_socket_t *dhcp_socket_create()
 	}
 	this->identity_lease = lib->settings->get_bool(lib->settings,
 								"%s.plugins.dhcp.identity_lease", FALSE,
-								charon->name);
+								lib->ns);
 	this->force_dst = lib->settings->get_str(lib->settings,
 								"%s.plugins.dhcp.force_server_address", FALSE,
-								charon->name);
+								lib->ns);
 	this->dst = host_create_from_string(lib->settings->get_str(lib->settings,
 								"%s.plugins.dhcp.server", "255.255.255.255",
-								charon->name), DHCP_SERVER_PORT);
+								lib->ns), DHCP_SERVER_PORT);
+	iface = lib->settings->get_str(lib->settings, "%s.plugins.dhcp.interface",
+								   NULL, lib->ns);
 	if (!this->dst)
 	{
 		DBG1(DBG_CFG, "configured DHCP server address invalid");
@@ -766,6 +791,15 @@ dhcp_socket_t *dhcp_socket_create()
 		destroy(this);
 		return NULL;
 	}
+	if (iface)
+	{
+		if (!bind_to_device(this->send, iface) ||
+			!bind_to_device(this->receive, iface))
+		{
+			destroy(this);
+			return NULL;
+		}
+	}
 
 	lib->watcher->add(lib->watcher, this->receive, WATCHER_READ,
 					  (watcher_cb_t)receive_dhcp, this);
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index c9222c202..4be453ea8 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/dnscert/dnscert_plugin.c b/src/libcharon/plugins/dnscert/dnscert_plugin.c
index 713bc9e3b..1b93480cf 100644
--- a/src/libcharon/plugins/dnscert/dnscert_plugin.c
+++ b/src/libcharon/plugins/dnscert/dnscert_plugin.c
@@ -74,7 +74,7 @@ METHOD(plugin_t, reload, bool,
 	private_dnscert_plugin_t *this)
 {
 	bool enabled = lib->settings->get_bool(lib->settings,
-							"%s.plugins.dnscert.enable", FALSE, charon->name);
+								"%s.plugins.dnscert.enable", FALSE, lib->ns);
 
 	if (enabled != this->enabled)
 	{
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index bac7d846f..e9da68ee8 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -225,8 +225,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -294,6 +292,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -382,12 +385,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -402,6 +409,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index e3a4e17b7..f77b48b09 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -130,7 +130,7 @@ duplicheck_notify_t *duplicheck_notify_create()
 
 	uri = lib->settings->get_str(lib->settings,
 					"%s.plugins.duplicheck.socket", "unix://" DUPLICHECK_SOCKET,
-					charon->name);
+					lib->ns);
 	this->service = lib->streams->create_service(lib->streams, uri, 3);
 	if (!this->service)
 	{
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index 4d018dbef..689c795d8 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -93,7 +93,7 @@ plugin_t *duplicheck_plugin_create()
 	private_duplicheck_plugin_t *this;
 
 	if (!lib->settings->get_bool(lib->settings,
-							"%s.plugins.duplicheck.enable", TRUE, charon->name))
+								 "%s.plugins.duplicheck.enable", TRUE, lib->ns))
 	{
 		return NULL;
 	}
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 139ce1483..67cf66720 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index b7608382d..eba7af874 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -721,7 +721,7 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
 	this->permanent = peer->clone(peer);
 	this->use_reauth = this->use_pseudonym = this->use_permanent =
 		lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-aka.request_identity", TRUE, charon->name);
+						"%s.plugins.eap-aka.request_identity", TRUE, lib->ns);
 
 	/* generate a non-zero identifier */
 	do {
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 9fb9ef709..7d6ae956c 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
index 1bfc39e5a..a71dae78a 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
@@ -177,7 +177,7 @@ eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
 #else /* !SEQ_CHECK */
 									FALSE,
 #endif /* SEQ_CHECK */
-									charon->name),
+									lib->ns),
 	);
 
 	eap_aka_3gpp2_get_sqn(this->sqn, 0);
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 61a9da187..6ff0acb32 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
index d24cbd128..3216446af 100644
--- a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -377,14 +377,14 @@ eap_dynamic_t *eap_dynamic_create(identification_t *server,
 		.server = server->clone(server),
 		.types = linked_list_create(),
 		.prefer_peer = lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-dynamic.prefer_peer", FALSE, charon->name),
+						"%s.plugins.eap-dynamic.prefer_peer", FALSE, lib->ns),
 	);
 
 	/* get all supported EAP methods */
 	get_supported_eap_types(this);
 	/* move preferred methods to the front */
 	preferred = lib->settings->get_str(lib->settings,
-					"%s.plugins.eap-dynamic.preferred", NULL, charon->name);
+						"%s.plugins.eap-dynamic.preferred", NULL, lib->ns);
 	if (preferred)
 	{
 		handle_preferred_eap_types(this, preferred);
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index c48d95527..99ae94e37 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index 2f64f325c..e751b51b6 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -149,7 +149,7 @@ METHOD(eap_method_t, process_server, status_t,
 	/* get XAuth backend to use for credential verification. Default to PAM
 	 * to support legacy EAP-GTC configurations */
 	backend = lib->settings->get_str(lib->settings,
-							"%s.plugins.eap-gtc.backend", "pam", charon->name);
+								"%s.plugins.eap-gtc.backend", "pam", lib->ns);
 	xauth = charon->xauth->create_instance(charon->xauth, backend, XAUTH_SERVER,
 										   this->server, this->peer);
 	if (!xauth)
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 01fbe22a5..688879a82 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 6ae97da15..150b131f0 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index bdc6a9d1d..d52f26a9a 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 35ec4db8b..7ac4a6edf 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c
index 8aba703c5..c24dd578c 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap.c
@@ -157,18 +157,18 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
 
 	if (is_server && !lib->settings->get_bool(lib->settings,
 								"%s.plugins.eap-peap.request_peer_auth", FALSE,
-								charon->name))
+								lib->ns))
 	{
 		peer = NULL;
 	}
 	frag_size = lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN,
-					charon->name);
+					lib->ns);
 	max_msg_count = lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT,
-					charon->name);
+					lib->ns);
 	include_length = lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-peap.include_length", FALSE, charon->name);
+					"%s.plugins.eap-peap.include_length", FALSE, lib->ns);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
 					 application, NULL);
 	this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index 5237cb62c..33b01e95e 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -92,7 +92,7 @@ static status_t start_phase2_auth(private_eap_peap_server_t *this)
 
 	eap_type_str = lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-peap.phase2_method", "mschapv2",
-							charon->name);
+							lib->ns);
 	type = eap_type_from_string(eap_type_str);
 	if (type == 0)
 	{
@@ -129,7 +129,7 @@ static status_t start_phase2_auth(private_eap_peap_server_t *this)
 static status_t start_phase2_tnc(private_eap_peap_server_t *this)
 {
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
-						"%s.plugins.eap-peap.phase2_tnc", FALSE, charon->name))
+						"%s.plugins.eap-peap.phase2_tnc", FALSE, lib->ns))
 	{
 		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
 		this->ph2_method = charon->eap->create_instance(charon->eap, EAP_TNC,
@@ -274,7 +274,7 @@ METHOD(tls_application_t, process, status_t,
 
 		/* Start Phase 2 of EAP-PEAP authentication */
 		if (lib->settings->get_bool(lib->settings,
-				"%s.plugins.eap-peap.request_peer_auth", FALSE, charon->name))
+					"%s.plugins.eap-peap.request_peer_auth", FALSE, lib->ns))
 		{
 			return start_phase2_tnc(this);
 		}
@@ -425,7 +425,7 @@ eap_peap_server_t *eap_peap_server_create(identification_t *server,
 		.start_phase2_tnc = TRUE,
 		.start_phase2_id = lib->settings->get_bool(lib->settings,
 										"%s.plugins.eap-peap.phase2_piggyback",
-										FALSE, charon->name),
+										FALSE, lib->ns),
 		.phase2_result = EAP_FAILURE,
 		.avp = eap_peap_avp_create(TRUE),
 	);
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 3064ceadb..3e2bf046d 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 6087a528f..6719497d3 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -188,7 +188,7 @@ void eap_radius_build_attributes(radius_message_t *request)
 		}
 		if (lib->settings->get_bool(lib->settings,
 									"%s.plugins.eap-radius.station_id_with_port",
-									TRUE, charon->name))
+									TRUE, lib->ns))
 		{
 			station_id_fmt = "%#H";
 		}
@@ -573,12 +573,12 @@ static void process_cfg_attributes(radius_message_t *msg)
 void eap_radius_process_attributes(radius_message_t *message)
 {
 	if (lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-radius.class_group", FALSE, charon->name))
+						"%s.plugins.eap-radius.class_group", FALSE, lib->ns))
 	{
 		process_class(message);
 	}
 	if (lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-radius.filter_id", FALSE, charon->name))
+						"%s.plugins.eap-radius.filter_id", FALSE, lib->ns))
 	{
 		process_filter_id(message);
 	}
@@ -720,10 +720,10 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 		.type = EAP_RADIUS,
 		.eap_start = lib->settings->get_bool(lib->settings,
 									"%s.plugins.eap-radius.eap_start", FALSE,
-									charon->name),
+									lib->ns),
 		.id_prefix = lib->settings->get_str(lib->settings,
 									"%s.plugins.eap-radius.id_prefix", "",
-									charon->name),
+									lib->ns),
 	);
 	this->client = eap_radius_create_client();
 	if (!this->client)
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index afb661e19..8c780e78d 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -712,7 +712,7 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 	if (lib->settings->get_bool(lib->settings,
-			"%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name))
+				"%s.plugins.eap-radius.station_id_with_port", TRUE, lib->ns))
 	{
 		this->station_id_fmt = "%#H";
 	}
@@ -721,14 +721,14 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 		this->station_id_fmt = "%H";
 	}
 	if (lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-radius.accounting", FALSE, charon->name))
+							"%s.plugins.eap-radius.accounting", FALSE, lib->ns))
 	{
 		singleton = this;
 		charon->bus->add_listener(charon->bus, &this->public.listener);
 	}
 	this->acct_req_vip = lib->settings->get_bool(lib->settings,
 							"%s.plugins.eap-radius.accounting_requires_vip",
-							FALSE, charon->name);
+							FALSE, lib->ns);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_dae.c b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
index f22ddc56f..a0bf99efd 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_dae.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
@@ -452,11 +452,11 @@ static bool open_socket(private_eap_radius_dae_t *this)
 
 	host = host_create_from_string(
 				lib->settings->get_str(lib->settings,
-						"%s.plugins.eap-radius.dae.listen", "0.0.0.0",
-						charon->name),
+							"%s.plugins.eap-radius.dae.listen", "0.0.0.0",
+							lib->ns),
 				lib->settings->get_int(lib->settings,
-						"%s.plugins.eap-radius.dae.port", RADIUS_DAE_PORT,
-						charon->name));
+							"%s.plugins.eap-radius.dae.port", RADIUS_DAE_PORT,
+							lib->ns));
 	if (!host)
 	{
 		DBG1(DBG_CFG, "invalid RADIUS DAE listen address");
@@ -504,7 +504,7 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting)
 		.secret = {
 			.ptr = lib->settings->get_str(lib->settings,
 									"%s.plugins.eap-radius.dae.secret", NULL,
-									charon->name),
+									lib->ns),
 		},
 		.hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
 		.signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index 3e80e8918..b873e1d69 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -438,10 +438,10 @@ eap_radius_forward_t *eap_radius_forward_create()
 		},
 		.from_attr = parse_selector(lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-radius.forward.ike_to_radius", "",
-							charon->name)),
+							lib->ns)),
 		.to_attr = parse_selector(lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-radius.forward.radius_to_ike", "",
-							charon->name)),
+							lib->ns)),
 		.from = hashtable_create((hashtable_hash_t)hash,
 						(hashtable_equals_t)equals, 8),
 		.to = hashtable_create((hashtable_hash_t)hash,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 90a4ef6de..1a48c07e5 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -100,23 +100,23 @@ static void load_configs(private_eap_radius_plugin_t *this)
 	int auth_port, acct_port, sockets, preference;
 
 	address = lib->settings->get_str(lib->settings,
-					"%s.plugins.eap-radius.server", NULL, charon->name);
+								"%s.plugins.eap-radius.server", NULL, lib->ns);
 	if (address)
 	{	/* legacy configuration */
 		secret = lib->settings->get_str(lib->settings,
-					"%s.plugins.eap-radius.secret", NULL, charon->name);
+								"%s.plugins.eap-radius.secret", NULL, lib->ns);
 		if (!secret)
 		{
 			DBG1(DBG_CFG, "no RADIUS secret defined");
 			return;
 		}
 		nas_identifier = lib->settings->get_str(lib->settings,
-					"%s.plugins.eap-radius.nas_identifier", "strongSwan",
-					charon->name);
+						"%s.plugins.eap-radius.nas_identifier", "strongSwan",
+						lib->ns);
 		auth_port = lib->settings->get_int(lib->settings,
-					"%s.plugins.eap-radius.port", AUTH_PORT, charon->name);
+						"%s.plugins.eap-radius.port", AUTH_PORT, lib->ns);
 		sockets = lib->settings->get_int(lib->settings,
-					"%s.plugins.eap-radius.sockets", 1, charon->name);
+						"%s.plugins.eap-radius.sockets", 1, lib->ns);
 		config = radius_config_create(address, address, auth_port, ACCT_PORT,
 									  nas_identifier, secret, sockets, 0);
 		if (!config)
@@ -129,12 +129,12 @@ static void load_configs(private_eap_radius_plugin_t *this)
 	}
 
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
-								"%s.plugins.eap-radius.servers", charon->name);
+									"%s.plugins.eap-radius.servers", lib->ns);
 	while (enumerator->enumerate(enumerator, &section))
 	{
 		address = lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-radius.servers.%s.address", NULL,
-							charon->name, section);
+							lib->ns, section);
 		if (!address)
 		{
 			DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section);
@@ -142,7 +142,7 @@ static void load_configs(private_eap_radius_plugin_t *this)
 		}
 		secret = lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-radius.servers.%s.secret", NULL,
-							charon->name, section);
+							lib->ns, section);
 		if (!secret)
 		{
 			DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section);
@@ -150,22 +150,22 @@ static void load_configs(private_eap_radius_plugin_t *this)
 		}
 		nas_identifier = lib->settings->get_str(lib->settings,
 				"%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan",
-				charon->name, section);
+				lib->ns, section);
 		auth_port = lib->settings->get_int(lib->settings,
 			"%s.plugins.eap-radius.servers.%s.auth_port",
 				lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-radius.servers.%s.port",
-					AUTH_PORT, charon->name, section),
-			charon->name, section);
+					AUTH_PORT, lib->ns, section),
+			lib->ns, section);
 		acct_port = lib->settings->get_int(lib->settings,
 				"%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT,
-				charon->name, section);
+				lib->ns, section);
 		sockets = lib->settings->get_int(lib->settings,
 				"%s.plugins.eap-radius.servers.%s.sockets", 1,
-				charon->name, section);
+				lib->ns, section);
 		preference = lib->settings->get_int(lib->settings,
 				"%s.plugins.eap-radius.servers.%s.preference", 0,
-				charon->name, section);
+				lib->ns, section);
 		config = radius_config_create(section, address, auth_port, acct_port,
 								nas_identifier, secret, sockets, preference);
 		if (!config)
@@ -203,7 +203,7 @@ static bool plugin_cb(private_eap_radius_plugin_t *this,
 		load_configs(this);
 
 		if (lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-radius.dae.enable", FALSE, charon->name))
+						"%s.plugins.eap-radius.dae.enable", FALSE, lib->ns))
 		{
 			this->dae = eap_radius_dae_create(this->accounting);
 		}
@@ -368,7 +368,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
 
 	if (lib->settings->get_bool(lib->settings,
 								"%s.plugins.eap-radius.close_all_on_timeout",
-								FALSE, charon->name))
+								FALSE, lib->ns))
 	{
 		DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout");
 		lib->processor->queue_job(lib->processor,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
index e66bbf38f..d00f6bb2c 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
@@ -256,7 +256,7 @@ static bool parse_rounds(private_eap_radius_xauth_t *this, char *profile)
 	}
 
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-					"%s.plugins.eap-radius.xauth.%s", charon->name, profile);
+							"%s.plugins.eap-radius.xauth.%s", lib->ns, profile);
 	while (enumerator->enumerate(enumerator, &type, &message))
 	{
 		bool invalid = TRUE;
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index c9d80681a..3707f64f3 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c
index 334e2df1d..f22266bda 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_server.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c
@@ -635,7 +635,7 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server,
 	this->use_reauth = this->use_pseudonym = this->use_permanent =
 		lib->settings->get_bool(lib->settings,
 								"%s.plugins.eap-sim.request_identity", TRUE,
-								charon->name);
+								lib->ns);
 
 	/* generate a non-zero identifier */
 	do {
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 39995495e..05bbc3129 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 2723f4059..a22a5c355 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 27a9f0c09..189baacbc 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 5c136cec4..33443a1d2 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 86cf3a752..02cf1532c 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
index 6bcc58e66..176321833 100644
--- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -66,7 +66,7 @@ static bool load_db(private_eap_simaka_sql_t *this,
 
 		uri = lib->settings->get_str(lib->settings,
 									 "%s.plugins.eap-simaka-sql.database", NULL,
-									 charon->name);
+									 lib->ns);
 		if (!uri)
 		{
 			DBG1(DBG_CFG, "eap-simaka-sql database URI missing");
@@ -80,7 +80,7 @@ static bool load_db(private_eap_simaka_sql_t *this,
 		}
 		remove_used = lib->settings->get_bool(lib->settings,
 								"%s.plugins.eap-simaka-sql.remove_used", FALSE,
-								charon->name);
+								lib->ns);
 
 		this->provider = eap_simaka_sql_provider_create(this->db, remove_used);
 		this->card = eap_simaka_sql_card_create(this->db, remove_used);
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 7be65990c..ec189f895 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index 48e38755d..dffbaf266 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -145,12 +145,12 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 
 	frag_size = lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN,
-					charon->name);
+					lib->ns);
 	max_msg_count = lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT,
-					charon->name);
+					lib->ns);
 	include_length = lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-tls.include_length", TRUE, charon->name);
+					"%s.plugins.eap-tls.include_length", TRUE, lib->ns);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
 	this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
 												 include_length);
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index e482a7148..6d4ff8756 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index f9ab74258..2147c0482 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -273,10 +273,10 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	);
 
 	max_msg_count = lib->settings->get_int(lib->settings,
-					"%s.plugins.eap-tnc.max_message_count",
-					EAP_TNC_MAX_MESSAGE_COUNT, charon->name);
+						"%s.plugins.eap-tnc.max_message_count",
+						EAP_TNC_MAX_MESSAGE_COUNT, lib->ns);
 	protocol = lib->settings->get_str(lib->settings,
-					"%s.plugins.eap-tnc.protocol", "tnccs-1.1", charon->name);
+						"%s.plugins.eap-tnc.protocol", "tnccs-1.1", lib->ns);
 	if (strcaseeq(protocol, "tnccs-2.0"))
 	{
 		type = TNCCS_2_0;
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index a774ad609..a22b1e220 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index ebd1c5479..703cd3f29 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -147,18 +147,18 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 	);
 	if (is_server && !lib->settings->get_bool(lib->settings,
 								"%s.plugins.eap-ttls.request_peer_auth", FALSE,
-								charon->name))
+								lib->ns))
 	{
 		peer = NULL;
 	}
 	frag_size = lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN,
-					charon->name);
+					lib->ns);
 	max_msg_count = lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT,
-					charon->name);
+					lib->ns);
 	include_length = lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-ttls.include_length", TRUE, charon->name);
+					"%s.plugins.eap-ttls.include_length", TRUE, lib->ns);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
 					 application, NULL);
 	this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index eef8d6682..88c2b88c6 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -80,7 +80,7 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 
 	eap_type_str = lib->settings->get_str(lib->settings,
 									"%s.plugins.eap-ttls.phase2_method", "md5",
-									charon->name);
+									lib->ns);
 	type = eap_type_from_string(eap_type_str);
 	if (type == 0)
 	{
@@ -115,7 +115,7 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
 	eap_inner_method_t *inner_method;
 
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
-						"%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
+							"%s.plugins.eap-ttls.phase2_tnc", FALSE, lib->ns))
 	{
 		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
 		this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
@@ -242,7 +242,7 @@ METHOD(tls_application_t, process, status_t,
 
 		/* Start Phase 2 of EAP-TTLS authentication */
 		if (lib->settings->get_bool(lib->settings,
-				"%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
+					"%s.plugins.eap-ttls.request_peer_auth", FALSE, lib->ns))
 		{
 			return start_phase2_tnc(this, EAP_TLS);
 		}
@@ -301,7 +301,7 @@ METHOD(tls_application_t, build, status_t,
 
 	if (this->method == NULL && this->start_phase2 &&
 		lib->settings->get_bool(lib->settings,
-				"%s.plugins.eap-ttls.phase2_piggyback", FALSE, charon->name))
+					"%s.plugins.eap-ttls.phase2_piggyback", FALSE, lib->ns))
 	{
 		/* generate an EAP Identity request which will be piggybacked right
 		 * onto the TLS Finished message thus initiating EAP-TTLS phase2
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index ad8aba11e..d8a135cc1 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -226,8 +226,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -295,6 +293,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -383,12 +386,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -403,6 +410,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index aafd0a4cd..959c4c67d 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -142,7 +142,7 @@ error_notify_socket_t *error_notify_socket_create()
 
 	uri = lib->settings->get_str(lib->settings,
 				"%s.plugins.error-notify.socket", "unix://" ERROR_NOTIFY_SOCKET,
-				charon->name);
+				lib->ns);
 	this->service = lib->streams->create_service(lib->streams, uri, 10);
 	if (!this->service)
 	{
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 4d2a32e6f..60c55f01e 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 9948ab3db..2f3263064 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index d26c38325..dd55fae8b 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -309,7 +309,7 @@ static void load_pools(private_ha_attribute_t *this)
 	pool_t *pool;
 
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-										"%s.plugins.ha.pools", charon->name);
+												"%s.plugins.ha.pools", lib->ns);
 	while (enumerator->enumerate(enumerator, &name, &net))
 	{
 		net = strdup(net);
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 5d4cc6184..493cad5ec 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -160,19 +160,19 @@ plugin_t *ha_plugin_create()
 	bool fifo, monitor, resync;
 
 	local = lib->settings->get_str(lib->settings,
-							"%s.plugins.ha.local", NULL, charon->name);
+								"%s.plugins.ha.local", NULL, lib->ns);
 	remote = lib->settings->get_str(lib->settings,
-							"%s.plugins.ha.remote", NULL, charon->name);
+								"%s.plugins.ha.remote", NULL, lib->ns);
 	secret = lib->settings->get_str(lib->settings,
-							"%s.plugins.ha.secret", NULL, charon->name);
+								"%s.plugins.ha.secret", NULL, lib->ns);
 	fifo = lib->settings->get_bool(lib->settings,
-							"%s.plugins.ha.fifo_interface", TRUE, charon->name);
+								"%s.plugins.ha.fifo_interface", TRUE, lib->ns);
 	monitor = lib->settings->get_bool(lib->settings,
-							"%s.plugins.ha.monitor", TRUE, charon->name);
+								"%s.plugins.ha.monitor", TRUE, lib->ns);
 	resync = lib->settings->get_bool(lib->settings,
-							"%s.plugins.ha.resync", TRUE, charon->name);
+								"%s.plugins.ha.resync", TRUE, lib->ns);
 	count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings,
-							"%s.plugins.ha.segment_count", 1, charon->name));
+								"%s.plugins.ha.segment_count", 1, lib->ns));
 	if (!local || !remote)
 	{
 		DBG1(DBG_CFG, "HA config misses local/remote address");
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index cab38c63d..fc7d7a8b4 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -470,12 +470,12 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.heartbeat_delay = lib->settings->get_int(lib->settings,
 				"%s.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY,
-				charon->name),
+				lib->ns),
 		.heartbeat_timeout = lib->settings->get_int(lib->settings,
 				"%s.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT,
-				charon->name),
+				lib->ns),
 		.autobalance = lib->settings->get_int(lib->settings,
-				"%s.plugins.ha.autobalance", 0, charon->name),
+				"%s.plugins.ha.autobalance", 0, lib->ns),
 	);
 
 	if (monitor)
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 5c3d01558..2ee5a49f1 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
index 9bc49ba28..9f00abe8b 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
@@ -53,7 +53,7 @@ METHOD(plugin_t, reload, bool,
 	private_ipseckey_plugin_t *this)
 {
 	bool enabled = lib->settings->get_bool(lib->settings,
-							"%s.plugins.ipseckey.enable", FALSE, charon->name);
+								"%s.plugins.ipseckey.enable", FALSE, lib->ns);
 
 	if (enabled != this->enabled)
 	{
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index fa28babe4..1726c689c 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index d0744e300..b33580700 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -695,7 +695,7 @@ kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
 		.policies = linked_list_create(),
 		.excludes = linked_list_create(),
 		.allow_peer_ts = lib->settings->get_bool(lib->settings,
-				"%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, hydra->daemon),
+					"%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, lib->ns),
 	);
 
 	ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index 56f526217..e3b688dd6 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -144,6 +144,6 @@ plugin_t *kernel_libipsec_plugin_create()
 
 	/* set TUN device as default to install VIPs */
 	lib->settings->set_str(lib->settings, "%s.install_virtual_ip_on",
-						   this->tun->get_name(this->tun), charon->name);
+						   this->tun->get_name(this->tun), lib->ns);
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 9373703a2..48163aff2 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c
index be80bcde2..3351f6614 100644
--- a/src/libcharon/plugins/led/led_listener.c
+++ b/src/libcharon/plugins/led/led_listener.c
@@ -230,12 +230,12 @@ led_listener_t *led_listener_create()
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.blink_time = lib->settings->get_int(lib->settings,
-							"%s.plugins.led.blink_time", 50, charon->name),
+								"%s.plugins.led.blink_time", 50, lib->ns),
 	);
 
 	this->activity = open_led(lib->settings->get_str(lib->settings,
-							"%s.plugins.led.activity_led", NULL, charon->name),
-							&this->activity_max);
+								"%s.plugins.led.activity_led", NULL, lib->ns),
+								&this->activity_max);
 	set_led(this->activity, 0);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 93dd6b486..2369044dd 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -228,8 +228,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -297,6 +295,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -385,12 +388,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -405,6 +412,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index e4e47c1ac..e133190b4 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -236,11 +236,11 @@ static void load_addrs(private_load_tester_config_t *this)
 	mem_pool_t *pool;
 
 	this->keep = lib->settings->get_bool(lib->settings,
-						"%s.plugins.load-tester.addrs_keep", FALSE, charon->name);
+						"%s.plugins.load-tester.addrs_keep", FALSE, lib->ns);
 	this->prefix = lib->settings->get_int(lib->settings,
-						"%s.plugins.load-tester.addrs_prefix", 16, charon->name);
+						"%s.plugins.load-tester.addrs_prefix", 16, lib->ns);
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-						"%s.plugins.load-tester.addrs", charon->name);
+						"%s.plugins.load-tester.addrs", lib->ns);
 	while (enumerator->enumerate(enumerator, &iface, &token))
 	{
 		tokens = enumerator_create_token(token, ",", " ");
@@ -917,72 +917,71 @@ load_tester_config_t *load_tester_config_create()
 	);
 
 	if (lib->settings->get_bool(lib->settings,
-			"%s.plugins.load-tester.request_virtual_ip", FALSE, charon->name))
+				"%s.plugins.load-tester.request_virtual_ip", FALSE, lib->ns))
 	{
 		this->vip = host_create_from_string("0.0.0.0", 0);
 	}
 	this->pool = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.pool", NULL, charon->name);
+					"%s.plugins.load-tester.pool", NULL, lib->ns);
 	this->initiator = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.initiator", "0.0.0.0", charon->name);
+					"%s.plugins.load-tester.initiator", "0.0.0.0", lib->ns);
 	this->responder = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.responder", "127.0.0.1", charon->name);
+					"%s.plugins.load-tester.responder", "127.0.0.1", lib->ns);
 
 	this->proposal = proposal_create_from_string(PROTO_IKE,
 				lib->settings->get_str(lib->settings,
 					"%s.plugins.load-tester.proposal", "aes128-sha1-modp768",
-					charon->name));
+					lib->ns));
 	if (!this->proposal)
 	{	/* fallback */
 		this->proposal = proposal_create_from_string(PROTO_IKE,
 													 "aes128-sha1-modp768");
 	}
 	this->esp = proposal_create_from_string(PROTO_ESP,
-			lib->settings->get_str(lib->settings,
-				"%s.plugins.load-tester.esp", "aes128-sha1",
-				charon->name));
+				lib->settings->get_str(lib->settings,
+					"%s.plugins.load-tester.esp", "aes128-sha1", lib->ns));
 	if (!this->esp)
 	{	/* fallback */
 		this->esp = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	}
 
 	this->ike_rekey = lib->settings->get_int(lib->settings,
-			"%s.plugins.load-tester.ike_rekey", 0, charon->name);
+				"%s.plugins.load-tester.ike_rekey", 0, lib->ns);
 	this->child_rekey = lib->settings->get_int(lib->settings,
-			"%s.plugins.load-tester.child_rekey", 600, charon->name);
+				"%s.plugins.load-tester.child_rekey", 600, lib->ns);
 	this->dpd_delay = lib->settings->get_int(lib->settings,
-			"%s.plugins.load-tester.dpd_delay", 0, charon->name);
+				"%s.plugins.load-tester.dpd_delay", 0, lib->ns);
 	this->dpd_timeout = lib->settings->get_int(lib->settings,
-			"%s.plugins.load-tester.dpd_timeout", 0, charon->name);
+				"%s.plugins.load-tester.dpd_timeout", 0, lib->ns);
 
 	this->initiator_auth = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.initiator_auth", "pubkey", charon->name);
+				"%s.plugins.load-tester.initiator_auth", "pubkey", lib->ns);
 	this->responder_auth = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.responder_auth", "pubkey", charon->name);
+				"%s.plugins.load-tester.responder_auth", "pubkey", lib->ns);
 	this->initiator_id = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.initiator_id", NULL, charon->name);
+				"%s.plugins.load-tester.initiator_id", NULL, lib->ns);
 	this->initiator_match = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.initiator_match", NULL, charon->name);
+				"%s.plugins.load-tester.initiator_match", NULL, lib->ns);
 	this->responder_id = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.responder_id", NULL, charon->name);
+				"%s.plugins.load-tester.responder_id", NULL, lib->ns);
 
 	this->mode = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.mode", NULL, charon->name);
+				"%s.plugins.load-tester.mode", NULL, lib->ns);
 	this->initiator_tsi = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.initiator_tsi", NULL, charon->name);
+				"%s.plugins.load-tester.initiator_tsi", NULL, lib->ns);
 	this->responder_tsi =lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.responder_tsi",
-			this->initiator_tsi, charon->name);
+				"%s.plugins.load-tester.responder_tsi",
+				this->initiator_tsi, lib->ns);
 	this->initiator_tsr = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.initiator_tsr", NULL, charon->name);
+				"%s.plugins.load-tester.initiator_tsr", NULL, lib->ns);
 	this->responder_tsr =lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.responder_tsr",
-			this->initiator_tsr, charon->name);
+				"%s.plugins.load-tester.responder_tsr",
+				this->initiator_tsr, lib->ns);
 
 	this->port = lib->settings->get_int(lib->settings,
-			"%s.plugins.load-tester.dynamic_port", 0, charon->name);
+				"%s.plugins.load-tester.dynamic_port", 0, lib->ns);
 	this->version = lib->settings->get_int(lib->settings,
-			"%s.plugins.load-tester.version", IKE_ANY, charon->name);
+				"%s.plugins.load-tester.version", IKE_ANY, lib->ns);
 
 	load_addrs(this);
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index f9ec9142f..5f089f5db 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -302,7 +302,7 @@ load_tester_control_t *load_tester_control_create()
 
 	uri = lib->settings->get_str(lib->settings,
 				"%s.plugins.load-tester.socket", "unix://" LOAD_TESTER_SOCKET,
-				charon->name);
+				lib->ns);
 	this->service = lib->streams->create_service(lib->streams, uri, 10);
 	if (this->service)
 	{
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
index 028205bd2..f17d41f46 100644
--- a/src/libcharon/plugins/load_tester/load_tester_creds.c
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -202,7 +202,7 @@ static private_key_t *load_issuer_key()
 	char *path;
 
 	path = lib->settings->get_str(lib->settings,
-					"%s.plugins.load-tester.issuer_key", NULL, charon->name);
+						"%s.plugins.load-tester.issuer_key", NULL, lib->ns);
 	if (!path)
 	{
 		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
@@ -222,7 +222,7 @@ static certificate_t *load_issuer_cert()
 	char *path;
 
 	path = lib->settings->get_str(lib->settings,
-					"%s.plugins.load-tester.issuer_cert", NULL, charon->name);
+						"%s.plugins.load-tester.issuer_cert", NULL, lib->ns);
 	if (!path)
 	{
 		return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -246,7 +246,7 @@ static void load_ca_certs(private_load_tester_creds_t *this)
 	char *path;
 
 	path = lib->settings->get_str(lib->settings,
-						"%s.plugins.load-tester.ca_dir", NULL, charon->name);
+							"%s.plugins.load-tester.ca_dir", NULL, lib->ns);
 	if (path)
 	{
 		enumerator = enumerator_create_directory(path);
@@ -445,11 +445,11 @@ load_tester_creds_t *load_tester_creds_create()
 	char *pwd, *psk, *digest;
 
 	psk = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.preshared_key", default_psk, charon->name);
+				"%s.plugins.load-tester.preshared_key", default_psk, lib->ns);
 	pwd = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.eap_password", default_pwd, charon->name);
+				"%s.plugins.load-tester.eap_password", default_pwd, lib->ns);
 	digest = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.digest", "sha1", charon->name);
+				"%s.plugins.load-tester.digest", "sha1", lib->ns);
 
 	INIT(this,
 		.public = {
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 7e832ddc0..068020ef7 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -126,7 +126,7 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
 		},
 		.delete_after_established = lib->settings->get_bool(lib->settings,
 					"%s.plugins.load-tester.delete_after_established", FALSE,
-					charon->name),
+					lib->ns),
 		.shutdown_on = shutdown_on,
 		.config = config,
 	);
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 03557a269..e684f22ce 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -193,7 +193,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
 		lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
 
 		if (lib->settings->get_bool(lib->settings,
-				"%s.plugins.load-tester.shutdown_when_complete", 0, charon->name))
+				"%s.plugins.load-tester.shutdown_when_complete", 0, lib->ns))
 		{
 			shutdown_on = this->iterations * this->initiators;
 		}
@@ -262,8 +262,8 @@ plugin_t *load_tester_plugin_create()
 {
 	private_load_tester_plugin_t *this;
 
-	if (!lib->settings->get_bool(lib->settings,
-						"%s.plugins.load-tester.enable", FALSE, charon->name))
+	if (!lib->settings->get_bool(lib->settings, "%s.plugins.load-tester.enable",
+								 FALSE, lib->ns))
 	{
 		DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
 		return NULL;
@@ -279,19 +279,19 @@ plugin_t *load_tester_plugin_create()
 			},
 		},
 		.delay = lib->settings->get_int(lib->settings,
-						"%s.plugins.load-tester.delay", 0, charon->name),
+							"%s.plugins.load-tester.delay", 0, lib->ns),
 		.iterations = lib->settings->get_int(lib->settings,
-						"%s.plugins.load-tester.iterations", 1, charon->name),
+							"%s.plugins.load-tester.iterations", 1, lib->ns),
 		.initiators = lib->settings->get_int(lib->settings,
-						"%s.plugins.load-tester.initiators", 0, charon->name),
+							"%s.plugins.load-tester.initiators", 0, lib->ns),
 		.init_limit = lib->settings->get_int(lib->settings,
-						"%s.plugins.load-tester.init_limit", 0, charon->name),
+							"%s.plugins.load-tester.init_limit", 0, lib->ns),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
 	);
 
 	if (lib->settings->get_bool(lib->settings,
-			"%s.plugins.load-tester.fake_kernel", FALSE, charon->name))
+			"%s.plugins.load-tester.fake_kernel", FALSE, lib->ns))
 	{
 		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index d74ce4668..4b6d214de 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -224,8 +224,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -293,6 +291,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -381,12 +384,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -401,6 +408,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
index d25573bf4..4b33e3e31 100644
--- a/src/libcharon/plugins/lookip/lookip_socket.c
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -87,10 +87,21 @@ static void entry_destroy(entry_t *entry)
 }
 
 /**
- * Disconnect a stream, remove connection entry
+ * Data for async disconnect job
  */
-static void disconnect(private_lookip_socket_t *this, stream_t *stream)
+typedef struct {
+	/** socket ref */
+	private_lookip_socket_t *this;
+	/** stream to disconnect */
+	stream_t *stream;
+} disconnect_data_t;
+
+/**
+ * Disconnect a stream asynchronously, remove connection entry
+ */
+static job_requeue_t disconnect_async(disconnect_data_t *data)
 {
+	private_lookip_socket_t *this = data->this;
 	enumerator_t *enumerator;
 	entry_t *entry;
 
@@ -98,7 +109,7 @@ static void disconnect(private_lookip_socket_t *this, stream_t *stream)
 	enumerator = this->connected->create_enumerator(this->connected);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->stream == stream)
+		if (entry->stream == data->stream)
 		{
 			this->connected->remove_at(this->connected, enumerator);
 			if (entry->up || entry->down)
@@ -111,6 +122,24 @@ static void disconnect(private_lookip_socket_t *this, stream_t *stream)
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Queue async disconnect job
+ */
+static void disconnect(private_lookip_socket_t *this, stream_t *stream)
+{
+	disconnect_data_t *data;
+
+	INIT(data,
+		.this = this,
+		.stream = stream,
+	);
+
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((void*)disconnect_async, data,
+										free, NULL));
 }
 
 /**
@@ -393,8 +422,8 @@ lookip_socket_t *lookip_socket_create(lookip_listener_t *listener)
 	);
 
 	uri = lib->settings->get_str(lib->settings,
-				"%s.plugins.lookip.socket", "unix://" LOOKIP_SOCKET,
-				charon->name);
+							"%s.plugins.lookip.socket", "unix://" LOOKIP_SOCKET,
+							lib->ns);
 	this->service = lib->streams->create_service(lib->streams, uri, 10);
 	if (!this->service)
 	{
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index a8b793f6f..314088a25 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 76b05c634..8d7ca04e6 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 20e3553e7..7abc23e50 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 9e794cec3..b891f55f1 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index c8d8fae1c..bf85d5713 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/radattr/radattr_listener.c b/src/libcharon/plugins/radattr/radattr_listener.c
index 5443800e5..aca83aafc 100644
--- a/src/libcharon/plugins/radattr/radattr_listener.c
+++ b/src/libcharon/plugins/radattr/radattr_listener.c
@@ -19,7 +19,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <fcntl.h>
-#include <sys/mman.h>
 #include <errno.h>
 
 #include <daemon.h>
@@ -110,10 +109,7 @@ static void add_radius_attribute(private_radattr_listener_t *this,
 		identification_t *id;
 		auth_cfg_t *auth;
 		char path[PATH_MAX];
-		chunk_t data;
-		struct stat sb;
-		void *addr;
-		int fd;
+		chunk_t *data;
 
 		auth = ike_sa->get_auth_cfg(ike_sa, TRUE);
 		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
@@ -123,44 +119,16 @@ static void add_radius_attribute(private_radattr_listener_t *this,
 		}
 
 		snprintf(path, sizeof(path), "%s/%Y", this->dir, id);
-		fd = open(path, O_RDONLY);
-		if (fd != -1)
+		data = chunk_map(path, FALSE);
+		if (data)
 		{
-			if (fstat(fd, &sb) != -1)
+			if (data->len >= 2)
 			{
-				if (sb.st_size <= MAX_ATTR_SIZE)
-				{
-					addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-					if (addr != MAP_FAILED)
-					{
-						data = chunk_create(addr, sb.st_size);
-						if (data.len >= 2)
-						{
-							DBG1(DBG_CFG, "adding RADIUS %N attribute",
-								 radius_attribute_type_names, data.ptr[0]);
-							message->add_notify(message, FALSE,
-												RADIUS_ATTRIBUTE, data);
-						}
-						munmap(addr, sb.st_size);
-					}
-					else
-					{
-						DBG1(DBG_CFG, "mapping RADIUS attribute '%s' failed: %s",
-							 path, strerror(errno));
-					}
-				}
-				else
-				{
-					DBG1(DBG_CFG, "RADIUS attribute '%s' exceeds size limit",
-						 path);
-				}
-			}
-			else
-			{
-				DBG1(DBG_CFG, "fstat RADIUS attribute '%s' failed: %s",
-					 path, strerror(errno));
+				DBG1(DBG_CFG, "adding RADIUS %N attribute",
+					 radius_attribute_type_names, data->ptr[0]);
+				message->add_notify(message, FALSE, RADIUS_ATTRIBUTE, *data);
 			}
-			close(fd);
+			chunk_unmap(data);
 		}
 		else
 		{
@@ -212,9 +180,9 @@ radattr_listener_t *radattr_listener_create()
 			.destroy = _destroy,
 		},
 		.dir = lib->settings->get_str(lib->settings,
-							"%s.plugins.radattr.dir", NULL, charon->name),
+								"%s.plugins.radattr.dir", NULL, lib->ns),
 		.mid = lib->settings->get_int(lib->settings,
-							"%s.plugins.radattr.message_id", -1, charon->name),
+								"%s.plugins.radattr.message_id", -1, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index f56840410..43f3c6fbf 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index cfcee2f79..155113e48 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index ea976dfe9..081d3efc7 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -617,7 +617,7 @@ static int open_socket(private_socket_default_socket_t *this,
 		mark_t mark;
 
 		fwmark = lib->settings->get_str(lib->settings,
-						"%s.plugins.socket-default.fwmark", NULL, charon->name);
+							"%s.plugins.socket-default.fwmark", NULL, lib->ns);
 		if (fwmark && mark_from_string(fwmark, &mark))
 		{
 			if (setsockopt(skt, SOL_SOCKET, SO_MARK, &mark.value,
@@ -657,10 +657,10 @@ static bool use_family(int family)
 	{
 		case AF_INET:
 			return lib->settings->get_bool(lib->settings,
-					"%s.plugins.socket-default.use_ipv4", TRUE, charon->name);
+						"%s.plugins.socket-default.use_ipv4", TRUE, lib->ns);
 		case AF_INET6:
 			return lib->settings->get_bool(lib->settings,
-					"%s.plugins.socket-default.use_ipv6", TRUE, charon->name);
+						"%s.plugins.socket-default.use_ipv6", TRUE, lib->ns);
 		default:
 			return FALSE;
 	}
@@ -735,14 +735,14 @@ socket_default_socket_t *socket_default_socket_create()
 			},
 		},
 		.port = lib->settings->get_int(lib->settings,
-							"%s.port", CHARON_UDP_PORT, charon->name),
+							"%s.port", CHARON_UDP_PORT, lib->ns),
 		.natt = lib->settings->get_int(lib->settings,
-							"%s.port_nat_t", CHARON_NATT_PORT, charon->name),
+							"%s.port_nat_t", CHARON_NATT_PORT, lib->ns),
 		.max_packet = lib->settings->get_int(lib->settings,
-							"%s.max_packet", MAX_PACKET, charon->name),
+							"%s.max_packet", MAX_PACKET, lib->ns),
 		.set_source = lib->settings->get_bool(lib->settings,
 							"%s.plugins.socket-default.set_source", TRUE,
-							charon->name),
+							lib->ns),
 	);
 
 	if (this->port && this->port == this->natt)
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 1efbdabbc..da40a433b 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index 012f18e31..3161a709f 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -668,7 +668,7 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 		},
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.max_packet = lib->settings->get_int(lib->settings,
-									"%s.max_packet", MAX_PACKET, charon->name),
+										"%s.max_packet", MAX_PACKET, lib->ns),
 	);
 
 	if (pipe(this->notify) != 0)
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 18461fa04..963804932 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c
index 547e7691e..9a7a6e0ff 100644
--- a/src/libcharon/plugins/sql/sql_logger.c
+++ b/src/libcharon/plugins/sql/sql_logger.c
@@ -141,7 +141,7 @@ sql_logger_t *sql_logger_create(database_t *db)
 		.db = db,
 		.recursive = thread_value_create(NULL),
 		.level = lib->settings->get_int(lib->settings,
-								"%s.plugins.sql.loglevel", -1, charon->name),
+										"%s.plugins.sql.loglevel", -1, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index c1b4461d2..c5dd6e8b3 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -73,7 +73,7 @@ static bool open_database(private_sql_plugin_t *this,
 		char *uri;
 
 		uri = lib->settings->get_str(lib->settings, "%s.plugins.sql.database",
-									 NULL, charon->name);
+									 NULL, lib->ns);
 		if (!uri)
 		{
 			DBG1(DBG_CFG, "sql plugin: database URI not set");
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index a913e063e..11a8771cc 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 2e10f324b..e5e6d9246 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -880,7 +880,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 			else
 			{
 				vip = host_create_from_string(token, 0);
-				if (vip)
+				if (!vip)
 				{
 					DBG1(DBG_CFG, "ignored invalid subnet token: %s", token);
 				}
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index b583bfc53..f770d7c9e 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -778,7 +778,7 @@ stroke_control_t *stroke_control_create()
 			.destroy = _destroy,
 		},
 		.timeout = lib->settings->get_int(lib->settings,
-								"%s.plugins.stroke.timeout", 0, charon->name),
+									"%s.plugins.stroke.timeout", 0, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 8d0001271..f908219ed 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -17,8 +17,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <limits.h>
-#include <libgen.h>
-#include <sys/mman.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <unistd.h>
@@ -521,7 +519,16 @@ METHOD(stroke_cred_t, cache_cert, void,
 
 			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
 			{
-				chunk_write(chunk, buf, "crl", 022, TRUE);
+				if (chunk_write(chunk, buf, 022, TRUE))
+				{
+					DBG1(DBG_CFG, "  written crl file '%s' (%d bytes)",
+						 buf, chunk.len);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  writing crl file '%s' failed: %s",
+						 buf, strerror(errno));
+				}
 				free(chunk.ptr);
 			}
 		}
@@ -1092,46 +1099,24 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
 static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 						 char *file, int level, FILE *prompt)
 {
-	int line_nr = 0, fd;
-	chunk_t src, line;
-	struct stat sb;
-	void *addr;
+	int line_nr = 0;
+	chunk_t *src, line;
 
 	DBG1(DBG_CFG, "loading secrets from '%s'", file);
-	fd = open(file, O_RDONLY);
-	if (fd == -1)
+	src = chunk_map(file, FALSE);
+	if (!src)
 	{
 		DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file,
 			 strerror(errno));
 		return;
 	}
-	if (fstat(fd, &sb) == -1)
-	{
-		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file,
-			 strerror(errno));
-		close(fd);
-		return;
-	}
-	if (sb.st_size == 0)
-	{	/* skip empty files, as mmap() complains */
-		close(fd);
-		return;
-	}
-	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno));
-		close(fd);
-		return;
-	}
-	src = chunk_create(addr, sb.st_size);
 
 	if (!secrets)
 	{
 		secrets = mem_cred_create();
 	}
 
-	while (fetchline(&src, &line))
+	while (fetchline(src, &line))
 	{
 		chunk_t ids, token;
 		shared_key_type_t type;
@@ -1172,8 +1157,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			}
 			else
 			{	/* use directory of current file if relative */
-				dir = strdup(file);
-				dir = dirname(dir);
+				dir = path_dirname(file);
 
 				if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
 				{
@@ -1272,8 +1256,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			break;
 		}
 	}
-	munmap(addr, sb.st_size);
-	close(fd);
+	chunk_unmap(src);
 
 	if (level == 0)
 	{	/* replace secrets in active credential set */
@@ -1394,7 +1377,7 @@ stroke_cred_t *stroke_cred_create()
 
 	this->force_ca_cert = lib->settings->get_bool(lib->settings,
 						"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
-						FALSE, charon->name);
+						FALSE, lib->ns);
 
 	load_certs(this);
 	load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 3adebb523..169ff2bf6 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Tobias Brunner
+ * Copyright (C) 2011-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -99,6 +99,11 @@ struct private_stroke_socket_t {
 	 * Counter values for IKE events
 	 */
 	stroke_counter_t *counter;
+
+	/**
+	 * TRUE if log level changes are not allowed
+	 */
+	bool prevent_loglevel_changes;
 };
 
 /**
@@ -490,6 +495,25 @@ static void stroke_leases(private_stroke_socket_t *this,
 }
 
 /**
+ * Callback function for usage report
+ */
+static void report_usage(FILE *out, int count, size_t bytes,
+						 backtrace_t *bt, bool detailed)
+{
+	fprintf(out, "%zu bytes total, %d allocations, %zu bytes average:\n",
+			bytes, count, bytes / count);
+	bt->log(bt, out, detailed);
+}
+
+/**
+ * Callback function for memusage summary
+ */
+static void sum_usage(FILE *out, int count, size_t bytes, int whitelisted)
+{
+	fprintf(out, "Total memory usage: %zu\n", bytes);
+}
+
+/**
  * Show memory usage
  */
 static void stroke_memusage(private_stroke_socket_t *this,
@@ -497,7 +521,9 @@ static void stroke_memusage(private_stroke_socket_t *this,
 {
 	if (lib->leak_detective)
 	{
-		lib->leak_detective->usage(lib->leak_detective, out);
+		lib->leak_detective->usage(lib->leak_detective,
+								   (leak_detective_report_cb_t)report_usage,
+								   (leak_detective_summary_cb_t)sum_usage, out);
 	}
 }
 
@@ -546,6 +572,12 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
 
+	if (this->prevent_loglevel_changes)
+	{
+		DBG1(DBG_CFG, "prevented log level change");
+		fprintf(out, "command not allowed!\n");
+		return;
+	}
 	if (strcaseeq(msg->loglevel.type, "any"))
 	{
 		group = DBG_ANY;
@@ -555,7 +587,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 		group = enum_from_name(debug_names, msg->loglevel.type);
 		if ((int)group < 0)
 		{
-			fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+			fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
 			return;
 		}
 	}
@@ -591,8 +623,8 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
 		return FALSE;
 	}
 
-	/* read message */
-	msg = malloc(len);
+	/* read message (we need an additional byte to terminate the buffer) */
+	msg = malloc(len + 1);
 	msg->length = len;
 	if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
 	{
@@ -603,6 +635,9 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
 		free(msg);
 		return FALSE;
 	}
+	/* make sure even incorrectly unterminated strings don't extend over the
+	 * message boundaries */
+	((char*)msg)[len] = '\0';
 
 	DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);
 
@@ -727,6 +762,8 @@ stroke_socket_t *stroke_socket_create()
 		.public = {
 			.destroy = _destroy,
 		},
+		.prevent_loglevel_changes = lib->settings->get_bool(lib->settings,
+				"%s.plugins.stroke.prevent_loglevel_changes", FALSE, lib->ns),
 	);
 
 	this->cred = stroke_cred_create();
@@ -746,10 +783,10 @@ stroke_socket_t *stroke_socket_create()
 	charon->bus->add_listener(charon->bus, &this->counter->listener);
 
 	max_concurrent = lib->settings->get_int(lib->settings,
-			"%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
-			charon->name);
+				"%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
+				lib->ns);
 	uri = lib->settings->get_str(lib->settings,
-			"%s.plugins.stroke.socket", "unix://" STROKE_SOCKET, charon->name);
+				"%s.plugins.stroke.socket", "unix://" STROKE_SOCKET, lib->ns);
 	this->service = lib->streams->create_service(lib->streams, uri, 10);
 	if (!this->service)
 	{
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 8ad5c88ba..63724728a 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
index c8596114c..c1594b0b2 100644
--- a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
@@ -178,9 +178,9 @@ static bool load_validator(private_systime_fix_plugin_t *this)
 	char *str, *fmt;
 
 	fmt = lib->settings->get_str(lib->settings,
-			"%s.plugins.%s.threshold_format", "%Y", charon->name, get_name(this));
+			"%s.plugins.%s.threshold_format", "%Y", lib->ns, get_name(this));
 	str = lib->settings->get_str(lib->settings,
-			"%s.plugins.%s.threshold", NULL, charon->name, get_name(this));
+			"%s.plugins.%s.threshold", NULL, lib->ns, get_name(this));
 	if (!str)
 	{
 		DBG1(DBG_CFG, "no threshold configured for %s, disabled",
@@ -274,9 +274,9 @@ plugin_t *systime_fix_plugin_create()
 			},
 		},
 		.interval = lib->settings->get_int(lib->settings,
-				"%s.plugins.%s.interval", 0, charon->name, get_name(this)),
+						"%s.plugins.%s.interval", 0, lib->ns, get_name(this)),
 		.reauth = lib->settings->get_bool(lib->settings,
-				"%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)),
+						"%s.plugins.%s.reauth", FALSE, lib->ns, get_name(this)),
 	);
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index ca995b01f..ace18e77c 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index 4ad19c530..d2ba2e345 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -191,8 +191,8 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
 
 	/* schedule periodic transmission of IF-MAP renewSession request */
 	reschedule =  lib->settings->get_int(lib->settings,
-						"%s.plugins.tnc-ifmap.renew_session_interval",
-						 IFMAP_RENEW_SESSION_INTERVAL, charon->name);
+								"%s.plugins.tnc-ifmap.renew_session_interval",
+								 IFMAP_RENEW_SESSION_INTERVAL, lib->ns);
 
 	job = (job_t*)tnc_ifmap_renew_session_job_create(
 						this->ifmap->get_ref(this->ifmap), reschedule);
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index df7d2e2a1..8f24daea3 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -134,8 +134,8 @@ METHOD(tnc_ifmap_soap_t, newSession, bool,
 
 	/* set PEP and PDP device name (defaults to IF-MAP Publisher ID) */
 	this->device_name = lib->settings->get_str(lib->settings,
-									"%s.plugins.tnc-ifmap.device_name",
-									 this->ifmap_publisher_id, charon->name);
+										"%s.plugins.tnc-ifmap.device_name",
+										 this->ifmap_publisher_id, lib->ns);
 	this->device_name = strdup(this->device_name);
 
     return this->session_id && this->ifmap_publisher_id;
@@ -731,15 +731,15 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 
 	/* getting configuration parameters from strongswan.conf */
 	server_uri =  lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.server_uri", IFMAP_URI, charon->name);
+					"%s.plugins.tnc-ifmap.server_uri", IFMAP_URI, lib->ns);
 	server_cert = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.server_cert", NULL, charon->name);
+					"%s.plugins.tnc-ifmap.server_cert", NULL, lib->ns);
 	client_cert = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.client_cert", NULL, charon->name);
+					"%s.plugins.tnc-ifmap.client_cert", NULL, lib->ns);
 	client_key =  lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.client_key", NULL, charon->name);
+					"%s.plugins.tnc-ifmap.client_key", NULL, lib->ns);
 	user_pass =   lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.username_password", NULL, charon->name);
+					"%s.plugins.tnc-ifmap.username_password", NULL, lib->ns);
 
 	/* load [self-signed] MAP server certificate */
 	if (!server_cert)
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index d263bdec4..b2958efdb 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -222,8 +222,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -291,6 +289,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -379,12 +382,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -399,6 +406,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 31cee9e2b..89237f564 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -758,19 +758,19 @@ tnc_pdp_t *tnc_pdp_create(void)
 	bool radius_enable, pt_tls_enable;
 
 	server = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-pdp.server", NULL, charon->name);
+						"%s.plugins.tnc-pdp.server", NULL, lib->ns);
 	pt_tls_enable = lib->settings->get_bool(lib->settings,
-					"%s.plugins.tnc-pdp.pt_tls.enable", TRUE, charon->name);
+						"%s.plugins.tnc-pdp.pt_tls.enable", TRUE, lib->ns);
 	pt_tls_port = lib->settings->get_int(lib->settings,
-					"%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, charon->name);
+						"%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, lib->ns);
 	radius_enable = lib->settings->get_bool(lib->settings,
-					"%s.plugins.tnc-pdp.radius.enable", TRUE, charon->name);
+						"%s.plugins.tnc-pdp.radius.enable", TRUE, lib->ns);
 	radius_port = lib->settings->get_int(lib->settings,
-					"%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, charon->name);
+						"%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, lib->ns);
 	secret = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-pdp.radius.secret", NULL, charon->name);
+						"%s.plugins.tnc-pdp.radius.secret", NULL, lib->ns);
 	eap_type_str = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-pdp.radius.method", "ttls", charon->name);
+						"%s.plugins.tnc-pdp.radius.method", "ttls", lib->ns);
 
 	if (!pt_tls_enable && !radius_enable)
 	{
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index f789c31d2..6c7659bb1 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -298,7 +298,7 @@ tnc_pdp_connections_t *tnc_pdp_connections_create(void)
 		.list = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.timeout = lib->settings->get_int(lib->settings,
-				"%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, charon->name),
+						"%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index b36a53394..b2b473c32 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 2f8a65c07..2d9f59678 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 11d6091db..65fe14e1d 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index edff51a08..9f72a80da 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -97,9 +97,9 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
 }
 
 /**
- * As initiator, bump up TS to 0.0.0.0/0 for on-the-wire bits
+ * As initiator and responder, bump up TS to 0.0.0.0/0 for on-the-wire bits
  */
-static void narrow_initiator_pre(linked_list_t *list)
+static void narrow_pre(linked_list_t *list, char *side)
 {
 	traffic_selector_t *ts;
 
@@ -112,7 +112,7 @@ static void narrow_initiator_pre(linked_list_t *list)
 											 "255.255.255.255", 65535);
 	if (ts)
 	{
-		DBG2(DBG_CFG, "changing proposed traffic selectors for other:");
+		DBG2(DBG_CFG, "changing proposed traffic selectors for %s:", side);
 		DBG2(DBG_CFG, " %R", ts);
 		list->insert_last(list, ts);
 	}
@@ -149,12 +149,15 @@ METHOD(listener_t, narrow, bool,
 		switch (type)
 		{
 			case NARROW_INITIATOR_PRE_AUTH:
-				narrow_initiator_pre(remote);
+				narrow_pre(remote, "other");
 				break;
 			case NARROW_INITIATOR_POST_AUTH:
 				narrow_initiator(this, ike_sa,
 								 child_sa->get_config(child_sa), remote);
 				break;
+			case NARROW_RESPONDER:
+				narrow_pre(local, "us");
+				break;
 			case NARROW_RESPONDER_POST:
 				narrow_responder_post(child_sa->get_config(child_sa), local);
 				break;
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index ac6f93d69..86f81fcfb 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -16,6 +19,7 @@
 #include "unity_provider.h"
 
 #include <daemon.h>
+#include <bio/bio_writer.h>
 
 typedef struct private_unity_provider_t private_unity_provider_t;
 
@@ -31,58 +35,70 @@ struct private_unity_provider_t {
 };
 
 /**
- * Attribute enumerator for traffic selector list
+ * Attribute enumerator for UNITY_SPLIT_INCLUDE attribute
  */
 typedef struct {
 	/** Implements enumerator_t */
 	enumerator_t public;
 	/** list of traffic selectors to enumerate */
 	linked_list_t *list;
-	/** currently enumerating subnet */
-	u_char subnet[4];
-	/** currently enumerating subnet mask */
-	u_char mask[4];
+	/** attribute value */
+	chunk_t attr;
 } attribute_enumerator_t;
 
+/**
+ * Append data from the given traffic selector to the attribute data
+ */
+static void append_ts(bio_writer_t *writer, traffic_selector_t *ts)
+{
+	host_t *net, *mask;
+	chunk_t padding;
+	u_int8_t bits;
+
+	if (!ts->to_subnet(ts, &net, &bits))
+	{
+		return;
+	}
+	mask = host_create_netmask(AF_INET, bits);
+	if (!mask)
+	{
+		net->destroy(net);
+		return;
+	}
+	writer->write_data(writer, net->get_address(net));
+	writer->write_data(writer, mask->get_address(mask));
+	/* the Cisco client parses the "padding" as protocol, src and dst port, the
+	 * first two in network order the last in host order - no other clients seem
+	 * to support these fields so we don't use them either */
+	padding = writer->skip(writer, 6);
+	memset(padding.ptr, 0, padding.len);
+	mask->destroy(mask);
+	net->destroy(net);
+}
+
 METHOD(enumerator_t, attribute_enumerate, bool,
 	attribute_enumerator_t *this, configuration_attribute_type_t *type,
 	chunk_t *attr)
 {
 	traffic_selector_t *ts;
-	u_int8_t i, mask;
-	host_t *net;
+	bio_writer_t *writer;
 
-	while (TRUE)
+	if (this->list->get_count(this->list) == 0)
 	{
-		if (this->list->remove_first(this->list, (void**)&ts) != SUCCESS)
-		{
-			return FALSE;
-		}
-		if (ts->to_subnet(ts, &net, &mask))
-		{
-			ts->destroy(ts);
-			break;
-		}
-		ts->destroy(ts);
+		return FALSE;
 	}
 
-	memset(this->mask, 0, sizeof(this->mask));
-	for (i = 0; i < sizeof(this->mask); i++)
+	writer = bio_writer_create(14);
+	while (this->list->remove_first(this->list, (void**)&ts) == SUCCESS)
 	{
-		if (mask < 8)
-		{
-			this->mask[i] = 0xFF << (8 - mask);
-			break;
-		}
-		this->mask[i] = 0xFF;
-		mask -= 8;
+		append_ts(writer, ts);
+		ts->destroy(ts);
 	}
-	memcpy(this->subnet, net->get_address(net).ptr, sizeof(this->subnet));
-	net->destroy(net);
 
 	*type = UNITY_SPLIT_INCLUDE;
-	*attr = chunk_create(this->subnet, sizeof(this->subnet) + sizeof(this->mask));
+	*attr = this->attr = writer->extract_buf(writer);
 
+	writer->destroy(writer);
 	return TRUE;
 }
 
@@ -90,6 +106,7 @@ METHOD(enumerator_t, attribute_destroy, void,
 	attribute_enumerator_t *this)
 {
 	this->list->destroy_offset(this->list, offsetof(traffic_selector_t, destroy));
+	chunk_free(&this->attr);
 	free(this);
 }
 
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 697c95917..e2d6d32fb 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index 3a644380a..0894d2d07 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -188,7 +188,7 @@ METHOD(updown_handler_t, create_dns_enumerator, enumerator_t*,
 	ike_sa = charon->bus->get_sa(charon->bus);
 	if (!ike_sa)
 	{
-		return FALSE;
+		return enumerator_create_empty();
 	}
 
 	this->lock->read_lock(this->lock);
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 81adfdb13..2c3f93298 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -218,12 +219,12 @@ METHOD(listener_t, child_updown, bool,
 	enumerator = child_sa->create_policy_enumerator(child_sa);
 	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 	{
-		char command[1024];
+		char command[2048];
 		host_t *my_client, *other_client;
 		u_int8_t my_client_mask, other_client_mask;
 		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
 		mark_t mark;
-		bool is_host, is_ipv6;
+		bool is_host, is_ipv6, use_ipcomp;
 		FILE *shell;
 
 		my_ts->to_subnet(my_ts, &my_client, &my_client_mask);
@@ -322,6 +323,9 @@ METHOD(listener_t, child_updown, bool,
 
 		dns = make_dns_vars(this, ike_sa);
 
+		/* check for IPComp */
+		use_ipcomp = child_sa->get_ipcomp(child_sa) != IPCOMP_NONE;
+
 		/* determine IPv4/IPv6 and client/host situation */
 		is_host = my_ts->is_host(my_ts, me);
 		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
@@ -355,6 +359,7 @@ METHOD(listener_t, child_updown, bool,
 				"%s"
 				"%s"
 				"%s"
+				"%s"
 				"%s",
 				 up ? "up" : "down",
 				 is_host ? "-host" : "-client",
@@ -377,6 +382,7 @@ METHOD(listener_t, child_updown, bool,
 				 mark_in,
 				 mark_out,
 				 udp_enc,
+				 use_ipcomp ? "PLUTO_IPCOMP='1' " : "",
 				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
 				 dns,
 				 script);
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index 3c1aba5cc..d30267dee 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -58,7 +58,7 @@ static bool plugin_cb(private_updown_plugin_t *this,
 	if (reg)
 	{
 		if (lib->settings->get_bool(lib->settings,
-									"charon.plugins.updown.dns_handler", FALSE))
+							"%s.plugins.updown.dns_handler", FALSE, lib->ns))
 		{
 			this->handler = updown_handler_create();
 			hydra->attributes->add_handler(hydra->attributes,
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 218ecaaf7..aa8ad2e10 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -225,8 +225,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -294,6 +292,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -382,12 +385,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -402,6 +409,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index 996f263c9..c1b619c3c 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -157,7 +157,7 @@ whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
 
 	uri = lib->settings->get_str(lib->settings,
 				"%s.plugins.whitelist.socket", "unix://" WHITELIST_SOCKET,
-				charon->name);
+				lib->ns);
 	this->service = lib->streams->create_service(lib->streams, uri, 10);
 	if (!this->service)
 	{
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c
index 382ee3b8b..d0357b410 100644
--- a/src/libcharon/plugins/whitelist/whitelist_listener.c
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.c
@@ -206,7 +206,7 @@ whitelist_listener_t *whitelist_listener_create()
 		.ids = hashtable_create((hashtable_hash_t)hash,
 								(hashtable_equals_t)equals, 32),
 		.enabled = lib->settings->get_bool(lib->settings,
-								"%s.plugins.whitelist.enable", FALSE, charon->name),
+								"%s.plugins.whitelist.enable", FALSE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index c5eba1467..cf0c326e3 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.c b/src/libcharon/plugins/xauth_eap/xauth_eap.c
index 5ac4f10d2..f597bb7ae 100644
--- a/src/libcharon/plugins/xauth_eap/xauth_eap.c
+++ b/src/libcharon/plugins/xauth_eap/xauth_eap.c
@@ -224,7 +224,7 @@ METHOD(xauth_method_t, process, status_t,
 
 	name = lib->settings->get_str(lib->settings,
 								  "%s.plugins.xauth-eap.backend", "radius",
-								  charon->name);
+								  lib->ns);
 	type = eap_type_from_string(name);
 	if (!type)
 	{
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 47c216177..2d18f60df 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 22244930d..8173631ae 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
index a7d4f6436..1875f81d3 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -14,6 +14,7 @@ endif
 
 libstrongswan_xauth_pam_la_SOURCES = \
 	xauth_pam_plugin.h xauth_pam_plugin.c \
+	xauth_pam_listener.h xauth_pam_listener.c \
 	xauth_pam.h xauth_pam.c
 
 libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index dbcc4f405..1ee269e04 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -129,7 +129,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xauth_pam_la_LIBADD =
 am_libstrongswan_xauth_pam_la_OBJECTS = xauth_pam_plugin.lo \
-	xauth_pam.lo
+	xauth_pam_listener.lo xauth_pam.lo
 libstrongswan_xauth_pam_la_OBJECTS =  \
 	$(am_libstrongswan_xauth_pam_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -417,6 +425,7 @@ AM_CFLAGS = \
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-pam.la
 libstrongswan_xauth_pam_la_SOURCES = \
 	xauth_pam_plugin.h xauth_pam_plugin.c \
+	xauth_pam_listener.h xauth_pam_listener.c \
 	xauth_pam.h xauth_pam.c
 
 libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
@@ -511,6 +520,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_listener.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_plugin.Plo@am__quote@
 
 .c.o:
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.c b/src/libcharon/plugins/xauth_pam/xauth_pam.c
index 8ba2c764d..71c79ecc0 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam.c
@@ -116,7 +116,11 @@ static void attr2string(char *buf, size_t len, chunk_t chunk)
 {
 	if (chunk.len && chunk.len < len)
 	{
-		snprintf(buf, len, "%.*s", (int)chunk.len, chunk.ptr);
+		chunk_t sane;
+
+		chunk_printable(chunk, &sane, '?');
+		snprintf(buf, len, "%.*s", (int)sane.len, sane.ptr);
+		chunk_clear(&sane);
 	}
 }
 
@@ -138,7 +142,7 @@ METHOD(xauth_method_t, process, status_t,
 				/* trim to username part if email address given */
 				if (lib->settings->get_bool(lib->settings,
 											"%s.plugins.xauth-pam.trim_email",
-											TRUE, charon->name))
+											TRUE, lib->ns))
 				{
 					pos = memchr(chunk.ptr, '@', chunk.len);
 					if (pos)
@@ -171,9 +175,8 @@ METHOD(xauth_method_t, process, status_t,
 	service = lib->settings->get_str(lib->settings,
 				"%s.plugins.xauth-pam.pam_service",
 					lib->settings->get_str(lib->settings,
-						"%s.plugins.eap-gtc.pam_service",
-						"login", charon->name),
-				charon->name);
+						"%s.plugins.eap-gtc.pam_service", "login", lib->ns),
+				lib->ns);
 
 	if (authenticate(service, user, pass))
 	{
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
new file mode 100644
index 000000000..eb06f54bb
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi@endian.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "xauth_pam_listener.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <security/pam_appl.h>
+
+typedef struct private_xauth_pam_listener_t private_xauth_pam_listener_t;
+
+/**
+ * Private data of an xauth_pam_listener_t object.
+ */
+struct private_xauth_pam_listener_t {
+
+	/**
+	 * Public xauth_pam_listener_t interface.
+	 */
+	xauth_pam_listener_t public;
+
+	/**
+	 * PAM service
+	 */
+	char *service;
+};
+
+/**
+ * PAM conv callback function
+ */
+static int conv(int num_msg, const struct pam_message **msg,
+				struct pam_response **resp, void *data)
+{
+	int i;
+
+	for (i = 0; i < num_msg; i++)
+	{
+		/* ignore any text info, but fail on any interaction request */
+		if (msg[i]->msg_style != PAM_TEXT_INFO)
+		{
+			return PAM_CONV_ERR;
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_xauth_pam_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	struct pam_conv null_conv = {
+		.conv = conv,
+	};
+	pam_handle_t *pamh = NULL;
+	char *user;
+	int ret;
+
+	if (asprintf(&user, "%Y", ike_sa->get_other_eap_id(ike_sa)) != -1)
+	{
+		ret = pam_start(this->service, user, &null_conv, &pamh);
+		if (ret == PAM_SUCCESS)
+		{
+			if (up)
+			{
+				ret = pam_open_session(pamh, 0);
+				if (ret != PAM_SUCCESS)
+				{
+					DBG1(DBG_IKE, "XAuth pam_open_session for '%s' failed: %s",
+						 user, pam_strerror(pamh, ret));
+				}
+			}
+			else
+			{
+				ret = pam_close_session(pamh, 0);
+				if (ret != PAM_SUCCESS)
+				{
+					DBG1(DBG_IKE, "XAuth pam_close_session for '%s' failed: %s",
+						 user, pam_strerror(pamh, ret));
+				}
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "XAuth pam_start for '%s' failed: %s",
+				 user, pam_strerror(pamh, ret));
+		}
+		pam_end(pamh, ret);
+		free(user);
+	}
+	return TRUE;
+}
+
+METHOD(xauth_pam_listener_t, listener_destroy, void,
+	private_xauth_pam_listener_t *this)
+{
+	free(this);
+}
+
+xauth_pam_listener_t *xauth_pam_listener_create()
+{
+	private_xauth_pam_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_updown = _ike_updown,
+			},
+			.destroy = _listener_destroy,
+		},
+		/* Look for PAM service, with a legacy fallback for the eap-gtc plugin.
+		 * Default to "login". */
+		.service = lib->settings->get_str(lib->settings,
+						"%s.plugins.xauth-pam.pam_service",
+							lib->settings->get_str(lib->settings,
+								"%s.plugins.eap-gtc.pam_service",
+							"login", lib->ns),
+						lib->ns),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
new file mode 100644
index 000000000..5b15410f4
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi@endian.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup xauth_pam_i xauth_pam
+ * @{ @ingroup xauth_pam
+ */
+
+#ifndef XAUTH_PAM_LISENER_H_
+#define XAUTH_PAM_LISTENER_H_
+
+typedef struct xauth_pam_listener_t xauth_pam_listener_t;
+
+#include <bus/listeners/listener.h>
+
+/**
+ * Listener
+ */
+struct xauth_pam_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a xauth_pam_listener_t.
+	 */
+	void (*destroy)(xauth_pam_listener_t *this);
+};
+
+/**
+ * Create a xauth_pam_listener instance.
+ */
+xauth_pam_listener_t *xauth_pam_listener_create();
+
+
+#endif /** XAUTH_PAM_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index 2ef9a6c8f..497ad3dd9 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -15,6 +15,7 @@
 
 #include "xauth_pam_plugin.h"
 #include "xauth_pam.h"
+#include "xauth_pam_listener.h"
 
 #include <daemon.h>
 
@@ -22,26 +23,73 @@
 #define CAP_AUDIT_WRITE 29
 #endif
 
+typedef struct private_xauth_pam_plugin_t private_xauth_pam_plugin_t;
+
+/**
+ * private data of xauth_pam plugin
+ */
+struct private_xauth_pam_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	xauth_pam_plugin_t public;
+
+	/**
+	 * Listener
+	 */
+	xauth_pam_listener_t *listener;
+
+	/**
+	 * Do PAM session management?
+	 */
+	bool session;
+};
+
+/**
+ * Register XAuth method and listener
+ */
+static bool register_listener(private_xauth_pam_plugin_t *this,
+							  plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_name, char*,
-	xauth_pam_plugin_t *this)
+	private_xauth_pam_plugin_t *this)
 {
 	return "xauth-pam";
 }
 
 METHOD(plugin_t, get_features, int,
-	xauth_pam_plugin_t *this, plugin_feature_t *features[])
+	private_xauth_pam_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(xauth_method_register, xauth_pam_create_server),
 			PLUGIN_PROVIDE(XAUTH_SERVER, "pam"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_listener, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "pam-session"),
 	};
 	*features = f;
+	if (!this->session)
+	{
+		return 2;
+	}
 	return countof(f);
 }
 
 METHOD(plugin_t, destroy, void,
-	xauth_pam_plugin_t *this)
+	private_xauth_pam_plugin_t *this)
 {
+	this->listener->destroy(this->listener),
 	free(this);
 }
 
@@ -50,7 +98,7 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *xauth_pam_plugin_create()
 {
-	xauth_pam_plugin_t *this;
+	private_xauth_pam_plugin_t *this;
 
 	/* required for PAM authentication */
 	if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
@@ -60,12 +108,17 @@ plugin_t *xauth_pam_plugin_create()
 	}
 
 	INIT(this,
-		.plugin = {
-			.get_name = _get_name,
-			.get_features = _get_features,
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
 		},
+		.session = lib->settings->get_str(lib->settings,
+						"%s.plugins.xauth-pam.session", FALSE, lib->ns),
+		.listener = xauth_pam_listener_create(),
 	);
 
-	return &this->plugin;
+	return &this->public.plugin;
 }
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 9ab69b417..197733979 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -73,12 +73,13 @@ METHOD(job_t, execute, job_requeue_t,
 		{
 			if (child_sa->get_reqid(child_sa) == this->reqid)
 			{
-				time_t in, out, diff;
+				time_t in, out, install, diff;
 
 				child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
 				child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
+				install = child_sa->get_installtime(child_sa);
 
-				diff = time_monotonic(NULL) - max(in, out);
+				diff = time_monotonic(NULL) - max(max(in, out), install);
 
 				if (diff >= this->timeout)
 				{
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 9c3876a94..720a58553 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -120,6 +120,11 @@ struct private_child_sa_t {
 	time_t expire_time;
 
 	/**
+	 * absolute time when SA has been installed
+	 */
+	time_t install_time;
+
+	/**
 	 * state of the CHILD_SA
 	 */
 	child_sa_state_t state;
@@ -586,6 +591,12 @@ METHOD(child_sa_t, get_lifetime, time_t,
 	return hard ? this->expire_time : this->rekey_time;
 }
 
+METHOD(child_sa_t, get_installtime, time_t,
+	private_child_sa_t *this)
+{
+	return this->install_time;
+}
+
 METHOD(child_sa_t, alloc_spi, u_int32_t,
 	   private_child_sa_t *this, protocol_id_t protocol)
 {
@@ -1140,6 +1151,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 			.get_proposal = _get_proposal,
 			.set_proposal = _set_proposal,
 			.get_lifetime = _get_lifetime,
+			.get_installtime = _get_installtime,
 			.get_usestats = _get_usestats,
 			.get_mark = _get_mark,
 			.has_encap = _has_encap,
@@ -1170,6 +1182,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		.reqid = config->get_reqid(config),
 		.mark_in = config->get_mark(config, TRUE),
 		.mark_out = config->get_mark(config, FALSE),
+		.install_time = time_monotonic(NULL),
 	);
 
 	this->config = config;
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index ed52d60b1..a0c6c357f 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -265,6 +265,13 @@ struct child_sa_t {
 	time_t (*get_lifetime)(child_sa_t *this, bool hard);
 
 	/**
+	 * Get the absolute time when this SA has been installed.
+	 *
+	 * @return			monotonic absolute install time
+	 */
+	time_t (*get_installtime)(child_sa_t *this);
+
+	/**
 	 * Get last use time and the number of bytes processed.
 	 *
 	 * @param inbound		TRUE for inbound traffic, FALSE for outbound
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 028208782..2c15dc5eb 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -687,6 +687,14 @@ METHOD(ike_sa_t, set_state, void,
 					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
 				}
 				trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
+				if (trigger_dpd)
+				{
+					/* Some peers delay the DELETE after rekeying an IKE_SA.
+					 * If this delay is longer than our DPD delay, we would
+					 * send a DPD request here. The IKE_SA is not ready to do
+					 * so yet, so prevent that. */
+					this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
+				}
 			}
 			break;
 		}
@@ -1162,26 +1170,13 @@ METHOD(ike_sa_t, initiate, status_t,
 #endif /* ME */
 			)
 		{
-			bool is_anyaddr;
-			host_t *host;
 			char *addr;
 
-			addr = this->ike_cfg->get_my_addr(this->ike_cfg);
-			host = this->ike_cfg->resolve_other(this->ike_cfg, AF_UNSPEC);
-			is_anyaddr = host && host->is_anyaddr(host);
-			DESTROY_IF(host);
-
-			if (is_anyaddr || !this->retry_initiate_interval)
+			addr = this->ike_cfg->get_other_addr(this->ike_cfg);
+			if (!this->retry_initiate_interval)
 			{
-				if (is_anyaddr)
-				{
-					DBG1(DBG_IKE, "unable to initiate to %s", addr);
-				}
-				else
-				{
-					DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
-						 addr);
-				}
+				DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
+					 addr);
 				DESTROY_IF(child_cfg);
 				charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
 				return DESTROY_ME;
@@ -2130,7 +2125,10 @@ METHOD(ike_sa_t, destroy, void,
 	charon->bus->set_sa(charon->bus, &this->public);
 
 	set_state(this, IKE_DESTROYING);
-	DESTROY_IF(this->task_manager);
+	if (this->task_manager)
+	{
+		this->task_manager->flush(this->task_manager);
+	}
 
 	/* remove attributes first, as we pass the IKE_SA to the handler */
 	while (array_remove(this->attributes, ARRAY_TAIL, &entry))
@@ -2174,6 +2172,7 @@ METHOD(ike_sa_t, destroy, void,
 	charon->bus->set_sa(charon->bus, NULL);
 
 	array_destroy(this->child_sas);
+	DESTROY_IF(this->task_manager);
 	DESTROY_IF(this->keymat);
 	array_destroy(this->attributes);
 	array_destroy(this->my_vips);
@@ -2330,11 +2329,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 		.attributes = array_create(sizeof(attribute_entry_t), 0),
 		.unique_id = ref_get(&unique_id),
 		.keepalive_interval = lib->settings->get_time(lib->settings,
-							"%s.keep_alive", KEEPALIVE_INTERVAL, charon->name),
+								"%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
 		.retry_initiate_interval = lib->settings->get_time(lib->settings,
-							"%s.retry_initiate_interval", 0, charon->name),
+								"%s.retry_initiate_interval", 0, lib->ns),
 		.flush_auth_cfg = lib->settings->get_bool(lib->settings,
-							"%s.flush_auth_cfg", FALSE, charon->name),
+								"%s.flush_auth_cfg", FALSE, lib->ns),
 	);
 
 	if (version == IKEV2)
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 5768803aa..f2f81cf33 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -2150,17 +2150,17 @@ ike_sa_manager_t *ike_sa_manager_create()
 	}
 
 	this->ikesa_limit = lib->settings->get_int(lib->settings,
-									"%s.ikesa_limit", 0, charon->name);
+											   "%s.ikesa_limit", 0, lib->ns);
 
 	this->table_size = get_nearest_powerof2(lib->settings->get_int(
 									lib->settings, "%s.ikesa_table_size",
-									DEFAULT_HASHTABLE_SIZE, charon->name));
+									DEFAULT_HASHTABLE_SIZE, lib->ns));
 	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
 	this->table_mask = this->table_size - 1;
 
 	this->segment_count = get_nearest_powerof2(lib->settings->get_int(
 									lib->settings, "%s.ikesa_table_segments",
-									DEFAULT_SEGMENT_COUNT, charon->name));
+									DEFAULT_SEGMENT_COUNT, lib->ns));
 	this->segment_count = max(1, min(this->segment_count, this->table_size));
 	this->segment_mask = this->segment_count - 1;
 
@@ -2200,6 +2200,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	}
 
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
-										"%s.reuse_ikesa", TRUE, charon->name);
+											"%s.reuse_ikesa", TRUE, lib->ns);
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 597416e36..8fc158bba 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -339,10 +339,8 @@ METHOD(task_manager_t, flush_queue, void,
 	}
 }
 
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
+METHOD(task_manager_t, flush, void,
+	private_task_manager_t *this)
 {
 	flush_queue(this, TASK_QUEUE_QUEUED);
 	flush_queue(this, TASK_QUEUE_PASSIVE);
@@ -1581,7 +1579,7 @@ METHOD(task_manager_t, process_message, status_t,
 			lib->scheduler->schedule_job(lib->scheduler, job,
 					lib->settings->get_int(lib->settings,
 							"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
-							charon->name));
+							lib->ns));
 		}
 		this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
 		charon->bus->message(charon->bus, msg, TRUE, TRUE);
@@ -2070,6 +2068,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
+				.flush = _flush,
 				.flush_queue = _flush_queue,
 				.destroy = _destroy,
 			},
@@ -2083,9 +2082,9 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 		.frag = {
 			.exchange = ID_PROT,
 			.max_packet = lib->settings->get_int(lib->settings,
-					"%s.max_packet", MAX_PACKET, charon->name),
+						"%s.max_packet", MAX_PACKET, lib->ns),
 			.size = lib->settings->get_int(lib->settings,
-					"%s.fragment_size", MAX_FRAGMENT_SIZE, charon->name),
+						"%s.fragment_size", MAX_FRAGMENT_SIZE, lib->ns),
 		},
 		.ike_sa = ike_sa,
 		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
@@ -2093,11 +2092,11 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 		.active_tasks = linked_list_create(),
 		.passive_tasks = linked_list_create(),
 		.retransmit_tries = lib->settings->get_int(lib->settings,
-					"%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+						"%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
 		.retransmit_timeout = lib->settings->get_double(lib->settings,
-					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+						"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
 		.retransmit_base = lib->settings->get_double(lib->settings,
-					"%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+						"%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
 	);
 
 	if (!this->rng)
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 46cbb879b..6cc3e04b3 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -421,7 +421,7 @@ METHOD(task_t, process_r, status_t,
 				case AUTH_PSK:
 					if (!lib->settings->get_bool(lib->settings, "%s.i_dont_care"
 						"_about_security_and_use_aggressive_mode_psk",
-						FALSE, charon->name))
+						FALSE, lib->ns))
 					{
 						DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
 							 "security reasons");
@@ -478,7 +478,7 @@ METHOD(task_t, process_r, status_t,
 			while (TRUE)
 			{
 				if (this->ph1->verify_auth(this->ph1, this->method, message,
-										   this->id_data))
+										   chunk_clone(this->id_data)))
 				{
 					break;
 				}
@@ -487,12 +487,10 @@ METHOD(task_t, process_r, status_t,
 													this->method, TRUE, NULL);
 				if (!this->peer_cfg)
 				{
-					this->id_data = chunk_empty;
 					return send_delete(this);
 				}
 				this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
 			}
-			this->id_data = chunk_empty;
 
 			if (!charon->bus->authorize(charon->bus, FALSE))
 			{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 11155b287..e07ac0ab4 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -191,9 +191,9 @@ static void build(private_isakmp_vendor_t *this, message_t *message)
 	int i;
 
 	strongswan = lib->settings->get_bool(lib->settings,
-								"%s.send_vendor_id", FALSE, charon->name);
+										 "%s.send_vendor_id", FALSE, lib->ns);
 	cisco_unity = lib->settings->get_bool(lib->settings,
-								"%s.cisco_unity", FALSE, charon->name);
+										 "%s.cisco_unity", FALSE, lib->ns);
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 	fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO;
 	if (!this->initiator && fragmentation)
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 12ee594b9..6e7da9852 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -194,7 +194,7 @@ static void schedule_inactivity_timeout(private_quick_mode_t *this)
 	if (timeout)
 	{
 		close_ike = lib->settings->get_bool(lib->settings,
-								"%s.inactivity_close_ike", FALSE, charon->name);
+									"%s.inactivity_close_ike", FALSE, lib->ns);
 		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
 									  timeout, close_ike), timeout);
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 4d0683f0a..8c7ba8d55 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -278,6 +278,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 	{
 		DBG1(DBG_IKE, "no %N selected",
 			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+		chunk_clear(&secret);
 		return FALSE;
 	}
 	this->prf_alg = alg;
@@ -287,6 +288,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 		DBG1(DBG_IKE, "%N %N not supported!",
 			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
 			 pseudo_random_function_names, alg);
+		chunk_clear(&secret);
 		return FALSE;
 	}
 	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
@@ -339,6 +341,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 		{
 			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
 				 pseudo_random_function_names, rekey_function);
+			chunk_clear(&secret);
 			chunk_free(&full_nonce);
 			chunk_free(&fixed_nonce);
 			chunk_clear(&prf_plus_seed);
@@ -450,17 +453,6 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
 	chunk_t seed, secret = chunk_empty;
 	prf_plus_t *prf_plus;
 
-	if (dh)
-	{
-		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
-		{
-			return FALSE;
-		}
-		DBG4(DBG_CHD, "DH secret %B", &secret);
-	}
-	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
-	DBG4(DBG_CHD, "seed %B", &seed);
-
 	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
 								&enc_alg, &enc_size))
 	{
@@ -527,7 +519,21 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
 	{
 		return FALSE;
 	}
+
+	if (dh)
+	{
+		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		{
+			return FALSE;
+		}
+		DBG4(DBG_CHD, "DH secret %B", &secret);
+	}
+	seed = chunk_cata("scc", secret, nonce_i, nonce_r);
+	DBG4(DBG_CHD, "seed %B", &seed);
+
 	prf_plus = prf_plus_create(this->prf, TRUE, seed);
+	memwipe(seed.ptr, seed.len);
+
 	if (!prf_plus)
 	{
 		return FALSE;
@@ -590,7 +596,7 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
 	idx = chunk_cata("cc", chunk, id->get_encoding(id));
 
 	DBG3(DBG_IKE, "IDx' %B", &idx);
-	DBG3(DBG_IKE, "SK_p %B", &skp);
+	DBG4(DBG_IKE, "SK_p %B", &skp);
 	if (!this->prf->set_key(this->prf, skp) ||
 		!this->prf->allocate_bytes(this->prf, idx, &chunk))
 	{
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 8e6da1609..ac3be900f 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -184,10 +184,8 @@ METHOD(task_manager_t, flush_queue, void,
 	}
 }
 
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
+METHOD(task_manager_t, flush, void,
+	private_task_manager_t *this)
 {
 	flush_queue(this, TASK_QUEUE_QUEUED);
 	flush_queue(this, TASK_QUEUE_PASSIVE);
@@ -1231,7 +1229,7 @@ METHOD(task_manager_t, process_message, status_t,
 		lib->scheduler->schedule_job(lib->scheduler, job,
 				lib->settings->get_int(lib->settings,
 						"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
-						charon->name));
+						lib->ns));
 	}
 	return SUCCESS;
 }
@@ -1569,6 +1567,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
+				.flush = _flush,
 				.flush_queue = _flush_queue,
 				.destroy = _destroy,
 			},
@@ -1579,11 +1578,11 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 		.active_tasks = array_create(0, 0),
 		.passive_tasks = array_create(0, 0),
 		.retransmit_tries = lib->settings->get_int(lib->settings,
-					"%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+					"%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
 		.retransmit_timeout = lib->settings->get_double(lib->settings,
-					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
 		.retransmit_base = lib->settings->get_double(lib->settings,
-					"%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+					"%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 7cfa537a9..df7bc96d6 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -293,7 +293,7 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 	if (timeout)
 	{
 		close_ike = lib->settings->get_bool(lib->settings,
-								"%s.inactivity_close_ike", FALSE, charon->name);
+									"%s.inactivity_close_ike", FALSE, lib->ns);
 		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
 									  timeout, close_ike), timeout);
@@ -1072,7 +1072,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
 {
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		lib->settings->get_bool(lib->settings,
-								"%s.close_ike_on_child_failure", FALSE, charon->name))
+								"%s.close_ike_on_child_failure", FALSE, lib->ns))
 	{
 		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
 		 * first */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 8f83c4884..800dab07e 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -120,7 +120,7 @@ struct private_ike_auth_t {
 static bool multiple_auth_enabled()
 {
 	return lib->settings->get_bool(lib->settings,
-							"%s.multiple_authentication", TRUE, charon->name);
+								   "%s.multiple_authentication", TRUE, lib->ns);
 }
 
 /**
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 2cbe8f8c5..bd28b29d7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -428,7 +428,7 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 		message->add_payload(message, (payload_t*)req);
 
 		if (lib->settings->get_bool(lib->settings,
-									"%s.hash_and_url", FALSE, charon->name))
+									"%s.hash_and_url", FALSE, lib->ns))
 		{
 			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
 								chunk_empty);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index 2730f5876..16ac16673 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -42,24 +42,60 @@ struct private_ike_vendor_t {
 };
 
 /**
- * strongSwan specific vendor ID without version, MD5("strongSwan")
+ * Vendor ID database entry
  */
-static chunk_t strongswan_vid = chunk_from_chars(
-	0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
-	0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
-);
+typedef struct {
+	/* Description */
+	char *desc;
+	/* extension flag negotiated with vendor ID, if any */
+	ike_extension_t extension;
+	/* length of vendor ID string, 0 for NULL terminated */
+	int len;
+	/* vendor ID string */
+	char *id;
+} vid_data_t;
+
+/**
+ * Get the data of a vendor ID as a chunk
+ */
+static chunk_t get_vid_data(vid_data_t *data)
+{
+	return chunk_create(data->id, data->len ?: strlen(data->id));
+}
+
+/**
+ * IKEv2 Vendor ID database entry
+ */
+static vid_data_t vids[] = {
+	/* strongSwan MD5("strongSwan") */
+	{ "strongSwan", EXT_STRONGSWAN, 16,
+	  "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
+	{ "Cisco Delete Reason", 0, 0,
+	  "CISCO-DELETE-REASON" },
+	{ "Cisco Copyright (c) 2009", 0, 0,
+	  "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
+	{ "FRAGMENTATION", 0, 16,
+	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3"},
+};
 
 METHOD(task_t, build, status_t,
 	private_ike_vendor_t *this, message_t *message)
 {
-	if (lib->settings->get_bool(lib->settings,
-								"%s.send_vendor_id", FALSE, charon->name))
-	{
-		vendor_id_payload_t *vid;
+	vendor_id_payload_t *vid;
+	bool strongswan;
+	int i;
 
-		vid = vendor_id_payload_create_data(VENDOR_ID,
-											chunk_clone(strongswan_vid));
-		message->add_payload(message, &vid->payload_interface);
+	strongswan = lib->settings->get_bool(lib->settings,
+							"%s.send_vendor_id", FALSE, lib->ns);
+	for (i = 0; i < countof(vids); i++)
+	{
+		if (vids[i].extension == EXT_STRONGSWAN && strongswan)
+		{
+			DBG2(DBG_IKE, "sending %s vendor ID", vids[i].desc);
+			vid = vendor_id_payload_create_data(VENDOR_ID,
+										chunk_clone(get_vid_data(&vids[i])));
+			message->add_payload(message, &vid->payload_interface);
+		}
 	}
 
 	return this->initiator ? NEED_MORE : SUCCESS;
@@ -70,6 +106,7 @@ METHOD(task_t, process, status_t,
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
+	int i;
 
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -78,16 +115,26 @@ METHOD(task_t, process, status_t,
 		{
 			vendor_id_payload_t *vid;
 			chunk_t data;
+			bool found = FALSE;
 
 			vid = (vendor_id_payload_t*)payload;
 			data = vid->get_data(vid);
 
-			if (chunk_equals(data, strongswan_vid))
+			for (i = 0; i < countof(vids); i++)
 			{
-				DBG1(DBG_IKE, "received strongSwan vendor ID");
-				this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
+				if (chunk_equals(get_vid_data(&vids[i]), data))
+				{
+					DBG1(DBG_IKE, "received %s vendor ID", vids[i].desc);
+					if (vids[i].extension)
+					{
+						this->ike_sa->enable_extension(this->ike_sa,
+													   vids[i].extension);
+					}
+					found = TRUE;
+					break;
+				}
 			}
-			else
+			if (!found)
 			{
 				DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
 			}
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index a1ebb4117..e7a6bf463 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -261,6 +261,11 @@ struct task_manager_t {
 											task_queue_t queue);
 
 	/**
+	 * Flush all tasks, regardless of the queue.
+	 */
+	void (*flush)(task_manager_t *this);
+
+	/**
 	 * Flush a queue, cancelling all tasks.
 	 *
 	 * @param queue			queue to flush
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 1f66d6ceb..7e55d6b0f 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -19,7 +19,6 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
-#include <threading/thread_value.h>
 #include <collections/linked_list.h>
 
 
@@ -63,11 +62,6 @@ struct private_trap_manager_t {
 	rwlock_t *lock;
 
 	/**
-	 * track if the current thread is installing a trap policy
-	 */
-	thread_value_t *installing;
-
-	/**
 	 * listener to track acquiring IKE_SAs
 	 */
 	trap_listener_t listener;
@@ -77,6 +71,8 @@ struct private_trap_manager_t {
  * A installed trap entry
  */
 typedef struct {
+	/** name of the trapped CHILD_SA */
+	char *name;
 	/** ref to peer_cfg to initiate */
 	peer_cfg_t *peer_cfg;
 	/** ref to instanciated CHILD_SA */
@@ -94,6 +90,7 @@ static void destroy_entry(entry_t *entry)
 {
 	entry->child_sa->destroy(entry->child_sa);
 	entry->peer_cfg->destroy(entry->peer_cfg);
+	free(entry->name);
 	free(entry);
 }
 
@@ -137,27 +134,42 @@ METHOD(trap_manager_t, install, u_int32_t,
 	}
 
 	this->lock->write_lock(this->lock);
-	this->installing->set(this->installing, this);
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (streq(entry->child_sa->get_name(entry->child_sa),
-				  child->get_name(child)))
+		if (streq(entry->name, child->get_name(child)))
 		{
-			this->traps->remove_at(this->traps, enumerator);
 			found = entry;
+			if (entry->child_sa)
+			{	/* replace it with an updated version, if already installed */
+				this->traps->remove_at(this->traps, enumerator);
+			}
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 
 	if (found)
-	{	/* config might have changed so update everything */
-		DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'",
-			 child->get_name(child));
+	{
+		if (!found->child_sa)
+		{
+			DBG1(DBG_CFG, "CHILD_SA '%s' is already being routed", found->name);
+			this->lock->unlock(this->lock);
+			return 0;
+		}
+		/* config might have changed so update everything */
+		DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'", found->name);
 		reqid = found->child_sa->get_reqid(found->child_sa);
 	}
 
+	INIT(entry,
+		.name = strdup(child->get_name(child)),
+		.peer_cfg = peer->get_ref(peer),
+	);
+	this->traps->insert_first(this->traps, entry);
+	/* don't hold lock while creating CHILD_SA and installing policies */
+	this->lock->unlock(this->lock);
+
 	/* create and route CHILD_SA */
 	child_sa = child_sa_create(me, other, child, reqid, FALSE);
 
@@ -185,24 +197,19 @@ METHOD(trap_manager_t, install, u_int32_t,
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_CFG, "installing trap failed");
+		this->lock->write_lock(this->lock);
+		this->traps->remove(this->traps, entry, NULL);
+		this->lock->unlock(this->lock);
+		entry->child_sa = child_sa;
+		destroy_entry(entry);
 		reqid = 0;
-		/* hold off destroying the CHILD_SA until we released the lock */
 	}
 	else
 	{
-		INIT(entry,
-			.child_sa = child_sa,
-			.peer_cfg = peer->get_ref(peer),
-		);
-		this->traps->insert_last(this->traps, entry);
 		reqid = child_sa->get_reqid(child_sa);
-	}
-	this->installing->set(this->installing, NULL);
-	this->lock->unlock(this->lock);
-
-	if (status != SUCCESS)
-	{
-		child_sa->destroy(child_sa);
+		this->lock->write_lock(this->lock);
+		entry->child_sa = child_sa;
+		this->lock->unlock(this->lock);
 	}
 	if (found)
 	{
@@ -221,7 +228,8 @@ METHOD(trap_manager_t, uninstall, bool,
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+		if (entry->child_sa &&
+			entry->child_sa->get_reqid(entry->child_sa) == reqid)
 		{
 			this->traps->remove_at(this->traps, enumerator);
 			found = entry;
@@ -236,7 +244,6 @@ METHOD(trap_manager_t, uninstall, bool,
 		DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
 		return FALSE;
 	}
-
 	destroy_entry(found);
 	return TRUE;
 }
@@ -247,6 +254,10 @@ METHOD(trap_manager_t, uninstall, bool,
 static bool trap_filter(rwlock_t *lock, entry_t **entry, peer_cfg_t **peer_cfg,
 						void *none, child_sa_t **child_sa)
 {
+	if (!(*entry)->child_sa)
+	{	/* skip entries that are currently being installed */
+		return FALSE;
+	}
 	if (peer_cfg)
 	{
 		*peer_cfg = (*entry)->peer_cfg;
@@ -271,28 +282,24 @@ METHOD(trap_manager_t, find_reqid, u_int32_t,
 	private_trap_manager_t *this, child_cfg_t *child)
 {
 	enumerator_t *enumerator;
-	child_cfg_t *current;
 	entry_t *entry;
 	u_int32_t reqid = 0;
 
-	if (this->installing->get(this->installing))
-	{	/* current thread holds the lock */
-		return reqid;
-	}
 	this->lock->read_lock(this->lock);
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		current = entry->child_sa->get_config(entry->child_sa);
-		if (streq(current->get_name(current), child->get_name(child)))
+		if (streq(entry->name, child->get_name(child)))
 		{
-			reqid = entry->child_sa->get_reqid(entry->child_sa);
+			if (entry->child_sa)
+			{
+				reqid = entry->child_sa->get_reqid(entry->child_sa);
+			}
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-
 	return reqid;
 }
 
@@ -310,7 +317,8 @@ METHOD(trap_manager_t, acquire, void,
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+		if (entry->child_sa &&
+			entry->child_sa->get_reqid(entry->child_sa) == reqid)
 		{
 			found = entry;
 			break;
@@ -365,6 +373,7 @@ METHOD(trap_manager_t, acquire, void,
 		else
 		{
 			ike_sa->destroy(ike_sa);
+			charon->bus->set_sa(charon->bus, NULL);
 		}
 	}
 	peer->destroy(peer);
@@ -445,7 +454,6 @@ METHOD(trap_manager_t, destroy, void,
 {
 	charon->bus->remove_listener(charon->bus, &this->listener.listener);
 	this->traps->destroy_function(this->traps, (void*)destroy_entry);
-	this->installing->destroy(this->installing);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -476,7 +484,6 @@ trap_manager_t *trap_manager_create(void)
 		},
 		.traps = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-		.installing = thread_value_create(NULL),
 	);
 	charon->bus->add_listener(charon->bus, &this->listener.listener);
 
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
index 17eecc2c9..3aabe7eae 100644
--- a/src/libcharon/sa/xauth/xauth_manager.c
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "xauth_manager.h"
 
 #include <collections/linked_list.h>
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 032385431..dbfb9889b 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libfast/fast_request.c b/src/libfast/fast_request.c
index 0673750b7..a56a59167 100644
--- a/src/libfast/fast_request.c
+++ b/src/libfast/fast_request.c
@@ -23,7 +23,6 @@
 #include <pthread.h>
 #include <string.h>
 #include <unistd.h>
-#include <sys/mman.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 
@@ -294,31 +293,17 @@ METHOD(fast_request_t, serve, void,
 METHOD(fast_request_t, sendfile, bool,
 	private_fast_request_t *this, char *path, char *mime)
 {
-	struct stat sb;
-	chunk_t data;
-	void *addr;
-	int fd, written;
+	chunk_t *data;
+	int written;
 	char buf[24];
 
-	fd = open(path, O_RDONLY);
-	if (fd == -1)
+	data = chunk_map(path, FALSE);
+	if (!data)
 	{
 		return FALSE;
 	}
-	if (fstat(fd, &sb) == -1)
-	{
-		close(fd);
-		return FALSE;
-	}
-	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		close(fd);
-		return FALSE;
-	}
-
 	/* FCGX does not like large integers, print to a buffer using libc */
-	snprintf(buf, sizeof(buf), "%lld", (int64_t)sb.st_size);
+	snprintf(buf, sizeof(buf), "%lld", (int64_t)data->len);
 	FCGX_FPrintF(this->req.out, "Content-Length: %s\n", buf);
 	if (mime)
 	{
@@ -326,22 +311,18 @@ METHOD(fast_request_t, sendfile, bool,
 	}
 	FCGX_FPrintF(this->req.out, "\n");
 
-	data = chunk_create(addr, sb.st_size);
-
-	while (data.len)
+	while (data->len)
 	{
-		written = FCGX_PutStr(data.ptr, data.len, this->req.out);
+		written = FCGX_PutStr(data->ptr, data->len, this->req.out);
 		if (written == -1)
 		{
-			munmap(addr, sb.st_size);
-			close(fd);
+			chunk_unmap(data);
 			return FALSE;
 		}
-		data = chunk_skip(data, written);
+		*data = chunk_skip(*data, written);
 	}
 
-	munmap(addr, sb.st_size);
-	close(fd);
+	chunk_unmap(data);
 	return TRUE;
 }
 
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index 429feed55..ff134da7b 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -26,7 +26,6 @@ LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
 # build libhydra ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/include \
 	$(strongswan_PATH)/src/libstrongswan
 
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index d3c3ed459..5e0bf3f17 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -275,8 +275,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -344,6 +342,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -432,12 +435,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -452,6 +459,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 77567ce48..cc45e5629 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -573,7 +573,7 @@ static private_mem_pool_t *create_generic(char *name)
 								   (hashtable_equals_t)id_equals, 16),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.reassign_online = lib->settings->get_bool(lib->settings,
-							"%s.mem-pool.reassign_online", FALSE, hydra->daemon),
+								"%s.mem-pool.reassign_online", FALSE, lib->ns),
 	);
 
 	return this;
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index f531bd5f4..1b5065081 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -59,7 +59,6 @@ void libhydra_deinit()
 
 	this->public.attributes->destroy(this->public.attributes);
 	this->public.kernel_interface->destroy(this->public.kernel_interface);
-	free((void*)this->public.daemon);
 	free(this);
 	hydra = NULL;
 }
@@ -67,7 +66,7 @@ void libhydra_deinit()
 /**
  * Described in header.
  */
-bool libhydra_init(const char *daemon)
+bool libhydra_init()
 {
 	private_hydra_t *this;
 
@@ -81,7 +80,6 @@ bool libhydra_init(const char *daemon)
 	INIT(this,
 		.public = {
 			.attributes = attribute_manager_create(),
-			.daemon = strdup(daemon ?: "libhydra"),
 		},
 		.ref = 1,
 	);
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index 2a8709d72..94209ff59 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -53,11 +53,6 @@ struct hydra_t {
 	 * kernel interface to communicate with kernel
 	 */
 	kernel_interface_t *kernel_interface;
-
-	/**
-	 * name of the daemon that initialized the library
-	 */
-	const char *daemon;
 };
 
 /**
@@ -70,15 +65,12 @@ extern hydra_t *hydra;
 /**
  * Initialize libhydra.
  *
- * The daemon's name is used to load daemon-specific settings.
- *
  * libhydra_init() may be called multiple times in a single process, but each
- * caller should call libhydra_deinit() for each call to libhydra_init().
+ * caller must call libhydra_deinit() for each call to libhydra_init().
  *
- * @param daemon		name of the daemon that initializes the library
  * @return				FALSE if integrity check failed
  */
-bool libhydra_init(const char *daemon);
+bool libhydra_init();
 
 /**
  * Deinitialize libhydra.
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index cbfddd03b..3e34d20a6 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -796,12 +796,12 @@ kernel_interface_t *kernel_interface_create()
 	);
 
 	ifaces = lib->settings->get_str(lib->settings,
-					"%s.interfaces_use", NULL, hydra->daemon);
+									"%s.interfaces_use", NULL, lib->ns);
 	if (!ifaces)
 	{
 		this->ifaces_exclude = TRUE;
 		ifaces = lib->settings->get_str(lib->settings,
-					"%s.interfaces_ignore", NULL, hydra->daemon);
+									"%s.interfaces_ignore", NULL, lib->ns);
 	}
 	if (ifaces)
 	{
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index af0a77fe3..e762b7757 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 1a2fa7f28..a27fd57b1 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -109,7 +109,7 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
 	host_t *host;
 	char *str;
 
-	str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, hydra->daemon,
+	str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, lib->ns,
 								 key, nr);
 	if (str)
 	{
@@ -179,7 +179,7 @@ static void load_entries(private_attr_provider_t *this)
 	}
 
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-											"%s.plugins.attr", hydra->daemon);
+													"%s.plugins.attr", lib->ns);
 	while (enumerator->enumerate(enumerator, &key, &value))
 	{
 		configuration_attribute_type_t type;
@@ -190,6 +190,10 @@ static void load_entries(private_attr_provider_t *this)
 		char *pos;
 		int i, mask = -1, family;
 
+		if (streq(key, "load"))
+		{
+			continue;
+		}
 		type = atoi(key);
 		if (!type)
 		{
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 7b7b5de05..1d258f2fb 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index 702872c57..dde90051a 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -61,7 +61,7 @@ static bool open_database(private_attr_sql_plugin_t *this,
 		char *uri;
 
 		uri = lib->settings->get_str(lib->settings,
-								"libhydra.plugins.attr-sql.database", NULL);
+								"%s.plugins.attr-sql.database", NULL, lib->ns);
 		if (!uri)
 		{
 			DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
@@ -122,6 +122,8 @@ plugin_t *attr_sql_plugin_create()
 			},
 		},
 	);
+	lib->settings->add_fallback(lib->settings, "%s.plugins.attr-sql",
+								"libhydra.plugins.attr-sql", lib->ns);
 
 	return &this->public.plugin;
 }
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index 0a06c419f..d527c3fba 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -457,7 +457,7 @@ sql_attribute_t *sql_attribute_create(database_t *db)
 		},
 		.db = db,
 		.history = lib->settings->get_bool(lib->settings,
-							"libhydra.plugins.attr-sql.lease_history", TRUE),
+							"%s.plugins.attr-sql.lease_history", TRUE, lib->ns),
 	);
 
 	/* close any "online" leases in the case we crashed */
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index a639ef6c3..c804c8e81 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index a226162c3..a75ccf3b6 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -311,8 +311,8 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 	}
 
 	mtu = lib->settings->get_int(lib->settings,
-						"%s.plugins.kernel-klips.ipsec_dev_mtu", 0,
-						hydra->daemon);
+								 "%s.plugins.kernel-klips.ipsec_dev_mtu", 0,
+								 lib->ns);
 	if (mtu <= 0)
 	{
 		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
@@ -2505,8 +2505,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
 {
 	int i, count = lib->settings->get_int(lib->settings,
-						"%s.plugins.kernel-klips.ipsec_dev_count",
-						DEFAULT_IPSEC_DEV_COUNT, hydra->daemon);
+									"%s.plugins.kernel-klips.ipsec_dev_count",
+									DEFAULT_IPSEC_DEV_COUNT, lib->ns);
 
 	for (i = 0; i < count; ++i)
 	{
@@ -2611,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
 		.install_routes = lib->settings->get_bool(lib->settings,
 												  "%s.install_routes", TRUE,
-												  hydra->daemon),
+												  lib->ns),
 	);
 
 	/* initialize ipsec devices */
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 5f85da653..5910cfd92 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8352b9311..c864a92f4 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1203,6 +1203,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_info *sa;
 	u_int16_t icv_size = 64;
+	ipsec_mode_t original_mode = mode;
 	status_t status = FAILED;
 
 	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1213,7 +1214,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
 			   tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
 			   chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
-			   NULL, NULL);
+			   src_ts, dst_ts);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
 		mode = MODE_TRANSPORT;
@@ -1243,7 +1244,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			break;
 		case MODE_BEET:
 		case MODE_TRANSPORT:
-			if(src_ts && dst_ts)
+			if (original_mode == MODE_TUNNEL)
+			{	/* don't install selectors for switched SAs.  because only one
+				 * selector can be installed other traffic would get dropped */
+				break;
+			}
+			if (src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
 				/* don't install proto/port on SA. This would break
@@ -1459,8 +1465,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		goto failed;
 	}
 
-	if (tfc)
-	{
+	if (tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL)
+	{	/* the kernel supports TFC padding only for tunnel mode ESP SAs */
 		u_int32_t *tfcpad;
 
 		tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
@@ -2679,15 +2685,15 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.policy_history = TRUE,
 		.install_routes = lib->settings->get_bool(lib->settings,
-					"%s.install_routes", TRUE, hydra->daemon),
+							"%s.install_routes", TRUE, lib->ns),
 		.replay_window = lib->settings->get_int(lib->settings,
-					"%s.replay_window", DEFAULT_REPLAY_WINDOW, hydra->daemon),
+							"%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
 	);
 
 	this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
 													(sizeof(u_int32_t) * 8);
 
-	if (streq(hydra->daemon, "starter"))
+	if (streq(lib->ns, "starter"))
 	{	/* starter has no threads, so we do not register for kernel events */
 		register_for_events = FALSE;
 	}
@@ -2697,7 +2703,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	{
 		fprintf(f, "%u", lib->settings->get_int(lib->settings,
 								"%s.plugins.kernel-netlink.xfrm_acq_expires",
-								DEFAULT_ACQUIRE_LIFETIME, hydra->daemon));
+								DEFAULT_ACQUIRE_LIFETIME, lib->ns));
 		fclose(f);
 	}
 
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index d27075082..3cf317634 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1962,10 +1962,13 @@ METHOD(kernel_net_t, add_route, status_t,
 		this->routes_lock->unlock(this->routes_lock);
 		return ALREADY_DONE;
 	}
-	found = route_entry_clone(&route);
-	this->routes->put(this->routes, found, found);
 	status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
 							 dst_net, prefixlen, gateway, src_ip, if_name);
+	if (status == SUCCESS)
+	{
+		found = route_entry_clone(&route);
+		this->routes->put(this->routes, found, found);
+	}
 	this->routes_lock->unlock(this->routes_lock);
 	return status;
 }
@@ -2122,7 +2125,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 	netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
 
 	fwmark = lib->settings->get_str(lib->settings,
-					"%s.plugins.kernel-netlink.fwmark", NULL, hydra->daemon);
+							"%s.plugins.kernel-netlink.fwmark", NULL, lib->ns);
 	if (fwmark)
 	{
 #ifdef HAVE_LINUX_FIB_RULES_H
@@ -2282,30 +2285,30 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 		.condvar = rwlock_condvar_create(),
 		.roam_lock = spinlock_create(),
 		.routing_table = lib->settings->get_int(lib->settings,
-				"%s.routing_table", ROUTING_TABLE, hydra->daemon),
+						"%s.routing_table", ROUTING_TABLE, lib->ns),
 		.routing_table_prio = lib->settings->get_int(lib->settings,
-				"%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon),
+						"%s.routing_table_prio", ROUTING_TABLE_PRIO, lib->ns),
 		.process_route = lib->settings->get_bool(lib->settings,
-				"%s.process_route", TRUE, hydra->daemon),
+						"%s.process_route", TRUE, lib->ns),
 		.install_virtual_ip = lib->settings->get_bool(lib->settings,
-				"%s.install_virtual_ip", TRUE, hydra->daemon),
+						"%s.install_virtual_ip", TRUE, lib->ns),
 		.install_virtual_ip_on = lib->settings->get_str(lib->settings,
-				"%s.install_virtual_ip_on", NULL, hydra->daemon),
+						"%s.install_virtual_ip_on", NULL, lib->ns),
 		.roam_events = lib->settings->get_bool(lib->settings,
-				"%s.plugins.kernel-netlink.roam_events", TRUE, hydra->daemon),
+						"%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns),
 	);
 	timerclear(&this->last_route_reinstall);
 	timerclear(&this->next_roam);
 
 	check_kernel_features(this);
 
-	if (streq(hydra->daemon, "starter"))
+	if (streq(lib->ns, "starter"))
 	{	/* starter has no threads, so we do not register for kernel events */
 		register_for_events = FALSE;
 	}
 
 	exclude = lib->settings->get_str(lib->settings,
-					"%s.ignore_routing_tables", NULL, hydra->daemon);
+									 "%s.ignore_routing_tables", NULL, lib->ns);
 	if (exclude)
 	{
 		char *token;
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 8903a460e..5d0e927de 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 98a6f81d5..4704d419f 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2861,10 +2861,10 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
 		.install_routes = lib->settings->get_bool(lib->settings,
 												  "%s.install_routes", TRUE,
-												  hydra->daemon),
+												  lib->ns),
 	);
 
-	if (streq(hydra->daemon, "starter"))
+	if (streq(lib->ns, "starter"))
 	{	/* starter has no threads, so we do not register for kernel events */
 		register_for_events = FALSE;
 	}
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 29a70799f..8e01d2992 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index bc10610cd..a8a57a5a2 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1420,9 +1420,12 @@ METHOD(kernel_net_t, add_route, status_t,
 		this->routes_lock->unlock(this->routes_lock);
 		return ALREADY_DONE;
 	}
-	found = route_entry_clone(&route);
-	this->routes->put(this->routes, found, found);
 	status = manage_route(this, RTM_ADD, dst_net, prefixlen, gateway, if_name);
+	if (status == SUCCESS)
+	{
+		found = route_entry_clone(&route);
+		this->routes->put(this->routes, found, found);
+	}
 	this->routes_lock->unlock(this->routes_lock);
 	return status;
 }
@@ -1782,7 +1785,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 		.net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
 		.roam_lock = spinlock_create(),
 		.vip_wait = lib->settings->get_int(lib->settings,
-					"%s.plugins.kernel-pfroute.vip_wait", 1000, hydra->daemon),
+						"%s.plugins.kernel-pfroute.vip_wait", 1000, lib->ns),
 	);
 	timerclear(&this->last_route_reinstall);
 	timerclear(&this->next_roam);
@@ -1796,7 +1799,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 		return NULL;
 	}
 
-	if (streq(hydra->daemon, "starter"))
+	if (streq(lib->ns, "starter"))
 	{
 		/* starter has no threads, so we do not register for kernel events */
 		if (shutdown(this->socket, SHUT_RD) != 0)
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 28b4b8fcf..0e520f126 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index 2eee854a9..069466ab5 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -361,7 +361,7 @@ resolve_handler_t *resolve_handler_create()
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.file = lib->settings->get_str(lib->settings, "%s.plugins.resolve.file",
-									   RESOLV_CONF, hydra->daemon),
+									   RESOLV_CONF, lib->ns),
 	);
 
 	if (stat(RESOLVCONF_EXEC, &st) == 0)
@@ -369,7 +369,7 @@ resolve_handler_t *resolve_handler_create()
 		this->use_resolvconf = TRUE;
 		this->iface_prefix = lib->settings->get_str(lib->settings,
 								"%s.plugins.resolve.resolvconf.iface_prefix",
-								RESOLVCONF_PREFIX, hydra->daemon);
+								RESOLVCONF_PREFIX, lib->ns);
 	}
 
 	return &this->public;
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index 86f172dd8..96e759724 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -24,7 +24,6 @@ libimcv_la_SOURCES = \
 	imv/imv_remediation_string.h imv/imv_remediation_string.c \
 	imv/imv_session.h imv/imv_session.c \
 	imv/imv_workitem.h imv/imv_workitem.c \
-	imv/tables.sql imv/data.sql \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
 	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
 	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
@@ -53,6 +52,9 @@ libimcv_la_SOURCES = \
 ipsec_SCRIPTS = imv/_imv_policy
 EXTRA_DIST = imv/_imv_policy
 
+templatesdir = $(pkgdatadir)/templates/database/imv
+dist_templates_DATA = imv/tables.sql imv/data.sql
+
 ipsec_PROGRAMS = imv_policy_manager
 imv_policy_manager_SOURCES = \
 	imv/imv_policy_manager.c \
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 2d488eabb..4c8287b70 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -16,6 +16,7 @@
 
 
 
+
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -89,7 +90,7 @@ ipsec_PROGRAMS = imv_policy_manager$(EXEEXT)
 @USE_IMV_OS_TRUE@am__append_6 = plugins/imv_os
 subdir = src/libimcv
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp
+	$(top_srcdir)/depcomp $(dist_templates_DATA)
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -135,7 +136,7 @@ am__uninstall_files_from_dir = { \
          $(am__cd) "$$dir" && rm -f $$files; }; \
   }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" \
-	"$(DESTDIR)$(ipsecdir)"
+	"$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libimcv_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -224,6 +225,7 @@ am__can_run_installinfo = \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
+DATA = $(dist_templates_DATA)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 am__recursive_targets = \
@@ -293,8 +295,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -362,6 +362,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -450,12 +455,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -470,6 +479,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -505,7 +515,6 @@ libimcv_la_SOURCES = \
 	imv/imv_remediation_string.h imv/imv_remediation_string.c \
 	imv/imv_session.h imv/imv_session.c \
 	imv/imv_workitem.h imv/imv_workitem.c \
-	imv/tables.sql imv/data.sql \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
 	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
 	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
@@ -533,6 +542,8 @@ libimcv_la_SOURCES = \
 
 ipsec_SCRIPTS = imv/_imv_policy
 EXTRA_DIST = imv/_imv_policy
+templatesdir = $(pkgdatadir)/templates/database/imv
+dist_templates_DATA = imv/tables.sql imv/data.sql
 imv_policy_manager_SOURCES = \
 	imv/imv_policy_manager.c \
 	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
@@ -891,6 +902,27 @@ clean-libtool:
 	-rm -rf ita/.libs ita/_libs
 	-rm -rf os_info/.libs os_info/_libs
 	-rm -rf pa_tnc/.libs pa_tnc/_libs
+install-dist_templatesDATA: $(dist_templates_DATA)
+	@$(NORMAL_INSTALL)
+	@list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \
+	done
+
+uninstall-dist_templatesDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir)
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run 'make' without going through this Makefile.
@@ -1048,10 +1080,10 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-recursive
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(DATA)
 installdirs: installdirs-recursive
 installdirs-am:
-	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(ipsecdir)"; do \
+	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-recursive
@@ -1119,8 +1151,8 @@ info: info-recursive
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS install-ipsecSCRIPTS \
-	install-ipseclibLTLIBRARIES
+install-data-am: install-dist_templatesDATA install-ipsecPROGRAMS \
+	install-ipsecSCRIPTS install-ipseclibLTLIBRARIES
 
 install-dvi: install-dvi-recursive
 
@@ -1166,8 +1198,8 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
-	uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS \
+	uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
 
 .MAKE: $(am__recursive_targets) install-am install-strip
 
@@ -1177,17 +1209,18 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
 	ctags-am distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-ipsecSCRIPTS \
+	install-data-am install-dist_templatesDATA install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-ipsecSCRIPTS \
 	install-ipseclibLTLIBRARIES install-man install-pdf \
 	install-pdf-am install-ps install-ps-am install-strip \
 	installcheck installcheck-am installdirs installdirs-am \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
 	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
-	uninstall-ipseclibLTLIBRARIES
+	uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS \
+	uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index b5862daee..2a4fd33df 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -109,7 +109,7 @@ bool libimcv_init(bool is_imv)
 	else
 	{
 		/* we are the first to initialize libstrongswan */
-		if (!library_init(NULL))
+		if (!library_init(NULL, "libimcv"))
 		{
 			return FALSE;
 		}
@@ -134,6 +134,10 @@ bool libimcv_init(bool is_imv)
 	}
 	ref_get(&libstrongswan_ref);
 
+	lib->settings->add_fallback(lib->settings, "%s.imcv", "libimcv", lib->ns);
+	lib->settings->add_fallback(lib->settings, "%s.plugins", "libimcv.plugins",
+								lib->ns);
+
 	if (libimcv_ref == 0)
 	{
 		char *uri, *script;
@@ -149,9 +153,10 @@ bool libimcv_init(bool is_imv)
 		if (is_imv)
 		{
 			uri = lib->settings->get_str(lib->settings,
-						"libimcv.database", NULL);
+						"%s.imcv.database", NULL, lib->ns);
 			script = lib->settings->get_str(lib->settings,
-						"libimcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT);
+						"%s.imcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT,
+						lib->ns);
 			if (uri)
 			{
 				imcv_db = imv_database_create(uri, script);
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 241a99645..9d938b9b8 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -168,6 +168,42 @@ INSERT INTO products (			/* 28 */
  'Debian 7.2 x86_64'
 );
 
+INSERT INTO products (			/* 29 */
+  name
+) VALUES (
+ 'Android 4.1.2'
+);
+
+INSERT INTO products (			/* 30 */
+  name
+) VALUES (
+ 'Android 4.2.2'
+);
+
+INSERT INTO products (			/* 31 */
+  name
+) VALUES (
+ 'Android 4.3.1'
+);
+
+INSERT INTO products (			/* 32 */
+  name
+) VALUES (
+ 'Android 4.4'
+);
+
+INSERT INTO products (			/* 33 */
+  name
+) VALUES (
+ 'Android 4.4.1'
+);
+
+INSERT INTO products (			/* 34 */
+  name
+) VALUES (
+ 'Android 4.4.2'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -568,6 +604,24 @@ INSERT INTO groups (			/* 10 */
   'Ref. Linux', 8
 );
 
+INSERT INTO groups (            /* 11 */
+  name
+) VALUES (
+  'TPM BIOS'
+);
+
+INSERT INTO groups (            /* 12 */
+  name
+) VALUES (
+  'TPM IMA'
+);
+
+INSERT INTO groups (            /* 13 */
+  name
+) VALUES (
+  'TPM BIOS/IMA'
+);
+
 /* Default Product Groups */
 
 INSERT INTO groups_product_defaults (
@@ -732,6 +786,42 @@ INSERT INTO groups_product_defaults (
   3, 22
 );
 
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 29
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 30
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 31
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 32
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 33
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 34
+);
+
 /* Policies */
 
 INSERT INTO policies (			/*  1 */
@@ -842,6 +932,24 @@ INSERT INTO policies (			/* 18 */
   15, 'SWID Tags', '', 2, 2
 );
 
+INSERT INTO policies (          /* 19 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  16, 'TPM BIOS Measurements', 'B', 2, 2
+);
+
+INSERT INTO policies (          /* 20 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  16, 'TPM IMA Measurements', 'I', 2, 2
+);
+
+INSERT INTO policies (          /* 21 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2
+);
+
 /* Enforcements */
 
 INSERT INTO enforcements (		/*  1 */
@@ -928,6 +1036,24 @@ INSERT INTO enforcements (		/* 14 */
   15, 9, 0
 );
 
+INSERT INTO enforcements (      /* 15 */
+  policy, group_id, max_age
+) VALUES (
+  19, 11, 60
+);
+
+INSERT INTO enforcements (      /* 16 */
+  policy, group_id, max_age
+) VALUES (
+  20, 12, 60
+);
+
+INSERT INTO enforcements (      /* 17 */
+  policy, group_id, max_age
+) VALUES (
+  21, 13, 60
+);
+
 /* regids */
 
 INSERT INTO regids (			/*  1 */
@@ -1058,3 +1184,9 @@ INSERT INTO tags (
   10, 'strongSwan-5-1-1'
 );
 
+INSERT INTO tags (
+  regid, unique_sw_id
+) VALUES (
+  10, 'strongSwan-5-1-2'
+);
+
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
index 642b47935..e7181750c 100644
--- a/src/libimcv/imv/imv_msg.c
+++ b/src/libimcv/imv/imv_msg.c
@@ -208,8 +208,8 @@ METHOD(imv_msg_t, send_assessment, TNC_Result,
 	}
 
 	/* Send an IETF Assessment Result attribute if enabled */
-	if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result",
-								TRUE))
+	if (lib->settings->get_bool(lib->settings, "%s.imcv.assessment_result",
+								TRUE, lib->ns))
 	{
 		this->state->get_recommendation(this->state, &rec, &eval);
 		attr = ietf_attr_assess_result_create(eval);
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index 61e0cd05b..028721af3 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -188,7 +188,7 @@ static bool policy_start(database_t *db, int session_id)
 	e->destroy(e);
 
 	/* if a device ID with a creation date exists, get all group memberships */
-	if (device_id & created)
+	if (device_id && created)
 	{
 		e = db->query(db,
 				"SELECT group_id FROM groups_members WHERE device_id = ?",
@@ -288,7 +288,7 @@ int main(int argc, char *argv[])
 	atexit(library_deinit);
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "imv_policy_manager"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
@@ -328,7 +328,12 @@ int main(int argc, char *argv[])
 	session_id = atoi(tnc_session_id);
 
 	/* attach IMV database */
-	uri = lib->settings->get_str(lib->settings, "libimcv.database", NULL);
+	uri = lib->settings->get_str(lib->settings,
+			"imv_policy_manager.database",
+			lib->settings->get_str(lib->settings,
+				"charon.imcv.database",
+				lib->settings->get_str(lib->settings,
+					"libimcv.database", NULL)));
 	if (!uri)
 	{
 		fprintf(stderr, "database uri not defined.\n");
diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c
index d1447ec35..c09b7bdba 100644
--- a/src/libimcv/imv/imv_reason_string.c
+++ b/src/libimcv/imv/imv_reason_string.c
@@ -35,6 +35,11 @@ struct private_imv_reason_string_t {
 	char *lang;
 
 	/**
+	 * Separator concatenating multiple reasons
+	 */
+	char *separator;
+
+	/**
 	 * Contains the concatenated reasons
 	 */
 	chunk_t reasons;
@@ -51,7 +56,8 @@ METHOD(imv_reason_string_t, add_reason, void,
 	if (this->reasons.len)
 	{
 		/* append any further reasons */
-		this->reasons = chunk_cat("mcc", this->reasons, chunk_from_chars('\n'),
+		this->reasons = chunk_cat("mcc", this->reasons,
+								  chunk_from_str(this->separator),
 								  chunk_create(s_reason, strlen(s_reason)));
 	}
 	else
@@ -77,7 +83,7 @@ METHOD(imv_reason_string_t, destroy, void,
 /**
  * Described in header.
  */
-imv_reason_string_t *imv_reason_string_create(char *lang)
+imv_reason_string_t *imv_reason_string_create(char *lang, char *separator)
 {
 	private_imv_reason_string_t *this;
 
@@ -88,6 +94,7 @@ imv_reason_string_t *imv_reason_string_create(char *lang)
 			.destroy = _destroy,
 		},
 		.lang = lang,
+		.separator = separator,
 	);
 
 	return &this->public;
diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h
index cb4c27f93..c35ec36cc 100644
--- a/src/libimcv/imv/imv_reason_string.h
+++ b/src/libimcv/imv/imv_reason_string.h
@@ -58,7 +58,8 @@ struct imv_reason_string_t {
  * Creates an Reason String object
  *
  * @param lang				Preferred language
+ * @param separator			String separating multiple reasons
  */
- imv_reason_string_t* imv_reason_string_create(char *lang);
+ imv_reason_string_t* imv_reason_string_create(char *lang, char *separator);
 
 #endif /** IMV_REASON_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_workitem.c b/src/libimcv/imv/imv_workitem.c
index 2141f73e6..8784a0ccf 100644
--- a/src/libimcv/imv/imv_workitem.c
+++ b/src/libimcv/imv/imv_workitem.c
@@ -20,7 +20,7 @@
 
 typedef struct private_imv_workitem_t private_imv_workitem_t;
 
-ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_SWID_TAGS,
+ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_TPM_ATTEST,
 	"PCKGS",
 	"UNSRC",
 	"FWDEN",
@@ -35,7 +35,8 @@ ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_SWID_TAGS,
 	"TCPBL",
 	"UDPOP",
 	"UDPBL",
-	"SWIDT"
+	"SWIDT",
+	"TPMRA"
 );
 
 /**
diff --git a/src/libimcv/imv/imv_workitem.h b/src/libimcv/imv/imv_workitem.h
index 868997797..93a4b5874 100644
--- a/src/libimcv/imv/imv_workitem.h
+++ b/src/libimcv/imv/imv_workitem.h
@@ -44,7 +44,8 @@ enum imv_workitem_type_t {
 	IMV_WORKITEM_TCP_PORT_BLOCK = 12,
 	IMV_WORKITEM_UDP_PORT_OPEN =  13,
 	IMV_WORKITEM_UDP_PORT_BLOCK = 14,
-	IMV_WORKITEM_SWID_TAGS =      15
+	IMV_WORKITEM_SWID_TAGS =      15,
+	IMV_WORKITEM_TPM_ATTEST =     16
 };
 
 extern enum_name_t *imv_workitem_type_names;
diff --git a/src/libimcv/ita/ita_attr_command.c b/src/libimcv/ita/ita_attr_command.c
index f32ab2bfe..9692e1ffd 100644
--- a/src/libimcv/ita/ita_attr_command.c
+++ b/src/libimcv/ita/ita_attr_command.c
@@ -13,14 +13,15 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "ita_attr.h"
 #include "ita_attr_command.h"
 
 #include <pen/pen.h>
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_ita_attr_command_t private_ita_attr_command_t;
 
 /**
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
index 196613153..d0bc31d32 100644
--- a/src/libimcv/ita/ita_attr_get_settings.c
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "ita_attr.h"
 #include "ita_attr_get_settings.h"
 
@@ -22,8 +25,6 @@
 #include <pen/pen.h>
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_ita_attr_get_settings_t private_ita_attr_get_settings_t;
 
 /**
@@ -166,7 +167,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	status = SUCCESS;
 
 end:
-	reader->destroy(reader);	
+	reader->destroy(reader);
 	return status;
 }
 
@@ -182,7 +183,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->list->destroy_function(this->list, free);	
+		this->list->destroy_function(this->list, free);
 		free(this->value.ptr);
 		free(this);
 	}
diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c
index 9ce253d28..0d2967e66 100644
--- a/src/libimcv/ita/ita_attr_settings.c
+++ b/src/libimcv/ita/ita_attr_settings.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "ita_attr.h"
 #include "ita_attr_settings.h"
 
@@ -22,8 +25,6 @@
 #include <pen/pen.h>
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_ita_attr_settings_t private_ita_attr_settings_t;
 typedef struct entry_t entry_t;
 
@@ -211,7 +212,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	status = SUCCESS;
 
 end:
-	reader->destroy(reader);	
+	reader->destroy(reader);
 	return status;
 }
 
@@ -227,7 +228,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->list->destroy_function(this->list, (void*)free_entry);	
+		this->list->destroy_function(this->list, (void*)free_entry);
 		free(this->value.ptr);
 		free(this);
 	}
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
index 17000cd27..06427575c 100644
--- a/src/libimcv/os_info/os_info.c
+++ b/src/libimcv/os_info/os_info.c
@@ -560,9 +560,9 @@ os_info_t *os_info_create(void)
 
 	/* As an option OS name and OS version can be configured manually */
 	name.ptr = lib->settings->get_str(lib->settings,
-									  "libimcv.os_info.name", NULL);
+									  "%s.imcv.os_info.name", NULL, lib->ns);
 	version.ptr = lib->settings->get_str(lib->settings,
-									  "libimcv.os_info.version", NULL);
+									  "%s.imcv.os_info.version", NULL, lib->ns);
 	if (name.ptr && version.ptr)
 	{
 		name.len = strlen(name.ptr);
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index a44721b04..bfb3f0022 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -213,8 +213,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -282,6 +280,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -370,12 +373,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -390,6 +397,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index 2558be9f8..647a44957 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -387,7 +387,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 		return TNC_RESULT_FATAL;
 	}
 	if (lib->settings->get_bool(lib->settings,
-								"libimcv.plugins.imc-os.push_info", TRUE))
+								"%s.plugins.imc-os.push_info", TRUE, lib->ns))
 	{
 		out_msg = imc_msg_create(imc_os, state, connection_id, imc_id,
 								 TNC_IMVID_ANY, msg_types[0]);
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 44b50e69b..3db0f2ba2 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index c87e827cd..2be6a87df 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -274,7 +274,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 		return TNC_RESULT_FATAL;
 	}
 	if (lib->settings->get_bool(lib->settings,
-								"libimcv.plugins.imc-scanner.push_info", TRUE))
+							"%s.plugins.imc-scanner.push_info", TRUE, lib->ns))
 	{
 		out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
 								 TNC_IMVID_ANY, msg_types[0]);
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index afbd244c9..64e1c271c 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -213,8 +213,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -282,6 +280,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -370,12 +373,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -390,6 +397,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c
index c97d41628..ee982d93b 100644
--- a/src/libimcv/plugins/imc_test/imc_test.c
+++ b/src/libimcv/plugins/imc_test/imc_test.c
@@ -91,11 +91,11 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 	{
 		case TNC_CONNECTION_STATE_CREATE:
 			command = lib->settings->get_str(lib->settings,
-						 		"libimcv.plugins.imc-test.command", "none");
+								"%s.plugins.imc-test.command", "none", lib->ns);
 			dummy_size = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imc-test.dummy_size", 0);
+								"%s.plugins.imc-test.dummy_size", 0, lib->ns);
 			retry = lib->settings->get_bool(lib->settings,
-								"libimcv.plugins.imc-test.retry", FALSE);
+								"%s.plugins.imc-test.retry", FALSE, lib->ns);
 			state = imc_test_state_create(connection_id, command, dummy_size,
 										  retry);
 
@@ -107,7 +107,7 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 
 			/* Optionally reserve additional IMC IDs */
 			additional_ids = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imc-test.additional_ids", 0);
+							"%s.plugins.imc-test.additional_ids", 0, lib->ns);
 			imc_test->reserve_additional_ids(imc_test, additional_ids -
 								imc_test->count_additional_ids(imc_test));
 
@@ -127,8 +127,8 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 			if (!test_state->is_first_handshake(test_state))
 			{
 				command = lib->settings->get_str(lib->settings,
-								"libimcv.plugins.imc-test.retry_command",
-								test_state->get_command(test_state));
+								"%s.plugins.imc-test.retry_command",
+								test_state->get_command(test_state), lib->ns);
 				test_state->set_command(test_state, command);
 			}
 
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index ed3fbb285..856ced897 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index d2a08b0fa..12cf207d8 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -13,12 +13,13 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "imv_os_database.h"
 
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_imv_os_database_t private_imv_os_database_t;
 
 /**
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
index f6d904c3c..4f5a4b039 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.c
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -421,7 +421,7 @@ METHOD(imv_state_t, get_reason_string, bool,
 
 	/* Instantiate a TNC Reason String object */
 	DESTROY_IF(this->reason_string);
-	this->reason_string = imv_reason_string_create(*reason_language);
+	this->reason_string = imv_reason_string_create(*reason_language, "\n");
 
 	if (this->count_update || this->count_blacklist)
 	{
@@ -494,7 +494,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 
 	*string = this->remediation_string->get_encoding(this->remediation_string);
 	*uri = lib->settings->get_str(lib->settings,
-							"libimcv.plugins.imv-os.remediation_uri", NULL);
+							"%s.plugins.imv-os.remediation_uri", NULL, lib->ns);
 
 	return TRUE;
 }
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
index 57cc62a08..019e2adb8 100644
--- a/src/libimcv/plugins/imv_os/pacman.c
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -466,12 +466,12 @@ int main(int argc, char *argv[])
 	atexit(cleanup);
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "pacman"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
 	if (!lib->plugins->load(lib->plugins,
-			lib->settings->get_str(lib->settings, "attest.load", "sqlite")))
+			lib->settings->get_str(lib->settings, "pacman.load", "sqlite")))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
index 621905edf..3dfea3905 100755
--- a/src/libimcv/plugins/imv_os/pacman.sh
+++ b/src/libimcv/plugins/imv_os/pacman.sh
@@ -13,6 +13,7 @@ DEBIAN_ARCH="binary-amd64 binary-i386"
 PACMAN=/usr/libexec/ipsec/pacman
 PACMAN_LOG="$DIR/$DATE-pacman.log"
 
+mkdir -p $DIR/dists
 cd $DIR/dists
 
 for v in $UBUNTU_VERSIONS
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 52ac0144f..748b9a72d 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 4c570c46a..90475d34d 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -281,7 +281,7 @@ METHOD(imv_state_t, get_reason_string, bool,
 
 	/* Instantiate a TNC Reason String object */
 	DESTROY_IF(this->reason_string);
-	this->reason_string = imv_reason_string_create(*reason_language);
+	this->reason_string = imv_reason_string_create(*reason_language, "\n");
 	if (this->rec != TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
 	{
 		this->reason_string->add_reason(this->reason_string, reasons);
@@ -314,7 +314,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 									this->violating_ports);
 	*string = this->remediation_string->get_encoding(this->remediation_string);
 	*uri = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-scanner.remediation_uri", NULL);
+					"%s.plugins.imv-scanner.remediation_uri", NULL, lib->ns);
 
 	return TRUE;
 }
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index ec5bb8332..3c73e8f95 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imv_test/imv_test_agent.c b/src/libimcv/plugins/imv_test/imv_test_agent.c
index cdf0e18cd..42630003b 100644
--- a/src/libimcv/plugins/imv_test/imv_test_agent.c
+++ b/src/libimcv/plugins/imv_test/imv_test_agent.c
@@ -103,7 +103,7 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
 
 	/* add any new IMC and set its number of rounds */
 	rounds = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imv-test.rounds", 0);
+									"%s.plugins.imv-test.rounds", 0, lib->ns);
 	test_state = (imv_test_state_t*)state;
 	test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
 
@@ -178,7 +178,7 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
 		if (result != TNC_RESULT_SUCCESS)
 		{
 			return result;
-		}  
+		}
 		return this->agent->provide_recommendation(this->agent, state);
 	}
 
@@ -200,7 +200,7 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
 		out_msg->add_attribute(out_msg, attr);
 
 		/* send PA-TNC message with excl flag set */
-		result = out_msg->send(out_msg, TRUE);	
+		result = out_msg->send(out_msg, TRUE);
 		out_msg->destroy(out_msg);
 
 		return result;
@@ -214,11 +214,11 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
 		if (result != TNC_RESULT_SUCCESS)
 		{
 			return result;
-		}  
+		}
 		return this->agent->provide_recommendation(this->agent, state);
 	}
 	else
-	{	
+	{
 		return TNC_RESULT_SUCCESS;
 	}
  }
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 0da09df67..f05db8027 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -228,7 +228,7 @@ METHOD(imv_state_t, get_reason_string, bool,
 
 	/* Instantiate a TNC Reason String object */
 	DESTROY_IF(this->reason_string);
-	this->reason_string = imv_reason_string_create(*reason_language);
+	this->reason_string = imv_reason_string_create(*reason_language, "\n");
 	this->reason_string->add_reason(this->reason_string, reasons);
 	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk
index 37f400fc3..c5d987977 100644
--- a/src/libipsec/Android.mk
+++ b/src/libipsec/Android.mk
@@ -20,7 +20,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES))
 # build libipsec ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/include \
 	$(strongswan_PATH)/src/libstrongswan
 
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index cf44fc6f8..737edad3f 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -255,8 +255,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -324,6 +322,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -412,12 +415,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -432,6 +439,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index a9b3f19ef..05c27d9cb 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -293,8 +293,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -362,6 +360,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -450,12 +453,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -470,6 +477,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 2d9279119..7a539ef22 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
index 92e2e3abe..fbe81ee48 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
@@ -109,8 +109,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 			int nonce_len, min_nonce_len;
 
 			nonce_len = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imc-attestation.nonce_len",
-								 DEFAULT_NONCE_LEN);
+								"%s.plugins.imc-attestation.nonce_len",
+								 DEFAULT_NONCE_LEN, lib->ns);
 
 			attr_cast = (tcg_pts_attr_dh_nonce_params_req_t*)attr;
 			min_nonce_len = attr_cast->get_min_nonce_len(attr_cast);
@@ -165,8 +165,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 			initiator_nonce = attr_cast->get_initiator_nonce(attr_cast);
 
 			nonce_len = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imc-attestation.nonce_len",
-								 DEFAULT_NONCE_LEN);
+								"%s.plugins.imc-attestation.nonce_len",
+								 DEFAULT_NONCE_LEN, lib->ns);
 			if (nonce_len != initiator_nonce.len)
 			{
 				DBG1(DBG_IMC, "initiator and responder DH nonces "
@@ -428,7 +428,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 			}
 
 			use_quote2 = lib->settings->get_bool(lib->settings,
-							"libimcv.plugins.imc-attestation.use_quote2", TRUE);
+							"%s.plugins.imc-attestation.use_quote2", TRUE,
+							lib->ns);
 			if (!pts->quote_tpm(pts, use_quote2, &pcr_composite, &quote_sig))
 			{
 				DBG1(DBG_IMC, "error occurred during TPM quote operation");
diff --git a/src/libpts/plugins/imc_swid/Makefile.in b/src/libpts/plugins/imc_swid/Makefile.in
index f62c05a3e..e1c932e45 100644
--- a/src/libpts/plugins/imc_swid/Makefile.in
+++ b/src/libpts/plugins/imc_swid/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imc_swid/imc_swid.c b/src/libpts/plugins/imc_swid/imc_swid.c
index e1305805a..d4aaeff4d 100644
--- a/src/libpts/plugins/imc_swid/imc_swid.c
+++ b/src/libpts/plugins/imc_swid/imc_swid.c
@@ -181,8 +181,8 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 		full_tags = (flags & TCG_SWID_ATTR_REQ_FLAG_R) == 0;
 
 		swid_directory = lib->settings->get_str(lib->settings,
-								"libimcv.plugins.imc-swid.swid_directory",
-								 SWID_DIRECTORY);
+								"%s.plugins.imc-swid.swid_directory",
+								 SWID_DIRECTORY, lib->ns);
 		swid_inventory = swid_inventory_create(full_tags);
 		if (!swid_inventory->collect(swid_inventory, swid_directory, targets))
 		{
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index 032d07a38..c1c14d476 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -227,8 +227,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -296,6 +294,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -384,12 +387,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -404,6 +411,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 4d25df3f4..b8a6854cb 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -266,19 +266,20 @@ static void do_args(int argc, char *argv[])
 				continue;
 			case 'F':
 			{
-				char *path = strdup(optarg);
-				char *dir = dirname(path);
-				char *file = basename(optarg);
+				char *dir = path_dirname(optarg);
+				char *file = path_basename(optarg);
 
 				if (*dir != '.')
 				{
 					if (!attest->set_directory(attest, dir, op == OP_ADD))
 					{
-						free(path);
+						free(file);
+						free(dir);
 						exit(EXIT_FAILURE);
 					}
 				}
-				free(path);
+				free(file);
+				free(dir);
 				if (!attest->set_file(attest, file, op == OP_ADD))
 				{
 					exit(EXIT_FAILURE);
@@ -439,7 +440,7 @@ int main(int argc, char *argv[])
 	atexit(library_deinit);
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "attest"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index d7654ab43..7a8a1135a 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -1555,7 +1555,7 @@ METHOD(attest_db_t, list_sessions, void,
 			device_len = min(strlen(device), DEVICE_MAX_LEN);
 			identity = identity.len ? identity : chunk_from_str("-");
 			printf("%4d: %T %2d %-20s %.*s%*s%.*s - %N\n", session_id, &created,
-				   FALSE, conn_id, product, device_len, device,
+				   this->utc, conn_id, product, device_len, device,
 				   DEVICE_MAX_LEN - device_len + 1, " ", (int)identity.len,
 				   identity.ptr, TNC_IMV_Action_Recommendation_names, rec);
 		}
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index 324fcafc3..8f4afdbad 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@ void usage(void)
 {
 	printf("\
 Usage:\n\
-  ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\
+  ipsec attest --components|--devices|--sessions|--files|--hashes|--keys [options]\n\
   \n\
   ipsec attest --measurements|--packages|--products|--add|--del [options]\n\
   \n\
@@ -35,6 +35,9 @@ Usage:\n\
   ipsec attest --devices [--utc]\n\
     Show a list of registered devices and associated collected information\n\
   \n\
+  ipsec attest --sessions [--utc]\n\
+    Show a chronologically sorted list of all TNC sessions\n\
+  \n\
   ipsec attest --files [--product <name>|--pid <id>]\n\
     Show a list of files with a software product name or\n\
     its primary key as an optional selector.\n\
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index 978c74001..e8c3c5e40 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -14,6 +14,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "imv_attestation_agent.h"
 #include "imv_attestation_state.h"
 #include "imv_attestation_process.h"
@@ -33,8 +36,11 @@
 #include <pts/pts.h>
 #include <pts/pts_database.h>
 #include <pts/pts_creds.h>
+#include <pts/components/ita/ita_comp_func_name.h>
 
 #include <tcg/tcg_attr.h>
+#include <tcg/pts/tcg_pts_attr_meas_algo.h>
+#include <tcg/pts/tcg_pts_attr_proto_caps.h>
 #include <tcg/pts/tcg_pts_attr_req_file_meas.h>
 #include <tcg/pts/tcg_pts_attr_req_file_meta.h>
 
@@ -289,10 +295,15 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	imv_state_t *state;
 	imv_session_t *session;
 	imv_attestation_state_t *attestation_state;
+	imv_attestation_handshake_state_t handshake_state;
+	imv_workitem_t *workitem;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
 	TNC_IMVID imv_id;
 	TNC_Result result = TNC_RESULT_SUCCESS;
 	pts_t *pts;
 	char *platform_info;
+	enumerator_t *enumerator;
 
 	if (!this->agent->get_state(this->agent, id, &state))
 	{
@@ -300,6 +311,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	}
 	attestation_state = (imv_attestation_state_t*)state;
 	pts = attestation_state->get_pts(attestation_state);
+	handshake_state = attestation_state->get_handshake_state(attestation_state);
 	platform_info = pts->get_platform_info(pts);
 	session = state->get_session(state);
 	imv_id = this->agent->get_id(this->agent);
@@ -336,21 +348,57 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 		state->set_action_flags(state, IMV_ATTESTATION_FLAG_ATTR_REQ);
 	}
 
+	if (handshake_state == IMV_ATTESTATION_STATE_INIT)
+	{
+		pa_tnc_attr_t *attr;
+		pts_proto_caps_flag_t flags;
+
+		out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+								 msg_types[0]);
+
+		/* Send Request Protocol Capabilities attribute */
+		flags = pts->get_proto_caps(pts);
+		attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
+		attr->set_noskip_flag(attr, TRUE);
+		out_msg->add_attribute(out_msg, attr);
+
+		/* Send Measurement Algorithms attribute */
+		attr = tcg_pts_attr_meas_algo_create(this->supported_algorithms, FALSE);
+		attr->set_noskip_flag(attr, TRUE);
+		out_msg->add_attribute(out_msg, attr);
+
+		attestation_state->set_handshake_state(attestation_state,
+										IMV_ATTESTATION_STATE_DISCOVERY);
+
+		/* send these initial PTS attributes and exit */
+		result = out_msg->send(out_msg, FALSE);
+		out_msg->destroy(out_msg);
+
+		return result;
+	}
+
+	/* exit if we are not ready yet for PTS measurements */
+	if (!platform_info || !session ||
+	    !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO))
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
 	/* create an empty out message - we might need it */
 	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
 							 msg_types[0]);
 
-	if (platform_info && session &&
-	   (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
-	  !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
+	/* establish the PTS measurements to be taken */
+	if (!(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
 	{
-		imv_workitem_t *workitem;
 		bool is_dir, no_workitems = TRUE;
 		u_int32_t delimiter = SOLIDUS_UTF;
 		u_int16_t request_id;
 		pa_tnc_attr_t *attr;
 		char *pathname;
-		enumerator_t *enumerator;
+
+		attestation_state->set_handshake_state(attestation_state,
+											   IMV_ATTESTATION_STATE_END);
 
 		enumerator = session->create_workitem_enumerator(session);
 		if (enumerator)
@@ -374,10 +422,75 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 					case IMV_WORKITEM_DIR_META:
 						is_dir = TRUE;
 						break;
+					case IMV_WORKITEM_TPM_ATTEST:
+					{
+						pts_component_t *comp;
+						pts_comp_func_name_t *comp_name;
+						bool no_d_flag, no_t_flag;
+						char result_str[BUF_LEN];
+
+						workitem->set_imv_id(workitem, imv_id);
+						no_workitems = FALSE;
+						no_d_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D);
+						no_t_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T);
+						if (no_d_flag || no_t_flag)
+						{
+							snprintf(result_str, BUF_LEN, "%s%s%s",
+									(no_t_flag) ? "no TPM available" : "",
+									(no_t_flag && no_d_flag) ? ", " : "",
+									(no_d_flag) ? "no DH nonce negotiation" : "");
+							eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+							session->remove_workitem(session, enumerator);
+							rec = workitem->set_result(workitem, result_str, eval);
+							state->update_recommendation(state, rec, eval);
+							imcv_db->finalize_workitem(imcv_db, workitem);
+							workitem->destroy(workitem);
+							continue;
+						}
+
+						/* do TPM BIOS measurements */
+						if (strchr(workitem->get_arg_str(workitem), 'B'))
+						{
+							comp_name = pts_comp_func_name_create(PEN_ITA,
+											PTS_ITA_COMP_FUNC_NAME_IMA,
+											PTS_ITA_QUALIFIER_FLAG_KERNEL |
+											PTS_ITA_QUALIFIER_TYPE_TRUSTED);
+							comp = attestation_state->create_component(
+											attestation_state, comp_name,
+											0, this->pts_db);
+							if (!comp)
+							{
+								comp_name->log(comp_name, "unregistered ");
+								comp_name->destroy(comp_name);
+							}
+						}
+
+						/* do TPM IMA measurements */
+						if (strchr(workitem->get_arg_str(workitem), 'I'))
+						{
+							comp_name = pts_comp_func_name_create(PEN_ITA,
+											PTS_ITA_COMP_FUNC_NAME_IMA,
+											PTS_ITA_QUALIFIER_FLAG_KERNEL |
+											PTS_ITA_QUALIFIER_TYPE_OS);
+							comp = attestation_state->create_component(
+											attestation_state, comp_name,
+											0, this->pts_db);
+							if (!comp)
+							{
+								comp_name->log(comp_name, "unregistered ");
+								comp_name->destroy(comp_name);
+							}
+						}
+
+						attestation_state->set_handshake_state(attestation_state,
+											IMV_ATTESTATION_STATE_NONCE_REQ);
+						continue;
+					}
 					default:
 						continue;
 				}
 
+				/* initiate file and directory measurements */
 				pathname = this->pts_db->get_pathname(this->pts_db, is_dir,
 											workitem->get_arg_int(workitem));
 				if (!pathname)
@@ -440,22 +553,35 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	}
 
 	/* check the IMV state for the next PA-TNC attributes to send */
-	if (!imv_attestation_build(out_msg, state, this->supported_algorithms,
-							   this->supported_dh_groups, this->pts_db))
+	enumerator = session->create_workitem_enumerator(session);
+	while (enumerator->enumerate(enumerator, &workitem))
 	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
-
-		if (result != TNC_RESULT_SUCCESS)
+		if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
 		{
-			return result;
+			if (!imv_attestation_build(out_msg, state,
+									   this->supported_dh_groups, this->pts_db))
+			{
+				imv_reason_string_t *reason_string;
+				chunk_t result;
+				char *result_str;
+
+				reason_string = imv_reason_string_create("en", ", ");
+				attestation_state->add_comp_evid_reasons(attestation_state,
+													 reason_string);
+				result = reason_string->get_encoding(reason_string);
+				result_str = strndup(result.ptr, result.len);
+				reason_string->destroy(reason_string);
+
+				eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+				session->remove_workitem(session, enumerator);
+				rec = workitem->set_result(workitem, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, workitem);
+			}
+			break;
 		}
-		return this->agent->provide_recommendation(this->agent, state);
 	}
+	enumerator->destroy(enumerator);
 
 	/* finalized all workitems? */
 	if (session && session->get_policy_started(session) &&
@@ -524,18 +650,22 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
 					case IMV_WORKITEM_FILE_MEAS:
 					case IMV_WORKITEM_DIR_REF_MEAS:
 					case IMV_WORKITEM_DIR_MEAS:
-						session->remove_workitem(session, enumerator);
-						result_str = "pending file measurements";
-						eval = TNC_IMV_EVALUATION_RESULT_ERROR;
-						rec = workitem->set_result(workitem, result_str, eval);
-						state->update_recommendation(state, rec, eval);
-						imcv_db->finalize_workitem(imcv_db, workitem);
-						workitem->destroy(workitem);
+						result_str = "Pending file measurements";
 						pending_file_meas++;
 						break;
-					default:
+					case IMV_WORKITEM_TPM_ATTEST:
+						attestation_state->finalize_components(attestation_state);
+						result_str = "Pending component evidence";
 						break;
+					default:
+						continue;
 				}
+				session->remove_workitem(session, enumerator);
+				eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+				rec = workitem->set_result(workitem, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, workitem);
+				workitem->destroy(workitem);
 			}
 			enumerator->destroy(enumerator);
 
@@ -585,11 +715,11 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	}
 
 	hash_alg = lib->settings->get_str(lib->settings,
-					"libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
+				"%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
 	dh_group = lib->settings->get_str(lib->settings,
-					"libimcv.plugins.imv-attestation.dh_group", "ecp256");
+				"%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
 	cadir = lib->settings->get_str(lib->settings,
-					"libimcv.plugins.imv-attestation.cadir", NULL);
+				"%s.plugins.imv-attestation.cadir", NULL, lib->ns);
 
 	INIT(this,
 		.public = {
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index 1fbde2c6d..84023c6c6 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,8 +17,6 @@
 #include "imv_attestation_build.h"
 #include "imv_attestation_state.h"
 
-#include <tcg/pts/tcg_pts_attr_proto_caps.h>
-#include <tcg/pts/tcg_pts_attr_meas_algo.h>
 #include <tcg/pts/tcg_pts_attr_dh_nonce_params_req.h>
 #include <tcg/pts/tcg_pts_attr_dh_nonce_finish.h>
 #include <tcg/pts/tcg_pts_attr_get_tpm_version_info.h>
@@ -27,9 +26,7 @@
 
 #include <utils/debug.h>
 
-bool imv_attestation_build(imv_msg_t *out_msg,
-						   imv_state_t *state,
-						   pts_meas_algorithms_t supported_algorithms,
+bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
 						   pts_dh_group_t supported_dh_groups,
 						   pts_database_t *pts_db)
 {
@@ -42,67 +39,15 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 	handshake_state = attestation_state->get_handshake_state(attestation_state);
 	pts = attestation_state->get_pts(attestation_state);
 
-	/**
-	 * Received a response form the Attestation IMC so we can proceeed
-	 */
-	if (handshake_state == IMV_ATTESTATION_STATE_DISCOVERY &&
-	   (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO))
-	{
-		handshake_state = IMV_ATTESTATION_STATE_NONCE_REQ;
-	}
-
-	/**
-	 * Skip DH Nonce Parameters Request attribute when
-	 *   DH Nonce Exchange is not selected by PTS-IMC side
-	 */
-	if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
-		!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
-	{
-		DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation");
-		handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
-	}
-
-	/**
-	 * Skip TPM Version Info and AIK attributes when
-	 *   no TPM is available on the PTS-IMC side
-	 */
-	if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
-		!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
-	{
-		DBG2(DBG_IMV, "PTS-IMC made no TPM available");
-		handshake_state = IMV_ATTESTATION_STATE_END;
-	}
-
 	switch (handshake_state)
 	{
-		case IMV_ATTESTATION_STATE_INIT:
-		{
-			pts_proto_caps_flag_t flags;
-
-			/* Send Request Protocol Capabilities attribute */
-			flags = pts->get_proto_caps(pts);
-			attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
-			attr->set_noskip_flag(attr, TRUE);
-			out_msg->add_attribute(out_msg, attr);
-
-			/* Send Measurement Algorithms attribute */
-			attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
-			attr->set_noskip_flag(attr, TRUE);
-			out_msg->add_attribute(out_msg, attr);
-
-			attestation_state->set_handshake_state(attestation_state,
-										IMV_ATTESTATION_STATE_DISCOVERY);
-			break;
-		}
-		case IMV_ATTESTATION_STATE_DISCOVERY:
-			break;
 		case IMV_ATTESTATION_STATE_NONCE_REQ:
 		{
 			int min_nonce_len;
 
 			/* Send DH nonce parameters request attribute */
 			min_nonce_len = lib->settings->get_int(lib->settings,
-						"libimcv.plugins.imv-attestation.min_nonce_len", 0);
+						"%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
 			attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
 													 supported_dh_groups);
 			attr->set_noskip_flag(attr, TRUE);
@@ -117,16 +62,13 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 			pts_meas_algorithms_t selected_algorithm;
 			chunk_t initiator_value, initiator_nonce;
 
-			if ((pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
-			{
-				/* Send DH nonce finish attribute */
-				selected_algorithm = pts->get_meas_algorithm(pts);
-				pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
-				attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
+			/* Send DH nonce finish attribute */
+			selected_algorithm = pts->get_meas_algorithm(pts);
+			pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
+			attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
 											initiator_value, initiator_nonce);
-				attr->set_noskip_flag(attr, TRUE);
-				out_msg->add_attribute(out_msg, attr);
-			}
+			attr->set_noskip_flag(attr, TRUE);
+			out_msg->add_attribute(out_msg, attr);
 
 			/* Send Get TPM Version attribute */
 			attr = tcg_pts_attr_get_tpm_version_info_create();
@@ -146,73 +88,40 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 		{
 			tcg_pts_attr_req_func_comp_evid_t *attr_cast;
 			enumerator_t *enumerator;
-			pts_component_t *comp;
-			pts_comp_func_name_t *comp_name;
+			pts_comp_func_name_t *name;
 			chunk_t keyid;
-			int kid, vid, name, qualifier;
+			int kid;
 			u_int8_t flags;
 			u_int32_t depth;
-			bool first = TRUE, first_component = TRUE;
+			bool first_component = TRUE;
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_END);
 
-			if (!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T) ||
-				!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
-			{
-				DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
-							  "skipping Component Measurements");
-				break;
-			}
-			if (!pts->get_aik_keyid(pts, &keyid))
-			{
-				DBG1(DBG_IMV, "retrieval of AIK keyid failed");
-				return FALSE;
-			}
-			if (!pts_db)
-			{
-				DBG1(DBG_IMV, "pts database not available");
-				break;
-			}
-			if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
+			if (!pts->get_aik_keyid(pts, &keyid) ||
+				 pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
 			{
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
 				return FALSE;
 			}
-			enumerator = pts_db->create_comp_evid_enumerator(pts_db, kid);
-			if (!enumerator)
-			{
-				break;
-			}
-			while (enumerator->enumerate(enumerator, &vid, &name,
-				&qualifier, &depth))
-			{
-				if (first)
-				{
-					DBG2(DBG_IMV, "evidence request by");
-					first = FALSE;
-				}
-				comp_name = pts_comp_func_name_create(vid, name, qualifier);
-				comp_name->log(comp_name, "  ");
 
-				comp = attestation_state->create_component(attestation_state,
-													comp_name, depth, pts_db);
-				if (!comp)
-				{
-					DBG2(DBG_IMV, "    not registered or duplicate"
-								  " - removed from request");
-					comp_name->destroy(comp_name);
-					continue;
-				}
+			enumerator = attestation_state->create_component_enumerator(
+													attestation_state);
+			while (enumerator->enumerate(enumerator, &flags, &depth, &name))
+			{
 				if (first_component)
 				{
 					attr = tcg_pts_attr_req_func_comp_evid_create();
 					attr->set_noskip_flag(attr, TRUE);
 					first_component = FALSE;
+					DBG2(DBG_IMV, "evidence request by");
 				}
-				flags = comp->get_evidence_flags(comp);
+				name->log(name, "  ");
+
 				/* TODO check flags against negotiated_caps */
 				attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
-				attr_cast->add_component(attr_cast, flags, depth, comp_name);
+				attr_cast->add_component(attr_cast, flags, depth, name);
 			}
 			enumerator->destroy(enumerator);
 
@@ -231,17 +140,9 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 			}
 			break;
 		}
-		case IMV_ATTESTATION_STATE_EVID_FINAL:
-			if (attestation_state->components_finalized(attestation_state))
-			{
-				attestation_state->set_handshake_state(attestation_state,
-										IMV_ATTESTATION_STATE_END);
-			}
-			break;
-		case IMV_ATTESTATION_STATE_END:
-			attestation_state->set_handshake_state(attestation_state,
-										IMV_ATTESTATION_STATE_END);
+		default:
 			break;
 	}
+
 	return TRUE;
 }
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
index 0cee49b34..88538b198 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
@@ -35,14 +35,11 @@
  *
  * @param out_msg				outbound PA-TNC message to be built
  * @param state					state of a given connection
- * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @param pts_db				PTS configuration database
  * @return						TRUE if successful
  */
-bool imv_attestation_build(imv_msg_t *out_msg,
-						   imv_state_t *state,
-						   pts_meas_algorithms_t supported_algorithms,
+bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
 						   pts_dh_group_t supported_dh_groups,
 						   pts_database_t *pts_db);
 
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 5137d64fe..e40c92a24 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011-2013 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,6 +14,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "imv_attestation_process.h"
 
 #include <imcv.h>
@@ -92,7 +96,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 
 			/* check compliance of responder nonce length */
 			min_nonce_len = lib->settings->get_int(lib->settings,
-						"libimcv.plugins.imv-attestation.min_nonce_len", 0);
+						"%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
 			nonce_len = responder_nonce.len;
 			if (nonce_len < PTS_MIN_NONCE_LEN ||
 			   (min_nonce_len > 0 && nonce_len < min_nonce_len))
@@ -162,7 +166,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 			if (!aik)
 			{
 				DBG1(DBG_IMV, "AIK unavailable");
-				return FALSE;
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+				break;
 			}
 			if (aik->get_type(aik) == CERT_X509)
 			{
@@ -186,7 +192,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 							   trusted ? "" : "not ");
 				if (!trusted)
 				{
-					return FALSE;
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+					break;
 				}
 			}
 			pts->set_aik(pts, aik);
@@ -242,7 +250,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 				}
 				type =    found->get_type(found);
 				arg_int = found->get_arg_int(found);
- 
+
 				switch (type)
 				{
 					default:
@@ -295,7 +303,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 						e = measurements->create_enumerator(measurements);
 						while (e->enumerate(e, &filename, &measurement))
 						{
-							if (pts_db->add_file_measurement(pts_db, 
+							if (pts_db->add_file_measurement(pts_db,
 									platform_info, algo, measurement, filename,
 									is_dir, arg_int) != SUCCESS)
 							{
@@ -366,6 +374,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 			pts_comp_evidence_t *evidence;
 			pts_component_t *comp;
 			u_int32_t depth;
+			status_t status;
 
 			attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
 			evidence = attr_cast->get_comp_evidence(attr_cast);
@@ -377,12 +386,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 				DBG1(DBG_IMV, "  no entry found for component evidence request");
 				break;
 			}
-			if (comp->verify(comp, name->get_qualifier(name), pts,
-							 evidence) != SUCCESS)
+			status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
+			if (status == VERIFY_ERROR || status == FAILED)
 			{
-				state->update_recommendation(state,
-							TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-							TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 				attestation_state->set_measurement_error(attestation_state,
 									IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
 				name->log(name, "  measurement mismatch for ");
@@ -396,6 +402,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 			pts_meas_algorithms_t comp_hash_algorithm;
 			chunk_t pcr_comp, tpm_quote_sig, evid_sig;
 			chunk_t pcr_composite, quote_info;
+			imv_session_t *session;
+			imv_workitem_t *workitem;
+			enumerator_t *enumerator;
 			bool use_quote2, use_ver_info;
 
 			attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
@@ -420,9 +429,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 				{
 					DBG1(DBG_IMV, "received PCR Composite does not match "
 								  "constructed one");
-					state->update_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 					attestation_state->set_measurement_error(attestation_state,
 										IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
 					goto quote_error;
@@ -431,9 +437,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 
 				if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
 				{
-					state->update_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 					attestation_state->set_measurement_error(attestation_state,
 										IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
 					goto quote_error;
@@ -449,6 +452,52 @@ quote_error:
 				 * if all expected component measurements were received
 				 */
 				attestation_state->finalize_components(attestation_state);
+
+				session = state->get_session(state);
+				enumerator = session->create_workitem_enumerator(session);
+				while (enumerator->enumerate(enumerator, &workitem))
+				{
+					if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
+					{
+						TNC_IMV_Action_Recommendation rec;
+						TNC_IMV_Evaluation_Result eval;
+						char *result_str;
+						u_int32_t error;
+
+						error = attestation_state->get_measurement_error(
+														attestation_state);
+						if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
+									 IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
+									 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
+						{
+							imv_reason_string_t *reason_string;
+							chunk_t result;
+
+							reason_string = imv_reason_string_create("en", ", ");
+							attestation_state->add_comp_evid_reasons(
+											attestation_state, reason_string);
+							result = reason_string->get_encoding(reason_string);
+							result_str = strndup(result.ptr, result.len);
+							reason_string->destroy(reason_string);
+							eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+						}
+						else
+						{
+							result_str = strdup("attestation successful");
+							eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+						}
+						session->remove_workitem(session, enumerator);
+						rec = workitem->set_result(workitem, result_str, eval);
+						state->update_recommendation(state, rec, eval);
+						imcv_db->finalize_workitem(imcv_db, workitem);
+						workitem->destroy(workitem);
+						free(result_str);
+						attestation_state->set_handshake_state(attestation_state,
+													IMV_ATTESTATION_STATE_END);
+						break;
+					}
+				}
+				enumerator->destroy(enumerator);
 			}
 
 			if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index 47011751d..9304b9a13 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2011-2012 Sansar Choinyambuu
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -127,7 +127,7 @@ struct private_imv_attestation_state_t {
  */
 struct func_comp_t {
 	pts_component_t *comp;
-	u_int8_t qualifier;
+	pts_comp_func_name_t* name;
 };
 
 /**
@@ -136,6 +136,7 @@ struct func_comp_t {
 static void free_func_comp(func_comp_t *this)
 {
 	this->comp->destroy(this->comp);
+	this->name->destroy(this->name);
 	free(this);
 }
 
@@ -161,6 +162,12 @@ static imv_lang_string_t reason_file_meas_pend[] = {
 	{ NULL, NULL }
 };
 
+static imv_lang_string_t reason_no_trusted_aik[] = {
+	{ "en", "No trusted AIK available" },
+	{ "de", "Kein vetrauenswürdiger AIK verfügbar" },
+	{ NULL, NULL }
+};
+
 static imv_lang_string_t reason_comp_evid_fail[] = {
 	{ "en", "Incorrect component evidence" },
 	{ "de", "Falsche Komponenten-Evidenz" },
@@ -290,42 +297,52 @@ METHOD(imv_state_t, update_recommendation, void,
 	this->eval = tncif_policy_update_evaluation(this->eval, eval);
 }
 
-METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
-	chunk_t *reason_string, char **reason_language)
+METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
+	private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
 {
-	*reason_language = imv_lang_string_select_lang(language_enumerator,
-											  languages, countof(languages));
-
-	/* Instantiate a TNC Reason String object */
-	DESTROY_IF(this->reason_string);
-	this->reason_string = imv_reason_string_create(*reason_language);
-
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
 	{
-		this->reason_string->add_reason(this->reason_string,
-										reason_file_meas_fail);
+		reason_string->add_reason(reason_string, reason_file_meas_fail);
 	}
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
 	{
-		this->reason_string->add_reason(this->reason_string,
-										reason_file_meas_pend);
+		reason_string->add_reason(reason_string, reason_file_meas_pend);
+	}
+}
+
+METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
+	private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
+{
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
+	{
+		reason_string->add_reason(reason_string, reason_no_trusted_aik);
 	}
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
 	{
-		this->reason_string->add_reason(this->reason_string,
-										reason_comp_evid_fail);
+		reason_string->add_reason(reason_string, reason_comp_evid_fail);
 	}
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
 	{
-		this->reason_string->add_reason(this->reason_string,
-										reason_comp_evid_pend);
+		reason_string->add_reason(reason_string, reason_comp_evid_pend);
 	}
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
 	{
-		this->reason_string->add_reason(this->reason_string,
-										reason_tpm_quote_fail);
+		reason_string->add_reason(reason_string, reason_tpm_quote_fail);
 	}
+}
+
+METHOD(imv_state_t, get_reason_string, bool,
+	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
+{
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
+
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language, "\n");
+	add_file_meas_reasons(this, this->reason_string);
+	add_comp_evid_reasons(this, this->reason_string);
 	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
 	return TRUE;
@@ -390,13 +407,13 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*,
 
 	if (found)
 	{
-		if (name->get_qualifier(name) == entry->qualifier)
+		if (name->equals(name, entry->name))
 		{
 			/* duplicate entry */
 			return NULL;
 		}
 		new_entry = malloc_thing(func_comp_t);
-		new_entry->qualifier = name->get_qualifier(name);
+		new_entry->name = name->clone(name);
 		new_entry->comp = entry->comp->get_ref(entry->comp);
 		this->components->insert_last(this->components, new_entry);
 		return entry->comp;
@@ -410,13 +427,41 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*,
 			return NULL;
 		}
 		new_entry = malloc_thing(func_comp_t);
-		new_entry->qualifier = name->get_qualifier(name);
+		new_entry->name = name->clone(name);
 		new_entry->comp = component;
 		this->components->insert_last(this->components, new_entry);
 		return component;
 	}
 }
 
+/**
+ * Enumerate file measurement entries
+ */
+static bool entry_filter(void *null, func_comp_t **entry, u_int8_t *flags,
+						 void *i2, u_int32_t *depth,
+						 void *i3, pts_comp_func_name_t **comp_name)
+{
+	pts_component_t *comp;
+	pts_comp_func_name_t *name;
+
+	comp = (*entry)->comp;
+	name = (*entry)->name;
+
+	*flags = comp->get_evidence_flags(comp);
+	*depth = comp->get_depth(comp);
+	*comp_name = name;
+
+	return TRUE;
+}
+
+METHOD(imv_attestation_state_t, create_component_enumerator, enumerator_t*,
+	private_imv_attestation_state_t *this)
+{
+	return enumerator_create_filter(
+				this->components->create_enumerator(this->components),
+				(void*)entry_filter, NULL, NULL);
+}
+
 METHOD(imv_attestation_state_t, get_component, pts_component_t*,
 	private_imv_attestation_state_t *this, pts_comp_func_name_t *name)
 {
@@ -427,8 +472,7 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*,
 	enumerator = this->components->create_enumerator(this->components);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)) &&
-			name->get_qualifier(name) == entry->qualifier)
+		if (name->equals(name, entry->name))
 		{
 			found = entry->comp;
 			break;
@@ -458,23 +502,15 @@ METHOD(imv_attestation_state_t, finalize_components, void,
 	while (this->components->remove_last(this->components,
 										(void**)&entry) == SUCCESS)
 	{
-		if (!entry->comp->finalize(entry->comp, entry->qualifier))
+		if (!entry->comp->finalize(entry->comp,
+								   entry->name->get_qualifier(entry->name)))
 		{
 			set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
-			update_recommendation(this,
-					 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-					 TNC_IMV_EVALUATION_RESULT_ERROR);
 		}
 		free_func_comp(entry);
 	}
 }
 
-METHOD(imv_attestation_state_t, components_finalized, bool,
-	private_imv_attestation_state_t *this)
-{
-	return this->components->get_count(this->components) == 0;
-}
-
 /**
  * Described in header.
  */
@@ -509,11 +545,13 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 			.set_handshake_state = _set_handshake_state,
 			.get_pts = _get_pts,
 			.create_component = _create_component,
+			.create_component_enumerator = _create_component_enumerator,
 			.get_component = _get_component,
 			.finalize_components = _finalize_components,
-			.components_finalized = _components_finalized,
 			.get_measurement_error = _get_measurement_error,
 			.set_measurement_error = _set_measurement_error,
+			.add_file_meas_reasons = _add_file_meas_reasons,
+			.add_comp_evid_reasons = _add_comp_evid_reasons,
 		},
 		.connection_id = connection_id,
 		.state = TNC_CONNECTION_STATE_CREATE,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 27d1ae8db..9369d30a2 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -25,6 +25,7 @@
 #define IMV_ATTESTATION_STATE_H_
 
 #include <imv/imv_state.h>
+#include <imv/imv_reason_string.h>
 #include <pts/pts.h>
 #include <pts/pts_database.h>
 #include <pts/components/pts_component.h>
@@ -64,9 +65,10 @@ enum imv_attestation_handshake_state_t {
 enum imv_meas_error_t {
 	IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL =  1,
 	IMV_ATTESTATION_ERROR_FILE_MEAS_PEND =  2,
-	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  4,
-	IMV_ATTESTATION_ERROR_COMP_EVID_PEND =  8,
-	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+	IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK =  4,
+	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  8,
+	IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
+	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
 };
 
 /**
@@ -116,6 +118,13 @@ struct imv_attestation_state_t {
 										 pts_database_t *pts_db);
 
 	/**
+	 * Enumerate over all Functional Components
+	 *
+	 * @return					Functional Component enumerator
+	 */
+	enumerator_t* (*create_component_enumerator)(imv_attestation_state_t *this);
+
+	/**
 	 * Get a Functional Component with a given name
 	 *
 	 * @param name				Name of the requested Functional Component
@@ -131,11 +140,6 @@ struct imv_attestation_state_t {
 	void (*finalize_components)(imv_attestation_state_t *this);
 
 	/**
-	 * Have the Functional Component measurements been finalized?
-	 */
-	bool (*components_finalized)(imv_attestation_state_t *this);
-
-	/**
 	 * Indicates the types of measurement errors that occurred
 	 *
 	 * @return					Measurement error flags
@@ -150,6 +154,21 @@ struct imv_attestation_state_t {
 	void (*set_measurement_error)(imv_attestation_state_t *this,
 								  u_int32_t error);
 
+	/**
+	 * Returns a concatenation of File Measurement reason strings
+	 *
+	 * @param reason_string		Concatenated reason strings
+	 */
+	void (*add_file_meas_reasons)(imv_attestation_state_t *this,
+								  imv_reason_string_t *reason_string);
+
+	/**
+	 * Returns a concatenation of Component Evidence reason strings
+	 *
+	 * @param reason_string		Concatenated reason strings
+	 */
+	void (*add_comp_evid_reasons)(imv_attestation_state_t *this,
+								  imv_reason_string_t *reason_string);
 };
 
 /**
diff --git a/src/libpts/plugins/imv_swid/Makefile.in b/src/libpts/plugins/imv_swid/Makefile.in
index 852cd3d04..b92f7d4d0 100644
--- a/src/libpts/plugins/imv_swid/Makefile.in
+++ b/src/libpts/plugins/imv_swid/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c
index 02470f5f5..c6b4131bf 100644
--- a/src/libpts/pts/components/ita/ita_comp_ima.c
+++ b/src/libpts/pts/components/ita/ita_comp_ima.c
@@ -683,7 +683,7 @@ METHOD(pts_component_t, verify, status_t,
 					status = this->pts_db->check_comp_measurement(this->pts_db,
 										measurement, this->bios_cid, this->kid,
 										++this->seq_no,	pcr, algo);
-					if (status != SUCCESS)
+					if (status == FAILED)
 					{
 						return status;
 					}
@@ -803,7 +803,7 @@ METHOD(pts_component_t, verify, status_t,
 		}
 		if (pcrs->set(pcrs, pcr, pcr_after))
 		{
-			return SUCCESS;
+			return status;
 		}
 	}
 	else
@@ -811,7 +811,7 @@ METHOD(pts_component_t, verify, status_t,
 		pcr_after = pcrs->extend(pcrs, pcr, measurement);
 		if (pcr_after.ptr)
 		{
-			return SUCCESS;
+			return status;
 		}
 	}
 	return FAILED;
@@ -951,7 +951,7 @@ pts_component_t *pts_ita_comp_ima_create(u_int32_t depth,
 		.bios_list = linked_list_create(),
 		.ima_list = linked_list_create(),
 		.pcr_info = lib->settings->get_bool(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr_info", TRUE),
+						"%s.plugins.imc-attestation.pcr_info", TRUE, lib->ns),
 		.ref = 1,
 	);
 
diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c
index 8fb5abddf..f4859f801 100644
--- a/src/libpts/pts/components/ita/ita_comp_tboot.c
+++ b/src/libpts/pts/components/ita/ita_comp_tboot.c
@@ -130,21 +130,21 @@ METHOD(pts_component_t, measure, status_t,
 			/* dummy data since currently the TBOOT log is not retrieved */
 			time(&this->measurement_time);
 			meas_hex = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr17_meas", NULL);
+						"%s.plugins.imc-attestation.pcr17_meas", NULL, lib->ns);
 			pcr_before_hex = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr17_before", NULL);
+						"%s.plugins.imc-attestation.pcr17_before", NULL, lib->ns);
 			pcr_after_hex = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr17_after", NULL);
+						"%s.plugins.imc-attestation.pcr17_after", NULL, lib->ns);
 			extended_pcr = PCR_TBOOT_POLICY;
 			break;
 		case 1:
 			/* dummy data since currently the TBOOT log is not retrieved */
 			meas_hex = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr18_meas", NULL);
+						"%s.plugins.imc-attestation.pcr18_meas", NULL, lib->ns);
 			pcr_before_hex = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr18_before", NULL);
+						"%s.plugins.imc-attestation.pcr18_before", NULL, lib->ns);
 			pcr_after_hex = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.pcr18_after", NULL);
+						"%s.plugins.imc-attestation.pcr18_after", NULL, lib->ns);
 			extended_pcr = PCR_TBOOT_MLE;
 			break;
 		default:
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index f646d67e1..8699282f0 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -377,7 +377,7 @@ static void load_aik_blob(private_pts_t *this)
 	u_int32_t aikBlobLen;
 
 	blob_path = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.aik_blob", NULL);
+						"%s.plugins.imc-attestation.aik_blob", NULL, lib->ns);
 
 	if (blob_path)
 	{
@@ -418,9 +418,9 @@ static void load_aik(private_pts_t *this)
 	char *cert_path, *key_path;
 
 	cert_path = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.aik_cert", NULL);
+						"%s.plugins.imc-attestation.aik_cert", NULL, lib->ns);
 	key_path = lib->settings->get_str(lib->settings,
-						"libimcv.plugins.imc-attestation.aik_key", NULL);
+						"%s.plugins.imc-attestation.aik_key", NULL, lib->ns);
 
 	if (cert_path)
 	{
@@ -627,7 +627,7 @@ METHOD(pts_t, get_metadata, pts_file_meta_t*,
 			metadata->destroy(metadata);
 			return NULL;
 		}
-		entry->filename = strdup(basename(pathname));
+		entry->filename = path_basename(pathname);
 		metadata->add(metadata, entry);
 	}
 
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index e5a06cc8d..07e8ae1da 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -15,6 +15,7 @@
 
 #define _GNU_SOURCE
 #include <stdio.h>
+#include <libgen.h>
 
 #include "pts_database.h"
 
@@ -248,13 +249,62 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 	enumerator_t *e;
 	chunk_t hash;
 	status_t status = NOT_FOUND;
+	char *dir, *file;
+
+	if (strlen(filename) < 1)
+	{
+		return INVALID_ARG;
+	}
+
+	/* separate filename into directory and basename components */
+	dir = path_dirname(filename);
+	file = path_basename(filename);
+
+	if (*dir == '.')
+	{	/* relative pathname */
+		e = this->db->query(this->db,
+				"SELECT fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"JOIN products AS p ON p.id = fh.product "
+				"WHERE p.name = ? AND f.name = ? AND fh.algo = ?",
+		DB_TEXT, product, DB_TEXT, file, DB_INT, algo, DB_BLOB);
+	}
+	else
+	{	/* absolute pathname */
+		bool dir_found;
+		int did;
+
+		/* find directory entry first */
+		e = this->db->query(this->db,
+				"SELECT id FROM directories WHERE path = ?",
+				DB_TEXT, dir, DB_INT);
+		if (!e)
+		{
+			free(file);
+			free(dir);
+			return FAILED;
+		}
+		dir_found = e->enumerate(e, &did);
+		e->destroy(e);
+
+		if (!dir_found)
+		{
+			free(file);
+			free(dir);
+			return NOT_FOUND;
+		}
+
+		e = this->db->query(this->db,
+				"SELECT fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"JOIN products AS p ON p.id = fh.product "
+				"WHERE p.name = ? AND f.dir = ? AND f.name = ? AND fh.algo = ?",
+				DB_TEXT, product, DB_INT, did, DB_TEXT, file, DB_INT, algo,
+				DB_BLOB);
+	}
+	free(file);
+	free(dir);
 
-	e = this->db->query(this->db,
-		"SELECT fh.hash FROM file_hashes AS fh "
-		"JOIN files AS f ON f.id = fh.file "
-		"JOIN products AS p ON p.id = fh.product "
-		"WHERE p.name = ? AND f.path = ? AND fh.algo = ?",
-		DB_TEXT, product, DB_TEXT, filename, DB_INT, algo, DB_BLOB);
 	if (!e)
 	{
 		return FAILED;
diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c
index f684087d7..77a0957bb 100644
--- a/src/libpts/pts/pts_file_meas.c
+++ b/src/libpts/pts/pts_file_meas.c
@@ -341,9 +341,10 @@ pts_file_meas_t *pts_file_meas_create_from_path(u_int16_t request_id,
 			success = FALSE;
 			goto end;
 		}
-		filename = use_rel_name ? basename(pathname) : pathname;
+		filename = use_rel_name ? path_basename(pathname) : strdup(pathname);
 		DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
 		add(this, filename, measurement);
+		free(filename);
 	}
 
 end:
diff --git a/src/libpts/swid/swid_inventory.c b/src/libpts/swid/swid_inventory.c
index a689ccdaa..a71682f43 100644
--- a/src/libpts/swid/swid_inventory.c
+++ b/src/libpts/swid/swid_inventory.c
@@ -24,7 +24,6 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/stat.h>
-#include <sys/mman.h>
 #include <libgen.h>
 #include <errno.h>
 
@@ -178,40 +177,19 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname,
 		if (this->full_tags)
 		{
 			swid_tag_t *tag;
-			chunk_t xml_tag;
-			struct stat sb;
-			void *addr;
-			int fd;
+			chunk_t *xml_tag;
 
-			fd = open(abs_name, O_RDONLY);
-			if (fd == -1)
+			xml_tag = chunk_map(abs_name, FALSE);
+			if (!xml_tag)
 			{
 				DBG1(DBG_IMC, "  opening '%s' failed: %s", abs_name,
 					 strerror(errno));
 				goto end;
 			}
 
-			if (fstat(fd, &sb) == -1)
-			{
-				DBG1(DBG_IMC, "  getting file size of '%s' failed: %s", abs_name,
-			 		 strerror(errno));
-				close(fd);
-				goto end;
-			}
-
-			addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-			if (addr == MAP_FAILED)
-			{
-				DBG1(DBG_IMC, "  mapping '%s' failed: %s", abs_name,
-					 strerror(errno));
-				close(fd);
-				goto end;
-			}
-			xml_tag = chunk_create(addr, sb.st_size);
-			tag = swid_tag_create(xml_tag, unique_seq_id);
+			tag = swid_tag_create(*xml_tag, unique_seq_id);
 			this->list->insert_last(this->list, tag);
-			munmap(addr, sb.st_size);
-			close(fd);
+			chunk_unmap(xml_tag);
 		}
 		else
 		{
@@ -290,5 +268,3 @@ swid_inventory_t *swid_inventory_create(bool full_tags)
 
 	return &this->public;
 }
-
-
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c
index f0bc7cf60..c5a2f4b8a 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "tcg_pts_attr_req_file_meas.h"
 
 #include <pa_tnc/pa_tnc_msg.h>
@@ -20,8 +23,6 @@
 #include <bio/bio_reader.h>
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_tcg_pts_attr_req_file_meas_t private_tcg_pts_attr_req_file_meas_t;
 
 /**
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c
index e475cd35b..8d703af65 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "tcg_pts_attr_req_file_meta.h"
 
 #include <pa_tnc/pa_tnc_msg.h>
@@ -20,8 +23,6 @@
 #include <bio/bio_reader.h>
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_tcg_pts_attr_req_file_meta_t private_tcg_pts_attr_req_file_meta_t;
 
 /**
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c
index 5249fa2ad..e10845bbb 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c
@@ -286,7 +286,7 @@ METHOD(tcg_pts_attr_req_func_comp_evid_t, add_component, void,
 	entry = malloc_thing(entry_t);
 	entry->flags = flags;
 	entry->depth = depth;
-	entry->name = name;
+	entry->name = name->clone(name);
 	this->list->insert_last(this->list, entry);
 }
 
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c
index f96371b8b..eff64c229 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
 #include "tcg_pts_attr_unix_file_meta.h"
 
 #include <pa_tnc/pa_tnc_msg.h>
@@ -21,8 +24,6 @@
 #include <collections/linked_list.h>
 #include <utils/debug.h>
 
-#include <string.h>
-
 typedef struct private_tcg_pts_attr_file_meta_t private_tcg_pts_attr_file_meta_t;
 
 /**
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index c9d6c3935..c827cb598 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 8af48522c..d903de883 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -211,8 +211,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -280,6 +278,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,12 +371,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -388,6 +395,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 8e6050291..ee824abdb 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -211,8 +211,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -280,6 +278,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,12 +371,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -388,6 +395,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 1a13fdd71..440913071 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -36,7 +36,8 @@ selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
 utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
-utils/printf_hook/printf_hook_vstr.c utils/settings.c
+utils/printf_hook/printf_hook_builtin.c utils/settings.c utils/test.c \
+utils/utils/strerror.c
 
 # adding the plugin source files
 
@@ -96,9 +97,6 @@ LOCAL_SRC_FILES += $(call add_plugin, xcbc)
 
 # build libstrongswan ----------------------------------------------------------
 
-LOCAL_C_INCLUDES += \
-	$(libvstr_PATH)
-
 LOCAL_CFLAGS := $(strongswan_CFLAGS) \
 	-include $(LOCAL_PATH)/AndroidConfigLocal.h
 
@@ -110,6 +108,6 @@ LOCAL_ARM_MODE := arm
 
 LOCAL_PRELINK_MODULE := false
 
-LOCAL_SHARED_LIBRARIES += libdl libvstr
+LOCAL_SHARED_LIBRARIES += libdl
 
 include $(BUILD_SHARED_LIBRARY)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 3804adb03..b3a4eda99 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -34,7 +34,8 @@ selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
 utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
-utils/settings.c
+utils/settings.c utils/test.c \
+utils/utils/strerror.c
 
 if USE_DEV_HEADERS
 strongswan_includedir = ${dev_headers}
@@ -82,7 +83,8 @@ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
 utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
 utils/leak_detective.h utils/printf_hook/printf_hook.h \
 utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-utils/settings.h utils/integrity_checker.h
+utils/settings.h utils/test.h utils/integrity_checker.h \
+utils/utils/strerror.h
 endif
 
 library.lo :	$(top_builddir)/config.status
@@ -481,6 +483,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_NTRU
+  SUBDIRS += plugins/ntru
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ntru/libstrongswan-ntru.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
@@ -488,9 +497,7 @@ if MONOLITHIC
 endif
 endif
 
-if UNITTESTS
 if MONOLITHIC
   SUBDIRS += .
 endif
-  SUBDIRS += tests
-endif
+SUBDIRS += tests
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index c9718e659..64396b51f 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -178,10 +178,10 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_97 = plugins/ccm/libstrongswan-ccm.la
 @USE_GCM_TRUE@am__append_98 = plugins/gcm
 @MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_99 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_100 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_101 = plugins/test_vectors/libstrongswan-test-vectors.la
-@MONOLITHIC_TRUE@@UNITTESTS_TRUE@am__append_102 = .
-@UNITTESTS_TRUE@am__append_103 = tests
+@USE_NTRU_TRUE@am__append_100 = plugins/ntru
+@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_101 = plugins/ntru/libstrongswan-ntru.la
+@USE_TEST_VECTORS_TRUE@am__append_102 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_103 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp \
@@ -254,7 +254,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_83) $(am__append_85) $(am__append_87) \
 	$(am__append_89) $(am__append_91) $(am__append_93) \
 	$(am__append_95) $(am__append_97) $(am__append_99) \
-	$(am__append_101)
+	$(am__append_101) $(am__append_103)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -300,8 +300,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
 	utils/identification.c utils/lexparser.c utils/optionsfrom.c \
 	utils/capabilities.c utils/backtrace.c utils/settings.c \
-	utils/leak_detective.c utils/integrity_checker.c \
-	utils/printf_hook/printf_hook_vstr.c \
+	utils/test.c utils/utils/strerror.c utils/leak_detective.c \
+	utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \
 	utils/printf_hook/printf_hook_builtin.c \
 	utils/printf_hook/printf_hook_glibc.c
 am__dirstamp = $(am__leading_dot)dirstamp
@@ -355,9 +355,9 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	threading/spinlock.lo utils/utils.lo utils/chunk.lo \
 	utils/debug.lo utils/enum.lo utils/identification.lo \
 	utils/lexparser.lo utils/optionsfrom.lo utils/capabilities.lo \
-	utils/backtrace.lo utils/settings.lo $(am__objects_1) \
-	$(am__objects_2) $(am__objects_3) $(am__objects_4) \
-	$(am__objects_5)
+	utils/backtrace.lo utils/settings.lo utils/test.lo \
+	utils/utils/strerror.lo $(am__objects_1) $(am__objects_2) \
+	$(am__objects_3) $(am__objects_4) $(am__objects_5)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -468,7 +468,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	utils/printf_hook/printf_hook.h \
 	utils/printf_hook/printf_hook_vstr.h \
 	utils/printf_hook/printf_hook_builtin.h utils/settings.h \
-	utils/integrity_checker.h
+	utils/test.h utils/integrity_checker.h utils/utils/strerror.h
 HEADERS = $(nobase_strongswan_include_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
@@ -508,7 +508,8 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
 	plugins/padlock plugins/openssl plugins/gcrypt \
 	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
-	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors tests
+	plugins/ctr plugins/ccm plugins/gcm plugins/ntru \
+	plugins/test_vectors tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -549,8 +550,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -618,6 +617,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -706,12 +710,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -726,6 +734,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -781,8 +790,9 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
 	utils/identification.c utils/lexparser.c utils/optionsfrom.c \
 	utils/capabilities.c utils/backtrace.c utils/settings.c \
-	$(am__append_2) $(am__append_5) $(am__append_6) \
-	$(am__append_8) $(am__append_10)
+	utils/test.c utils/utils/strerror.c $(am__append_2) \
+	$(am__append_5) $(am__append_6) $(am__append_8) \
+	$(am__append_10)
 @USE_DEV_HEADERS_TRUE@strongswan_includedir = ${dev_headers}
 @USE_DEV_HEADERS_TRUE@nobase_strongswan_include_HEADERS = \
 @USE_DEV_HEADERS_TRUE@library.h \
@@ -828,7 +838,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
 @USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook/printf_hook.h \
 @USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-@USE_DEV_HEADERS_TRUE@utils/settings.h utils/integrity_checker.h
+@USE_DEV_HEADERS_TRUE@utils/settings.h utils/test.h utils/integrity_checker.h \
+@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h
 
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_7) \
@@ -847,7 +858,7 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
 	$(am__append_87) $(am__append_89) $(am__append_91) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
-	$(am__append_99) $(am__append_101)
+	$(am__append_99) $(am__append_101) $(am__append_103)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -894,8 +905,7 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
 @MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
 @MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
-@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) \
-@MONOLITHIC_FALSE@	$(am__append_103)
+@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) tests
 
 # build plugins with their own Makefile
 #######################################
@@ -921,8 +931,7 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
 @MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
 @MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
-@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) \
-@MONOLITHIC_TRUE@	$(am__append_103)
+@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) . tests
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -1354,6 +1363,15 @@ utils/backtrace.lo: utils/$(am__dirstamp) \
 	utils/$(DEPDIR)/$(am__dirstamp)
 utils/settings.lo: utils/$(am__dirstamp) \
 	utils/$(DEPDIR)/$(am__dirstamp)
+utils/test.lo: utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp)
+utils/utils/$(am__dirstamp):
+	@$(MKDIR_P) utils/utils
+	@: > utils/utils/$(am__dirstamp)
+utils/utils/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) utils/utils/$(DEPDIR)
+	@: > utils/utils/$(DEPDIR)/$(am__dirstamp)
+utils/utils/strerror.lo: utils/utils/$(am__dirstamp) \
+	utils/utils/$(DEPDIR)/$(am__dirstamp)
 utils/leak_detective.lo: utils/$(am__dirstamp) \
 	utils/$(DEPDIR)/$(am__dirstamp)
 utils/integrity_checker.lo: utils/$(am__dirstamp) \
@@ -1443,6 +1461,8 @@ mostlyclean-compile:
 	-rm -f utils/*.lo
 	-rm -f utils/printf_hook/*.$(OBJEXT)
 	-rm -f utils/printf_hook/*.lo
+	-rm -f utils/utils/*.$(OBJEXT)
+	-rm -f utils/utils/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
@@ -1536,10 +1556,12 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/optionsfrom.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/test.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/utils.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_builtin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_glibc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_vstr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/strerror.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -1602,6 +1624,7 @@ clean-libtool:
 	-rm -rf threading/.libs threading/_libs
 	-rm -rf utils/.libs utils/_libs
 	-rm -rf utils/printf_hook/.libs utils/printf_hook/_libs
+	-rm -rf utils/utils/.libs utils/utils/_libs
 install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS)
 	@$(NORMAL_INSTALL)
 	@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
@@ -1881,6 +1904,8 @@ distclean-generic:
 	-rm -f utils/$(am__dirstamp)
 	-rm -f utils/printf_hook/$(DEPDIR)/$(am__dirstamp)
 	-rm -f utils/printf_hook/$(am__dirstamp)
+	-rm -f utils/utils/$(DEPDIR)/$(am__dirstamp)
+	-rm -f utils/utils/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -1893,7 +1918,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1940,7 +1965,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d860ad9a2..38a6ad688 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -88,7 +88,7 @@ int asn1_known_oid(chunk_t object)
 			}
 		}
 	}
-	return -1;
+	return OID_UNKNOWN;
 }
 
 /*
@@ -129,7 +129,8 @@ chunk_t asn1_build_known_oid(int n)
 chunk_t asn1_oid_from_string(char *str)
 {
 	enumerator_t *enumerator;
-	u_char buf[64];
+	size_t buf_len = 64;
+	u_char buf[buf_len];
 	char *end;
 	int i = 0, pos = 0, shift;
 	u_int val, shifted_val, first = 0;
@@ -138,7 +139,7 @@ chunk_t asn1_oid_from_string(char *str)
 	while (enumerator->enumerate(enumerator, &str))
 	{
 		val = strtoul(str, &end, 10);
-		if (end == str || pos > countof(buf))
+		if (end == str || pos > buf_len-4)
 		{
 			pos = 0;
 			break;
@@ -175,8 +176,9 @@ chunk_t asn1_oid_from_string(char *str)
  */
 char *asn1_oid_to_string(chunk_t oid)
 {
-	char buf[64], *pos = buf;
-	int len;
+	size_t len = 64;
+	char buf[len], *pos = buf;
+	int written;
 	u_int val;
 
 	if (!oid.len)
@@ -184,13 +186,14 @@ char *asn1_oid_to_string(chunk_t oid)
 		return NULL;
 	}
 	val = oid.ptr[0] / 40;
-	len = snprintf(buf, sizeof(buf), "%u.%u", val, oid.ptr[0] - val * 40);
+	written = snprintf(buf, len, "%u.%u", val, oid.ptr[0] - val * 40);
 	oid = chunk_skip(oid, 1);
-	if (len < 0 || len >= sizeof(buf))
+	if (written < 0 || written >= len)
 	{
 		return NULL;
 	}
-	pos += len;
+	pos += written;
+	len -= written;
 	val = 0;
 
 	while (oid.len)
@@ -199,12 +202,13 @@ char *asn1_oid_to_string(chunk_t oid)
 
 		if (oid.ptr[0] < 128)
 		{
-			len = snprintf(pos, sizeof(buf) + buf - pos, ".%u", val);
-			if (len < 0 || len >= sizeof(buf) + buf - pos)
+			written = snprintf(pos, len, ".%u", val);
+			if (written < 0 || written >= len)
 			{
 				return NULL;
 			}
-			pos += len;
+			pos += written;
+			len -= written;
 			val = 0;
 		}
 		oid = chunk_skip(oid, 1);
@@ -296,7 +300,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
 	else
 	{	/* composite length, determine number of length octets */
 		len &= 0x7f;
-		if (len == 0 || len > sizeof(res.len))
+		if (len == 0 || len > blob->len || len > sizeof(res.len))
 		{
 			return ASN1_INVALID;
 		}
@@ -389,8 +393,8 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 		tm_year += (tm_year < 50) ? 2000 : 1900;
 	}
 
-	/* prevent large 32 bit integer overflows */
-	if (sizeof(time_t) == 4 && tm_year > 2038)
+	/* prevent obvious 32 bit integer overflows */
+	if (sizeof(time_t) == 4 && (tm_year > 2038 || tm_year < 1901))
 	{
 		return TIME_32_BIT_SIGNED_MAX;
 	}
@@ -398,13 +402,24 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	/* representation of months as 0..11*/
 	if (tm_mon < 1 || tm_mon > 12)
 	{
-		return 0; /* error in month format */
+		return 0;
 	}
 	tm_mon--;
 
 	/* representation of days as 0..30 */
+	if (tm_day < 1 || tm_day > 31)
+	{	/* we don't actually validate the day in relation to tm_year/tm_mon */
+		return 0;
+	}
 	tm_day--;
 
+	if (tm_hour < 0 || tm_hour > 23 ||
+		tm_min < 0 || tm_min > 59 ||
+		tm_sec < 0 || tm_sec > 60 /* allow leap seconds */)
+	{
+		return 0;
+	}
+
 	/* number of leap years between last year and 1970? */
 	tm_leap_4 = (tm_year - 1) / 4;
 	tm_leap_100 = tm_leap_4 / 25;
@@ -420,8 +435,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	tm_days = 365 * (tm_year - 1970) + days[tm_mon] + tm_day + tm_leap;
 	tm_secs = 60 * (60 * (24 * tm_days + tm_hour) + tm_min) + tm_sec - tz_offset;
 
-	/* has a 32 bit signed integer overflow occurred? */
-	return (tm_secs < 0) ? TIME_32_BIT_SIGNED_MAX : tm_secs;
+	if (sizeof(time_t) == 4)
+	{	/* has a 32 bit signed integer overflow occurred? */
+		if (tm_year > 1970 && tm_secs < 0)
+		{	/* depending on the time zone, the first days in 1970 may result in
+			 * a negative value, but dates after 1970 never will */
+			return TIME_32_BIT_SIGNED_MAX;
+		}
+		if (tm_year < 1969 && tm_secs > 0)
+		{	/* similarly, tm_secs is not positive for dates before 1970, except
+			 * for the last days in 1969, depending on the time zone */
+			return TIME_32_BIT_SIGNED_MAX;
+		}
+	}
+	return tm_secs;
 }
 
 /**
@@ -537,7 +564,7 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
 
 	len = asn1_length(object);
 
-	if (len == ASN1_INVALID_LENGTH || object->len < len)
+	if (len == ASN1_INVALID_LENGTH)
 	{
 		DBG2(DBG_ASN, "L%d - %s:  length of ASN.1 object invalid or too large",
 			 level, name);
@@ -675,7 +702,9 @@ bool asn1_is_printablestring(chunk_t str)
 	for (i = 0; i < str.len; i++)
 	{
 		if (strchr(printablestring_charset, str.ptr[i]) == NULL)
+		{
 			return FALSE;
+		}
 	}
 	return TRUE;
 }
@@ -781,10 +810,17 @@ chunk_t asn1_integer(const char *mode, chunk_t content)
 	chunk_t object;
 	size_t len;
 	u_char *pos;
+	bool move;
+
 
 	if (content.len == 0)
 	{	/* make sure 0 is encoded properly */
 		content = chunk_from_chars(0x00);
+		move = FALSE;
+	}
+	else
+	{
+		move = (*mode == 'm');
 	}
 
 	/* ASN.1 integers must be positive numbers in two's complement */
@@ -794,11 +830,9 @@ chunk_t asn1_integer(const char *mode, chunk_t content)
 	{
 		*pos++ = 0x00;
 	}
-	if (len)
-	{
-		memcpy(pos, content.ptr, content.len);
-	}
-	if (*mode == 'm')
+	memcpy(pos, content.ptr, content.len);
+
+	if (move)
 	{
 		free(content.ptr);
 	}
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index a1d625380..7a48292af 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -191,6 +191,13 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private);
 /**
  * Converts an ASN.1 UTCTIME or GENERALIZEDTIME string to time_t
  *
+ * On systems where sizeof(time_t) == 4 there will be an overflow
+ * for dates
+ *   > Tue, 19 Jan 2038 03:14:07 UTC (0x7fffffff)
+ * and
+ *   < Fri, 13 Dec 1901 20:45:52 UTC (0x80000000)
+ * in both cases TIME_32_BIT_SIGNED_MAX is returned.
+ *
  * @param utctime	body of an ASN.1 coded time object
  * @param type		ASN1_UTCTIME or ASN1_GENERALIZEDTIME
  * @return			time_t in UTC
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index c31fb75f0..e7b7a428d 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -160,6 +160,7 @@ METHOD(asn1_parser_t, iterate, bool,
 		DBG1(DBG_ASN, "L%d - %s:  length of ASN.1 object invalid or too large",
 					level, obj.name);
 		this->success = FALSE;
+		goto end;
 	}
 
 	blob1->ptr = blob->ptr;
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index a0e882b2c..6fa8f4e54 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -75,7 +75,7 @@ const oid_t oid_names[] = {
  {    0x36,                    63, 0,  2, "inhibitAnyPolicy"               }, /*  62 */
  {    0x37,                    64, 0,  2, "targetInformation"              }, /*  63 */
  {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  64 */
- {0x2A,                       188, 1,  0, ""                               }, /*  65 */
+ {0x2A,                       189, 1,  0, ""                               }, /*  65 */
  {  0x83,                      78, 1,  1, ""                               }, /*  66 */
  {    0x08,                     0, 1,  2, "jp"                             }, /*  67 */
  {      0x8C,                   0, 1,  3, ""                               }, /*  68 */
@@ -90,7 +90,7 @@ const oid_t oid_names[] = {
  {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  77 */
  {  0x86,                       0, 1,  1, ""                               }, /*  78 */
  {    0x48,                     0, 1,  2, "us"                             }, /*  79 */
- {      0x86,                 147, 1,  3, ""                               }, /*  80 */
+ {      0x86,                 148, 1,  3, ""                               }, /*  80 */
  {        0xF6,                86, 1,  4, ""                               }, /*  81 */
  {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  82 */
  {            0x07,             0, 1,  6, "Entrust"                        }, /*  83 */
@@ -98,320 +98,344 @@ const oid_t oid_names[] = {
  {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  85 */
  {        0xF7,                 0, 1,  4, ""                               }, /*  86 */
  {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  87 */
- {            0x01,           142, 1,  6, "PKCS"                           }, /*  88 */
- {              0x01,         100, 1,  7, "PKCS-1"                         }, /*  89 */
+ {            0x01,           143, 1,  6, "PKCS"                           }, /*  88 */
+ {              0x01,         101, 1,  7, "PKCS-1"                         }, /*  89 */
  {                0x01,        91, 0,  8, "rsaEncryption"                  }, /*  90 */
  {                0x02,        92, 0,  8, "md2WithRSAEncryption"           }, /*  91 */
  {                0x04,        93, 0,  8, "md5WithRSAEncryption"           }, /*  92 */
  {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"         }, /*  93 */
  {                0x07,        95, 0,  8, "id-RSAES-OAEP"                  }, /*  94 */
- {                0x09,        96, 0,  8, "id-pSpecified"                  }, /*  95 */
- {                0x0B,        97, 0,  8, "sha256WithRSAEncryption"        }, /*  96 */
- {                0x0C,        98, 0,  8, "sha384WithRSAEncryption"        }, /*  97 */
- {                0x0D,        99, 0,  8, "sha512WithRSAEncryption"        }, /*  98 */
- {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /*  99 */
- {              0x05,         105, 1,  7, "PKCS-5"                         }, /* 100 */
- {                0x03,       102, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 101 */
- {                0x0A,       103, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 102 */
- {                0x0C,       104, 0,  8, "id-PBKDF2"                      }, /* 103 */
- {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 104 */
- {              0x07,         112, 1,  7, "PKCS-7"                         }, /* 105 */
- {                0x01,       107, 0,  8, "data"                           }, /* 106 */
- {                0x02,       108, 0,  8, "signedData"                     }, /* 107 */
- {                0x03,       109, 0,  8, "envelopedData"                  }, /* 108 */
- {                0x04,       110, 0,  8, "signedAndEnvelopedData"         }, /* 109 */
- {                0x05,       111, 0,  8, "digestedData"                   }, /* 110 */
- {                0x06,         0, 0,  8, "encryptedData"                  }, /* 111 */
- {              0x09,         126, 1,  7, "PKCS-9"                         }, /* 112 */
- {                0x01,       114, 0,  8, "E"                              }, /* 113 */
- {                0x02,       115, 0,  8, "unstructuredName"               }, /* 114 */
- {                0x03,       116, 0,  8, "contentType"                    }, /* 115 */
- {                0x04,       117, 0,  8, "messageDigest"                  }, /* 116 */
- {                0x05,       118, 0,  8, "signingTime"                    }, /* 117 */
- {                0x06,       119, 0,  8, "counterSignature"               }, /* 118 */
- {                0x07,       120, 0,  8, "challengePassword"              }, /* 119 */
- {                0x08,       121, 0,  8, "unstructuredAddress"            }, /* 120 */
- {                0x0E,       122, 0,  8, "extensionRequest"               }, /* 121 */
- {                0x0F,       123, 0,  8, "S/MIME Capabilities"            }, /* 122 */
- {                0x16,         0, 1,  8, "certTypes"                      }, /* 123 */
- {                  0x01,     125, 0,  9, "X.509"                          }, /* 124 */
- {                  0x02,       0, 0,  9, "SDSI"                           }, /* 125 */
- {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 126 */
- {                0x01,       134, 1,  8, "pbeIds"                         }, /* 127 */
- {                  0x01,     129, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 128 */
- {                  0x02,     130, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 129 */
- {                  0x03,     131, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 130 */
- {                  0x04,     132, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 131 */
- {                  0x05,     133, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 132 */
- {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 133 */
- {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 134 */
- {                  0x01,       0, 1,  9, "bagIds"                         }, /* 135 */
- {                    0x01,   137, 0, 10, "keyBag"                         }, /* 136 */
- {                    0x02,   138, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 137 */
- {                    0x03,   139, 0, 10, "certBag"                        }, /* 138 */
- {                    0x04,   140, 0, 10, "crlBag"                         }, /* 139 */
- {                    0x05,   141, 0, 10, "secretBag"                      }, /* 140 */
- {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 141 */
- {            0x02,           145, 1,  6, "digestAlgorithm"                }, /* 142 */
- {              0x02,         144, 0,  7, "md2"                            }, /* 143 */
- {              0x05,           0, 0,  7, "md5"                            }, /* 144 */
- {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 145 */
- {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 146 */
- {      0xCE,                   0, 1,  3, ""                               }, /* 147 */
- {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 148 */
- {          0x02,             151, 1,  5, "id-publicKeyType"               }, /* 149 */
- {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 150 */
- {          0x03,             181, 1,  5, "ellipticCurve"                  }, /* 151 */
- {            0x00,           173, 1,  6, "c-TwoCurve"                     }, /* 152 */
- {              0x01,         154, 0,  7, "c2pnb163v1"                     }, /* 153 */
- {              0x02,         155, 0,  7, "c2pnb163v2"                     }, /* 154 */
- {              0x03,         156, 0,  7, "c2pnb163v3"                     }, /* 155 */
- {              0x04,         157, 0,  7, "c2pnb176w1"                     }, /* 156 */
- {              0x05,         158, 0,  7, "c2tnb191v1"                     }, /* 157 */
- {              0x06,         159, 0,  7, "c2tnb191v2"                     }, /* 158 */
- {              0x07,         160, 0,  7, "c2tnb191v3"                     }, /* 159 */
- {              0x08,         161, 0,  7, "c2onb191v4"                     }, /* 160 */
- {              0x09,         162, 0,  7, "c2onb191v5"                     }, /* 161 */
- {              0x0A,         163, 0,  7, "c2pnb208w1"                     }, /* 162 */
- {              0x0B,         164, 0,  7, "c2tnb239v1"                     }, /* 163 */
- {              0x0C,         165, 0,  7, "c2tnb239v2"                     }, /* 164 */
- {              0x0D,         166, 0,  7, "c2tnb239v3"                     }, /* 165 */
- {              0x0E,         167, 0,  7, "c2onb239v4"                     }, /* 166 */
- {              0x0F,         168, 0,  7, "c2onb239v5"                     }, /* 167 */
- {              0x10,         169, 0,  7, "c2pnb272w1"                     }, /* 168 */
- {              0x11,         170, 0,  7, "c2pnb304w1"                     }, /* 169 */
- {              0x12,         171, 0,  7, "c2tnb359v1"                     }, /* 170 */
- {              0x13,         172, 0,  7, "c2pnb368w1"                     }, /* 171 */
- {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 172 */
- {            0x01,             0, 1,  6, "primeCurve"                     }, /* 173 */
- {              0x01,         175, 0,  7, "prime192v1"                     }, /* 174 */
- {              0x02,         176, 0,  7, "prime192v2"                     }, /* 175 */
- {              0x03,         177, 0,  7, "prime192v3"                     }, /* 176 */
- {              0x04,         178, 0,  7, "prime239v1"                     }, /* 177 */
- {              0x05,         179, 0,  7, "prime239v2"                     }, /* 178 */
- {              0x06,         180, 0,  7, "prime239v3"                     }, /* 179 */
- {              0x07,           0, 0,  7, "prime256v1"                     }, /* 180 */
- {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 181 */
- {            0x01,           183, 0,  6, "ecdsa-with-SHA1"                }, /* 182 */
- {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 183 */
- {              0x01,         185, 0,  7, "ecdsa-with-SHA224"              }, /* 184 */
- {              0x02,         186, 0,  7, "ecdsa-with-SHA256"              }, /* 185 */
- {              0x03,         187, 0,  7, "ecdsa-with-SHA384"              }, /* 186 */
- {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 187 */
- {0x2B,                       348, 1,  0, ""                               }, /* 188 */
- {  0x06,                     262, 1,  1, "dod"                            }, /* 189 */
- {    0x01,                     0, 1,  2, "internet"                       }, /* 190 */
- {      0x04,                 213, 1,  3, "private"                        }, /* 191 */
- {        0x01,                 0, 1,  4, "enterprise"                     }, /* 192 */
- {          0x82,             206, 1,  5, ""                               }, /* 193 */
- {            0x37,           203, 1,  6, "Microsoft"                      }, /* 194 */
- {              0x0A,         199, 1,  7, ""                               }, /* 195 */
- {                0x03,         0, 1,  8, ""                               }, /* 196 */
- {                  0x03,     198, 0,  9, "msSGC"                          }, /* 197 */
- {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 198 */
- {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"     }, /* 199 */
- {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 200 */
- {                  0x02,     202, 0,  9, "msSmartcardLogon"               }, /* 201 */
- {                  0x03,       0, 0,  9, "msUPN"                          }, /* 202 */
- {            0xA0,             0, 1,  6, ""                               }, /* 203 */
- {              0x2A,           0, 1,  7, "ITA"                            }, /* 204 */
- {                0x01,         0, 0,  8, "strongSwan"                     }, /* 205 */
- {          0x89,               0, 1,  5, ""                               }, /* 206 */
- {            0x31,             0, 1,  6, ""                               }, /* 207 */
- {              0x01,           0, 1,  7, ""                               }, /* 208 */
- {                0x01,         0, 1,  8, ""                               }, /* 209 */
- {                  0x02,       0, 1,  9, ""                               }, /* 210 */
- {                    0x02,     0, 1, 10, ""                               }, /* 211 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 212 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 213 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 214 */
- {          0x07,             259, 1,  5, "id-pkix"                        }, /* 215 */
- {            0x01,           220, 1,  6, "id-pe"                          }, /* 216 */
- {              0x01,         218, 0,  7, "authorityInfoAccess"            }, /* 217 */
- {              0x03,         219, 0,  7, "qcStatements"                   }, /* 218 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 219 */
- {            0x02,           223, 1,  6, "id-qt"                          }, /* 220 */
- {              0x01,         222, 0,  7, "cps"                            }, /* 221 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 222 */
- {            0x03,           233, 1,  6, "id-kp"                          }, /* 223 */
- {              0x01,         225, 0,  7, "serverAuth"                     }, /* 224 */
- {              0x02,         226, 0,  7, "clientAuth"                     }, /* 225 */
- {              0x03,         227, 0,  7, "codeSigning"                    }, /* 226 */
- {              0x04,         228, 0,  7, "emailProtection"                }, /* 227 */
- {              0x05,         229, 0,  7, "ipsecEndSystem"                 }, /* 228 */
- {              0x06,         230, 0,  7, "ipsecTunnel"                    }, /* 229 */
- {              0x07,         231, 0,  7, "ipsecUser"                      }, /* 230 */
- {              0x08,         232, 0,  7, "timeStamping"                   }, /* 231 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 232 */
- {            0x08,           241, 1,  6, "id-otherNames"                  }, /* 233 */
- {              0x01,         235, 0,  7, "personalData"                   }, /* 234 */
- {              0x02,         236, 0,  7, "userGroup"                      }, /* 235 */
- {              0x03,         237, 0,  7, "id-on-permanentIdentifier"      }, /* 236 */
- {              0x04,         238, 0,  7, "id-on-hardwareModuleName"       }, /* 237 */
- {              0x05,         239, 0,  7, "xmppAddr"                       }, /* 238 */
- {              0x06,         240, 0,  7, "id-on-SIM"                      }, /* 239 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 240 */
- {            0x0A,           246, 1,  6, "id-aca"                         }, /* 241 */
- {              0x01,         243, 0,  7, "authenticationInfo"             }, /* 242 */
- {              0x02,         244, 0,  7, "accessIdentity"                 }, /* 243 */
- {              0x03,         245, 0,  7, "chargingIdentity"               }, /* 244 */
- {              0x04,           0, 0,  7, "group"                          }, /* 245 */
- {            0x0B,           247, 0,  6, "subjectInfoAccess"              }, /* 246 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 247 */
- {              0x01,         256, 1,  7, "ocsp"                           }, /* 248 */
- {                0x01,       250, 0,  8, "basic"                          }, /* 249 */
- {                0x02,       251, 0,  8, "nonce"                          }, /* 250 */
- {                0x03,       252, 0,  8, "crl"                            }, /* 251 */
- {                0x04,       253, 0,  8, "response"                       }, /* 252 */
- {                0x05,       254, 0,  8, "noCheck"                        }, /* 253 */
- {                0x06,       255, 0,  8, "archiveCutoff"                  }, /* 254 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 255 */
- {              0x02,         257, 0,  7, "caIssuers"                      }, /* 256 */
- {              0x03,         258, 0,  7, "timeStamping"                   }, /* 257 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 258 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 259 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 260 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 261 */
- {  0x0E,                     268, 1,  1, "oiw"                            }, /* 262 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 263 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 264 */
- {        0x07,               266, 0,  4, "des-cbc"                        }, /* 265 */
- {        0x1A,               267, 0,  4, "sha-1"                          }, /* 266 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 267 */
- {  0x24,                     314, 1,  1, "TeleTrusT"                      }, /* 268 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 269 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 270 */
- {        0x01,               275, 1,  4, "rsaSignature"                   }, /* 271 */
- {          0x02,             273, 0,  5, "rsaSigWithripemd160"            }, /* 272 */
- {          0x03,             274, 0,  5, "rsaSigWithripemd128"            }, /* 273 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 274 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 275 */
- {          0x01,             277, 0,  5, "ecSignWithsha1"                 }, /* 276 */
- {          0x02,             278, 0,  5, "ecSignWithripemd160"            }, /* 277 */
- {          0x03,             279, 0,  5, "ecSignWithmd2"                  }, /* 278 */
- {          0x04,             280, 0,  5, "ecSignWithmd5"                  }, /* 279 */
- {          0x05,             297, 1,  5, "ttt-ecg"                        }, /* 280 */
- {            0x01,           285, 1,  6, "fieldType"                      }, /* 281 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 282 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 283 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 284 */
- {            0x02,           287, 1,  6, "keyType"                        }, /* 285 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 286 */
- {            0x03,           288, 0,  6, "curve"                          }, /* 287 */
- {            0x04,           295, 1,  6, "signatures"                     }, /* 288 */
- {              0x01,         290, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 289 */
- {              0x02,         291, 0,  7, "ecgdsa-with-SHA1"               }, /* 290 */
- {              0x03,         292, 0,  7, "ecgdsa-with-SHA224"             }, /* 291 */
- {              0x04,         293, 0,  7, "ecgdsa-with-SHA256"             }, /* 292 */
- {              0x05,         294, 0,  7, "ecgdsa-with-SHA384"             }, /* 293 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 294 */
- {            0x05,             0, 1,  6, "module"                         }, /* 295 */
- {              0x01,           0, 0,  7, "1"                              }, /* 296 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 297 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 298 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 299 */
- {                0x01,       301, 0,  8, "brainpoolP160r1"                }, /* 300 */
- {                0x02,       302, 0,  8, "brainpoolP160t1"                }, /* 301 */
- {                0x03,       303, 0,  8, "brainpoolP192r1"                }, /* 302 */
- {                0x04,       304, 0,  8, "brainpoolP192t1"                }, /* 303 */
- {                0x05,       305, 0,  8, "brainpoolP224r1"                }, /* 304 */
- {                0x06,       306, 0,  8, "brainpoolP224t1"                }, /* 305 */
- {                0x07,       307, 0,  8, "brainpoolP256r1"                }, /* 306 */
- {                0x08,       308, 0,  8, "brainpoolP256t1"                }, /* 307 */
- {                0x09,       309, 0,  8, "brainpoolP320r1"                }, /* 308 */
- {                0x0A,       310, 0,  8, "brainpoolP320t1"                }, /* 309 */
- {                0x0B,       311, 0,  8, "brainpoolP384r1"                }, /* 310 */
- {                0x0C,       312, 0,  8, "brainpoolP384t1"                }, /* 311 */
- {                0x0D,       313, 0,  8, "brainpoolP512r1"                }, /* 312 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 313 */
- {  0x81,                       0, 1,  1, ""                               }, /* 314 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 315 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 316 */
- {        0x01,               318, 0,  4, "sect163k1"                      }, /* 317 */
- {        0x02,               319, 0,  4, "sect163r1"                      }, /* 318 */
- {        0x03,               320, 0,  4, "sect239k1"                      }, /* 319 */
- {        0x04,               321, 0,  4, "sect113r1"                      }, /* 320 */
- {        0x05,               322, 0,  4, "sect113r2"                      }, /* 321 */
- {        0x06,               323, 0,  4, "secp112r1"                      }, /* 322 */
- {        0x07,               324, 0,  4, "secp112r2"                      }, /* 323 */
- {        0x08,               325, 0,  4, "secp160r1"                      }, /* 324 */
- {        0x09,               326, 0,  4, "secp160k1"                      }, /* 325 */
- {        0x0A,               327, 0,  4, "secp256k1"                      }, /* 326 */
- {        0x0F,               328, 0,  4, "sect163r2"                      }, /* 327 */
- {        0x10,               329, 0,  4, "sect283k1"                      }, /* 328 */
- {        0x11,               330, 0,  4, "sect283r1"                      }, /* 329 */
- {        0x16,               331, 0,  4, "sect131r1"                      }, /* 330 */
- {        0x17,               332, 0,  4, "sect131r2"                      }, /* 331 */
- {        0x18,               333, 0,  4, "sect193r1"                      }, /* 332 */
- {        0x19,               334, 0,  4, "sect193r2"                      }, /* 333 */
- {        0x1A,               335, 0,  4, "sect233k1"                      }, /* 334 */
- {        0x1B,               336, 0,  4, "sect233r1"                      }, /* 335 */
- {        0x1C,               337, 0,  4, "secp128r1"                      }, /* 336 */
- {        0x1D,               338, 0,  4, "secp128r2"                      }, /* 337 */
- {        0x1E,               339, 0,  4, "secp160r2"                      }, /* 338 */
- {        0x1F,               340, 0,  4, "secp192k1"                      }, /* 339 */
- {        0x20,               341, 0,  4, "secp224k1"                      }, /* 340 */
- {        0x21,               342, 0,  4, "secp224r1"                      }, /* 341 */
- {        0x22,               343, 0,  4, "secp384r1"                      }, /* 342 */
- {        0x23,               344, 0,  4, "secp521r1"                      }, /* 343 */
- {        0x24,               345, 0,  4, "sect409k1"                      }, /* 344 */
- {        0x25,               346, 0,  4, "sect409r1"                      }, /* 345 */
- {        0x26,               347, 0,  4, "sect571k1"                      }, /* 346 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 347 */
- {0x60,                       396, 1,  0, ""                               }, /* 348 */
- {  0x86,                       0, 1,  1, ""                               }, /* 349 */
- {    0x48,                     0, 1,  2, ""                               }, /* 350 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 351 */
- {        0x65,               372, 1,  4, "gov"                            }, /* 352 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 353 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 354 */
- {              0x01,         365, 1,  7, "aes"                            }, /* 355 */
- {                0x02,       357, 0,  8, "id-aes128-CBC"                  }, /* 356 */
- {                0x06,       358, 0,  8, "id-aes128-GCM"                  }, /* 357 */
- {                0x07,       359, 0,  8, "id-aes128-CCM"                  }, /* 358 */
- {                0x16,       360, 0,  8, "id-aes192-CBC"                  }, /* 359 */
- {                0x1A,       361, 0,  8, "id-aes192-GCM"                  }, /* 360 */
- {                0x1B,       362, 0,  8, "id-aes192-CCM"                  }, /* 361 */
- {                0x2A,       363, 0,  8, "id-aes256-CBC"                  }, /* 362 */
- {                0x2E,       364, 0,  8, "id-aes256-GCM"                  }, /* 363 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 364 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 365 */
- {                0x01,       367, 0,  8, "id-SHA-256"                     }, /* 366 */
- {                0x02,       368, 0,  8, "id-SHA-384"                     }, /* 367 */
- {                0x03,       369, 0,  8, "id-SHA-512"                     }, /* 368 */
- {                0x04,       370, 0,  8, "id-SHA-224"                     }, /* 369 */
- {                0x05,       371, 0,  8, "id-SHA-512-224"                 }, /* 370 */
- {                0x06,         0, 0,  8, "id-SHA-512-256"                 }, /* 371 */
- {        0x86,                 0, 1,  4, ""                               }, /* 372 */
- {          0xf8,               0, 1,  5, ""                               }, /* 373 */
- {            0x42,           386, 1,  6, "netscape"                       }, /* 374 */
- {              0x01,         381, 1,  7, ""                               }, /* 375 */
- {                0x01,       377, 0,  8, "nsCertType"                     }, /* 376 */
- {                0x03,       378, 0,  8, "nsRevocationUrl"                }, /* 377 */
- {                0x04,       379, 0,  8, "nsCaRevocationUrl"              }, /* 378 */
- {                0x08,       380, 0,  8, "nsCaPolicyUrl"                  }, /* 379 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 380 */
- {              0x03,         384, 1,  7, "directory"                      }, /* 381 */
- {                0x01,         0, 1,  8, ""                               }, /* 382 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 383 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 384 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 385 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 386 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 387 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 388 */
- {                  0x02,     390, 0,  9, "messageType"                    }, /* 389 */
- {                  0x03,     391, 0,  9, "pkiStatus"                      }, /* 390 */
- {                  0x04,     392, 0,  9, "failInfo"                       }, /* 391 */
- {                  0x05,     393, 0,  9, "senderNonce"                    }, /* 392 */
- {                  0x06,     394, 0,  9, "recipientNonce"                 }, /* 393 */
- {                  0x07,     395, 0,  9, "transID"                        }, /* 394 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 395 */
- {0x67,                         0, 1,  0, ""                               }, /* 396 */
- {  0x81,                       0, 1,  1, ""                               }, /* 397 */
- {    0x05,                     0, 1,  2, ""                               }, /* 398 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 399 */
- {        0x01,               401, 0,  4, "tcg-at-tpmManufacturer"         }, /* 400 */
- {        0x02,               402, 0,  4, "tcg-at-tpmModel"                }, /* 401 */
- {        0x03,               403, 0,  4, "tcg-at-tpmVersion"              }, /* 402 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 403 */
+ {                0x08,        96, 0,  8, "id-mgf1"                        }, /*  95 */
+ {                0x09,        97, 0,  8, "id-pSpecified"                  }, /*  96 */
+ {                0x0B,        98, 0,  8, "sha256WithRSAEncryption"        }, /*  97 */
+ {                0x0C,        99, 0,  8, "sha384WithRSAEncryption"        }, /*  98 */
+ {                0x0D,       100, 0,  8, "sha512WithRSAEncryption"        }, /*  99 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /* 100 */
+ {              0x05,         106, 1,  7, "PKCS-5"                         }, /* 101 */
+ {                0x03,       103, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 102 */
+ {                0x0A,       104, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 103 */
+ {                0x0C,       105, 0,  8, "id-PBKDF2"                      }, /* 104 */
+ {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 105 */
+ {              0x07,         113, 1,  7, "PKCS-7"                         }, /* 106 */
+ {                0x01,       108, 0,  8, "data"                           }, /* 107 */
+ {                0x02,       109, 0,  8, "signedData"                     }, /* 108 */
+ {                0x03,       110, 0,  8, "envelopedData"                  }, /* 109 */
+ {                0x04,       111, 0,  8, "signedAndEnvelopedData"         }, /* 110 */
+ {                0x05,       112, 0,  8, "digestedData"                   }, /* 111 */
+ {                0x06,         0, 0,  8, "encryptedData"                  }, /* 112 */
+ {              0x09,         127, 1,  7, "PKCS-9"                         }, /* 113 */
+ {                0x01,       115, 0,  8, "E"                              }, /* 114 */
+ {                0x02,       116, 0,  8, "unstructuredName"               }, /* 115 */
+ {                0x03,       117, 0,  8, "contentType"                    }, /* 116 */
+ {                0x04,       118, 0,  8, "messageDigest"                  }, /* 117 */
+ {                0x05,       119, 0,  8, "signingTime"                    }, /* 118 */
+ {                0x06,       120, 0,  8, "counterSignature"               }, /* 119 */
+ {                0x07,       121, 0,  8, "challengePassword"              }, /* 120 */
+ {                0x08,       122, 0,  8, "unstructuredAddress"            }, /* 121 */
+ {                0x0E,       123, 0,  8, "extensionRequest"               }, /* 122 */
+ {                0x0F,       124, 0,  8, "S/MIME Capabilities"            }, /* 123 */
+ {                0x16,         0, 1,  8, "certTypes"                      }, /* 124 */
+ {                  0x01,     126, 0,  9, "X.509"                          }, /* 125 */
+ {                  0x02,       0, 0,  9, "SDSI"                           }, /* 126 */
+ {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 127 */
+ {                0x01,       135, 1,  8, "pbeIds"                         }, /* 128 */
+ {                  0x01,     130, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 129 */
+ {                  0x02,     131, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 130 */
+ {                  0x03,     132, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 131 */
+ {                  0x04,     133, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 132 */
+ {                  0x05,     134, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 133 */
+ {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 134 */
+ {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 135 */
+ {                  0x01,       0, 1,  9, "bagIds"                         }, /* 136 */
+ {                    0x01,   138, 0, 10, "keyBag"                         }, /* 137 */
+ {                    0x02,   139, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 138 */
+ {                    0x03,   140, 0, 10, "certBag"                        }, /* 139 */
+ {                    0x04,   141, 0, 10, "crlBag"                         }, /* 140 */
+ {                    0x05,   142, 0, 10, "secretBag"                      }, /* 141 */
+ {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 142 */
+ {            0x02,           146, 1,  6, "digestAlgorithm"                }, /* 143 */
+ {              0x02,         145, 0,  7, "md2"                            }, /* 144 */
+ {              0x05,           0, 0,  7, "md5"                            }, /* 145 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 146 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 147 */
+ {      0xCE,                   0, 1,  3, ""                               }, /* 148 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 149 */
+ {          0x02,             152, 1,  5, "id-publicKeyType"               }, /* 150 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 151 */
+ {          0x03,             182, 1,  5, "ellipticCurve"                  }, /* 152 */
+ {            0x00,           174, 1,  6, "c-TwoCurve"                     }, /* 153 */
+ {              0x01,         155, 0,  7, "c2pnb163v1"                     }, /* 154 */
+ {              0x02,         156, 0,  7, "c2pnb163v2"                     }, /* 155 */
+ {              0x03,         157, 0,  7, "c2pnb163v3"                     }, /* 156 */
+ {              0x04,         158, 0,  7, "c2pnb176w1"                     }, /* 157 */
+ {              0x05,         159, 0,  7, "c2tnb191v1"                     }, /* 158 */
+ {              0x06,         160, 0,  7, "c2tnb191v2"                     }, /* 159 */
+ {              0x07,         161, 0,  7, "c2tnb191v3"                     }, /* 160 */
+ {              0x08,         162, 0,  7, "c2onb191v4"                     }, /* 161 */
+ {              0x09,         163, 0,  7, "c2onb191v5"                     }, /* 162 */
+ {              0x0A,         164, 0,  7, "c2pnb208w1"                     }, /* 163 */
+ {              0x0B,         165, 0,  7, "c2tnb239v1"                     }, /* 164 */
+ {              0x0C,         166, 0,  7, "c2tnb239v2"                     }, /* 165 */
+ {              0x0D,         167, 0,  7, "c2tnb239v3"                     }, /* 166 */
+ {              0x0E,         168, 0,  7, "c2onb239v4"                     }, /* 167 */
+ {              0x0F,         169, 0,  7, "c2onb239v5"                     }, /* 168 */
+ {              0x10,         170, 0,  7, "c2pnb272w1"                     }, /* 169 */
+ {              0x11,         171, 0,  7, "c2pnb304w1"                     }, /* 170 */
+ {              0x12,         172, 0,  7, "c2tnb359v1"                     }, /* 171 */
+ {              0x13,         173, 0,  7, "c2pnb368w1"                     }, /* 172 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 173 */
+ {            0x01,             0, 1,  6, "primeCurve"                     }, /* 174 */
+ {              0x01,         176, 0,  7, "prime192v1"                     }, /* 175 */
+ {              0x02,         177, 0,  7, "prime192v2"                     }, /* 176 */
+ {              0x03,         178, 0,  7, "prime192v3"                     }, /* 177 */
+ {              0x04,         179, 0,  7, "prime239v1"                     }, /* 178 */
+ {              0x05,         180, 0,  7, "prime239v2"                     }, /* 179 */
+ {              0x06,         181, 0,  7, "prime239v3"                     }, /* 180 */
+ {              0x07,           0, 0,  7, "prime256v1"                     }, /* 181 */
+ {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 182 */
+ {            0x01,           184, 0,  6, "ecdsa-with-SHA1"                }, /* 183 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 184 */
+ {              0x01,         186, 0,  7, "ecdsa-with-SHA224"              }, /* 185 */
+ {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
+ {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
+ {0x2B,                       372, 1,  0, ""                               }, /* 189 */
+ {  0x06,                     286, 1,  1, "dod"                            }, /* 190 */
+ {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
+ {      0x04,                 237, 1,  3, "private"                        }, /* 192 */
+ {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
+ {          0x82,             207, 1,  5, ""                               }, /* 194 */
+ {            0x37,           204, 1,  6, "Microsoft"                      }, /* 195 */
+ {              0x0A,         200, 1,  7, ""                               }, /* 196 */
+ {                0x03,         0, 1,  8, ""                               }, /* 197 */
+ {                  0x03,     199, 0,  9, "msSGC"                          }, /* 198 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 199 */
+ {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 201 */
+ {                  0x02,     203, 0,  9, "msSmartcardLogon"               }, /* 202 */
+ {                  0x03,       0, 0,  9, "msUPN"                          }, /* 203 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 204 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 205 */
+ {                0x01,         0, 0,  8, "strongSwan"                     }, /* 206 */
+ {          0x89,             214, 1,  5, ""                               }, /* 207 */
+ {            0x31,             0, 1,  6, ""                               }, /* 208 */
+ {              0x01,           0, 1,  7, ""                               }, /* 209 */
+ {                0x01,         0, 1,  8, ""                               }, /* 210 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 211 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 212 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 213 */
+ {          0xc1,               0, 1,  5, ""                               }, /* 214 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 215 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 216 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 217 */
+ {                  0x01,     222, 1,  9, "eess1-algs"                     }, /* 218 */
+ {                    0x01,   220, 0, 10, "ntru-EESS1v1-SVES"              }, /* 219 */
+ {                    0x02,   221, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 220 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 221 */
+ {                  0x02,     236, 1,  9, "eess1-params"                   }, /* 222 */
+ {                    0x01,   224, 0, 10, "ees251ep1"                      }, /* 223 */
+ {                    0x02,   225, 0, 10, "ees347ep1"                      }, /* 224 */
+ {                    0x03,   226, 0, 10, "ees503ep1"                      }, /* 225 */
+ {                    0x07,   227, 0, 10, "ees251sp2"                      }, /* 226 */
+ {                    0x0C,   228, 0, 10, "ees251ep4"                      }, /* 227 */
+ {                    0x0D,   229, 0, 10, "ees251ep5"                      }, /* 228 */
+ {                    0x0E,   230, 0, 10, "ees251sp3"                      }, /* 229 */
+ {                    0x0F,   231, 0, 10, "ees251sp4"                      }, /* 230 */
+ {                    0x10,   232, 0, 10, "ees251sp5"                      }, /* 231 */
+ {                    0x11,   233, 0, 10, "ees251sp6"                      }, /* 232 */
+ {                    0x12,   234, 0, 10, "ees251sp7"                      }, /* 233 */
+ {                    0x13,   235, 0, 10, "ees251sp8"                      }, /* 234 */
+ {                    0x14,     0, 0, 10, "ees251sp9"                      }, /* 235 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 236 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 237 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 238 */
+ {          0x07,             283, 1,  5, "id-pkix"                        }, /* 239 */
+ {            0x01,           244, 1,  6, "id-pe"                          }, /* 240 */
+ {              0x01,         242, 0,  7, "authorityInfoAccess"            }, /* 241 */
+ {              0x03,         243, 0,  7, "qcStatements"                   }, /* 242 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 243 */
+ {            0x02,           247, 1,  6, "id-qt"                          }, /* 244 */
+ {              0x01,         246, 0,  7, "cps"                            }, /* 245 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 246 */
+ {            0x03,           257, 1,  6, "id-kp"                          }, /* 247 */
+ {              0x01,         249, 0,  7, "serverAuth"                     }, /* 248 */
+ {              0x02,         250, 0,  7, "clientAuth"                     }, /* 249 */
+ {              0x03,         251, 0,  7, "codeSigning"                    }, /* 250 */
+ {              0x04,         252, 0,  7, "emailProtection"                }, /* 251 */
+ {              0x05,         253, 0,  7, "ipsecEndSystem"                 }, /* 252 */
+ {              0x06,         254, 0,  7, "ipsecTunnel"                    }, /* 253 */
+ {              0x07,         255, 0,  7, "ipsecUser"                      }, /* 254 */
+ {              0x08,         256, 0,  7, "timeStamping"                   }, /* 255 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 256 */
+ {            0x08,           265, 1,  6, "id-otherNames"                  }, /* 257 */
+ {              0x01,         259, 0,  7, "personalData"                   }, /* 258 */
+ {              0x02,         260, 0,  7, "userGroup"                      }, /* 259 */
+ {              0x03,         261, 0,  7, "id-on-permanentIdentifier"      }, /* 260 */
+ {              0x04,         262, 0,  7, "id-on-hardwareModuleName"       }, /* 261 */
+ {              0x05,         263, 0,  7, "xmppAddr"                       }, /* 262 */
+ {              0x06,         264, 0,  7, "id-on-SIM"                      }, /* 263 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 264 */
+ {            0x0A,           270, 1,  6, "id-aca"                         }, /* 265 */
+ {              0x01,         267, 0,  7, "authenticationInfo"             }, /* 266 */
+ {              0x02,         268, 0,  7, "accessIdentity"                 }, /* 267 */
+ {              0x03,         269, 0,  7, "chargingIdentity"               }, /* 268 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 269 */
+ {            0x0B,           271, 0,  6, "subjectInfoAccess"              }, /* 270 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 271 */
+ {              0x01,         280, 1,  7, "ocsp"                           }, /* 272 */
+ {                0x01,       274, 0,  8, "basic"                          }, /* 273 */
+ {                0x02,       275, 0,  8, "nonce"                          }, /* 274 */
+ {                0x03,       276, 0,  8, "crl"                            }, /* 275 */
+ {                0x04,       277, 0,  8, "response"                       }, /* 276 */
+ {                0x05,       278, 0,  8, "noCheck"                        }, /* 277 */
+ {                0x06,       279, 0,  8, "archiveCutoff"                  }, /* 278 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 279 */
+ {              0x02,         281, 0,  7, "caIssuers"                      }, /* 280 */
+ {              0x03,         282, 0,  7, "timeStamping"                   }, /* 281 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 282 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 283 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 284 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 285 */
+ {  0x0E,                     292, 1,  1, "oiw"                            }, /* 286 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 287 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 288 */
+ {        0x07,               290, 0,  4, "des-cbc"                        }, /* 289 */
+ {        0x1A,               291, 0,  4, "sha-1"                          }, /* 290 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 291 */
+ {  0x24,                     338, 1,  1, "TeleTrusT"                      }, /* 292 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 293 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 294 */
+ {        0x01,               299, 1,  4, "rsaSignature"                   }, /* 295 */
+ {          0x02,             297, 0,  5, "rsaSigWithripemd160"            }, /* 296 */
+ {          0x03,             298, 0,  5, "rsaSigWithripemd128"            }, /* 297 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 298 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 299 */
+ {          0x01,             301, 0,  5, "ecSignWithsha1"                 }, /* 300 */
+ {          0x02,             302, 0,  5, "ecSignWithripemd160"            }, /* 301 */
+ {          0x03,             303, 0,  5, "ecSignWithmd2"                  }, /* 302 */
+ {          0x04,             304, 0,  5, "ecSignWithmd5"                  }, /* 303 */
+ {          0x05,             321, 1,  5, "ttt-ecg"                        }, /* 304 */
+ {            0x01,           309, 1,  6, "fieldType"                      }, /* 305 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 306 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 307 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 308 */
+ {            0x02,           311, 1,  6, "keyType"                        }, /* 309 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 310 */
+ {            0x03,           312, 0,  6, "curve"                          }, /* 311 */
+ {            0x04,           319, 1,  6, "signatures"                     }, /* 312 */
+ {              0x01,         314, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 313 */
+ {              0x02,         315, 0,  7, "ecgdsa-with-SHA1"               }, /* 314 */
+ {              0x03,         316, 0,  7, "ecgdsa-with-SHA224"             }, /* 315 */
+ {              0x04,         317, 0,  7, "ecgdsa-with-SHA256"             }, /* 316 */
+ {              0x05,         318, 0,  7, "ecgdsa-with-SHA384"             }, /* 317 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 318 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 319 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 320 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 321 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 322 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 323 */
+ {                0x01,       325, 0,  8, "brainpoolP160r1"                }, /* 324 */
+ {                0x02,       326, 0,  8, "brainpoolP160t1"                }, /* 325 */
+ {                0x03,       327, 0,  8, "brainpoolP192r1"                }, /* 326 */
+ {                0x04,       328, 0,  8, "brainpoolP192t1"                }, /* 327 */
+ {                0x05,       329, 0,  8, "brainpoolP224r1"                }, /* 328 */
+ {                0x06,       330, 0,  8, "brainpoolP224t1"                }, /* 329 */
+ {                0x07,       331, 0,  8, "brainpoolP256r1"                }, /* 330 */
+ {                0x08,       332, 0,  8, "brainpoolP256t1"                }, /* 331 */
+ {                0x09,       333, 0,  8, "brainpoolP320r1"                }, /* 332 */
+ {                0x0A,       334, 0,  8, "brainpoolP320t1"                }, /* 333 */
+ {                0x0B,       335, 0,  8, "brainpoolP384r1"                }, /* 334 */
+ {                0x0C,       336, 0,  8, "brainpoolP384t1"                }, /* 335 */
+ {                0x0D,       337, 0,  8, "brainpoolP512r1"                }, /* 336 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 337 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 338 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 339 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 340 */
+ {        0x01,               342, 0,  4, "sect163k1"                      }, /* 341 */
+ {        0x02,               343, 0,  4, "sect163r1"                      }, /* 342 */
+ {        0x03,               344, 0,  4, "sect239k1"                      }, /* 343 */
+ {        0x04,               345, 0,  4, "sect113r1"                      }, /* 344 */
+ {        0x05,               346, 0,  4, "sect113r2"                      }, /* 345 */
+ {        0x06,               347, 0,  4, "secp112r1"                      }, /* 346 */
+ {        0x07,               348, 0,  4, "secp112r2"                      }, /* 347 */
+ {        0x08,               349, 0,  4, "secp160r1"                      }, /* 348 */
+ {        0x09,               350, 0,  4, "secp160k1"                      }, /* 349 */
+ {        0x0A,               351, 0,  4, "secp256k1"                      }, /* 350 */
+ {        0x0F,               352, 0,  4, "sect163r2"                      }, /* 351 */
+ {        0x10,               353, 0,  4, "sect283k1"                      }, /* 352 */
+ {        0x11,               354, 0,  4, "sect283r1"                      }, /* 353 */
+ {        0x16,               355, 0,  4, "sect131r1"                      }, /* 354 */
+ {        0x17,               356, 0,  4, "sect131r2"                      }, /* 355 */
+ {        0x18,               357, 0,  4, "sect193r1"                      }, /* 356 */
+ {        0x19,               358, 0,  4, "sect193r2"                      }, /* 357 */
+ {        0x1A,               359, 0,  4, "sect233k1"                      }, /* 358 */
+ {        0x1B,               360, 0,  4, "sect233r1"                      }, /* 359 */
+ {        0x1C,               361, 0,  4, "secp128r1"                      }, /* 360 */
+ {        0x1D,               362, 0,  4, "secp128r2"                      }, /* 361 */
+ {        0x1E,               363, 0,  4, "secp160r2"                      }, /* 362 */
+ {        0x1F,               364, 0,  4, "secp192k1"                      }, /* 363 */
+ {        0x20,               365, 0,  4, "secp224k1"                      }, /* 364 */
+ {        0x21,               366, 0,  4, "secp224r1"                      }, /* 365 */
+ {        0x22,               367, 0,  4, "secp384r1"                      }, /* 366 */
+ {        0x23,               368, 0,  4, "secp521r1"                      }, /* 367 */
+ {        0x24,               369, 0,  4, "sect409k1"                      }, /* 368 */
+ {        0x25,               370, 0,  4, "sect409r1"                      }, /* 369 */
+ {        0x26,               371, 0,  4, "sect571k1"                      }, /* 370 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 371 */
+ {0x60,                       420, 1,  0, ""                               }, /* 372 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 373 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 374 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 375 */
+ {        0x65,               396, 1,  4, "gov"                            }, /* 376 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 377 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 378 */
+ {              0x01,         389, 1,  7, "aes"                            }, /* 379 */
+ {                0x02,       381, 0,  8, "id-aes128-CBC"                  }, /* 380 */
+ {                0x06,       382, 0,  8, "id-aes128-GCM"                  }, /* 381 */
+ {                0x07,       383, 0,  8, "id-aes128-CCM"                  }, /* 382 */
+ {                0x16,       384, 0,  8, "id-aes192-CBC"                  }, /* 383 */
+ {                0x1A,       385, 0,  8, "id-aes192-GCM"                  }, /* 384 */
+ {                0x1B,       386, 0,  8, "id-aes192-CCM"                  }, /* 385 */
+ {                0x2A,       387, 0,  8, "id-aes256-CBC"                  }, /* 386 */
+ {                0x2E,       388, 0,  8, "id-aes256-GCM"                  }, /* 387 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 388 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 389 */
+ {                0x01,       391, 0,  8, "id-SHA-256"                     }, /* 390 */
+ {                0x02,       392, 0,  8, "id-SHA-384"                     }, /* 391 */
+ {                0x03,       393, 0,  8, "id-SHA-512"                     }, /* 392 */
+ {                0x04,       394, 0,  8, "id-SHA-224"                     }, /* 393 */
+ {                0x05,       395, 0,  8, "id-SHA-512-224"                 }, /* 394 */
+ {                0x06,         0, 0,  8, "id-SHA-512-256"                 }, /* 395 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 396 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 397 */
+ {            0x42,           410, 1,  6, "netscape"                       }, /* 398 */
+ {              0x01,         405, 1,  7, ""                               }, /* 399 */
+ {                0x01,       401, 0,  8, "nsCertType"                     }, /* 400 */
+ {                0x03,       402, 0,  8, "nsRevocationUrl"                }, /* 401 */
+ {                0x04,       403, 0,  8, "nsCaRevocationUrl"              }, /* 402 */
+ {                0x08,       404, 0,  8, "nsCaPolicyUrl"                  }, /* 403 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 404 */
+ {              0x03,         408, 1,  7, "directory"                      }, /* 405 */
+ {                0x01,         0, 1,  8, ""                               }, /* 406 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 407 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 408 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 409 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 410 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 411 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 412 */
+ {                  0x02,     414, 0,  9, "messageType"                    }, /* 413 */
+ {                  0x03,     415, 0,  9, "pkiStatus"                      }, /* 414 */
+ {                  0x04,     416, 0,  9, "failInfo"                       }, /* 415 */
+ {                  0x05,     417, 0,  9, "senderNonce"                    }, /* 416 */
+ {                  0x06,     418, 0,  9, "recipientNonce"                 }, /* 417 */
+ {                  0x07,     419, 0,  9, "transID"                        }, /* 418 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 419 */
+ {0x67,                         0, 1,  0, ""                               }, /* 420 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 421 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 422 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 423 */
+ {        0x01,               425, 0,  4, "tcg-at-tpmManufacturer"         }, /* 424 */
+ {        0x02,               426, 0,  4, "tcg-at-tpmModel"                }, /* 425 */
+ {        0x03,               427, 0,  4, "tcg-at-tpmVersion"              }, /* 426 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 427 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 236c86737..14f774adb 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -69,170 +69,170 @@ extern const oid_t oid_names[];
 #define OID_MD5_WITH_RSA					92
 #define OID_SHA1_WITH_RSA					93
 #define OID_RSAES_OAEP						94
-#define OID_SHA256_WITH_RSA					96
-#define OID_SHA384_WITH_RSA					97
-#define OID_SHA512_WITH_RSA					98
-#define OID_SHA224_WITH_RSA					99
-#define OID_PBE_MD5_DES_CBC					101
-#define OID_PBE_SHA1_DES_CBC				102
-#define OID_PBKDF2							103
-#define OID_PBES2							104
-#define OID_PKCS7_DATA						106
-#define OID_PKCS7_SIGNED_DATA				107
-#define OID_PKCS7_ENVELOPED_DATA			108
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		109
-#define OID_PKCS7_DIGESTED_DATA				110
-#define OID_PKCS7_ENCRYPTED_DATA			111
-#define OID_EMAIL_ADDRESS					113
-#define OID_UNSTRUCTURED_NAME				114
-#define OID_PKCS9_CONTENT_TYPE				115
-#define OID_PKCS9_MESSAGE_DIGEST			116
-#define OID_PKCS9_SIGNING_TIME				117
-#define OID_CHALLENGE_PASSWORD				119
-#define OID_UNSTRUCTURED_ADDRESS			120
-#define OID_EXTENSION_REQUEST				121
-#define OID_X509_CERTIFICATE				124
-#define OID_PBE_SHA1_RC4_128				128
-#define OID_PBE_SHA1_RC4_40					129
-#define OID_PBE_SHA1_3DES_CBC				130
-#define OID_PBE_SHA1_3DES_2KEY_CBC			131
-#define OID_PBE_SHA1_RC2_CBC_128			132
-#define OID_PBE_SHA1_RC2_CBC_40				133
-#define OID_P12_KEY_BAG						136
-#define OID_P12_PKCS8_KEY_BAG				137
-#define OID_P12_CERT_BAG					138
-#define OID_P12_CRL_BAG						139
-#define OID_MD2								143
-#define OID_MD5								144
-#define OID_3DES_EDE_CBC					146
-#define OID_EC_PUBLICKEY					150
-#define OID_C2PNB163V1						153
-#define OID_C2PNB163V2						154
-#define OID_C2PNB163V3						155
-#define OID_C2PNB176W1						156
-#define OID_C2PNB191V1						157
-#define OID_C2PNB191V2						158
-#define OID_C2PNB191V3						159
-#define OID_C2PNB191V4						160
-#define OID_C2PNB191V5						161
-#define OID_C2PNB208W1						162
-#define OID_C2PNB239V1						163
-#define OID_C2PNB239V2						164
-#define OID_C2PNB239V3						165
-#define OID_C2PNB239V4						166
-#define OID_C2PNB239V5						167
-#define OID_C2PNB272W1						168
-#define OID_C2PNB304W1						169
-#define OID_C2PNB359V1						170
-#define OID_C2PNB368W1						171
-#define OID_C2PNB431R1						172
-#define OID_PRIME192V1						174
-#define OID_PRIME192V2						175
-#define OID_PRIME192V3						176
-#define OID_PRIME239V1						177
-#define OID_PRIME239V2						178
-#define OID_PRIME239V3						179
-#define OID_PRIME256V1						180
-#define OID_ECDSA_WITH_SHA1					182
-#define OID_ECDSA_WITH_SHA224				184
-#define OID_ECDSA_WITH_SHA256				185
-#define OID_ECDSA_WITH_SHA384				186
-#define OID_ECDSA_WITH_SHA512				187
-#define OID_USER_PRINCIPAL_NAME				202
-#define OID_STRONGSWAN						205
-#define OID_TCGID							212
-#define OID_AUTHORITY_INFO_ACCESS			217
-#define OID_IP_ADDR_BLOCKS					219
-#define OID_POLICY_QUALIFIER_CPS			221
-#define OID_POLICY_QUALIFIER_UNOTICE		222
-#define OID_SERVER_AUTH						224
-#define OID_CLIENT_AUTH						225
-#define OID_OCSP_SIGNING					232
-#define OID_XMPP_ADDR						238
-#define OID_AUTHENTICATION_INFO				242
-#define OID_ACCESS_IDENTITY					243
-#define OID_CHARGING_IDENTITY				244
-#define OID_GROUP							245
-#define OID_OCSP							248
-#define OID_BASIC							249
-#define OID_NONCE							250
-#define OID_CRL								251
-#define OID_RESPONSE						252
-#define OID_NO_CHECK						253
-#define OID_ARCHIVE_CUTOFF					254
-#define OID_SERVICE_LOCATOR					255
-#define OID_CA_ISSUERS						256
-#define OID_IKE_INTERMEDIATE				261
-#define OID_DES_CBC							265
-#define OID_SHA1							266
-#define OID_SHA1_WITH_RSA_OIW				267
-#define OID_ECGDSA_PUBKEY					286
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		289
-#define OID_ECGDSA_SIG_WITH_SHA1			290
-#define OID_ECGDSA_SIG_WITH_SHA224			291
-#define OID_ECGDSA_SIG_WITH_SHA256			292
-#define OID_ECGDSA_SIG_WITH_SHA384			293
-#define OID_ECGDSA_SIG_WITH_SHA512			294
-#define OID_SECT163K1						317
-#define OID_SECT163R1						318
-#define OID_SECT239K1						319
-#define OID_SECT113R1						320
-#define OID_SECT113R2						321
-#define OID_SECT112R1						322
-#define OID_SECT112R2						323
-#define OID_SECT160R1						324
-#define OID_SECT160K1						325
-#define OID_SECT256K1						326
-#define OID_SECT163R2						327
-#define OID_SECT283K1						328
-#define OID_SECT283R1						329
-#define OID_SECT131R1						330
-#define OID_SECT131R2						331
-#define OID_SECT193R1						332
-#define OID_SECT193R2						333
-#define OID_SECT233K1						334
-#define OID_SECT233R1						335
-#define OID_SECT128R1						336
-#define OID_SECT128R2						337
-#define OID_SECT160R2						338
-#define OID_SECT192K1						339
-#define OID_SECT224K1						340
-#define OID_SECT224R1						341
-#define OID_SECT384R1						342
-#define OID_SECT521R1						343
-#define OID_SECT409K1						344
-#define OID_SECT409R1						345
-#define OID_SECT571K1						346
-#define OID_SECT571R1						347
-#define OID_AES128_CBC						356
-#define OID_AES128_GCM						357
-#define OID_AES128_CCM						358
-#define OID_AES192_CBC						359
-#define OID_AES192_GCM						360
-#define OID_AES192_CCM						361
-#define OID_AES256_CBC						362
-#define OID_AES256_GCM						363
-#define OID_AES256_CCM						364
-#define OID_SHA256							366
-#define OID_SHA384							367
-#define OID_SHA512							368
-#define OID_SHA224							369
-#define OID_NS_REVOCATION_URL				377
-#define OID_NS_CA_REVOCATION_URL			378
-#define OID_NS_CA_POLICY_URL				379
-#define OID_NS_COMMENT						380
-#define OID_EMPLOYEE_NUMBER					383
-#define OID_PKI_MESSAGE_TYPE				389
-#define OID_PKI_STATUS						390
-#define OID_PKI_FAIL_INFO					391
-#define OID_PKI_SENDER_NONCE				392
-#define OID_PKI_RECIPIENT_NONCE				393
-#define OID_PKI_TRANS_ID					394
-#define OID_TPM_MANUFACTURER				400
-#define OID_TPM_MODEL						401
-#define OID_TPM_VERSION						402
-#define OID_TPM_ID_LABEL					403
+#define OID_SHA256_WITH_RSA					97
+#define OID_SHA384_WITH_RSA					98
+#define OID_SHA512_WITH_RSA					99
+#define OID_SHA224_WITH_RSA					100
+#define OID_PBE_MD5_DES_CBC					102
+#define OID_PBE_SHA1_DES_CBC				103
+#define OID_PBKDF2							104
+#define OID_PBES2							105
+#define OID_PKCS7_DATA						107
+#define OID_PKCS7_SIGNED_DATA				108
+#define OID_PKCS7_ENVELOPED_DATA			109
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		110
+#define OID_PKCS7_DIGESTED_DATA				111
+#define OID_PKCS7_ENCRYPTED_DATA			112
+#define OID_EMAIL_ADDRESS					114
+#define OID_UNSTRUCTURED_NAME				115
+#define OID_PKCS9_CONTENT_TYPE				116
+#define OID_PKCS9_MESSAGE_DIGEST			117
+#define OID_PKCS9_SIGNING_TIME				118
+#define OID_CHALLENGE_PASSWORD				120
+#define OID_UNSTRUCTURED_ADDRESS			121
+#define OID_EXTENSION_REQUEST				122
+#define OID_X509_CERTIFICATE				125
+#define OID_PBE_SHA1_RC4_128				129
+#define OID_PBE_SHA1_RC4_40					130
+#define OID_PBE_SHA1_3DES_CBC				131
+#define OID_PBE_SHA1_3DES_2KEY_CBC			132
+#define OID_PBE_SHA1_RC2_CBC_128			133
+#define OID_PBE_SHA1_RC2_CBC_40				134
+#define OID_P12_KEY_BAG						137
+#define OID_P12_PKCS8_KEY_BAG				138
+#define OID_P12_CERT_BAG					139
+#define OID_P12_CRL_BAG						140
+#define OID_MD2								144
+#define OID_MD5								145
+#define OID_3DES_EDE_CBC					147
+#define OID_EC_PUBLICKEY					151
+#define OID_C2PNB163V1						154
+#define OID_C2PNB163V2						155
+#define OID_C2PNB163V3						156
+#define OID_C2PNB176W1						157
+#define OID_C2PNB191V1						158
+#define OID_C2PNB191V2						159
+#define OID_C2PNB191V3						160
+#define OID_C2PNB191V4						161
+#define OID_C2PNB191V5						162
+#define OID_C2PNB208W1						163
+#define OID_C2PNB239V1						164
+#define OID_C2PNB239V2						165
+#define OID_C2PNB239V3						166
+#define OID_C2PNB239V4						167
+#define OID_C2PNB239V5						168
+#define OID_C2PNB272W1						169
+#define OID_C2PNB304W1						170
+#define OID_C2PNB359V1						171
+#define OID_C2PNB368W1						172
+#define OID_C2PNB431R1						173
+#define OID_PRIME192V1						175
+#define OID_PRIME192V2						176
+#define OID_PRIME192V3						177
+#define OID_PRIME239V1						178
+#define OID_PRIME239V2						179
+#define OID_PRIME239V3						180
+#define OID_PRIME256V1						181
+#define OID_ECDSA_WITH_SHA1					183
+#define OID_ECDSA_WITH_SHA224				185
+#define OID_ECDSA_WITH_SHA256				186
+#define OID_ECDSA_WITH_SHA384				187
+#define OID_ECDSA_WITH_SHA512				188
+#define OID_USER_PRINCIPAL_NAME				203
+#define OID_STRONGSWAN						206
+#define OID_TCGID							213
+#define OID_AUTHORITY_INFO_ACCESS			241
+#define OID_IP_ADDR_BLOCKS					243
+#define OID_POLICY_QUALIFIER_CPS			245
+#define OID_POLICY_QUALIFIER_UNOTICE		246
+#define OID_SERVER_AUTH						248
+#define OID_CLIENT_AUTH						249
+#define OID_OCSP_SIGNING					256
+#define OID_XMPP_ADDR						262
+#define OID_AUTHENTICATION_INFO				266
+#define OID_ACCESS_IDENTITY					267
+#define OID_CHARGING_IDENTITY				268
+#define OID_GROUP							269
+#define OID_OCSP							272
+#define OID_BASIC							273
+#define OID_NONCE							274
+#define OID_CRL								275
+#define OID_RESPONSE						276
+#define OID_NO_CHECK						277
+#define OID_ARCHIVE_CUTOFF					278
+#define OID_SERVICE_LOCATOR					279
+#define OID_CA_ISSUERS						280
+#define OID_IKE_INTERMEDIATE				285
+#define OID_DES_CBC							289
+#define OID_SHA1							290
+#define OID_SHA1_WITH_RSA_OIW				291
+#define OID_ECGDSA_PUBKEY					310
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		313
+#define OID_ECGDSA_SIG_WITH_SHA1			314
+#define OID_ECGDSA_SIG_WITH_SHA224			315
+#define OID_ECGDSA_SIG_WITH_SHA256			316
+#define OID_ECGDSA_SIG_WITH_SHA384			317
+#define OID_ECGDSA_SIG_WITH_SHA512			318
+#define OID_SECT163K1						341
+#define OID_SECT163R1						342
+#define OID_SECT239K1						343
+#define OID_SECT113R1						344
+#define OID_SECT113R2						345
+#define OID_SECT112R1						346
+#define OID_SECT112R2						347
+#define OID_SECT160R1						348
+#define OID_SECT160K1						349
+#define OID_SECT256K1						350
+#define OID_SECT163R2						351
+#define OID_SECT283K1						352
+#define OID_SECT283R1						353
+#define OID_SECT131R1						354
+#define OID_SECT131R2						355
+#define OID_SECT193R1						356
+#define OID_SECT193R2						357
+#define OID_SECT233K1						358
+#define OID_SECT233R1						359
+#define OID_SECT128R1						360
+#define OID_SECT128R2						361
+#define OID_SECT160R2						362
+#define OID_SECT192K1						363
+#define OID_SECT224K1						364
+#define OID_SECT224R1						365
+#define OID_SECT384R1						366
+#define OID_SECT521R1						367
+#define OID_SECT409K1						368
+#define OID_SECT409R1						369
+#define OID_SECT571K1						370
+#define OID_SECT571R1						371
+#define OID_AES128_CBC						380
+#define OID_AES128_GCM						381
+#define OID_AES128_CCM						382
+#define OID_AES192_CBC						383
+#define OID_AES192_GCM						384
+#define OID_AES192_CCM						385
+#define OID_AES256_CBC						386
+#define OID_AES256_GCM						387
+#define OID_AES256_CCM						388
+#define OID_SHA256							390
+#define OID_SHA384							391
+#define OID_SHA512							392
+#define OID_SHA224							393
+#define OID_NS_REVOCATION_URL				401
+#define OID_NS_CA_REVOCATION_URL			402
+#define OID_NS_CA_POLICY_URL				403
+#define OID_NS_COMMENT						404
+#define OID_EMPLOYEE_NUMBER					407
+#define OID_PKI_MESSAGE_TYPE				413
+#define OID_PKI_STATUS						414
+#define OID_PKI_FAIL_INFO					415
+#define OID_PKI_SENDER_NONCE				416
+#define OID_PKI_RECIPIENT_NONCE				417
+#define OID_PKI_TRANS_ID					418
+#define OID_TPM_MANUFACTURER				424
+#define OID_TPM_MODEL						425
+#define OID_TPM_VERSION						426
+#define OID_TPM_ID_LABEL					427
 
-#define OID_MAX								404
+#define OID_MAX								428
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 740dc5073..c15a1cc2a 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -93,6 +93,7 @@
                 0x04         "md5WithRSAEncryption"		OID_MD5_WITH_RSA
                 0x05         "sha-1WithRSAEncryption"	OID_SHA1_WITH_RSA
                 0x07         "id-RSAES-OAEP"			OID_RSAES_OAEP
+                0x08         "id-mgf1"
                 0x09         "id-pSpecified"
                 0x0B         "sha256WithRSAEncryption"	OID_SHA256_WITH_RSA
                 0x0C         "sha384WithRSAEncryption"	OID_SHA384_WITH_RSA
@@ -211,6 +212,29 @@
                   0x02       ""
                     0x02     ""
                       0x4B   "TCGID"					OID_TCGID
+          0xc1               ""
+            0x16             "ntruCryptosystems"
+              0x01           "eess"
+                0x01         "eess1"
+                  0x01       "eess1-algs"
+                    0x01     "ntru-EESS1v1-SVES"
+                    0x02     "ntru-EESS1v1-SVSSA"
+                    0x03     "ntru-EESS1v1-NTRUSign"
+                  0x02       "eess1-params"
+                    0x01     "ees251ep1"
+                    0x02     "ees347ep1"
+                    0x03     "ees503ep1"
+                    0x07     "ees251sp2"
+                    0x0C     "ees251ep4"
+                    0x0D     "ees251ep5"
+                    0x0E     "ees251sp3"
+                    0x0F     "ees251sp4"
+                    0x10     "ees251sp5"
+                    0x11     "ees251sp6"
+                    0x12     "ees251sp7"
+                    0x13     "ees251sp8"
+                    0x14     "ees251sp9"
+                  0x03       "eess1-encodingMethods"
       0x05                   "security"
         0x05                 "mechanisms"
           0x07               "id-pkix"
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 387e2a57d..314e8e916 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -13,8 +16,15 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for qsort_r() */
+#include <stdlib.h>
+
 #include "array.h"
 
+#ifndef HAVE_QSORT_R
+#include <threading/thread_value.h>
+#endif
+
 /**
  * Data is an allocated block, with potentially unused head and tail:
  *
@@ -43,6 +53,11 @@ struct array_t {
 	void *data;
 };
 
+#ifndef HAVE_QSORT_R
+	/* store data to replicate qsort_r in thread local storage */
+	static thread_value_t *sort_data;
+#endif
+
 /** maximum number of unused head/tail elements before cleanup */
 #define ARRAY_MAX_UNUSED 32
 
@@ -314,7 +329,7 @@ void array_insert(array_t *array, int idx, void *data)
 	}
 }
 
-bool array_remove(array_t *array, int idx, void *data)
+bool array_get(array_t *array, int idx, void *data)
 {
 	if (!array)
 	{
@@ -337,12 +352,25 @@ bool array_remove(array_t *array, int idx, void *data)
 		memcpy(data, array->data + get_size(array, array->head + idx),
 			   get_size(array, 1));
 	}
+	return TRUE;
+}
+
+bool array_remove(array_t *array, int idx, void *data)
+{
+	if (!array_get(array, idx, data))
+	{
+		return FALSE;
+	}
 	if (idx > array_count(array) / 2)
 	{
 		remove_tail(array, idx);
 	}
 	else
 	{
+		if (idx < 0)
+		{
+			idx = array_count(array) - 1;
+		}
 		remove_head(array, idx);
 	}
 	if (array->head + array->tail > ARRAY_MAX_UNUSED)
@@ -352,6 +380,113 @@ bool array_remove(array_t *array, int idx, void *data)
 	return TRUE;
 }
 
+typedef struct {
+	/** the array */
+	array_t *array;
+	/** comparison function */
+	int (*cmp)(const void*,const void*,void*);
+	/** optional user arg */
+	void *arg;
+} sort_data_t;
+
+#ifdef HAVE_QSORT_R_GNU
+static int compare_elements(const void *a, const void *b, void *arg)
+#elif defined(HAVE_QSORT_R_BSD)
+static int compare_elements(void *arg, const void *a, const void *b)
+#else /* !HAVE_QSORT_R */
+static int compare_elements(const void *a, const void *b)
+#endif
+{
+#ifdef HAVE_QSORT_R
+	sort_data_t *data = (sort_data_t*)arg;
+#else
+	sort_data_t *data = sort_data->get(sort_data);
+#endif
+
+	if (data->array->esize)
+	{
+		return data->cmp(a, b, data->arg);
+	}
+	return data->cmp(*(void**)a, *(void**)b, data->arg);
+}
+
+void array_sort(array_t *array, int (*cmp)(const void*,const void*,void*),
+				void *user)
+{
+	if (array)
+	{
+		sort_data_t data = {
+			.array = array,
+			.cmp = cmp,
+			.arg = user,
+		};
+		void *start;
+
+		start = array->data + get_size(array, array->head);
+
+#ifdef HAVE_QSORT_R_GNU
+		qsort_r(start, array->count, get_size(array, 1), compare_elements,
+				&data);
+#elif defined(HAVE_QSORT_R_BSD)
+		qsort_r(start, array->count, get_size(array, 1), &data,
+				compare_elements);
+#else /* !HAVE_QSORT_R */
+		sort_data->set(sort_data, &data);
+		qsort(start, array->count, get_size(array, 1), compare_elements);
+#endif
+	}
+}
+
+typedef struct {
+	/** the array */
+	array_t *array;
+	/** the key */
+	const void *key;
+	/** comparison function */
+	int (*cmp)(const void*,const void*);
+} bsearch_data_t;
+
+static int search_elements(const void *a, const void *b)
+{
+	bsearch_data_t *data = (bsearch_data_t*)a;
+
+	if (data->array->esize)
+	{
+		return data->cmp(data->key, b);
+	}
+	return data->cmp(data->key, *(void**)b);
+}
+
+int array_bsearch(array_t *array, const void *key,
+				  int (*cmp)(const void*,const void*), void *out)
+{
+	int idx = -1;
+
+	if (array)
+	{
+		bsearch_data_t data = {
+			.array = array,
+			.key = key,
+			.cmp = cmp,
+		};
+		void *start, *item;
+
+		start = array->data + get_size(array, array->head);
+
+		item = bsearch(&data, start, array->count, get_size(array, 1),
+					   search_elements);
+		if (item)
+		{
+			if (out)
+			{
+				memcpy(out, item, get_size(array, 1));
+			}
+			idx = (item - start) / get_size(array, 1);
+		}
+	}
+	return idx;
+}
+
 void array_invoke(array_t *array, array_callback_t cb, void *user)
 {
 	if (array)
@@ -414,3 +549,17 @@ void array_destroy_offset(array_t *array, size_t offset)
 	array_invoke_offset(array, offset);
 	array_destroy(array);
 }
+
+void arrays_init()
+{
+#ifndef HAVE_QSORT_R
+	sort_data =  thread_value_create(NULL);
+#endif
+}
+
+void arrays_deinit()
+{
+#ifndef HAVE_QSORT_R
+	sort_data->destroy(sort_data);
+#endif
+}
diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h
index 0dc7b2250..ce702ebfa 100644
--- a/src/libstrongswan/collections/array.h
+++ b/src/libstrongswan/collections/array.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -87,7 +90,7 @@ void array_compress(array_t *array);
  * The enumerater enumerates directly over the array element (pass a pointer to
  * element types), unless the array is pointer based. If zero is passed as
  * element size during construction, the enumerator enumerates over the
- * deferenced pointer values.
+ * dereferenced pointer values.
  *
  * @param array			array to create enumerator for, or NULL
  * @return				enumerator, over elements or pointers
@@ -140,6 +143,18 @@ void array_insert_create(array_t **array, int idx, void *ptr);
 void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator);
 
 /**
+ * Get an element from the array.
+ *
+ * If data is given, the element is copied to that position.
+ *
+ * @param array			array to get element from, or NULL
+ * @param idx			index of the item to get
+ * @param data			data to copy element to, or NULL
+ * @return				TRUE if idx valid and item returned
+ */
+bool array_get(array_t *array, int idx, void *data);
+
+/**
  * Remove an element from the array.
  *
  * If data is given, the element is copied to that position.
@@ -152,6 +167,50 @@ void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator);
 bool array_remove(array_t *array, int idx, void *data);
 
 /**
+ * Sort the array.
+ *
+ * The comparison function must return an integer less than, equal to, or
+ * greater than zero if the first argument is considered to be respectively less
+ * than, equal to, or greater than the second.  If two elements compare as
+ * equal, their order in the sorted array is undefined.
+ *
+ * The comparison function receives pointers to the array elements (esize != 0)
+ * or the actual pointers (esize = 0). The third argument is the user data
+ * supplied to this function.
+ *
+ * @param array			array to sort, or NULL
+ * @param cmp			comparison function
+ * @param user			user data to pass to comparison function
+ */
+void array_sort(array_t *array, int (*cmp)(const void*,const void*,void*),
+				void *user);
+
+/**
+ * Binary search of a sorted array.
+ *
+ * The array should be sorted in ascending order according to the given
+ * comparison function.
+ *
+ * The comparison function must return an integer less than, equal to, or
+ * greater than zero if the first argument (the key) is considered to be
+ * respectively less than, equal to, or greater than the second.
+ *
+ * If there are multiple elements that match the key it is not specified which
+ * element is returned.
+ *
+ * The comparison function receives the key object and a pointer to an array
+ * element (esize != 0) or an actual pointer (esize = 0).
+ *
+ * @param array			array to search, or NULL
+ * @param key			key to search for
+ * @param cmp			comparison function
+ * @param data			data to copy element to, or NULL
+ * @return				index of the element if found, -1 if not
+ */
+int array_bsearch(array_t *array, const void *key,
+				  int (*cmp)(const void*,const void*), void *data);
+
+/**
  * Invoke a callback for all array members.
  *
  * @param array			array to traverse, or NULL
@@ -192,4 +251,16 @@ void array_destroy_function(array_t *array, array_callback_t cb, void *user);
  */
 void array_destroy_offset(array_t *array, size_t offset);
 
+
+/**
+ * Required on some platforms to initialize thread local value to implement
+ * array_sort().
+ */
+void arrays_init();
+
+/**
+ * Destroys the thread local value if required.
+ */
+void arrays_deinit();
+
 #endif /** ARRAY_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index de19c8d96..3ec0714b6 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -1349,7 +1349,7 @@ credential_manager_t *credential_manager_create()
 
 	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
 	this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
-	if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE))
+	if (lib->settings->get_bool(lib->settings, "%s.cert_cache", TRUE, lib->ns))
 	{
 		this->cache = cert_cache_create();
 		this->sets->insert_first(this->sets, this->cache);
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index edcabfe58..dba3f6f6d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -967,11 +967,11 @@ crypto_factory_t *crypto_factory_create()
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.tester = crypto_tester_create(),
 		.test_on_add = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.on_add", FALSE),
+								"%s.crypto_test.on_add", FALSE, lib->ns),
 		.test_on_create = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.on_create", FALSE),
+								"%s.crypto_test.on_create", FALSE, lib->ns),
 		.bench = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.bench", FALSE),
+								"%s.crypto_test.bench", FALSE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 5a0dccced..30724b16d 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -1207,13 +1207,13 @@ crypto_tester_t *crypto_tester_create()
 		.rng = linked_list_create(),
 
 		.required = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.required", FALSE),
+								"%s.crypto_test.required", FALSE, lib->ns),
 		.rng_true = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.rng_true", FALSE),
+								"%s.crypto_test.rng_true", FALSE, lib->ns),
 		.bench_time = lib->settings->get_int(lib->settings,
-								"libstrongswan.crypto_test.bench_time", 50),
+								"%s.crypto_test.bench_time", 50, lib->ns),
 		.bench_size = lib->settings->get_int(lib->settings,
-								"libstrongswan.crypto_test.bench_size", 1024),
+								"%s.crypto_test.bench_size", 1024, lib->ns),
 	);
 
 	/* enforce a block size of 16, should be fine for all algorithms */
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 3d319d2d4..5c1d08de2 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -45,7 +45,12 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
 ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
 	"MODP_NULL",
 	"MODP_CUSTOM");
-ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
+	"NTRU_112",
+	"NTRU_128",
+	"NTRU_192",
+	"NTRU_256");
+ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
 
 
 /**
@@ -439,7 +444,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
 			{
 				if (!dh_params[i].public.subgroup.len &&
 					lib->settings->get_int(lib->settings,
-								"libstrongswan.dh_exponent_ansi_x9_42", TRUE))
+									"%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
 				{
 					dh_params[i].public.exp_len = dh_params[i].public.prime.len;
 				}
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index edf6bbd6d..00d700314 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -64,6 +64,11 @@ enum diffie_hellman_group_t {
 	MODP_NULL = 1024,
 	/** MODP group with custom generator/prime */
 	MODP_CUSTOM = 1025,
+	/** Parameters defined by IEEE 1363.1, in PRIVATE USE */
+	NTRU_112_BIT = 1030,
+	NTRU_128_BIT = 1031,
+	NTRU_192_BIT = 1032,
+	NTRU_256_BIT = 1033
 };
 
 /**
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 4db504eb0..bbb97d088 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -56,6 +56,11 @@ struct private_proposal_keywords_t {
 	linked_list_t * tokens;
 
 	/**
+	 * registered algname parsers, as proposal_algname_parser_t
+	 */
+	linked_list_t *parsers;
+
+	/**
 	 * rwlock to lock access to modules
 	 */
 	rwlock_t *lock;
@@ -85,11 +90,46 @@ static const proposal_token_t* find_token(private_proposal_keywords_t *this,
 	return found;
 }
 
+/**
+ * Parse the given algorithm into a token with user defined parser functions.
+ */
+static const proposal_token_t* parse_token(private_proposal_keywords_t *this,
+										   const char *str)
+{
+	proposal_algname_parser_t parser;
+	enumerator_t *enumerator;
+	proposal_token_t *found = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->parsers->create_enumerator(this->parsers);
+	while (enumerator->enumerate(enumerator, &parser))
+	{
+		found = parser(str);
+		if (found)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return found;
+}
+
 METHOD(proposal_keywords_t, get_token, const proposal_token_t*,
 	private_proposal_keywords_t *this, const char *str)
 {
-	const proposal_token_t *token = proposal_get_token_static(str, strlen(str));
-	return token ?: find_token(this, str);
+	const proposal_token_t *token;
+
+	token = proposal_get_token_static(str, strlen(str));
+	if (!token)
+	{
+		token = find_token(this, str);
+	}
+	if (!token)
+	{
+		token = parse_token(this, str);
+	}
+	return token;
 }
 
 METHOD(proposal_keywords_t, register_token, void,
@@ -110,6 +150,14 @@ METHOD(proposal_keywords_t, register_token, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(proposal_keywords_t, register_algname_parser, void,
+	private_proposal_keywords_t *this, proposal_algname_parser_t parser)
+{
+	this->lock->write_lock(this->lock);
+	this->tokens->insert_first(this->parsers, parser);
+	this->lock->unlock(this->lock);
+}
+
 METHOD(proposal_keywords_t, destroy, void,
 	private_proposal_keywords_t *this)
 {
@@ -121,6 +169,7 @@ METHOD(proposal_keywords_t, destroy, void,
 		free(token);
 	}
 	this->tokens->destroy(this->tokens);
+	this->parsers->destroy(this->parsers);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -136,9 +185,11 @@ proposal_keywords_t *proposal_keywords_create()
 		.public = {
 			.get_token = _get_token,
 			.register_token = _register_token,
+			.register_algname_parser = _register_algname_parser,
 			.destroy = _destroy,
 		},
 		.tokens = linked_list_create(),
+		.parsers = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
index d6107abc0..5cdbafc51 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -46,6 +46,8 @@
 typedef struct proposal_token_t proposal_token_t;
 typedef struct proposal_keywords_t proposal_keywords_t;
 
+typedef proposal_token_t*(*proposal_algname_parser_t)(const char *algname);
+
 #include <library.h>
 #include <crypto/transform.h>
 
@@ -102,6 +104,17 @@ struct proposal_keywords_t {
 						   u_int16_t keysize);
 
 	/**
+	 * Register an algorithm name parser.
+	 *
+	 * It is meant to parse an algorithm name into a proposal token in a
+	 * generic, user defined way.
+	 *
+	 * @param parser	a pointer to the parser function
+	 */
+	void (*register_algname_parser)(proposal_keywords_t *this,
+									proposal_algname_parser_t parser);
+
+	/**
 	 * Destroy a proposal_keywords_t instance.
 	 */
 	void (*destroy)(proposal_keywords_t *this);
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index a238f640e..1da1421f4 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -1,6 +1,6 @@
 /* C code produced by gperf version 3.0.4 */
 /* Command-line: /usr/bin/gperf -N proposal_get_token_static -m 10 -C -G -c -t -D  */
-/* Computed positions: -k'1,5,7,10,15,$' */
+/* Computed positions: -k'1,5-7,10,15,$' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
       && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -31,8 +31,8 @@ error "gperf generated tables don't work with this execution character set. Plea
 
 
 /*
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+ * Copyright (C) 2009-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil, Switzerland
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -59,12 +59,12 @@ struct proposal_token {
 	u_int16_t         keysize;
 };
 
-#define TOTAL_KEYWORDS 134
+#define TOTAL_KEYWORDS 138
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 4
-#define MAX_HASH_VALUE 215
-/* maximum key range = 212, duplicates = 0 */
+#define MIN_HASH_VALUE 20
+#define MAX_HASH_VALUE 295
+/* maximum key range = 276, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -78,34 +78,34 @@ hash (str, len)
      register const char *str;
      register unsigned int len;
 {
-  static const unsigned char asso_values[] =
+  static const unsigned short asso_values[] =
     {
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216,   0,   4,
-        1,  21,  15,  13,   9,  16,   2,   0, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216,  76, 216,   2,  28,  16,
-        0,  39, 112,  42,  31,   0, 216, 216,   0,   9,
-      100,   0,   7,  20,  95,  12,  44,  55, 216, 216,
-        1, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296,  47,   6,
+       15,   8,  64,  24,  12,  14,   7,   5, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 120, 296,   9,   5,  22,
+       48, 114,  28,  76,   6,   5, 296, 296,   5,  20,
+        7,  14,  82,   7,  81,  98,  10,  86, 296, 296,
+        5, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+      296, 296, 296, 296, 296, 296, 296
     };
   register int hval = len;
 
@@ -127,6 +127,8 @@ hash (str, len)
         hval += asso_values[(unsigned char)str[6]];
       /*FALLTHROUGH*/
       case 6:
+        hval += asso_values[(unsigned char)str[5]];
+      /*FALLTHROUGH*/
       case 5:
         hval += asso_values[(unsigned char)str[4]];
       /*FALLTHROUGH*/
@@ -142,166 +144,178 @@ hash (str, len)
 
 static const struct proposal_token wordlist[] =
   {
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
-    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
-    {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
-    {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
-    {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
-    {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
-    {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
-    {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
-    {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
-    {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
-    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
-    {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
-    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
-    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
+    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
+    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
     {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"ntru128",          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0},
+    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
     {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"ntru192",          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0},
+    {"ntru112",          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
+    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
     {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
-    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
+    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
+    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"ntru256",          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0},
+    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
     {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
     {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
+    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
     {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
+    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
+    {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
+    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
+    {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
+    {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
     {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
+    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
-    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
+    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
+    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
     {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
-    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
-    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
-    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
+    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
     {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
     {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
-    {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
-    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
-    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0},
-    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
-    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
-    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"ecp256bp",         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0},
+    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
     {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
-    {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
+    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
     {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
     {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
-    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
     {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
-    {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
+    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"ecp384bp",         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0},
-    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
-    {"ecp256bp",         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0},
+    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
     {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
-    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0}
+    {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
+    {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
+    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0}
   };
 
 static const short lookup[] =
   {
-     -1,  -1,  -1,  -1,   0,  -1,  -1,  -1,  -1,  -1,
-      1,  -1,   2,  -1,   3,   4,  -1,  -1,  -1,   5,
-      6,   7,   8,   9,  10,  11,  12,  -1,  -1,  13,
-     14,  15,  16,  17,  18,  19,  20,  21,  22,  23,
-     24,  25,  26,  27,  28,  -1,  -1,  -1,  -1,  29,
-     -1,  -1,  30,  31,  32,  33,  34,  -1,  35,  36,
-     37,  38,  39,  40,  41,  42,  43,  44,  45,  46,
-     47,  48,  49,  50,  51,  52,  53,  54,  -1,  55,
-     56,  57,  -1,  58,  59,  60,  61,  62,  63,  64,
-     65,  66,  67,  -1,  68,  69,  70,  71,  72,  73,
-     74,  75,  76,  77,  -1,  78,  79,  80,  81,  82,
-     83,  84,  85,  86,  87,  88,  89,  90,  91,  92,
-     -1,  93,  94,  95,  96,  97,  98,  99, 100,  -1,
-     -1,  -1, 101, 102, 103, 104,  -1, 105, 106, 107,
-    108, 109, 110,  -1, 111, 112, 113, 114, 115, 116,
-    117, 118, 119, 120, 121, 122, 123, 124,  -1, 125,
-     -1, 126,  -1,  -1,  -1,  -1,  -1,  -1, 127,  -1,
-     -1,  -1,  -1, 128,  -1,  -1,  -1,  -1, 129, 130,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1, 131,  -1,  -1, 132,  -1,
-     -1,  -1,  -1,  -1,  -1, 133
+      0,  -1,   1,   2,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,   3,   4,  -1,  -1,  -1,   5,  -1,
+      6,   7,  -1,  -1,  -1,  -1,   8,  -1,   9,  10,
+     -1,  -1,  11,  -1,  12,  -1,  13,  -1,  14,  15,
+     -1,  16,  17,  18,  19,  20,  -1,  -1,  -1,  21,
+     22,  23,  24,  25,  26,  27,  28,  29,  30,  31,
+     32,  33,  34,  35,  36,  37,  -1,  38,  39,  -1,
+     40,  41,  42,  -1,  43,  44,  45,  46,  47,  48,
+     -1,  49,  50,  51,  -1,  52,  53,  54,  55,  56,
+     57,  58,  59,  -1,  -1,  60,  61,  62,  63,  64,
+     65,  66,  -1,  -1,  67,  68,  69,  70,  71,  72,
+     73,  74,  75,  76,  77,  78,  79,  80,  -1,  81,
+     82,  83,  84,  85,  86,  87,  88,  89,  90,  91,
+     92,  93,  -1,  94,  -1,  95,  -1,  96,  97,  98,
+     99, 100,  -1, 101,  -1, 102, 103, 104,  -1, 105,
+    106, 107, 108, 109,  -1, 110,  -1, 111,  -1, 112,
+     -1, 113, 114, 115, 116,  -1, 117, 118, 119, 120,
+    121,  -1,  -1,  -1, 122,  -1,  -1, 123,  -1,  -1,
+    124,  -1, 125, 126, 127,  -1,  -1,  -1, 128,  -1,
+     -1,  -1,  -1,  -1, 129, 130,  -1, 131,  -1, 132,
+     -1,  -1,  -1,  -1, 133,  -1,  -1,  -1,  -1, 134,
+     -1,  -1,  -1,  -1,  -1, 135,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 136,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 137
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index c484320ca..70e79157a 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -1,7 +1,7 @@
 %{
 /*
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+ * Copyright (C) 2009-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil, Switzerland
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -161,5 +161,9 @@ ecp224bp,         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0
 ecp256bp,         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0
 ecp384bp,         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0
 ecp512bp,         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0
+ntru112,          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0
+ntru128,          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0
+ntru192,          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0
+ntru256,          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0
 noesn,            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0
 esn,              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 21cd1aff4..2fad486e0 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -43,7 +43,7 @@ struct private_fetcher_manager_t {
 };
 
 typedef struct {
-	/** assocaited fetcher construction function */
+	/** associated fetcher construction function */
 	fetcher_constructor_t create;
 	/** URL this fetcher support */
 	char *url;
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index f2fa3e0aa..8472c30a5 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -22,6 +22,7 @@
 #include <threading/thread.h>
 #include <utils/identification.h>
 #include <networking/host.h>
+#include <collections/array.h>
 #include <collections/hashtable.h>
 #include <utils/backtrace.h>
 #include <selectors/traffic_selector.h>
@@ -61,6 +62,39 @@ struct private_library_t {
  */
 library_t *lib = NULL;
 
+#ifdef LEAK_DETECTIVE
+/**
+ * Default leak report callback
+ */
+static void report_leaks(void *user, int count, size_t bytes,
+						 backtrace_t *bt, bool detailed)
+{
+	fprintf(stderr, "%zu bytes total, %d allocations, %zu bytes average:\n",
+			bytes, count, bytes / count);
+	bt->log(bt, stderr, detailed);
+}
+
+/**
+ * Default leak report summary callback
+ */
+static void sum_leaks(void* user, int count, size_t bytes, int whitelisted)
+{
+	switch (count)
+	{
+		case 0:
+			fprintf(stderr, "No leaks detected");
+			break;
+		case 1:
+			fprintf(stderr, "One leak detected");
+			break;
+		default:
+			fprintf(stderr, "%d leaks detected, %zu bytes", count, bytes);
+			break;
+	}
+	fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
+}
+#endif /* LEAK_DETECTIVE */
+
 /**
  * Deinitialize library
  */
@@ -75,7 +109,7 @@ void library_deinit()
 	}
 
 	detailed = lib->settings->get_bool(lib->settings,
-								"libstrongswan.leak_detective.detailed", TRUE);
+								"%s.leak_detective.detailed", TRUE, lib->ns);
 
 	/* make sure the cache is clear before unloading plugins */
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
@@ -109,9 +143,11 @@ void library_deinit()
 		lib->leak_detective->destroy(lib->leak_detective);
 	}
 
+	arrays_deinit();
 	threads_deinit();
 	backtrace_deinit();
 
+	free((void*)this->public.ns);
 	free(this);
 	lib = NULL;
 }
@@ -201,7 +237,7 @@ static bool check_memwipe()
 /*
  * see header file
  */
-bool library_init(char *settings)
+bool library_init(char *settings, const char *namespace)
 {
 	private_library_t *this;
 	printf_hook_t *pfh;
@@ -217,6 +253,7 @@ bool library_init(char *settings)
 		.public = {
 			.get = _get,
 			.set = _set,
+			.ns = strdup(namespace ?: "libstrongswan"),
 		},
 		.ref = 1,
 	);
@@ -224,9 +261,12 @@ bool library_init(char *settings)
 
 	backtrace_init();
 	threads_init();
+	arrays_init();
 
 #ifdef LEAK_DETECTIVE
 	lib->leak_detective = leak_detective_create();
+	lib->leak_detective->set_report_cb(lib->leak_detective,
+									   report_leaks, sum_leaks, NULL);
 #endif /* LEAK_DETECTIVE */
 
 	pfh = printf_hook_create();
@@ -256,6 +296,9 @@ bool library_init(char *settings)
 	this->objects = hashtable_create((hashtable_hash_t)hash,
 									 (hashtable_equals_t)equals, 4);
 	this->public.settings = settings_create(settings);
+	/* all namespace settings may fall back to libstrongswan */
+	lib->settings->add_fallback(lib->settings, lib->ns, "libstrongswan");
+
 	this->public.hosts = host_resolver_create();
 	this->public.proposal = proposal_keywords_create();
 	this->public.caps = capabilities_create();
@@ -278,7 +321,7 @@ bool library_init(char *settings)
 	}
 
 	if (lib->settings->get_bool(lib->settings,
-								"libstrongswan.integrity_test", FALSE))
+								"%s.integrity_test", FALSE, lib->ns))
 	{
 #ifdef INTEGRITY_TEST
 		this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index e53cf09e2..4125328b7 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -140,6 +141,12 @@ struct library_t {
 	bool (*set)(library_t *this, char *name, void *object);
 
 	/**
+	 * Namespace used for settings etc. (i.e. the name of the binary that uses
+	 * the library)
+	 */
+	const char *ns;
+
+	/**
 	 * Printf hook registering facility
 	 */
 	printf_hook_t *printf_hook;
@@ -239,12 +246,17 @@ struct library_t {
  * Initialize library, creates "lib" instance.
  *
  * library_init() may be called multiple times in a single process, but each
- * caller should call library_deinit() for each call to library_init().
+ * caller must call library_deinit() for each call to library_init().
+ *
+ * The settings and namespace arguments are only used on the first call.
  *
  * @param settings		file to read settings from, may be NULL for default
+ * @param namespace		name of the binary that uses the library, determines
+ *						the first section name when reading config options.
+ *						Defaults to libstrongswan if NULL.
  * @return				FALSE if integrity check failed
  */
-bool library_init(char *settings);
+bool library_init(char *settings, const char *namespace);
 
 /**
  * Deinitialize library, destroys "lib" instance.
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
index 99a17d17c..10af11a7f 100644
--- a/src/libstrongswan/networking/host_resolver.c
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -355,11 +355,11 @@ host_resolver_t *host_resolver_create()
 	);
 
 	this->min_threads = max(0, lib->settings->get_int(lib->settings,
-									"libstrongswan.host_resolver.min_threads",
-									 MIN_THREADS_DEFAULT));
+												"%s.host_resolver.min_threads",
+												MIN_THREADS_DEFAULT, lib->ns));
 	this->max_threads = max(this->min_threads ?: 1,
 							lib->settings->get_int(lib->settings,
-									"libstrongswan.host_resolver.max_threads",
-									 MAX_THREADS_DEFAULT));
+												"%s.host_resolver.max_threads",
+												MAX_THREADS_DEFAULT, lib->ns));
 	return &this->public;
 }
diff --git a/src/libstrongswan/networking/streams/stream.c b/src/libstrongswan/networking/streams/stream.c
index 8ecb89fc9..f6fec0b4a 100644
--- a/src/libstrongswan/networking/streams/stream.c
+++ b/src/libstrongswan/networking/streams/stream.c
@@ -159,17 +159,6 @@ METHOD(stream_t, write_all, bool,
 }
 
 /**
- * Remove a registered watcher
- */
-static void remove_watcher(private_stream_t *this)
-{
-	if (this->read_cb || this->write_cb)
-	{
-		lib->watcher->remove(lib->watcher, this->fd);
-	}
-}
-
-/**
  * Watcher callback
  */
 static bool watch(private_stream_t *this, int fd, watcher_event_t event)
@@ -228,7 +217,7 @@ static void add_watcher(private_stream_t *this)
 METHOD(stream_t, on_read, void,
 	private_stream_t *this, stream_cb_t cb, void *data)
 {
-	remove_watcher(this);
+	lib->watcher->remove(lib->watcher, this->fd);
 
 	this->read_cb = cb;
 	this->read_data = data;
@@ -239,7 +228,7 @@ METHOD(stream_t, on_read, void,
 METHOD(stream_t, on_write, void,
 	private_stream_t *this, stream_cb_t cb, void *data)
 {
-	remove_watcher(this);
+	lib->watcher->remove(lib->watcher, this->fd);
 
 	this->write_cb = cb;
 	this->write_data = data;
@@ -270,7 +259,7 @@ METHOD(stream_t, get_file, FILE*,
 METHOD(stream_t, destroy, void,
 	private_stream_t *this)
 {
-	remove_watcher(this);
+	lib->watcher->remove(lib->watcher, this->fd);
 	close(this->fd);
 	free(this);
 }
diff --git a/src/libstrongswan/networking/streams/stream.h b/src/libstrongswan/networking/streams/stream.h
index 810514da9..3516d9186 100644
--- a/src/libstrongswan/networking/streams/stream.h
+++ b/src/libstrongswan/networking/streams/stream.h
@@ -39,9 +39,8 @@ typedef stream_t*(*stream_constructor_t)(char *uri);
 /**
  * Callback function prototype, called when stream is ready.
  *
- * It is allowed to destroy the stream during the callback, but only if it has
- * no other active on_read()/on_write() callback and returns FALSE. It is not
- * allowed to to call on_read()/on_write/() during the callback.
+ * It is not allowed to destroy the stream nor to call on_read()/on_write/()
+ * during the callback.
  *
  * As select() may return even if a read()/write() would actually block, it is
  * recommended to use the non-blocking calls and handle return values
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
index 65268d242..ecefdc233 100644
--- a/src/libstrongswan/networking/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -27,9 +27,11 @@
 #include <unistd.h>
 #include <net/if.h>
 
+#if !defined(__APPLE__) && !defined(__linux__) && !defined(HAVE_NET_IF_TUN_H)
+
 #include "tun_device.h"
 
-#if !defined(__APPLE__) && !defined(__linux__) && !defined(HAVE_NET_IF_TUN_H)
+#include <utils/debug.h>
 
 #warning TUN devices are not supported!
 
@@ -46,12 +48,14 @@ tun_device_t *tun_device_create(const char *name_tmpl)
 #include <netinet/in_var.h>
 #include <sys/kern_control.h>
 #elif defined(__linux__)
+#include <linux/types.h>
 #include <linux/if_tun.h>
 #else
 #include <net/if_tun.h>
 #endif
 
-#include <library.h>
+#include "tun_device.h"
+
 #include <utils/debug.h>
 #include <threading/thread.h>
 
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
index 1d330f133..543125beb 100644
--- a/src/libstrongswan/networking/tun_device.h
+++ b/src/libstrongswan/networking/tun_device.h
@@ -23,7 +23,6 @@
 #ifndef TUN_DEVICE_H_
 #define TUN_DEVICE_H_
 
-#include <library.h>
 #include <networking/host.h>
 
 typedef struct tun_device_t tun_device_t;
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 5ae5537ad..9e91e8671 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index cdecc5b06..4ea1e8f36 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index b840d0e03..150e8d4d4 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 322ded48c..dc6adc457 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
 {
 	private_agent_plugin_t *this;
 
+	/* required to connect to ssh-agent socket */
+	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+	{
+		DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
@@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 8a3fb150a..c2e82a9f1 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 	}
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 8b2f7431f..f13a96421 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 486af34ed..ed3f05681 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index b8fe6de06..620d8359f 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 1f791208e..060287d1c 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 3d4f71176..ff34435a2 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index f6625dd48..a756a0a7e 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index a8cca98da..644f27709 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -80,7 +80,7 @@ static size_t curl_cb(void *ptr, size_t size, size_t nmemb, cb_data_t *data)
 METHOD(fetcher_t, fetch, status_t,
 	private_curl_fetcher_t *this, char *uri, void *userdata)
 {
-	char error[CURL_ERROR_SIZE];
+	char error[CURL_ERROR_SIZE], *enc_uri;
 	status_t status;
 	cb_data_t data = {
 		.cb = this->cb,
@@ -92,9 +92,14 @@ METHOD(fetcher_t, fetch, status_t,
 		*(chunk_t*)userdata = chunk_empty;
 	}
 
-	if (curl_easy_setopt(this->curl, CURLOPT_URL, uri) != CURLE_OK)
+	/* the URI has to be URL-encoded, we only replace spaces as replacing other
+	 * characters (e.g. '/' or ':') would render the URI invalid */
+	enc_uri = strreplace(uri, " ", "%20");
+
+	if (curl_easy_setopt(this->curl, CURLOPT_URL, enc_uri) != CURLE_OK)
 	{	/* URL type not supported by curl */
-		return NOT_SUPPORTED;
+		status = NOT_SUPPORTED;
+		goto out;
 	}
 	curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, error);
 	curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
@@ -125,6 +130,12 @@ METHOD(fetcher_t, fetch, status_t,
 			status = FAILED;
 			break;
 	}
+
+out:
+	if (enc_uri != uri)
+	{
+		free(enc_uri);
+	}
 	return status;
 }
 
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 81e91bca0..ca79430c9 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index a012700c0..b94b644c0 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 06d9129c7..3bb540d90 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index e499ae1a0..7bce3c983 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 766340548..4ce3cf919 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 160db042b..44f3f84b1 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -194,8 +194,8 @@ plugin_t *gcrypt_plugin_create()
 
 	/* we currently do not use secure memory */
 	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
-	if (lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.gcrypt.quick_random", FALSE))
+	if (lib->settings->get_bool(lib->settings, "%s.plugins.gcrypt.quick_random",
+								FALSE, lib->ns))
 	{
 		gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
 	}
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index f12827fd5..73e0645b0 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index f1956a9d2..f5e38fa90 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 5f7291ca4..42093e413 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 35af7034a..7f14fbf8e 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 812d98628..bdd446cd3 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 082aebc51..32aac7bfa 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 2daf01c1d..a35f8051b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 408848366..25437bdb8 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am
new file mode 100644
index 000000000..b33cbc8c9
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/Makefile.am
@@ -0,0 +1,33 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic @COVERAGE_CFLAGS@
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ntru.la
+else
+plugin_LTLIBRARIES = libstrongswan-ntru.la
+endif
+
+libstrongswan_ntru_la_SOURCES = \
+	ntru_plugin.h ntru_plugin.c \
+	ntru_drbg.h ntru_drbg.c \
+	ntru_ke.h ntru_ke.c \
+	ntru_mgf1.h ntru_mgf1.c \
+	ntru_poly.h ntru_poly.c \
+	ntru_trits.h ntru_trits.c \
+	ntru_crypto/ntru_crypto.h \
+	ntru_crypto/ntru_crypto_ntru_convert.h \
+	ntru_crypto/ntru_crypto_ntru_convert.c \
+	ntru_crypto/ntru_crypto_ntru_encrypt.c \
+	ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
+	ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
+	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
+	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
+	ntru_crypto/ntru_crypto_ntru_poly.h \
+	ntru_crypto/ntru_crypto_ntru_poly.c
+
+libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
+
+
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
new file mode 100644
index 000000000..af192d203
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -0,0 +1,812 @@
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ntru
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ntru_la_LIBADD =
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_drbg.lo \
+	ntru_ke.lo ntru_mgf1.lo ntru_poly.lo ntru_trits.lo \
+	ntru_crypto/ntru_crypto_ntru_convert.lo \
+	ntru_crypto/ntru_crypto_ntru_encrypt.lo \
+	ntru_crypto/ntru_crypto_ntru_encrypt_key.lo \
+	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo \
+	ntru_crypto/ntru_crypto_ntru_poly.lo
+libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_ntru_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ntru_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ntru_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ntru_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_ntru_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ntru_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic @COVERAGE_CFLAGS@
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ntru.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ntru.la
+libstrongswan_ntru_la_SOURCES = \
+	ntru_plugin.h ntru_plugin.c \
+	ntru_drbg.h ntru_drbg.c \
+	ntru_ke.h ntru_ke.c \
+	ntru_mgf1.h ntru_mgf1.c \
+	ntru_poly.h ntru_poly.c \
+	ntru_trits.h ntru_trits.c \
+	ntru_crypto/ntru_crypto.h \
+	ntru_crypto/ntru_crypto_ntru_convert.h \
+	ntru_crypto/ntru_crypto_ntru_convert.c \
+	ntru_crypto/ntru_crypto_ntru_encrypt.c \
+	ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
+	ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
+	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
+	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
+	ntru_crypto/ntru_crypto_ntru_poly.h \
+	ntru_crypto/ntru_crypto_ntru_poly.c
+
+libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ntru/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ntru/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+ntru_crypto/$(am__dirstamp):
+	@$(MKDIR_P) ntru_crypto
+	@: > ntru_crypto/$(am__dirstamp)
+ntru_crypto/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) ntru_crypto/$(DEPDIR)
+	@: > ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_convert.lo: ntru_crypto/$(am__dirstamp) \
+	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_encrypt.lo: ntru_crypto/$(am__dirstamp) \
+	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_encrypt_key.lo:  \
+	ntru_crypto/$(am__dirstamp) \
+	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo:  \
+	ntru_crypto/$(am__dirstamp) \
+	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_poly.lo: ntru_crypto/$(am__dirstamp) \
+	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+
+libstrongswan-ntru.la: $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_DEPENDENCIES) $(EXTRA_libstrongswan_ntru_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ntru_la_LINK) $(am_libstrongswan_ntru_la_rpath) $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+	-rm -f ntru_crypto/*.$(OBJEXT)
+	-rm -f ntru_crypto/*.lo
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_trits.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_convert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_param_sets.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_poly.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+	-rm -rf ntru_crypto/.libs ntru_crypto/_libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+	-rm -f ntru_crypto/$(am__dirstamp)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
new file mode 100644
index 000000000..72f47035e
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
@@ -0,0 +1,235 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto.h
+ *
+ * Contents: Public header file for NTRUEncrypt.
+ *
+ *****************************************************************************/
+
+#ifndef NTRU_CRYPTO_H
+#define NTRU_CRYPTO_H
+
+#include <library.h>
+
+#include "ntru_drbg.h"
+
+#if !defined( NTRUCALL )
+  #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
+    // Linux, or a Win32 static library
+    #define NTRUCALL extern uint32_t
+  #elif defined (NTRUCRYPTO_EXPORTS)
+    // Win32 DLL build
+    #define NTRUCALL extern __declspec(dllexport) uint32_t
+  #else
+    // Win32 DLL import
+    #define NTRUCALL extern __declspec(dllimport) uint32_t
+  #endif
+#endif /* NTRUCALL */
+
+/* parameter set ID list */
+
+typedef enum _NTRU_ENCRYPT_PARAM_SET_ID {
+    NTRU_EES401EP1,
+    NTRU_EES449EP1,
+    NTRU_EES677EP1,
+    NTRU_EES1087EP2,
+    NTRU_EES541EP1,
+    NTRU_EES613EP1,
+    NTRU_EES887EP1,
+    NTRU_EES1171EP1,
+    NTRU_EES659EP1,
+    NTRU_EES761EP1,
+    NTRU_EES1087EP1,
+    NTRU_EES1499EP1,
+    NTRU_EES401EP2,
+    NTRU_EES439EP1,
+    NTRU_EES593EP1,
+    NTRU_EES743EP1,
+} NTRU_ENCRYPT_PARAM_SET_ID;
+
+
+/* error codes */
+
+#define NTRU_OK                     0
+#define NTRU_FAIL                   1
+#define NTRU_BAD_PARAMETER          2
+#define NTRU_BAD_LENGTH             3
+#define NTRU_BUFFER_TOO_SMALL       4
+#define NTRU_INVALID_PARAMETER_SET  5
+#define NTRU_BAD_PUBLIC_KEY         6
+#define NTRU_BAD_PRIVATE_KEY        7
+#define NTRU_OUT_OF_MEMORY          8
+#define NTRU_BAD_ENCODING           9
+#define NTRU_OID_NOT_RECOGNIZED    10
+#define NTRU_DRBG_FAIL             11
+#define NTRU_MGF1_FAIL             12
+
+/* function declarations */
+
+/* ntru_crypto_ntru_encrypt
+ *
+ * Implements NTRU encryption (SVES) for the parameter set specified in
+ * the public key blob.
+ *
+ * Before invoking this function, a DRBG must be instantiated using
+ * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
+ * instantiation the requested security strength must be at least as large
+ * as the security strength of the NTRU parameter set being used.
+ * Failure to instantiate the DRBG with the proper security strength will
+ * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
+ *
+ * The required minimum size of the output ciphertext buffer (ct) may be
+ * queried by invoking this function with ct = NULL.  In this case, no
+ * encryption is performed, NTRU_OK is returned, and the required minimum
+ * size for ct is returned in ct_len.
+ *
+ * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
+ * Upon return it is the actual size of the ciphertext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
+ *  zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
+ * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
+ *  (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ */
+
+NTRUCALL
+ntru_crypto_ntru_encrypt(
+    ntru_drbg_t     *drbg      ,     /*     in - handle for DRBG */
+    uint16_t        pubkey_blob_len, /*     in - no. of octets in public key
+                                                 blob */
+    uint8_t const  *pubkey_blob,     /*     in - pointer to public key */
+    uint16_t        pt_len,          /*     in - no. of octets in plaintext */
+    uint8_t const  *pt,              /*     in - pointer to plaintext */
+    uint16_t       *ct_len,          /* in/out - no. of octets in ct, addr for
+                                                 no. of octets in ciphertext */
+    uint8_t        *ct);             /*    out - address for ciphertext */
+
+
+/* ntru_crypto_ntru_decrypt
+ *
+ * Implements NTRU decryption (SVES) for the parameter set specified in
+ * the private key blob.
+ *
+ * The maximum size of the output plaintext may be queried by invoking
+ * this function with pt = NULL.  In this case, no decryption is performed,
+ * NTRU_OK is returned, and the maximum size the plaintext could be is
+ * returned in pt_len.
+ * Note that until the decryption is performed successfully, the actual size
+ * of the resulting plaintext cannot be known.
+ *
+ * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
+ * Upon return it is the actual size of the plaintext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
+ *  ct_len is invalid for the parameter set.
+ * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
+ *  (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if a decryption error occurs.
+ */
+
+NTRUCALL
+ntru_crypto_ntru_decrypt(
+    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
+                                                 blob */
+    uint8_t const *privkey_blob,     /*     in - pointer to private key */
+    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
+    uint8_t const *ct,               /*     in - pointer to ciphertext */
+    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
+                                                 no. of octets in plaintext */
+    uint8_t       *pt);              /*    out - address for plaintext */
+
+
+/* ntru_crypto_ntru_encrypt_keygen
+ *
+ * Implements key generation for NTRUEncrypt for the parameter set specified.
+ *
+ * Before invoking this function, a DRBG must be instantiated using
+ * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
+ * instantiation the requested security strength must be at least as large
+ * as the security strength of the NTRU parameter set being used.
+ * Failure to instantiate the DRBG with the proper security strength will
+ * result in this function returning NTRU_DRBG_FAIL.
+ *
+ * The required minimum size of the output public-key buffer (pubkey_blob)
+ * may be queried by invoking this function with pubkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
+ *
+ * The required minimum size of the output private-key buffer (privkey_blob)
+ * may be queried by invoking this function with privkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for privkey_blob is returned in privkey_blob_len.
+ *
+ * The required minimum sizes of both pubkey_blob and privkey_blob may be
+ * queried as described above, in a single invocation of this function.
+ *
+ * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
+ * *pubkey_blob_len must be the size of the pubkey_blob buffer and
+ * *privkey_blob_len must be the size of the privkey_blob buffer.
+ * Upon return, *pubkey_blob_len is the actual size of the public-key blob
+ * and *privkey_blob_len is the actual size of the private-key blob.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob
+ * or privkey_blob) is NULL.
+ * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
+ * Returns NTRU_BAD_LENGTH if a length argument is invalid.
+ * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
+ *  privkey_blob buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
+ *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
+ *  Should this occur, this function should simply be invoked again.
+ */
+
+NTRUCALL
+ntru_crypto_ntru_encrypt_keygen(
+    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
+    NTRU_ENCRYPT_PARAM_SET_ID  param_set_id,     /*     in - parameter set ID */
+    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
+                                                             pubkey_blob, addr
+                                                             for no. of octets
+                                                             in pubkey_blob */
+    uint8_t                   *pubkey_blob,      /*    out - address for
+                                                             public key blob */
+    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
+                                                             privkey_blob, addr
+                                                             for no. of octets
+                                                             in privkey_blob */
+    uint8_t                   *privkey_blob);    /*    out - address for
+                                                             private key blob */
+#endif /* NTRU_CRYPTO_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
new file mode 100644
index 000000000..3d6dfde41
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
@@ -0,0 +1,581 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_convert.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_convert.c
+ *
+ * Contents: Conversion routines for NTRUEncrypt, including packing, unpacking,
+ *           and others.
+ *
+ *****************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "ntru_crypto_ntru_convert.h"
+
+
+/* 3-bit to 2-trit conversion tables: 2 represents -1 */
+
+static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2};
+static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1};
+
+
+/* ntru_bits_2_trits
+ *
+ * Each 3 bits in an array of octets is converted to 2 trits in an array
+ * of trits.
+ *
+ * The octet array may overlap the end of the trit array.
+ */
+
+void
+ntru_bits_2_trits(
+    uint8_t const *octets,          /*  in - pointer to array of octets */
+    uint16_t       num_trits,       /*  in - number of trits to produce */
+    uint8_t       *trits)           /* out - address for array of trits */
+{
+    uint32_t bits24;
+    uint32_t bits3;
+    uint32_t shift;
+
+    assert(octets);
+    assert(trits);
+
+    while (num_trits >= 16) {
+
+        /* get next three octets */
+
+        bits24  = ((uint32_t)(*octets++)) << 16;
+        bits24 |= ((uint32_t)(*octets++)) <<  8;
+        bits24 |=  (uint32_t)(*octets++);
+
+        /* for each 3 bits in the three octets, output 2 trits */
+
+        bits3 = (bits24 >> 21) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = (bits24 >> 18) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = (bits24 >> 15) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = (bits24 >> 12) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = (bits24 >>  9) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = (bits24 >>  6) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = (bits24 >>  3) & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        bits3 = bits24 & 0x7;
+        *trits++ = bits_2_trit1[bits3];
+        *trits++ = bits_2_trit2[bits3];
+
+        num_trits -= 16;
+    }
+    if (num_trits == 0)
+        return;
+
+    /* get three octets */
+
+    bits24  = ((uint32_t)(*octets++)) << 16;
+    bits24 |= ((uint32_t)(*octets++)) <<  8;
+    bits24 |=  (uint32_t)(*octets++);
+
+    shift = 21;
+    while (num_trits) {
+
+        /* for each 3 bits in the three octets, output up to 2 trits
+         * until all trits needed are produced
+         */
+
+        bits3 = (bits24 >> shift) & 0x7;
+        shift -= 3;
+        *trits++ = bits_2_trit1[bits3];
+        if (--num_trits) {
+            *trits++ = bits_2_trit2[bits3];
+            --num_trits;
+        }
+    }
+}
+
+
+/* ntru_trits_2_bits
+ *
+ * Each 2 trits in an array of trits is converted to 3 bits, and the bits
+ * are packed in an array of octets.  A multiple of 3 octets is output.
+ * Any bits in the final octets not derived from trits are zero.
+ *
+ * Returns TRUE if all trits were valid.
+ * Returns FALSE if invalid trits were found.
+ */
+
+bool
+ntru_trits_2_bits(
+    uint8_t const *trits,           /*  in - pointer to array of trits */
+    uint32_t       num_trits,       /*  in - number of trits to convert */
+    uint8_t       *octets)          /* out - address for array of octets */
+{
+    bool     all_trits_valid = TRUE;
+    uint32_t bits24;
+    uint32_t bits3;
+    uint32_t shift;
+
+    assert(octets);
+    assert(trits);
+
+    while (num_trits >= 16) {
+
+        /* convert each 2 trits to 3 bits and pack */
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 = (bits3 << 21);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 << 18);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 << 15);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 << 12);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 <<  9);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 <<  6);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 <<  3);
+
+        bits3  = *trits++ * 3;
+        bits3 += *trits++;
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= bits3;
+
+        num_trits -= 16;
+
+        /* output three octets */
+
+        *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+        *octets++ = (uint8_t)((bits24 >>  8) & 0xff);
+        *octets++ = (uint8_t)(bits24 & 0xff);
+    }
+
+    bits24 = 0;
+    shift = 21;
+    while (num_trits) {
+
+        /* convert each 2 trits to 3 bits and pack */
+
+        bits3 = *trits++ * 3;
+        if (--num_trits) {
+            bits3 += *trits++;
+            --num_trits;
+        }
+        if (bits3 > 7) {
+            bits3 = 7;
+            all_trits_valid = FALSE;
+        }
+        bits24 |= (bits3 << shift);
+        shift -= 3;
+    }
+
+    /* output three octets */
+
+    *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+    *octets++ = (uint8_t)((bits24 >>  8) & 0xff);
+    *octets++ = (uint8_t)(bits24 & 0xff);
+
+    return all_trits_valid;
+}
+
+
+/* ntru_coeffs_mod4_2_octets
+ *
+ * Takes an array of ring element coefficients mod 4 and packs the
+ * results into an octet string.
+ */
+
+void
+ntru_coeffs_mod4_2_octets(
+    uint16_t        num_coeffs,     /*  in - number of coefficients */
+    uint16_t const *coeffs,         /*  in - pointer to coefficients */
+    uint8_t        *octets)         /* out - address for octets */
+{
+    uint8_t  bits2;
+    int      shift;
+    uint16_t i;
+
+    assert(coeffs);
+    assert(octets);
+
+    *octets = 0;
+    shift = 6;
+    for (i = 0; i < num_coeffs; i++) {
+        bits2 = (uint8_t)(coeffs[i] & 0x3);
+        *octets |= bits2 << shift;
+        shift -= 2;
+        if (shift < 0) {
+            ++octets;
+            *octets = 0;
+            shift = 6;
+        }
+    }
+}
+
+
+/* ntru_trits_2_octet
+ *
+ * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
+ */
+
+void
+ntru_trits_2_octet(
+    uint8_t const *trits,           /*  in - pointer to trits */
+    uint8_t *octet)                 /* out - address for octet */
+{
+    int i;
+
+    assert(trits);
+    assert(octet);
+
+    *octet = 0;
+    for (i = 4; i >= 0; i--) {
+        *octet = (*octet * 3) + trits[i];
+    }
+}
+
+
+/* ntru_octet_2_trits
+ *
+ * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
+ */
+
+void
+ntru_octet_2_trits(
+    uint8_t  octet,                 /*  in - octet to be unpacked */
+    uint8_t *trits)                 /* out - address for trits */
+{
+    int i;
+
+    assert(trits);
+
+    for (i = 0; i < 5; i++) {
+        trits[i] = octet % 3;
+        octet = (octet - trits[i]) / 3;
+    }
+}
+
+
+/* ntru_indices_2_trits
+ *
+ * Converts a list of the nonzero indices of a polynomial into an array of
+ * trits.
+ */
+
+void
+ntru_indices_2_trits(
+    uint16_t        in_len,         /*  in - no. of indices */
+    uint16_t const *in,             /*  in - pointer to list of indices */
+    bool            plus1,          /*  in - if list is +1 cofficients */
+    uint8_t        *out)            /* out - address of output polynomial */
+{
+    uint8_t     trit = plus1 ? 1 : 2;
+    uint16_t    i;
+
+    assert(in);
+    assert(out);
+
+    for (i = 0; i < in_len; i++) {
+        out[in[i]] = trit;
+    }
+}
+
+
+/* ntru_packed_trits_2_indices
+ *
+ * Unpacks an array of N trits and creates a list of array indices 
+ * corresponding to trits = +1, and list of array indices corresponding to
+ * trits = -1.
+ */
+
+void
+ntru_packed_trits_2_indices(
+    uint8_t const *in,              /*  in - pointer to packed-trit octets */
+    uint16_t       num_trits,       /*  in - no. of packed trits */
+    uint16_t      *indices_plus1,   /* out - address for indices of +1 trits */
+    uint16_t      *indices_minus1)  /* out - address for indices of -1 trits */
+{
+    uint8_t  trits[5];
+    uint16_t i = 0;
+    int      j;
+
+    assert(in);
+    assert(indices_plus1);
+    assert(indices_minus1);
+
+    while (num_trits >= 5) {
+        ntru_octet_2_trits(*in++, trits);
+        num_trits -= 5;
+        for (j = 0; j < 5; j++, i++) {
+            if (trits[j] == 1) {
+                *indices_plus1 = i;
+                ++indices_plus1;
+            } else if (trits[j] == 2) {
+                *indices_minus1 = i;
+                ++indices_minus1;
+            }
+        }
+    }
+    if (num_trits) {
+        ntru_octet_2_trits(*in, trits);
+        for (j = 0; num_trits && (j < 5); j++, i++) {
+            if (trits[j] == 1) {
+                *indices_plus1 = i;
+                ++indices_plus1;
+            } else if (trits[j] == 2) {
+                *indices_minus1 = i;
+                ++indices_minus1;
+            }
+            --num_trits;
+        }
+    }
+}
+
+
+/* ntru_indices_2_packed_trits
+ *
+ * Takes a list of array indices corresponding to elements whose values
+ * are +1 or -1, and packs the N-element array of trits described by these
+ * lists into octets, 5 trits per octet.
+ */
+
+void
+ntru_indices_2_packed_trits(
+    uint16_t const *indices,        /*  in - pointer to indices */
+    uint16_t        num_plus1,      /*  in - no. of indices for +1 trits */
+    uint16_t        num_minus1,     /*  in - no. of indices for -1 trits */
+    uint16_t        num_trits,      /*  in - N, no. of trits in array */
+    uint8_t        *buf,            /*  in - temp buf, N octets */
+    uint8_t        *out)            /* out - address for packed octets */
+{
+    assert(indices);
+    assert(buf);
+    assert(out);
+
+    /* convert indices to an array of trits */
+
+    memset(buf, 0, num_trits);
+    ntru_indices_2_trits(num_plus1, indices, TRUE, buf);
+    ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf);
+
+    /* pack the array of trits */
+
+    while (num_trits >= 5) {
+        ntru_trits_2_octet(buf, out);
+        num_trits -= 5;
+        buf += 5;
+        ++out;
+    }
+    if (num_trits) {
+        uint8_t trits[5];
+
+        memcpy(trits, buf, num_trits);
+        memset(trits + num_trits, 0, sizeof(trits) - num_trits);
+        ntru_trits_2_octet(trits, out);
+    }
+}
+
+
+/* ntru_elements_2_octets
+ *
+ * Packs an array of n-bit elements into an array of
+ * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
+ */
+
+void
+ntru_elements_2_octets(
+    uint16_t        in_len,         /*  in - no. of elements to be packed */
+    uint16_t const *in,             /*  in - ptr to elements to be packed */
+    uint8_t         n_bits,         /*  in - no. of bits in input element */
+    uint8_t        *out)            /* out - addr for output octets */
+{
+    uint16_t  temp;
+    int       shift;
+    uint16_t  i;
+
+    assert(in_len);
+    assert(in);
+    assert((n_bits > 8) && (n_bits < 16));
+    assert(out);
+
+    /* pack */
+
+    temp = 0;
+    shift = n_bits - 8;
+    i = 0;
+    while (i < in_len) {
+
+        /* add bits to temp to fill an octet and output the octet */
+
+        temp |= in[i] >> shift;
+        *out++ = (uint8_t)(temp & 0xff);
+        shift = 8 - shift;
+        if (shift < 1) {
+
+            /* next full octet is in current input word */
+
+            shift += n_bits;
+            temp = 0;
+
+        } else {
+
+            /* put remaining bits of input word in temp as partial octet,
+             * and increment index to next input word
+             */
+            temp = in[i] << (uint16_t)shift;
+
+            ++i;
+        }
+        shift = n_bits - shift;
+    }
+
+    /* output any bits remaining in last input word */
+
+    if (shift != n_bits - 8) {
+        *out++ = (uint8_t)(temp & 0xff);
+    }
+}
+
+
+/* ntru_octets_2_elements
+ *
+ * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
+ * n-bit elements, 8 < n_bits < 16.  Any extra bits are discarded.
+ */
+
+void
+ntru_octets_2_elements(
+    uint16_t        in_len,         /*  in - no. of octets to be unpacked */
+    uint8_t const  *in,             /*  in - ptr to octets to be unpacked */
+    uint8_t         n_bits,         /*  in - no. of bits in output element */
+    uint16_t       *out)            /* out - addr for output elements */
+{
+    uint16_t  temp;
+    uint16_t  mask = (1 << n_bits) - 1;
+    int       shift;
+    uint16_t  i;
+
+    assert(in_len > 1);
+    assert(in);
+    assert((n_bits > 8) && (n_bits < 16));
+    assert(out);
+
+    /* unpack */
+
+    temp = 0;
+    shift = n_bits;
+    i = 0;
+    while (i < in_len) {
+        shift = 8 - shift;
+        if (shift < 0) {
+
+            /* the current octet will not fill the current element */
+
+            shift += n_bits;
+
+        } else {
+
+            /* add bits from the current octet to fill the current element and
+             * output the element
+             */
+
+            temp |= ((uint16_t)in[i]) >> shift;
+            *out++ = temp & mask;
+            temp = 0;
+        }
+
+        /* add the remaining bits of the current octet to start an element */
+
+        shift = n_bits - shift;
+        temp |= ((uint16_t)in[i]) << shift;
+        ++i;
+    }
+}
+
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
new file mode 100644
index 000000000..1c4b35b24
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
@@ -0,0 +1,183 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_convert.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_convert.h
+ *
+ * Contents: Definitions and declarations for conversion routines
+ *           for NTRUEncrypt, including packing, unpacking and others.
+ *
+ *****************************************************************************/
+
+#ifndef NTRU_CRYPTO_NTRU_CONVERT_H
+#define NTRU_CRYPTO_NTRU_CONVERT_H
+
+#include "ntru_crypto.h"
+
+
+/* function declarations */
+
+/* ntru_bits_2_trits
+ *
+ * Each 3 bits in an array of octets is converted to 2 trits in an array
+ * of trits.
+ */
+
+extern void
+ntru_bits_2_trits(
+    uint8_t const *octets,          /*  in - pointer to array of octets */
+    uint16_t       num_trits,       /*  in - number of trits to produce */
+    uint8_t       *trits);          /* out - address for array of trits */
+
+
+/* ntru_trits_2_bits
+ *
+ * Each 2 trits in an array of trits is converted to 3 bits, and the bits
+ * are packed in an array of octets.  A multiple of 3 octets is output.
+ * Any bits in the final octets not derived from trits are zero.
+ *
+ * Returns TRUE if all trits were valid.
+ * Returns FALSE if invalid trits were found.
+ */
+
+extern bool
+ntru_trits_2_bits(
+    uint8_t const *trits,           /*  in - pointer to array of trits */
+    uint32_t       num_trits,       /*  in - number of trits to convert */
+    uint8_t       *octets);         /* out - address for array of octets */
+
+
+/* ntru_coeffs_mod4_2_octets
+ *
+ * Takes an array of coefficients mod 4 and packs the results into an
+ * octet string.
+ */
+
+extern void
+ntru_coeffs_mod4_2_octets(
+    uint16_t        num_coeffs,     /*  in - number of coefficients */
+    uint16_t const *coeffs,         /*  in - pointer to coefficients */
+    uint8_t        *octets);        /* out - address for octets */
+
+
+/* ntru_trits_2_octet
+ *
+ * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
+ */
+
+extern void
+ntru_trits_2_octet(
+    uint8_t const *trits,           /*  in - pointer to trits */
+    uint8_t *octet);                /* out - address for octet */
+
+
+/* ntru_octet_2_trits
+ *
+ * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
+ */
+
+extern void
+ntru_octet_2_trits(
+    uint8_t  octet,                 /*  in - octet to be unpacked */
+    uint8_t *trits);                /* out - address for trits */
+
+
+/* ntru_indices_2_trits
+ *
+ * Converts a list of the nonzero indices of a polynomial into an array of
+ * trits.
+ */
+
+extern void
+ntru_indices_2_trits(
+    uint16_t        in_len,         /*  in - no. of indices */
+    uint16_t const *in,             /*  in - pointer to list of indices */
+    bool            plus1,          /*  in - if list is +1 coefficients */
+    uint8_t        *out);           /* out - address of output polynomial */
+
+
+/* ntru_packed_trits_2_indices
+ *
+ * Unpacks an array of N trits and creates a list of array indices 
+ * corresponding to trits = +1, and list of array indices corresponding to
+ * trits = -1.
+ */
+
+extern void
+ntru_packed_trits_2_indices(
+    uint8_t const *in,              /*  in - pointer to packed-trit octets */
+    uint16_t       num_trits,       /*  in - no. of packed trits */
+    uint16_t      *indices_plus1,   /* out - address for indices of +1 trits */
+    uint16_t      *indices_minus1); /* out - address for indices of -1 trits */
+
+
+/* ntru_indices_2_packed_trits
+ *
+ * Takes a list of array indices corresponding to elements whose values
+ * are +1 or -1, and packs the N-element array of trits described by these
+ * lists into octets, 5 trits per octet.
+ */
+
+extern void
+ntru_indices_2_packed_trits(
+    uint16_t const *indices,        /*  in - pointer to indices */
+    uint16_t        num_plus1,      /*  in - no. of indices for +1 trits */
+    uint16_t        num_minus1,     /*  in - no. of indices for -1 trits */
+    uint16_t        num_trits,      /*  in - N, no. of trits in array */
+    uint8_t        *buf,            /*  in - temp buf, N octets */
+    uint8_t        *out);           /* out - address for packed octets */
+
+
+/* ntru_elements_2_octets
+ *
+ * Packs an array of n-bit elements into an array of
+ * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
+ */
+
+extern void
+ntru_elements_2_octets(
+    uint16_t        in_len,         /*  in - no. of elements to be packed */
+    uint16_t const *in,             /*  in - ptr to elements to be packed */
+    uint8_t         n_bits,         /*  in - no. of bits in input element */
+    uint8_t        *out);           /* out - addr for output octets */
+
+
+/* ntru_octets_2_elements
+ *
+ * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
+ * n-bit elements, 8 < n < 16.  Any extra bits are discarded.
+ */
+
+extern void
+ntru_octets_2_elements(
+    uint16_t        in_len,         /*  in - no. of octets to be unpacked */
+    uint8_t const  *in,             /*  in - ptr to octets to be unpacked */
+    uint8_t         n_bits,         /*  in - no. of bits in output element */
+    uint16_t       *out);           /* out - addr for output elements */
+
+
+#endif /* NTRU_CRYPTO_NTRU_CONVERT_H */
+
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
new file mode 100644
index 000000000..dba81915a
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
@@ -0,0 +1,1034 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_encrypt.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt.c
+ *
+ * Contents: Routines implementing NTRUEncrypt encryption and decryption and
+ *           key generation.
+ *
+ *****************************************************************************/
+
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "ntru_crypto.h"
+#include "ntru_crypto_ntru_encrypt_param_sets.h"
+#include "ntru_crypto_ntru_encrypt_key.h"
+#include "ntru_crypto_ntru_convert.h"
+#include "ntru_crypto_ntru_poly.h"
+#
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+
+/* ntru_crypto_ntru_encrypt
+ *
+ * Implements NTRU encryption (SVES) for the parameter set specified in
+ * the public key blob.
+ *
+ * Before invoking this function, a DRBG must be instantiated using
+ * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
+ * instantiation the requested security strength must be at least as large
+ * as the security strength of the NTRU parameter set being used.
+ * Failure to instantiate the DRBG with the proper security strength will
+ * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
+ *
+ * The required minimum size of the output ciphertext buffer (ct) may be
+ * queried by invoking this function with ct = NULL.  In this case, no
+ * encryption is performed, NTRU_OK is returned, and the required minimum
+ * size for ct is returned in ct_len.
+ *
+ * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
+ * Upon return it is the actual size of the ciphertext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
+  * zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
+ * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
+ *  (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ */
+
+uint32_t
+ntru_crypto_ntru_encrypt(
+    ntru_drbg_t    *drbg,            /*     in - handle of DRBG */
+    uint16_t        pubkey_blob_len, /*     in - no. of octets in public key
+                                                 blob */
+    uint8_t const  *pubkey_blob,     /*     in - pointer to public key */
+    uint16_t        pt_len,          /*     in - no. of octets in plaintext */
+    uint8_t const  *pt,              /*     in - pointer to plaintext */
+    uint16_t       *ct_len,          /* in/out - no. of octets in ct, addr for
+                                                 no. of octets in ciphertext */
+    uint8_t        *ct)              /*    out - address for ciphertext */
+{
+    NTRU_ENCRYPT_PARAM_SET *params = NULL;
+    uint8_t const          *pubkey_packed = NULL;
+    uint8_t                 pubkey_pack_type = 0x00;
+    uint16_t                packed_ct_len;
+    size_t                  scratch_buf_len;
+    uint32_t                dr;
+    uint32_t                dr1 = 0;
+    uint32_t                dr2 = 0;
+    uint32_t                dr3 = 0;
+    uint16_t                ring_mult_tmp_len;
+    int16_t                 m1 = 0;
+    uint16_t               *scratch_buf = NULL;
+    uint16_t               *ringel_buf = NULL;
+    uint8_t                *b_buf = NULL;
+    uint8_t                *tmp_buf = NULL;
+    bool                    msg_rep_good = FALSE;
+    hash_algorithm_t        hash_algid;
+    uint16_t                mprime_len = 0;
+    uint16_t                mod_q_mask;
+    uint32_t                result = NTRU_OK;
+	ntru_trits_t           *mask;
+	uint8_t                *mask_trits;
+	chunk_t                 seed;
+	ntru_poly_t				*r_poly;
+
+    /* check for bad parameters */
+
+	if (!pubkey_blob || !pt || !ct_len)
+	{
+		return NTRU_BAD_PARAMETER;
+	}
+	if ((pubkey_blob_len == 0) || (pt_len == 0))
+	{
+		return NTRU_BAD_LENGTH;
+	}
+
+    /* get a pointer to the parameter-set parameters, the packing type for
+     * the public key, and a pointer to the packed public key
+     */
+
+    if (!ntru_crypto_ntru_encrypt_key_parse(TRUE /* pubkey */, pubkey_blob_len,
+                                            pubkey_blob, &pubkey_pack_type,
+                                            NULL, &params, &pubkey_packed,
+                                            NULL))
+	{
+		return NTRU_BAD_PUBLIC_KEY;
+	}
+
+    /* return the ciphertext size if requested */
+
+    packed_ct_len = (params->N * params->q_bits + 7) >> 3;
+    if (!ct)
+	{
+        *ct_len = packed_ct_len;
+		return NTRU_OK;
+    }
+
+    /* check the ciphertext buffer size */
+
+    if (*ct_len < packed_ct_len)
+	{
+		return NTRU_BUFFER_TOO_SMALL;
+    }
+
+    /* check the plaintext length */
+
+    if (pt_len > params->m_len_max)
+	{
+		return NTRU_BAD_LENGTH;
+    }
+
+    /* allocate memory for all operations */
+
+    if (params->is_product_form)
+	{
+        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
+        dr1 =  params->dF_r & 0xff;
+        dr2 = (params->dF_r >>  8) & 0xff;
+        dr3 = (params->dF_r >> 16) & 0xff;
+        dr = dr1 + dr2 + dr3;
+    }
+	else
+	{
+        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
+        dr = params->dF_r;
+    }
+    scratch_buf_len = (ring_mult_tmp_len << 1) +
+                                            /* X-byte temp buf for ring mult and
+                                                other intermediate results */
+                      (params->N << 1) +    /* 2N-byte buffer for ring elements
+                                                and overflow from temp buffer */
+                      (dr << 2) +           /* buffer for r indices */
+                      params->sec_strength_len;
+                                            /* buffer for b */
+    scratch_buf = malloc(scratch_buf_len);
+    if (!scratch_buf)
+	{
+		return NTRU_OUT_OF_MEMORY;
+    }
+    ringel_buf = scratch_buf + ring_mult_tmp_len;
+    b_buf = (uint8_t *)(ringel_buf + params->N);
+    tmp_buf = (uint8_t *)scratch_buf;
+
+	/* set hash algorithm based on security strength */
+	 hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
+
+    /* set constants */
+	mod_q_mask = params->q - 1;
+
+    /* loop until a message representative with proper weight is achieved */
+
+    do {
+        uint8_t *ptr = tmp_buf;
+
+        /* get b */
+        if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+                                 params->sec_strength_len, b_buf))
+		{
+			result = NTRU_OK;
+		}
+		else
+		{
+			result = NTRU_FAIL;
+		}
+
+		if (result == NTRU_OK)
+		{
+
+            /* form sData (OID || m || b || hTrunc) */
+            memcpy(ptr, params->OID, 3);
+            ptr += 3;
+            memcpy(ptr, pt, pt_len);
+            ptr += pt_len;
+            memcpy(ptr, b_buf, params->sec_strength_len);
+            ptr += params->sec_strength_len;
+            memcpy(ptr, pubkey_packed, params->sec_strength_len);
+            ptr += params->sec_strength_len;
+
+			DBG2(DBG_LIB, "generate polynomial r");
+
+			seed = chunk_create(tmp_buf, ptr - tmp_buf);
+			r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+												params->N, params->q,
+												params->dF_r, params->dF_r,
+												params->is_product_form);
+			if (!r_poly)
+			{
+			   result = NTRU_MGF1_FAIL;
+			}
+        }
+
+		if (result == NTRU_OK)
+		{
+			uint16_t pubkey_packed_len;
+
+			/* unpack the public key */
+			assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
+			pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
+			ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
+								   params->q_bits, ringel_buf);
+
+			/* form R = h * r */
+			r_poly->ring_mult(r_poly, ringel_buf, ringel_buf);
+			r_poly->destroy(r_poly);
+
+			/* form R mod 4 */
+			ntru_coeffs_mod4_2_octets(params->N, ringel_buf, tmp_buf);
+
+			/* form mask */
+			seed = chunk_create(tmp_buf, (params->N + 3)/4);
+			mask = ntru_trits_create(params->N, hash_algid, seed);
+			if (!mask)
+			{
+				result = NTRU_MGF1_FAIL;
+			}
+		}
+
+		if (result == NTRU_OK)
+		{
+            uint8_t  *Mtrin_buf = tmp_buf + params->N;
+            uint8_t  *M_buf = Mtrin_buf + params->N -
+                              (params->sec_strength_len + params->m_len_len +
+                               params->m_len_max + 2);
+            uint16_t  i;
+
+            /* form the padded message M */
+            ptr = M_buf;
+            memcpy(ptr, b_buf, params->sec_strength_len);
+            ptr += params->sec_strength_len;
+            if (params->m_len_len == 2)
+                *ptr++ = (uint8_t)((pt_len >> 8) & 0xff);
+            *ptr++ = (uint8_t)(pt_len & 0xff);
+            memcpy(ptr, pt, pt_len);
+            ptr += pt_len;
+
+            /* add an extra zero byte in case without it the bit string
+             * is not a multiple of 3 bits and therefore might not be
+             * able to produce enough trits
+             */
+
+            memset(ptr, 0, params->m_len_max - pt_len + 2);
+
+            /* convert M to trits (Mbin to Mtrin) */
+            mprime_len = params->N;
+			if (params->is_product_form)
+			{
+                --mprime_len;
+			}
+
+            ntru_bits_2_trits(M_buf, mprime_len, Mtrin_buf);
+			mask_trits = mask->get_trits(mask);
+
+			/* form the msg representative m' by adding Mtrin to mask, mod p */
+			if (params->is_product_form)
+			{
+				for (i = 0; i < mprime_len; i++)
+				{
+					tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
+					if (tmp_buf[i] >= 3)
+					{
+						tmp_buf[i] -= 3;
+					}
+					if (tmp_buf[i] == 1)
+					{
+						++m1;
+					}
+					else if (tmp_buf[i] == 2)
+					{
+						--m1;
+					}
+				}
+			}
+			else
+			{
+				for (i = 0; i < mprime_len; i++)
+				{
+					tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
+					if (tmp_buf[i] >= 3)
+					{
+						tmp_buf[i] -= 3;
+					}
+				}
+			}
+			mask->destroy(mask);
+
+            /* check that message representative meets minimum weight
+             * requirements
+             */
+
+            if (params->is_product_form)
+                msg_rep_good = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
+                                        (bool)( m1 <= params->min_msg_rep_wt);
+            else
+                msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf,
+                                                       params->min_msg_rep_wt);
+            msg_rep_good = TRUE;
+        }
+    } while ((result == NTRU_OK) && !msg_rep_good);
+
+	if (result == NTRU_OK)
+	{
+        uint16_t i;
+
+        /* form ciphertext e by adding m' to R mod q */
+
+        for (i = 0; i < mprime_len; i++) {
+            if (tmp_buf[i] == 1)
+                ringel_buf[i] = (ringel_buf[i] + 1) & mod_q_mask;
+            else if (tmp_buf[i] == 2)
+                ringel_buf[i] = (ringel_buf[i] - 1) & mod_q_mask;
+        }
+        if (params->is_product_form)
+            ringel_buf[i] = (ringel_buf[i] - m1) & mod_q_mask;
+
+        /* pack ciphertext */
+        ntru_elements_2_octets(params->N, ringel_buf, params->q_bits, ct);
+        *ct_len = packed_ct_len;
+    }
+
+    /* cleanup */
+    memset(scratch_buf, 0, scratch_buf_len);
+    free(scratch_buf);
+    
+	return result;
+}
+
+
+/* ntru_crypto_ntru_decrypt
+ *
+ * Implements NTRU decryption (SVES) for the parameter set specified in
+ * the private key blob.
+ *
+ * The maximum size of the output plaintext may be queried by invoking
+ * this function with pt = NULL.  In this case, no decryption is performed,
+ * NTRU_OK is returned, and the maximum size the plaintext could be is
+ * returned in pt_len.
+ * Note that until the decryption is performed successfully, the actual size
+ * of the resulting plaintext cannot be known.
+ *
+ * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
+ * Upon return it is the actual size of the plaintext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
+ *  ct_len is invalid for the parameter set.
+ * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
+ *  (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if a decryption error occurs.
+ */
+
+uint32_t
+ntru_crypto_ntru_decrypt(
+    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
+                                                 blob */
+    uint8_t const *privkey_blob,     /*     in - pointer to private key */
+    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
+    uint8_t const *ct,               /*     in - pointer to ciphertext */
+    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
+                                                 no. of octets in plaintext */
+    uint8_t       *pt)               /*    out - address for plaintext */
+{
+    NTRU_ENCRYPT_PARAM_SET *params = NULL;
+    uint8_t const          *privkey_packed = NULL;
+    uint8_t const          *pubkey_packed = NULL;
+    uint8_t                 privkey_pack_type = 0x00;
+    uint8_t                 pubkey_pack_type = 0x00;
+    size_t                  scratch_buf_len;
+    uint32_t                dF_r;
+    uint32_t                dF_r1 = 0;
+    uint32_t                dF_r2 = 0;
+    uint32_t                dF_r3 = 0;
+    uint16_t                ring_mult_tmp_len;
+    int16_t                 m1 = 0;
+    uint16_t               *scratch_buf = NULL;
+    uint16_t               *ringel_buf1 = NULL;
+    uint16_t               *ringel_buf2 = NULL;
+    uint16_t               *i_buf = NULL;
+    uint8_t                *m_buf = NULL;
+    uint8_t                *tmp_buf = NULL;
+    uint8_t                *Mtrin_buf = NULL;
+    uint8_t                *M_buf = NULL;
+    uint8_t                *ptr = NULL;
+    hash_algorithm_t        hash_algid;
+    uint16_t                cmprime_len;
+    uint16_t                mod_q_mask;
+    uint16_t                q_mod_p;
+    uint16_t                cm_len = 0;
+    uint16_t                num_zeros;
+    uint16_t                i;
+    bool                    decryption_ok = TRUE;
+    uint32_t                result = NTRU_OK;
+	ntru_trits_t           *mask;
+	uint8_t                *mask_trits;
+	chunk_t                 seed;
+	ntru_poly_t			   *F_poly, *r_poly;
+
+	/* check for bad parameters */
+	if (!privkey_blob || !ct || !pt_len)
+	{
+		return NTRU_BAD_PARAMETER;
+	}
+	if ((privkey_blob_len == 0) || (ct_len == 0))
+	{
+		return NTRU_BAD_LENGTH;
+	}
+
+    /* get a pointer to the parameter-set parameters, the packing types for
+     * the public and private keys, and pointers to the packed public and
+     * private keys
+     */
+
+	if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */,
+                                            privkey_blob_len,
+                                            privkey_blob, &pubkey_pack_type,
+                                            &privkey_pack_type, &params,
+                                            &pubkey_packed, &privkey_packed))
+	{
+		return NTRU_BAD_PRIVATE_KEY;
+	}
+
+    /* return the max plaintext size if requested */
+
+	if (!pt)
+	{
+        *pt_len = params->m_len_max;
+		return NTRU_OK;
+    }
+
+    /* cannot check the plaintext buffer size until after the plaintext
+     * is derived, if we allow plaintext buffers only as large as the
+     * actual plaintext
+     */
+
+    /* check the ciphertext length */
+
+	if (ct_len != (params->N * params->q_bits + 7) >> 3)
+	{
+		return NTRU_BAD_LENGTH;
+	}
+
+    /* allocate memory for all operations */
+
+	if (params->is_product_form)
+	{
+        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
+        dF_r1 =  params->dF_r & 0xff;
+        dF_r2 = (params->dF_r >>  8) & 0xff;
+        dF_r3 = (params->dF_r >> 16) & 0xff;
+        dF_r = dF_r1 + dF_r2 + dF_r3;
+    } else {
+        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
+        dF_r = params->dF_r;
+    }
+    scratch_buf_len = (ring_mult_tmp_len << 1) +
+                                            /* X-byte temp buf for ring mult and
+                                                other intermediate results */
+                      (params->N << 2) +    /* 2 2N-byte bufs for ring elements
+                                                and overflow from temp buffer */
+                      (dF_r << 2) +         /* buffer for F, r indices */
+                      params->m_len_max;    /* buffer for plaintext */
+    scratch_buf = malloc(scratch_buf_len);
+	if (!scratch_buf)
+	{
+		return NTRU_OUT_OF_MEMORY;
+    }
+    ringel_buf1 = scratch_buf + ring_mult_tmp_len;
+    ringel_buf2 = ringel_buf1 + params->N;
+    i_buf = ringel_buf2 + params->N;
+    m_buf = (uint8_t *)(i_buf + (dF_r << 1));
+    tmp_buf = (uint8_t *)scratch_buf;
+    Mtrin_buf = (uint8_t *)ringel_buf1;
+    M_buf = Mtrin_buf + params->N;
+
+	/* set hash algorithm based on security strength */
+	hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
+
+    /* set constants */
+    mod_q_mask = params->q - 1;
+    q_mod_p = params->q % 3;
+
+    /* unpack the ciphertext */
+    ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2);
+
+    /* unpack the private key */
+    if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS)
+	{
+        ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf,
+                                    i_buf + dF_r);
+
+    }
+	else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES)
+	{
+        ntru_octets_2_elements(
+                (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3,
+                privkey_packed, params->N_bits, i_buf);
+
+    }
+	else
+	{
+        assert(FALSE);
+    }
+
+    /* form cm':
+     *  F * e
+     *  A = e * (1 + pF) mod q = e + pFe mod q
+     *  a = A in the range [-q/2, q/2)
+     *  cm' = a mod p
+     */
+	F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q,
+										params->dF_r, params->dF_r,
+									    params->is_product_form);
+	F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1);
+	F_poly->destroy(F_poly);
+
+    cmprime_len = params->N;
+    if (params->is_product_form)
+	{
+         --cmprime_len;
+		for (i = 0; i < cmprime_len; i++)
+		{
+			ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
+			if (ringel_buf1[i] >= (params->q >> 1))
+			{
+				ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
+			}
+			Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
+			if (Mtrin_buf[i] == 1)
+			{
+				++m1;
+			}
+			else if (Mtrin_buf[i] == 2)
+			{
+				--m1;
+			}
+		}
+	}
+	else
+	{
+		for (i = 0; i < cmprime_len; i++)
+		{
+			ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
+			if (ringel_buf1[i] >= (params->q >> 1))
+			{
+				ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
+			}
+			Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
+		}
+	}
+
+    /* check that the candidate message representative meets minimum weight
+     * requirements
+     */
+
+    if (params->is_product_form)
+	{
+	    decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
+	                             (bool)( m1 <= params->min_msg_rep_wt);
+	}
+	else
+	{
+        decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf,
+												   params->min_msg_rep_wt);
+	}
+
+	/* form cR = e - cm' mod q */
+	for (i = 0; i < cmprime_len; i++)
+	{
+		if (Mtrin_buf[i] == 1)
+		{
+			ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask;
+		}
+		else if (Mtrin_buf[i] == 2)
+		{
+			ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask;
+		}
+	}
+	if (params->is_product_form)
+	{
+		ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask;
+	}
+
+	/* form cR mod 4 */
+	ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf);
+
+	/* form mask */
+	seed = chunk_create(tmp_buf, (params->N + 3)/4);
+	mask = ntru_trits_create(params->N, hash_algid, seed);
+	if (!mask)
+	{
+		result = NTRU_MGF1_FAIL;
+	}
+	else
+	{
+		mask_trits = mask->get_trits(mask);
+
+		/* form cMtrin by subtracting mask from cm', mod p */
+		for (i = 0; i < cmprime_len; i++)
+		{
+			Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i];
+			if (Mtrin_buf[i] >= 3)
+			{
+				Mtrin_buf[i] += 3;
+			}
+		}
+		mask->destroy(mask);
+
+        if (params->is_product_form)
+
+            /* set the last trit to zero since that's what it was, and
+             * because it can't be calculated from (cm' - mask) since
+             * we don't have the correct value for the last cm' trit
+             */
+
+            Mtrin_buf[i] = 0;
+
+        /* convert cMtrin to cM (Mtrin to Mbin) */
+
+        if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf))
+            decryption_ok = FALSE;
+
+        /* validate the padded message cM and copy cm to m_buf */
+
+        ptr = M_buf + params->sec_strength_len;
+        if (params->m_len_len == 2)
+            cm_len = (uint16_t)(*ptr++) << 16;
+        cm_len |= (uint16_t)(*ptr++);
+        if (cm_len > params->m_len_max) {
+            cm_len = params->m_len_max;
+            decryption_ok = FALSE;
+        }
+        memcpy(m_buf, ptr, cm_len);
+        ptr += cm_len;
+        num_zeros = params->m_len_max - cm_len + 1;
+        for (i = 0; i < num_zeros; i++) {
+            if (ptr[i] != 0)
+                decryption_ok = FALSE;
+        }
+
+        /* form sData (OID || m || b || hTrunc) */
+
+        ptr = tmp_buf;
+        memcpy(ptr, params->OID, 3);
+        ptr += 3;
+        memcpy(ptr, m_buf, cm_len);
+        ptr += cm_len;
+        memcpy(ptr, M_buf, params->sec_strength_len);
+        ptr += params->sec_strength_len;
+        memcpy(ptr, pubkey_packed, params->sec_strength_len);
+        ptr += params->sec_strength_len;
+
+        /* generate cr */
+		DBG2(DBG_LIB, "generate polynomial r");
+
+		seed = chunk_create(tmp_buf, ptr - tmp_buf);
+		r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+											params->N, params->q,
+											params->dF_r, params->dF_r,
+											params->is_product_form);
+		if (!r_poly)
+		{
+		   result = NTRU_MGF1_FAIL;
+		}
+    }
+
+	if (result == NTRU_OK)
+	{
+		/* unpack the public key */
+		{
+            uint16_t pubkey_packed_len;
+
+			assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
+			pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
+			ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
+								   params->q_bits, ringel_buf1);
+		}
+
+		/* form cR' = h * cr */
+		r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1);
+		r_poly->destroy(r_poly);
+
+		/* compare cR' to cR */
+		for (i = 0; i < params->N; i++)
+		{
+			if (ringel_buf1[i] != ringel_buf2[i])
+			{
+                decryption_ok = FALSE;
+			}
+		}
+
+        /* output plaintext and plaintext length */
+		if (decryption_ok)
+		{
+			if (*pt_len < cm_len)
+			{
+				return NTRU_BUFFER_TOO_SMALL;
+			}
+			memcpy(pt, m_buf, cm_len);
+			*pt_len = cm_len;
+        }
+    }
+
+	/* cleanup */
+	memset(scratch_buf, 0, scratch_buf_len);
+	free(scratch_buf);
+    
+	if (!decryption_ok)
+	{
+		return NTRU_FAIL;
+	}
+
+	return result;
+}
+
+
+/* ntru_crypto_ntru_encrypt_keygen
+ *
+ * Implements key generation for NTRUEncrypt for the parameter set specified.
+ *
+ * The required minimum size of the output public-key buffer (pubkey_blob)
+ * may be queried by invoking this function with pubkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
+ *
+ * The required minimum size of the output private-key buffer (privkey_blob)
+ * may be queried by invoking this function with privkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for privkey_blob is returned in privkey_blob_len.
+ *
+ * The required minimum sizes of both pubkey_blob and privkey_blob may be
+ * queried as described above, in a single invocation of this function.
+ *
+ * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
+ * *pubkey_blob_len must be the size of the pubkey_blob buffer and
+ * *privkey_blob_len must be the size of the privkey_blob buffer.
+ * Upon return, *pubkey_blob_len is the actual size of the public-key blob
+ * and *privkey_blob_len is the actual size of the private-key blob.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or
+ *  privkey_blob) is NULL.
+ * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
+ * Returns NTRU_BAD_LENGTH if a length argument is invalid.
+ * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
+ *  privkey_blob buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
+ *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
+ *  Should this occur, this function should simply be invoked again.
+ */
+
+uint32_t
+ntru_crypto_ntru_encrypt_keygen(
+    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
+    NTRU_ENCRYPT_PARAM_SET_ID  param_set_id,     /*     in - parameter set ID */
+    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
+                                                             pubkey_blob, addr
+                                                             for no. of octets
+                                                             in pubkey_blob */
+    uint8_t                   *pubkey_blob,      /*    out - address for
+                                                             public key blob */
+    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
+                                                             privkey_blob, addr
+                                                             for no. of octets
+                                                             in privkey_blob */
+    uint8_t                   *privkey_blob)     /*    out - address for
+                                                             private key blob */
+{
+    NTRU_ENCRYPT_PARAM_SET *params = NULL;
+    uint16_t                public_key_blob_len;
+    uint16_t                private_key_blob_len;
+    uint8_t                 pubkey_pack_type;
+    uint8_t                 privkey_pack_type;
+    size_t                  scratch_buf_len;
+    uint32_t                dF;
+    uint32_t                dF1 = 0;
+    uint32_t                dF2 = 0;
+    uint32_t                dF3 = 0;
+    uint16_t               *scratch_buf = NULL;
+    uint16_t               *ringel_buf1 = NULL;
+    uint16_t               *ringel_buf2 = NULL;
+    uint8_t                *tmp_buf = NULL;
+    uint16_t                mod_q_mask;
+    hash_algorithm_t        hash_algid;
+    uint16_t                seed_len;
+	chunk_t					seed;
+    uint32_t                result = NTRU_OK;
+	ntru_poly_t			   *F_poly = NULL;
+	ntru_poly_t            *g_poly = NULL;
+	uint16_t			   *F_indices;
+
+    /* get a pointer to the parameter-set parameters */
+
+    if ((params = ntru_encrypt_get_params_with_id(param_set_id)) == NULL)
+	{
+		return NTRU_INVALID_PARAMETER_SET;
+	}
+
+    /* check for bad parameters */
+
+    if (!pubkey_blob_len || !privkey_blob_len)
+	{
+		return NTRU_BAD_PARAMETER;
+	}
+
+    /* get public and private key packing types and blob lengths */
+
+    ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type,
+                                                 &public_key_blob_len,
+                                                 &privkey_pack_type,
+                                                 &private_key_blob_len);
+
+    /* return the pubkey_blob size and/or privkey_blob size if requested */
+
+    if (!pubkey_blob || !privkey_blob)
+	{
+        if (!pubkey_blob)
+            *pubkey_blob_len = public_key_blob_len;
+        if (!privkey_blob)
+            *privkey_blob_len = private_key_blob_len;
+		return NTRU_OK;
+    }
+
+    /* check size of output buffers */
+
+    if ((*pubkey_blob_len < public_key_blob_len) ||
+            (*privkey_blob_len < private_key_blob_len))
+	{
+		return NTRU_BUFFER_TOO_SMALL;
+	}
+
+    /* allocate memory for all operations */
+    if (params->is_product_form) {
+        dF1 =  params->dF_r & 0xff;
+        dF2 = (params->dF_r >> 8) & 0xff;
+        dF3 = (params->dF_r >> 16) & 0xff;
+        dF = dF1 + dF2 + dF3;
+    } else {
+        dF = params->dF_r;
+    }
+
+    scratch_buf_len = (params->N * 8) +     /* 4N-byte temp buffer for ring inv
+                                                and other intermediate results,
+                                               2N-byte buffer for f, g indices
+                                                and overflow from temp buffer,
+                                               2N-byte buffer for f^-1 */
+                      (dF << 2);            /* buffer for F indices */
+    scratch_buf = malloc(scratch_buf_len);
+	if (!scratch_buf)
+	{
+		return NTRU_OUT_OF_MEMORY;
+    }
+    ringel_buf1 = scratch_buf + (params->N << 1);
+    ringel_buf2 = ringel_buf1 + params->N;
+    tmp_buf = (uint8_t *)scratch_buf;
+
+	/* set hash algorithm and seed length based on security strength */
+    if (params->sec_strength_len <= 20)
+	{
+		hash_algid = HASH_SHA1;
+	}
+	else
+	{
+		hash_algid = HASH_SHA256;
+	}
+	seed_len = params->sec_strength_len + 8;
+
+    /* set constants */
+
+    mod_q_mask = params->q - 1;
+
+    /* get random bytes for seed for generating trinary F
+     * as a list of indices
+     */
+
+    if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+							 seed_len, tmp_buf))
+	{
+		result = NTRU_OK;
+	}
+	else
+	{
+		result = NTRU_DRBG_FAIL;
+	}
+
+	if (result == NTRU_OK)
+	{
+		DBG2(DBG_LIB, "generate polynomial F");
+
+		seed = chunk_create(tmp_buf, seed_len);
+		F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+											params->N, params->q,
+											params->dF_r, params->dF_r,
+											params->is_product_form);
+		if (!F_poly)
+		{
+		   result = NTRU_MGF1_FAIL;
+		}
+    }
+
+	if (result == NTRU_OK)
+	{
+		int i;
+
+		F_poly->get_array(F_poly, ringel_buf1);
+
+		/* form f = 1 + pF */
+		for (i = 0; i < params->N; i++)
+		{
+			ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask;
+		}
+		ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask;
+
+		/* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
+		if (!ntru_ring_inv(ringel_buf1, params->N, params->q,
+						   scratch_buf, ringel_buf2))
+		{
+			result = NTRU_FAIL;
+		}
+	}
+
+	if (result == NTRU_OK)
+	{
+
+        /* get random bytes for seed for generating trinary polynomial g
+         * as a list of indices
+         */
+        if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+								  seed_len, tmp_buf))
+		{
+			result = NTRU_DRBG_FAIL;
+		}
+    }
+
+	if (result == NTRU_OK)
+	{
+		DBG2(DBG_LIB, "generate polynomial g");
+
+		seed = chunk_create(tmp_buf, seed_len);
+		g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+											params->N, params->q,
+											params->dg + 1, params->dg, FALSE);
+		if (!g_poly)
+		{
+		   result = NTRU_MGF1_FAIL;
+		}
+   }
+
+	if (result == NTRU_OK)
+	{
+		uint16_t i;
+
+		/* compute h = p * (f^-1 * g) mod q */
+		g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2);
+		g_poly->destroy(g_poly);
+
+		for (i = 0; i < params->N; i++)
+		{
+			ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask;
+		}
+
+		/* create public key blob */
+		ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2,
+													    pubkey_pack_type,
+														pubkey_blob);
+		*pubkey_blob_len = public_key_blob_len;
+
+		/* create private key blob */
+		F_indices = F_poly->get_indices(F_poly);
+		ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2,
+														 F_indices,
+														 privkey_pack_type,
+														 tmp_buf, privkey_blob);
+		*privkey_blob_len = private_key_blob_len;
+    }
+
+	/* cleanup */
+	DESTROY_IF(F_poly);
+	memset(scratch_buf, 0, scratch_buf_len);
+	free(scratch_buf);
+  
+	return result;
+}
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
new file mode 100644
index 000000000..90baaadf3
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
@@ -0,0 +1,360 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_encrypt_key.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt_key.c
+ *
+ * Contents: Routines for exporting and importing public and private keys
+ *           for NTRUEncrypt.
+ *
+ *****************************************************************************/
+
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "ntru_crypto_ntru_encrypt_key.h"
+
+
+/* ntru_crypto_ntru_encrypt_key_parse
+ *
+ * Parses an NTRUEncrypt key blob.
+ * If the blob is not corrupt, returns packing types for public and private
+ * keys, a pointer to the parameter set, a pointer to the public key, and
+ * a pointer to the private key if it exists.
+ *
+ * Returns TRUE if successful.
+ * Returns FALSE if the blob is invalid.
+ */
+
+bool
+ntru_crypto_ntru_encrypt_key_parse(
+    bool                     pubkey_parse,      /*  in - if parsing pubkey
+                                                         blob */
+    uint16_t                 key_blob_len,      /*  in - no. octets in key
+                                                         blob */
+    uint8_t const           *key_blob,          /*  in - pointer to key blob */
+    uint8_t                 *pubkey_pack_type,  /* out - addr for pubkey
+                                                         packing type */
+    uint8_t                 *privkey_pack_type, /* out - addr for privkey
+                                                         packing type */
+    NTRU_ENCRYPT_PARAM_SET **params,            /* out - addr for ptr to
+                                                         parameter set */
+    uint8_t const          **pubkey,            /* out - addr for ptr to
+                                                         packed pubkey */
+    uint8_t const          **privkey)           /* out - addr for ptr to
+                                                         packed privkey */
+{
+    uint8_t tag;
+
+    assert(key_blob_len);
+    assert(key_blob);
+    assert(pubkey_pack_type);
+    assert(params);
+    assert(pubkey);
+
+    /* parse key blob based on tag */
+
+    tag = key_blob[0];
+    switch (tag) {
+        case NTRU_ENCRYPT_PUBKEY_TAG:
+            if (!pubkey_parse)
+                return FALSE;
+            break;
+        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
+        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
+        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+            assert(privkey_pack_type);
+            assert(privkey);
+            if (pubkey_parse)
+                return FALSE;
+            break;
+        default:
+            return FALSE;
+    }
+
+    switch (tag) {
+        case NTRU_ENCRYPT_PUBKEY_TAG:
+        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
+        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
+        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+
+            /* Version 0:
+             *  byte  0:   tag
+             *  byte  1:   no. of octets in OID
+             *  bytes 2-4: OID
+             *  bytes 5- : packed pubkey
+             *             [packed privkey]
+             */
+
+        {
+            NTRU_ENCRYPT_PARAM_SET *p = NULL;
+            uint16_t pubkey_packed_len;
+
+            /* check OID length and minimum blob length for tag and OID */
+
+            if ((key_blob_len < 5) || (key_blob[1] != 3))
+                return FALSE;
+
+            /* get a pointer to the parameter set corresponding to the OID */
+
+            if ((p = ntru_encrypt_get_params_with_OID(key_blob + 2)) == NULL)
+                return FALSE;
+
+            /* check blob length and assign pointers to blob fields */
+
+            pubkey_packed_len = (p->N * p->q_bits + 7) / 8;
+            if (pubkey_parse) { /* public-key parsing */
+                if (key_blob_len != 5 + pubkey_packed_len)
+                    return FALSE;
+
+                *pubkey = key_blob + 5;
+
+            } else { /* private-key parsing */
+                uint16_t privkey_packed_len;
+                uint16_t privkey_packed_trits_len = (p->N + 4) / 5;
+                uint16_t privkey_packed_indices_len;
+                uint16_t dF;
+
+                /* check packing type for product-form private keys */
+
+                if (p->is_product_form &&
+                        (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG))
+                    return FALSE;
+
+                /* set packed-key length for packed indices */
+
+                if (p->is_product_form)
+                    dF = (uint16_t)( (p->dF_r & 0xff) +            /* df1 */
+                                    ((p->dF_r >>  8) & 0xff) +     /* df2 */
+                                    ((p->dF_r >> 16) & 0xff));     /* df3 */
+                else
+                    dF = (uint16_t)p->dF_r;
+                privkey_packed_indices_len = ((dF << 1) * p->N_bits + 7) >> 3;
+
+                /* set private-key packing type if defaulted */
+
+                if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) {
+                    if (p->is_product_form ||
+                            (privkey_packed_indices_len <=
+                             privkey_packed_trits_len))
+                        tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG;
+                    else
+                        tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG;
+                }
+
+                if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)
+                    privkey_packed_len = privkey_packed_trits_len;
+                else
+                    privkey_packed_len = privkey_packed_indices_len;
+
+                if (key_blob_len != 5 + pubkey_packed_len + privkey_packed_len)
+                    return FALSE;
+
+                *pubkey = key_blob + 5;
+                *privkey = *pubkey + pubkey_packed_len;
+                *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ?
+                    NTRU_ENCRYPT_KEY_PACKED_TRITS :
+                    NTRU_ENCRYPT_KEY_PACKED_INDICES;
+            }
+
+            /* return parameter set pointer */
+
+            *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
+            *params = p;
+        }
+        default:
+            break;  /* can't get here */
+    }
+    return TRUE;
+}
+
+
+/* ntru_crypto_ntru_encrypt_key_get_blob_params
+ *
+ * Returns public and private key packing types and blob lengths given
+ * a packing format.  For now, only a default packing format exists.
+ *
+ * Only public-key params may be returned by setting privkey_pack_type
+ * and privkey_blob_len to NULL.
+ */
+
+void
+ntru_crypto_ntru_encrypt_key_get_blob_params(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
+                                                               packing type */
+    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
+                                                               bytes in
+                                                               pubkey blob */
+    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
+                                                               packing type */
+    uint16_t                     *privkey_blob_len)   /* out - addr for no. of
+                                                               bytes in
+                                                               privkey blob */
+{
+    uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
+
+    assert(params);
+    assert(pubkey_pack_type);
+    assert(pubkey_blob_len);
+
+    *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
+    *pubkey_blob_len = 5 + pubkey_packed_len;
+
+    if (privkey_pack_type && privkey_blob_len) {
+        uint16_t privkey_packed_trits_len = (params->N + 4) / 5;
+        uint16_t privkey_packed_indices_len;
+        uint16_t dF;
+
+        if (params->is_product_form)
+            dF = (uint16_t)( (params->dF_r & 0xff) +            /* df1 */
+                            ((params->dF_r >>  8) & 0xff) +     /* df2 */
+                            ((params->dF_r >> 16) & 0xff));     /* df3 */
+        else
+            dF = (uint16_t)params->dF_r;
+        privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3;
+
+        if (params->is_product_form ||
+                (privkey_packed_indices_len <= privkey_packed_trits_len)) {
+            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES;
+            *privkey_blob_len =
+                5 + pubkey_packed_len + privkey_packed_indices_len;
+        } else {
+            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS;
+            *privkey_blob_len =
+                5 + pubkey_packed_len + privkey_packed_trits_len;
+        }
+    }
+}
+
+
+/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
+ *
+ * Returns a public key blob, packed according to the packing type provided.
+ */
+
+void
+ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint16_t const               *pubkey,             /*  in - pointer to the
+                                                               coefficients
+                                                               of the pubkey */
+    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
+                                                               type */
+    uint8_t                      *pubkey_blob)        /* out - addr for the
+                                                               pubkey blob */
+{
+    assert(params);
+    assert(pubkey);
+    assert(pubkey_blob);
+
+    switch (pubkey_pack_type) {
+        case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS:
+            *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG;
+            *pubkey_blob++ = (uint8_t)sizeof(params->OID);
+            memcpy(pubkey_blob, params->OID, sizeof(params->OID));
+            pubkey_blob += sizeof(params->OID);
+            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
+                                   pubkey_blob);
+            break;
+        default:
+            assert(FALSE);
+    }
+}
+
+
+/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
+ *
+ * Returns a private key blob, packed according to the packing type provided.
+ */
+
+void
+ntru_crypto_ntru_encrypt_key_create_privkey_blob(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint16_t const               *pubkey,             /*  in - pointer to the
+                                                               coefficients
+                                                               of the pubkey */
+    uint16_t const               *privkey,            /*  in - pointer to the
+                                                               indices of the
+                                                               privkey */
+    uint8_t                       privkey_pack_type,  /*  in - privkey packing
+                                                               type */
+    uint8_t                      *buf,                /*  in - temp, N bytes */
+    uint8_t                      *privkey_blob)       /* out - addr for the
+                                                               privkey blob */
+{
+    assert(params);
+    assert(pubkey);
+    assert(privkey);
+    assert(privkey_blob);
+
+    switch (privkey_pack_type) {
+        case NTRU_ENCRYPT_KEY_PACKED_TRITS:
+        case NTRU_ENCRYPT_KEY_PACKED_INDICES:
+
+            /* format header and packed public key */
+
+            *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG;
+            *privkey_blob++ = (uint8_t)sizeof(params->OID);
+            memcpy(privkey_blob, params->OID, sizeof(params->OID));
+            privkey_blob += sizeof(params->OID);
+            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
+                                   privkey_blob);
+            privkey_blob += (params->N * params->q_bits + 7) >> 3;
+
+            /* add packed private key */
+
+            if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) {
+                ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r,
+                                            (uint16_t)params->dF_r,
+                                            params->N, buf, privkey_blob);
+            } else {
+                uint32_t dF;
+
+                if (params->is_product_form) {
+                    dF =  (params->dF_r & 0xff) +
+                         ((params->dF_r >> 8) & 0xff) +
+                         ((params->dF_r >> 16) & 0xff);
+                } else {
+                    dF = params->dF_r;
+                }
+                ntru_elements_2_octets((uint16_t)dF << 1, privkey,
+                                       params->N_bits, privkey_blob);
+            }
+            break;
+        default:
+            assert(FALSE);
+            break;
+    }
+}
+
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
new file mode 100644
index 000000000..6734f2a4c
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
@@ -0,0 +1,167 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_cencrypt_key.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+
+
+#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
+#define NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
+
+#include "ntru_crypto_ntru_convert.h"
+#include "ntru_crypto_ntru_encrypt_param_sets.h"
+
+
+/* key-blob definitions */
+
+#define NTRU_ENCRYPT_PUBKEY_TAG           0x01
+#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG  0x02
+#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG    0xfe
+#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG  0xff
+
+/* packing types */
+
+#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS    0x01
+#define NTRU_ENCRYPT_KEY_PACKED_INDICES         0x02
+#define NTRU_ENCRYPT_KEY_PACKED_TRITS           0x03
+
+/* function declarations */
+
+
+/* ntru_crypto_ntru_encrypt_key_parse
+ *
+ * Parses an NTRUEncrypt key blob.
+ * If the blob is not corrupt, returns packing types for public and private
+ * keys, a pointer to the parameter set, a pointer to the public key, and
+ * a pointer to the private key if it exists.
+ *
+ * Returns TRUE if successful.
+ * Returns FALSE if the blob is invalid.
+ */
+
+extern bool
+ntru_crypto_ntru_encrypt_key_parse(
+    bool                     pubkey_parse,      /*  in - if parsing pubkey
+                                                         blob */
+    uint16_t                 key_blob_len,      /*  in - no. octets in key
+                                                         blob */
+    uint8_t const           *key_blob,          /*  in - pointer to key blob */
+    uint8_t                 *pubkey_pack_type,  /* out - addr for pubkey
+                                                         packing type */
+    uint8_t                 *privkey_pack_type, /* out - addr for privkey
+                                                         packing type */
+    NTRU_ENCRYPT_PARAM_SET **params,            /* out - addr for ptr to
+                                                         parameter set */
+    uint8_t const          **pubkey,            /* out - addr for ptr to
+                                                         packed pubkey */
+    uint8_t const          **privkey);          /* out - addr for ptr to
+                                                         packed privkey */
+
+
+/* ntru_crypto_ntru_encrypt_key_get_blob_params
+ *
+ * Returns public and private key packing types and blob lengths given
+ * a packing format.  For now, only a default packing format exists.
+ *
+ * Only public-key params may be returned by setting privkey_pack_type
+ * and privkey_blob_len to NULL.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_get_blob_params(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
+                                                               packing type */
+    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
+                                                               bytes in
+                                                               pubkey blob */
+    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
+                                                               packing type */
+    uint16_t                     *privkey_blob_len);  /* out - addr for no. of
+                                                               bytes in
+                                                               privkey blob */
+
+
+/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
+ *
+ * Returns a public key blob, packed according to the packing type provided.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint16_t const               *pubkey,             /*  in - pointer to the
+                                                               coefficients
+                                                               of the pubkey */
+    uint8_t                       pubkey_pack_type,   /* out - addr for pubkey
+                                                               packing type */
+    uint8_t                      *pubkey_blob);       /* out - addr for the
+                                                               pubkey blob */
+
+
+/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob
+ *
+ * Returns a public key blob, recreated from an already-packed public key.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint16_t                      packed_pubkey_len,  /*  in - no. octets in
+                                                               packed pubkey */
+    uint8_t const                *packed_pubkey,      /*  in - pointer to the
+                                                               packed pubkey */
+    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
+                                                               type */
+    uint8_t                      *pubkey_blob);       /* out - addr for the
+                                                               pubkey blob */
+
+
+/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
+ *
+ * Returns a privlic key blob, packed according to the packing type provided.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_create_privkey_blob(
+    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
+                                                               param set
+                                                               parameters */
+    uint16_t const               *pubkey,             /*  in - pointer to the
+                                                               coefficients
+                                                               of the pubkey */
+    uint16_t const               *privkey,            /*  in - pointer to the
+                                                               indices of the
+                                                               privkey */
+    uint8_t                       privkey_pack_type,  /*  in - privkey packing
+                                                               type */
+    uint8_t                      *buf,                /*  in - temp, N bytes */
+    uint8_t                      *privkey_blob);      /* out - addr for the
+                                                               privkey blob */
+
+
+#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
new file mode 100644
index 000000000..5ddf91d2a
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
@@ -0,0 +1,384 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_param_sets.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt_param_sets.c
+ *
+ * Contents: Defines the NTRUEncrypt parameter sets.
+ *
+ *****************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include "ntru_crypto_ntru_encrypt_param_sets.h"
+
+
+/* parameter sets */
+
+static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
+
+    {
+        NTRU_EES401EP1,              /* parameter-set id */
+        {0x00, 0x02, 0x04},          /* OID */
+        0x22,                        /* DER id */
+        9,                           /* no. of bits in N (i.e., in an index) */
+        401,                         /* N */
+        14,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        113,                         /* df, dr */
+        133,                         /* dg */
+        60,                          /* maxMsgLenBytes */
+        113,                         /* dm0 */
+        11,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES449EP1,              /* parameter-set id */
+        {0x00, 0x03, 0x03},          /* OID */
+        0x23,                        /* DER id */
+        9,                           /* no. of bits in N (i.e., in an index) */
+        449,                         /* N */
+        16,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        134,                         /* df, dr */
+        149,                         /* dg */
+        67,                          /* maxMsgLenBytes */
+        134,                         /* dm0 */
+        9,                           /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES677EP1,              /* parameter-set id */
+        {0x00, 0x05, 0x03},          /* OID */
+        0x24,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        677,                         /* N */
+        24,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        157,                         /* df, dr */
+        225,                         /* dg */
+        101,                         /* maxMsgLenBytes */
+        157,                         /* dm0 */
+        11,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES1087EP2,             /* parameter-set id */
+        {0x00, 0x06, 0x03},          /* OID */
+        0x25,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        1087,                        /* N */
+        32,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        120,                         /* df, dr */
+        362,                         /* dg */
+        170,                         /* maxMsgLenBytes */
+        120,                         /* dm0 */
+        13,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES541EP1,              /* parameter-set id */
+        {0x00, 0x02, 0x05},          /* OID */
+        0x26,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        541,                         /* N */
+        14,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        49,                          /* df, dr */
+        180,                         /* dg */
+        86,                          /* maxMsgLenBytes */
+        49,                          /* dm0 */
+        12,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES613EP1,              /* parameter-set id */
+        {0x00, 0x03, 0x04},          /* OID */
+        0x27,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        613,                         /* N */
+        16,                          /* securuity strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        55,                          /* df, dr */
+        204,                         /* dg */
+        97,                          /* maxMsgLenBytes */
+        55,                          /* dm0 */
+        11,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES887EP1,              /* parameter-set id */
+        {0x00, 0x05, 0x04},          /* OID */
+        0x28,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        887,                         /* N */
+        24,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        81,                          /* df, dr */
+        295,                         /* dg */
+        141,                         /* maxMsgLenBytes */
+        81,                          /* dm0 */
+        10,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES1171EP1,             /* parameter-set id */
+        {0x00, 0x06, 0x04},          /* OID */
+        0x29,                        /* DER id */
+        11,                          /* no. of bits in N (i.e., in an index) */
+        1171,                        /* N */
+        32,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        106,                         /* df, dr */
+        390,                         /* dg */
+        186,                         /* maxMsgLenBytes */
+        106,                         /* dm0 */
+        12,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES659EP1,              /* parameter-set id */
+        {0x00, 0x02, 0x06},          /* OID */
+        0x2a,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        659,                         /* N */
+        14,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        38,                          /* df, dr */
+        219,                         /* dg */
+        108,                         /* maxMsgLenBytes */
+        38,                          /* dm0 */
+        11,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES761EP1,              /* parameter-set id */
+        {0x00, 0x03, 0x05},          /* OID */
+        0x2b,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        761,                         /* N */
+        16,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        42,                          /* df, dr */
+        253,                         /* dg */
+        125,                         /* maxMsgLenBytes */
+        42,                          /* dm0 */
+        12,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES1087EP1,             /* parameter-set id */
+        {0x00, 0x05, 0x05},          /* OID */
+        0x2c,                        /* DER id */
+        11,                          /* no. of bits in N (i.e., in an index) */
+        1087,                        /* N */
+        24,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        63,                          /* df, dr */
+        362,                         /* dg */
+        178,                         /* maxMsgLenBytes */
+        63,                          /* dm0 */
+        13,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES1499EP1,             /* parameter-set id */
+        {0x00, 0x06, 0x05},          /* OID */
+        0x2d,                        /* DER id */
+        11,                          /* no. of bits in N (i.e., in an index) */
+        1499,                        /* N */
+        32,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        FALSE,                       /* product form */
+        79,                          /* df, dr */
+        499,                         /* dg */
+        247,                         /* maxMsgLenBytes */
+        79,                          /* dm0 */
+        13,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES401EP2,              /* parameter-set id */
+        {0x00, 0x02, 0x10},          /* OID */
+        0x2e,                        /* DER id */
+        9,                           /* no. of bits in N (i.e., in an index) */
+        401,                         /* N */
+        14,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        TRUE,                        /* product form */
+        8 + (8 << 8) + (6 << 16),    /* df, dr */
+        133,                         /* dg */
+        60,                          /* maxMsgLenBytes */
+        136,                         /* m(1)_max */
+        11,                          /* c */
+        1,                           /* lLen */
+   },
+
+    {
+        NTRU_EES439EP1,              /* parameter-set id */
+        {0x00, 0x03, 0x10},          /* OID */
+        0x2f,                        /* DER id */
+        9,                           /* no. of bits in N (i.e., in an index) */
+        439,                         /* N */
+        16,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        TRUE,                        /* product form */
+        9 + (8 << 8) + (5 << 16),    /* df, dr */
+        146,                         /* dg */
+        65,                          /* maxMsgLenBytes */
+        126,                         /* m(1)_max */
+        9,                           /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES593EP1,              /* parameter-set id */
+        {0x00, 0x05, 0x10},          /* OID */
+        0x30,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        593,                         /* N */
+        24,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        TRUE,                        /* product form */
+        10 + (10 << 8) + (8 << 16),  /* df, dr */
+        197,                         /* dg */
+        86,                          /* maxMsgLenBytes */
+        90,                          /* m(1)_max */
+        11,                          /* c */
+        1,                           /* lLen */
+    },
+
+    {
+        NTRU_EES743EP1,              /* parameter-set id */
+        {0x00, 0x06, 0x10},          /* OID */
+        0x31,                        /* DER id */
+        10,                          /* no. of bits in N (i.e., in an index) */
+        743,                         /* N */
+        32,                          /* security strength in octets */
+        2048,                        /* q */
+        11,                          /* no. of bits in q (i.e., in a coeff) */
+        TRUE,                        /* product form */
+        11 + (11 << 8) + (15 << 16), /* df, dr */
+        247,                         /* dg */
+        106,                         /* maxMsgLenBytes */
+        60,                          /* m(1)_max */
+        13,                          /* c */
+        1,                           /* lLen */
+    },
+
+};
+
+static size_t numParamSets =
+                sizeof(ntruParamSets)/sizeof(NTRU_ENCRYPT_PARAM_SET);
+
+
+/* functions */
+
+/* ntru_encrypt_get_params_with_id
+ *
+ * Looks up a set of NTRUEncrypt parameters based on the id of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_id(
+    NTRU_ENCRYPT_PARAM_SET_ID id)   /*  in - parameter-set id */
+{
+    size_t i;
+
+    for (i = 0; i < numParamSets; i++) {
+        if (ntruParamSets[i].id == id) {
+            return &(ntruParamSets[i]);
+        }
+    }
+    return NULL;
+}
+
+
+/* ntru_encrypt_get_params_with_OID
+ *
+ * Looks up a set of NTRUEncrypt parameters based on the OID of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_OID(
+    uint8_t const *oid)             /*  in - pointer to parameter-set OID */
+{
+    size_t i;
+
+    for (i = 0; i < numParamSets; i++) {
+        if (!memcmp(ntruParamSets[i].OID, oid, 3)) {
+            return &(ntruParamSets[i]);
+        }
+    }
+    return NULL;
+}
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
new file mode 100644
index 000000000..e5e977a0e
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
@@ -0,0 +1,101 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_encrypt_param_sets.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt_param_sets.h
+ *
+ * Contents: Definitions and declarations for the NTRUEncrypt parameter sets.
+ *
+ *****************************************************************************/
+
+#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
+#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
+
+#include "ntru_crypto.h"
+
+/* structures */
+
+typedef struct _NTRU_ENCRYPT_PARAM_SET {
+    NTRU_ENCRYPT_PARAM_SET_ID id;                 /* parameter-set ID */
+    uint8_t const             OID[3];             /* pointer to OID */
+    uint8_t                   der_id;             /* parameter-set DER id */
+    uint8_t                   N_bits;             /* no. of bits in N (i.e. in
+                                                     an index */
+    uint16_t                  N;                  /* ring dimension */
+    uint16_t                  sec_strength_len;   /* no. of octets of
+                                                     security strength */
+    uint16_t                  q;                  /* big modulus */
+    uint8_t                   q_bits;             /* no. of bits in q (i.e. in
+                                                     a coefficient */
+    bool                      is_product_form;    /* if product form used */
+    uint32_t                  dF_r;               /* no. of 1 or -1 coefficients
+                                                     in ring elements F, r */
+    uint16_t                  dg;                 /* no. - 1 of 1 coefficients
+                                                     or no. of -1 coefficients
+                                                     in ring element g */
+    uint16_t                  m_len_max;          /* max no. of plaintext
+                                                     octets */
+    uint16_t                  min_msg_rep_wt;     /* min. message
+                                                     representative weight */
+    uint8_t                   c_bits;             /* no. bits in candidate for
+                                                     deriving an index in
+                                                     IGF-2 */
+    uint8_t                   m_len_len;          /* no. of octets to hold
+                                                     mLenOctets */
+} NTRU_ENCRYPT_PARAM_SET;
+
+
+
+/* function declarations */
+
+/* ntru_encrypt_get_params_with_id
+ *
+ * Looks up a set of NTRU Encrypt parameters based on the id of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+extern NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_id(
+    NTRU_ENCRYPT_PARAM_SET_ID id);  /*  in - parameter-set id */
+
+
+/* ntru_encrypt_get_params_with_OID
+ *
+ * Looks up a set of NTRU Encrypt parameters based on the OID of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+extern NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_OID(
+    uint8_t const *oid);            /*  in - pointer to parameter-set OID */
+
+#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
new file mode 100644
index 000000000..8e4eede87
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
@@ -0,0 +1,242 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_poly.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+#include <stdlib.h>
+#include <string.h>
+#include "ntru_crypto_ntru_poly.h"
+
+/* ntru_poly_check_min_weight
+ *
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ */
+
+bool
+ntru_poly_check_min_weight(
+    uint16_t  num_els,              /*  in - degree of polynomial */
+    uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
+    uint16_t  min_wt)               /*  in - minimum weight */
+{
+    uint16_t wt[3];
+    uint16_t i;
+
+    wt[0] = wt[1] = wt[2] = 0;
+    for (i = 0; i < num_els; i++) {
+       ++wt[ringels[i]];
+    }
+    if ((wt[0] < min_wt) || (wt[1] < min_wt) || (wt[2] < min_wt)) {
+        return FALSE;
+    }
+    return TRUE;
+}
+
+/* ntru_ring_mult_coefficients
+ *
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ */
+
+void
+ntru_ring_mult_coefficients(
+    uint16_t const *a,          /*  in - pointer to polynomial a */
+    uint16_t const *b,          /*  in - pointer to polynomial b */
+    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
+    uint16_t        q,          /*  in - large modulus */
+    uint16_t       *c)          /* out - address for polynomial c */
+{
+    uint16_t const *bptr = b;
+    uint16_t        mod_q_mask = q - 1;
+    uint16_t        i, k;
+
+    /* c[k] = sum(a[i] * b[k-i]) mod q */
+    memset(c, 0, N * sizeof(uint16_t));
+    for (k = 0; k < N; k++) {
+        i = 0;
+        while (i <= k)
+            c[k] += a[i++] * *bptr--;
+        bptr += N;
+        while (i < N)
+            c[k] += a[i++] * *bptr--;
+        c[k] &= mod_q_mask;
+        ++bptr;
+    }
+}
+
+
+/* ntru_ring_inv
+ *
+ * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ */
+
+bool
+ntru_ring_inv(
+    uint16_t       *a,          /*  in - pointer to polynomial a */
+    uint16_t        N,          /*  in - no. of coefficients in a */
+    uint16_t        q,          /*  in - large modulus */
+    uint16_t       *t,          /*  in - temp buffer of 2N elements */
+    uint16_t       *a_inv)      /* out - address for polynomial a^-1 */
+{
+    uint8_t  *b = (uint8_t *)t;     /* b cannot be in a_inv since it must be
+                                       rotated and copied there as a^-1 mod 2 */
+    uint8_t  *c = b + N;            /* c cannot be in a_inv since it exchanges
+                                       with b, and b cannot be in a_inv */
+    uint8_t  *f = c + N;
+    uint8_t  *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */
+    uint16_t *t2 = t + N;
+    uint16_t  deg_b;
+    uint16_t  deg_c;
+    uint16_t  deg_f;
+    uint16_t  deg_g;
+    uint16_t  k = 0;
+    bool      done = FALSE;
+    uint16_t  i, j;
+
+    /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
+    memset(b, 0, (N << 1));                /* clear to init b, c */
+
+    /* b(X) = 1 */
+    b[0] = 1;
+    deg_b = 0;
+
+    /* c(X) = 0 (cleared above) */
+    deg_c = 0;
+
+    /* f(X) = a(X) mod 2 */
+    for (i = 0; i < N; i++)
+        f[i] = (uint8_t)(a[i] & 1);
+    deg_f = N - 1;
+
+    /* g(X) = X^N - 1 */
+    g[0] = 1;
+    memset(g + 1, 0, N - 1);
+    g[N] = 1;
+    deg_g = N;
+
+    /* until f(X) = 1 */
+
+	while (!done)
+	{
+
+        /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
+
+        for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
+        if (i > deg_f)
+            return FALSE;
+        if (i) {
+            f = f + i;
+            deg_f = deg_f - i;
+            deg_c = deg_c + i;
+            for (j = deg_c; j >= i; j--)
+                c[j] = c[j-i];
+            for (j = 0; j < i; j++)
+                c[j] = 0;
+            k = k + i;
+        }
+
+        /* adjust degree of f(X) if the highest coefficients are zero
+         * Note: f[0] = 1 from above so the loop will terminate.
+         */
+
+        while (f[deg_f] == 0)
+            --deg_f;
+
+        /* if f(X) = 1, done
+         * Note: f[0] = 1 from above, so only check the x term and up
+         */
+
+        for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
+        if (i > deg_f) {
+            done = TRUE;
+            break;
+        }
+
+        /* if deg_f < deg_g, f <-> g, b <-> c */
+
+        if (deg_f < deg_g) {
+            uint8_t *x;
+
+            x = f;
+            f = g;
+            g = x;
+            deg_f ^= deg_g;
+            deg_g ^= deg_f;
+            deg_f ^= deg_g;
+            x = b;
+            b = c;
+            c = x;
+            deg_b ^= deg_c;
+            deg_c ^= deg_b;
+            deg_b ^= deg_c;
+        }
+
+        /* f(X) += g(X), b(X) += c(X) */
+
+        for (i = 0; i <= deg_g; i++)
+            f[i] ^= g[i];
+
+        if (deg_c > deg_b)
+            deg_b = deg_c;
+        for (i = 0; i <= deg_c; i++)
+            b[i] ^= c[i];
+    }
+
+    /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
+
+    j = 0;
+    if (k >= N)
+        k = k - N;
+    for (i = k; i < N; i++)
+        a_inv[j++] = (uint16_t)(b[i]);
+    for (i = 0; i < k; i++)
+        a_inv[j++] = (uint16_t)(b[i]);
+
+    /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
+
+    for (j = 0; j < 4; ++j) {       /* assumes 256 < q <= 65536 */
+
+        /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
+
+        memcpy(t2, a_inv, N * sizeof(uint16_t));
+        ntru_ring_mult_coefficients(a, t2, N, q, t);
+        for (i = 0; i < N; ++i)
+            t[i] = q - t[i];
+        t[0] = t[0] + 2;
+        ntru_ring_mult_coefficients(t2, t, N, q, a_inv);
+    }
+
+    return TRUE;
+
+
+}
+
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
new file mode 100644
index 000000000..1e9d467ed
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
@@ -0,0 +1,96 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
+ *
+ * ntru_crypto_ntru_poly.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ *****************************************************************************/
+ 
+/******************************************************************************
+ *
+ * File:  ntru_crypto_ntru_poly.h
+ *
+ * Contents: Public header file for generating and operating on polynomials
+ *           in the NTRU algorithm.
+ *
+ *****************************************************************************/
+
+
+#ifndef NTRU_CRYPTO_NTRU_POLY_H
+#define NTRU_CRYPTO_NTRU_POLY_H
+
+
+#include "ntru_crypto.h"
+
+#include <crypto/hashers/hasher.h>
+
+
+/* function declarations */
+
+/* ntru_poly_check_min_weight
+ *
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ */
+
+extern bool
+ntru_poly_check_min_weight(
+    uint16_t  num_els,              /*  in - degree of polynomial */
+    uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
+    uint16_t  min_wt);              /*  in - minimum weight */
+
+/* ntru_ring_mult_coefficients
+ *
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ */
+
+extern void
+ntru_ring_mult_coefficients(
+    uint16_t const *a,          /*  in - pointer to polynomial a */
+    uint16_t const *b,          /*  in - pointer to polynomial b */
+    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
+    uint16_t        q,          /*  in - large modulus */
+    uint16_t       *c);         /* out - address for polynomial c */
+
+
+/* ntru_ring_inv
+ *
+ * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ */
+
+extern bool
+ntru_ring_inv(
+    uint16_t       *a,          /*  in - pointer to polynomial a */
+    uint16_t        N,          /*  in - no. of coefficients in a */
+    uint16_t        q,          /*  in - large modulus */
+    uint16_t       *t,          /*  in - temp buffer of 2N elements */
+    uint16_t       *a_inv);     /* out - address for polynomial a^-1 */
+
+
+#endif /* NTRU_CRYPTO_NTRU_POLY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c
new file mode 100644
index 000000000..181a58939
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_drbg.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+#define	MAX_STRENGTH_BITS	256
+#define MAX_DRBG_REQUESTS	0xfffffffe
+
+typedef struct private_ntru_drbg_t private_ntru_drbg_t;
+
+/**
+ * Private data of an ntru_drbg_t object.
+ */
+struct private_ntru_drbg_t {
+	/**
+	 * Public ntru_drbg_t interface.
+	 */
+	ntru_drbg_t public;
+
+	/**
+	 * Security strength in bits of the DRBG
+	 */
+	u_int32_t strength;
+
+	/**
+	 * Number of requests for pseudorandom bits
+	 */
+	u_int32_t reseed_counter;
+
+	/**
+	 * Maximum number of requests for pseudorandom bits
+	 */
+	u_int32_t max_requests;
+
+	/**
+	 * True entropy source
+	 */
+	rng_t *entropy;
+
+	/**
+	 * HMAC-SHA256
+	 */
+	signer_t *hmac;
+
+	/**
+	 * Internal state of HMAC-SHA256: key
+	 */
+	chunk_t key;
+
+	/**
+	 * Internal state of HMAC-SHA256: value
+	 */
+	chunk_t value;
+
+};
+
+/**
+ * Update the internal state of the HMAC_DRBG
+ */
+static bool update(private_ntru_drbg_t *this, chunk_t data)
+{
+	chunk_t ch_00 = chunk_from_chars(0x00);
+	chunk_t ch_01 = chunk_from_chars(0x01);
+
+	if (!this->hmac->set_key(this->hmac, this->key) ||
+		!this->hmac->get_signature(this->hmac, this->value, NULL) ||
+	    !this->hmac->get_signature(this->hmac, ch_00, NULL) ||
+	    !this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
+		!this->hmac->set_key(this->hmac, this->key) ||
+	    !this->hmac->get_signature(this->hmac, this->value,
+											   this->value.ptr))
+	{
+		return FALSE;
+	}
+
+	if (data.len > 0)
+	{
+		if (!this->hmac->set_key(this->hmac, this->key) ||
+			!this->hmac->get_signature(this->hmac, this->value, NULL) ||
+			!this->hmac->get_signature(this->hmac, ch_01, NULL) ||
+			!this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
+			!this->hmac->set_key(this->hmac, this->key) ||
+			!this->hmac->get_signature(this->hmac, this->value,
+												   this->value.ptr))
+		{
+			return FALSE;
+		}
+	}
+	DBG4(DBG_LIB, "HMAC_DRBG V: %B", &this->value);
+	DBG4(DBG_LIB, "HMAC_DRBG K: %B", &this->key);
+
+	return TRUE;
+}
+
+METHOD(ntru_drbg_t, get_strength, u_int32_t,
+	private_ntru_drbg_t *this)
+{
+	return this->strength;
+}
+
+METHOD(ntru_drbg_t, reseed, bool,
+	private_ntru_drbg_t *this)
+{
+	chunk_t seed;
+
+	seed = chunk_alloc(this->strength / BITS_PER_BYTE);
+	DBG2(DBG_LIB, "DRBG requests %u bytes of entropy", seed.len);
+
+	if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr))
+	{
+		chunk_free(&seed);
+		return FALSE;
+	}
+	if (!update(this, seed))
+	{
+		chunk_free(&seed);
+		return FALSE;
+	}
+	chunk_clear(&seed);
+	this->reseed_counter = 1;
+
+	return TRUE;
+}
+
+METHOD(ntru_drbg_t, generate, bool,
+	private_ntru_drbg_t *this, u_int32_t strength, u_int32_t len, u_int8_t *out)
+{
+	size_t delta;
+	chunk_t output;
+
+	DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len);
+	if (!out || len == 0)
+	{
+		return FALSE;
+	}
+	output = chunk_create(out, len);
+
+	if (this->reseed_counter > this->max_requests)
+	{
+		if (!reseed(this))
+		{
+			return FALSE;
+		}
+	}
+	while (len)
+	{
+		if (!this->hmac->get_signature(this->hmac, this->value,
+												   this->value.ptr))
+		{
+			return FALSE;
+		}
+		delta = min(len, this->value.len);
+		memcpy(out, this->value.ptr, delta);
+		len -= delta;
+		out += delta;
+	}
+	DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output);
+
+	if (!update(this, chunk_empty))
+	{
+		return FALSE;
+	}
+	this->reseed_counter++;
+
+	return TRUE;
+}
+
+METHOD(ntru_drbg_t, destroy, void,
+	private_ntru_drbg_t *this)
+{
+	this->hmac->destroy(this->hmac);
+	chunk_clear(&this->key);
+	chunk_clear(&this->value);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
+							  rng_t *entropy)
+{
+	private_ntru_drbg_t *this;
+	chunk_t seed;
+	signer_t *hmac;
+	size_t entropy_len;
+	u_int32_t max_requests;
+
+	if (strength > MAX_STRENGTH_BITS)
+	{
+		return NULL;
+	}
+	if (strength <= 112)
+	{
+		strength = 112;
+	}
+	else if (strength <= 128)
+	{
+		strength = 128;
+	}
+	else if (strength <= 192)
+	{
+		strength = 192;
+	}
+	else
+	{
+		strength = 256;
+	}
+
+	hmac = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA2_256_256);
+	if (!hmac)
+	{
+		DBG1(DBG_LIB, "could not instantiate HMAC-SHA256");
+		return NULL;
+	}
+
+	max_requests = lib->settings->get_int(lib->settings,
+										  "%s.plugins.ntru.max_drbg_requests",
+										  MAX_DRBG_REQUESTS, lib->ns);
+
+	INIT(this,
+		.public = {
+			.get_strength = _get_strength,
+			.reseed = _reseed,
+			.generate = _generate,
+			.destroy = _destroy,
+		},
+		.strength = strength,
+		.entropy = entropy,
+		.hmac = hmac,
+		.key = chunk_alloc(hmac->get_key_size(hmac)),
+		.value = chunk_alloc(hmac->get_block_size(hmac)),
+		.max_requests = max_requests,
+		.reseed_counter = 1,
+	);
+
+	memset(this->key.ptr, 0x00, this->key.len);
+	memset(this->value.ptr, 0x01, this->value.len);
+
+	entropy_len = (strength + strength/2) / BITS_PER_BYTE;
+	seed = chunk_alloc(entropy_len + pers_str.len);
+	DBG2(DBG_LIB, "DRBG requests %u bytes of entropy", entropy_len);
+
+	if (!this->entropy->get_bytes(this->entropy, entropy_len, seed.ptr))
+	{
+		chunk_free(&seed);
+		destroy(this);
+		return NULL;
+	}
+	memcpy(seed.ptr + entropy_len, pers_str.ptr, pers_str.len);
+	DBG4(DBG_LIB, "seed: %B", &seed);
+
+	if (!update(this, seed))
+	{
+		chunk_free(&seed);
+		destroy(this);
+		return NULL;
+	}
+	chunk_clear(&seed);
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create);
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h
new file mode 100644
index 000000000..38ac718ae
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_drbg ntru_drbg
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_DRBG_H_
+#define NTRU_DRBG_H_
+
+typedef struct ntru_drbg_t ntru_drbg_t;
+
+#include <library.h>
+
+/**
+ * Implements a HMAC Deterministic Random Bit Generator (HMAC_DRBG)
+ * compliant with NIST SP 800-90A
+ */
+struct ntru_drbg_t {
+
+	/**
+	 * Reseed the instantiated DRBG
+	 *
+	 * @return			configured security strength in bits
+	 */
+	u_int32_t (*get_strength)(ntru_drbg_t *this);
+
+	/**
+	 * Reseed the instantiated DRBG
+	 *
+	 * @return			TRUE if successful
+	 */
+	bool (*reseed)(ntru_drbg_t *this);
+
+	/**
+	 * Generate pseudorandom bytes.
+	 * If the maximum number of requests has been reached, reseeding occurs
+	 *
+	 * @param strength	requested security strength in bits
+	 * @param len		number of octets to generate
+	 * @param out		address of output buffer
+	 * @return			TRUE if successful
+	 */
+	bool (*generate)(ntru_drbg_t *this, u_int32_t strength, u_int32_t len,
+										u_int8_t *out);
+
+	/**
+	 * Uninstantiate and destroy the DRBG object
+	 */
+	void (*destroy)(ntru_drbg_t *this);
+};
+
+/**
+ * Create and instantiate a new DRBG objet.
+ *
+ * @param strength		security strength in bits
+ * @param pers_str		personalization string
+ * @param entropy		entropy source to use
+ */
+ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
+							  rng_t *entropy);
+
+#endif /** NTRU_DRBG_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
new file mode 100644
index 000000000..39fb261cd
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_ke.h"
+#include "ntru_drbg.h"
+
+#include "ntru_crypto/ntru_crypto.h"
+
+#include <crypto/diffie_hellman.h>
+#include <utils/debug.h>
+
+typedef struct private_ntru_ke_t private_ntru_ke_t;
+typedef struct param_set_t param_set_t;
+
+/**
+ * Defines an NTRU parameter set by ID or OID
+ */
+struct param_set_t {
+	NTRU_ENCRYPT_PARAM_SET_ID id;
+	char oid[3];
+	char *name;
+};
+
+/* Best bandwidth and speed, no X9.98 compatibility */
+static param_set_t param_sets_optimum[] = {
+	{ NTRU_EES401EP2,  {0x00, 0x02, 0x10}, "ees401ep2"  },
+	{ NTRU_EES439EP1,  {0x00, 0x03, 0x10}, "ees439ep1"  },
+	{ NTRU_EES593EP1,  {0x00, 0x05, 0x10}, "ees593ep1"  },
+	{ NTRU_EES743EP1,  {0x00, 0x06, 0x10}, "ees743ep1"  }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets for best speed */
+static param_set_t param_sets_x9_98_speed[] = {
+	{ NTRU_EES659EP1,  {0x00, 0x02, 0x06}, "ees659ep1"  },
+	{ NTRU_EES761EP1,  {0x00, 0x03, 0x05}, "ees761ep1"  },
+	{ NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" },
+	{ NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
+static param_set_t param_sets_x9_98_bandwidth[] = {
+	{ NTRU_EES401EP1,  {0x00, 0x02, 0x04}, "ees401ep1"  },
+	{ NTRU_EES449EP1,  {0x00, 0x03, 0x03}, "ees449ep1"  },
+	{ NTRU_EES677EP1,  {0x00, 0x05, 0x03}, "ees677ep1"  },
+	{ NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
+static param_set_t param_sets_x9_98_balance[] = {
+	{ NTRU_EES541EP1,  {0x00, 0x02, 0x05}, "ees541ep1"  },
+	{ NTRU_EES613EP1,  {0x00, 0x03, 0x04}, "ees613ep1"  },
+	{ NTRU_EES887EP1,  {0x00, 0x05, 0x04}, "ees887ep1"  },
+	{ NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" }
+};
+
+/**
+ * Private data of an ntru_ke_t object.
+ */
+struct private_ntru_ke_t {
+	/**
+	 * Public ntru_ke_t interface.
+	 */
+	ntru_ke_t public;
+
+	/**
+	 * Diffie Hellman group number.
+	 */
+	u_int16_t group;
+
+	/**
+	 * NTRU Parameter Set
+	 */
+	param_set_t *param_set;
+
+	/**
+	 * Cryptographical strength in bits of the NTRU Parameter Set
+	 */
+	u_int32_t strength;
+
+	/**
+	 * NTRU Public Key
+	 */
+	chunk_t pub_key;
+
+	/**
+	 * NTRU Private Key
+	 */
+	chunk_t priv_key;
+
+	/**
+	 * NTRU encrypted shared secret
+	 */
+	chunk_t ciphertext;
+
+	/**
+	 * Shared secret
+	 */
+	chunk_t shared_secret;
+
+	/**
+	 * True if peer is responder
+	 */
+	bool responder;
+
+	/**
+	 * True if shared secret is computed
+	 */
+	bool computed;
+
+	/**
+	 * True Random Generator
+	 */
+	rng_t *entropy;
+
+	/**
+	 * Deterministic Random Bit Generator
+	 */
+    ntru_drbg_t *drbg;
+};
+
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_ntru_ke_t *this, chunk_t *value)
+{
+    uint16_t pub_key_len, priv_key_len;
+
+	*value = chunk_empty;
+
+	if (this->responder)
+	{
+		if (this->ciphertext.len)
+		{
+			*value = chunk_clone(this->ciphertext);
+		}
+	}
+	else
+	{
+		if (this->pub_key.len == 0)
+		{
+			/* determine the NTRU public and private key sizes */
+			if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
+								&pub_key_len, NULL,
+				 				&priv_key_len, NULL) != NTRU_OK)
+			{
+				DBG1(DBG_LIB, "error determining NTRU public and private key "
+							  "sizes");
+				return;
+			}
+			this->pub_key  = chunk_alloc(pub_key_len);
+			this->priv_key = chunk_alloc(priv_key_len);
+
+			/* generate a random NTRU public/private key pair */
+		    if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
+								&pub_key_len, this->pub_key.ptr,
+				 				&priv_key_len, this->priv_key.ptr) != NTRU_OK)
+			{
+				DBG1(DBG_LIB, "NTRU keypair generation failed");
+				chunk_free(&this->priv_key);
+				chunk_free(&this->pub_key);
+				return;
+			}
+			DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
+			DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
+		}
+		*value = chunk_clone(this->pub_key);
+	}
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_ntru_ke_t *this, chunk_t *secret)
+{
+	if (!this->computed || !this->shared_secret.len)
+	{
+		*secret = chunk_empty;
+		return FAILED;
+	}
+	*secret = chunk_clone(this->shared_secret);
+
+	return SUCCESS;
+}
+
+
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_ntru_ke_t *this, chunk_t value)
+{
+	u_int16_t plaintext_len, ciphertext_len;
+
+	if (this->priv_key.len)
+	{
+		/* initiator decrypting shared secret */
+		if (value.len == 0)
+		{
+			DBG1(DBG_LIB, "empty NTRU ciphertext");
+			return;
+		}
+		this->ciphertext = chunk_clone(value);
+		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
+
+		/* determine the size of the maximum plaintext */
+    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
+								this->ciphertext.len, this->ciphertext.ptr,
+								&plaintext_len, NULL) != NTRU_OK)
+		{
+			DBG1(DBG_LIB, "error determining maximum plaintext size");
+			return;
+		}
+		this->shared_secret = chunk_alloc(plaintext_len);
+
+		/* decrypt the shared secret */
+    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
+						this->ciphertext.len, this->ciphertext.ptr,
+						&plaintext_len, this->shared_secret.ptr) != NTRU_OK)
+		{
+			DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
+			chunk_free(&this->shared_secret);
+			return;
+		}
+		this->shared_secret.len = plaintext_len;
+		this->computed = TRUE;
+	}
+	else
+	{
+		/* responder generating and encrypting the shared secret */
+		this->responder = TRUE;
+
+		/* check the NTRU public key format */
+		if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+		{
+			DBG1(DBG_LIB, "received NTRU public key with invalid header");
+			return;
+		}
+		if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+		{
+			DBG1(DBG_LIB, "received NTRU public key with wrong OID");
+			return;
+		}
+		this->pub_key = chunk_clone(value);
+
+		/* shared secret size is chosen as twice the cryptographical strength */
+		this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
+
+		/* generate the random shared secret */
+		if (!this->drbg->generate(this->drbg, this->strength,
+				this->shared_secret.len, this->shared_secret.ptr))
+		{
+			DBG1(DBG_LIB, "generation of shared secret failed");
+			chunk_free(&this->shared_secret);
+			return;
+		}
+		this->computed = TRUE;
+
+		/* determine the size of the ciphertext */
+		if (ntru_crypto_ntru_encrypt(this->drbg,
+							this->pub_key.len,	this->pub_key.ptr,
+							this->shared_secret.len, this->shared_secret.ptr,
+                            &ciphertext_len, NULL) != NTRU_OK)
+		{
+			DBG1(DBG_LIB, "error determining ciphertext size");
+			return;
+		}
+		this->ciphertext = chunk_alloc(ciphertext_len);
+
+		/* encrypt the shared secret */
+		if (ntru_crypto_ntru_encrypt(this->drbg,
+							this->pub_key.len,	this->pub_key.ptr,
+							this->shared_secret.len, this->shared_secret.ptr,
+                            &ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
+		{
+			DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
+			chunk_free(&this->ciphertext);
+			return;
+		}
+		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
+	}
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_ntru_ke_t *this)
+{
+	return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_ntru_ke_t *this)
+{
+	this->drbg->destroy(this->drbg);
+	this->entropy->destroy(this->entropy);
+	chunk_free(&this->pub_key);
+	chunk_free(&this->ciphertext);
+	chunk_clear(&this->priv_key);
+	chunk_clear(&this->shared_secret);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
+{
+	private_ntru_ke_t *this;
+	param_set_t *param_sets, *param_set;
+	rng_t *entropy;
+	ntru_drbg_t *drbg;
+	char *parameter_set;
+	u_int32_t strength;
+
+	parameter_set = lib->settings->get_str(lib->settings,
+						"%s.plugins.ntru.parameter_set", "optimum", lib->ns);
+
+	if (streq(parameter_set, "x9_98_speed"))
+	{
+		param_sets = param_sets_x9_98_speed;
+	}
+	else if (streq(parameter_set, "x9_98_bandwidth"))
+	{
+		param_sets = param_sets_x9_98_bandwidth;
+	}
+	else if (streq(parameter_set, "x9_98_balance"))
+	{
+		param_sets = param_sets_x9_98_balance;
+	}
+	else
+	{
+		param_sets = param_sets_optimum;
+	}
+
+	switch (group)
+	{
+		case NTRU_112_BIT:
+			strength = 112;
+			param_set = &param_sets[0];
+			break;
+		case NTRU_128_BIT:
+			strength = 128;
+			param_set = &param_sets[1];
+			break;
+		case NTRU_192_BIT:
+			strength = 192;
+			param_set = &param_sets[2];
+			break;
+		case NTRU_256_BIT:
+			strength = 256;
+			param_set = &param_sets[3];
+			break;
+		default:
+			return NULL;
+	}
+	DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
+				   parameter_set, param_set->name);
+
+	entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+	if (!entropy)
+	{
+		DBG1(DBG_LIB, "could not attach entropy source for DRBG");
+		return NULL;
+	}
+
+	drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
+	if (!drbg)
+ 	{
+		DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
+		entropy->destroy(entropy);
+        return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.param_set = param_set,
+		.strength = strength,
+		.entropy = entropy,
+		.drbg = drbg,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.h b/src/libstrongswan/plugins/ntru/ntru_ke.h
new file mode 100644
index 000000000..b8bbf5e54
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_ke ntru_ke
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_KE_H_
+#define NTRU_KE_H_
+
+typedef struct ntru_ke_t ntru_ke_t;
+
+#include <library.h>
+
+/**
+ * Implementation of a key exchange algorithm using NTRU encryption
+ */
+struct ntru_ke_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new ntru_ke_t object.
+ *
+ * @param group			NTRU group number to use
+ * @param g				not used
+ * @param p				not used
+ * @return				ntru_ke_t object, NULL if not supported
+ */
+ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p);
+
+#endif /** NTRU_KE_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.c b/src/libstrongswan/plugins/ntru/ntru_mgf1.c
new file mode 100644
index 000000000..2338db208
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_mgf1.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_mgf1.h"
+
+#include <crypto/hashers/hasher.h>
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_mgf1_t private_ntru_mgf1_t;
+
+/**
+ * Private data of an ntru_mgf1_t object.
+ */
+struct private_ntru_mgf1_t {
+
+	/**
+	 * Public ntru_mgf1_t interface.
+	 */
+	ntru_mgf1_t public;
+
+	/**
+	 * Hasher the MGF1 Mask Generation Function is based on
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * Counter
+	 */
+	u_int32_t counter;
+
+	/**
+	 * Set if counter has reached 2^32
+	 */
+	bool overflow;
+
+	/**
+	 * Current state to be hashed
+	 */
+	chunk_t state;
+
+	/**
+	 * Position of the 4 octet counter string
+	 */
+	u_char *ctr_str;
+
+};
+
+METHOD(ntru_mgf1_t, get_hash_size, size_t,
+	private_ntru_mgf1_t *this)
+{
+	return this->hasher->get_hash_size(this->hasher);
+}
+
+METHOD(ntru_mgf1_t, get_mask, bool,
+	private_ntru_mgf1_t *this, size_t mask_len, u_char *mask)
+{
+	u_char buf[HASH_SIZE_SHA512];
+	size_t hash_len;
+
+	hash_len = this->hasher->get_hash_size(this->hasher);
+
+	while (mask_len > 0)
+	{
+		/* detect overflow, set counter string and increment counter */
+		if (this->overflow)
+		{
+			return FALSE;
+		}
+		htoun32(this->ctr_str, this->counter++);
+		if (this->counter == 0)
+		{
+			this->overflow = TRUE;
+		}
+
+		/* get the next or final mask block from the hash function */
+		if (!this->hasher->get_hash(this->hasher, this->state,
+								   (mask_len < hash_len) ? buf : mask))
+		{
+			return FALSE;
+		}
+		if (mask_len < hash_len)
+		{
+			memcpy(mask, buf, mask_len);
+			return TRUE;
+		}
+		mask_len -= hash_len;
+		mask += hash_len;
+	}
+	return TRUE;
+}
+
+METHOD(ntru_mgf1_t, allocate_mask, bool,
+	private_ntru_mgf1_t *this, size_t mask_len, chunk_t *mask)
+{
+	if (mask_len == 0)
+	{
+		*mask = chunk_empty;
+		return TRUE;
+	}
+	*mask = chunk_alloc(mask_len);
+
+	return get_mask(this, mask_len, mask->ptr);
+}
+
+METHOD(ntru_mgf1_t, destroy, void,
+	private_ntru_mgf1_t *this)
+{
+	this->hasher->destroy(this->hasher);
+	chunk_clear(&this->state);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+							  bool hash_seed)
+{
+	private_ntru_mgf1_t *this;
+	hasher_t *hasher;
+	size_t state_len;
+
+	if (seed.len == 0)
+	{
+		DBG1(DBG_LIB, "empty seed for MGF1");
+		return NULL;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!hasher)
+	{
+		DBG1(DBG_LIB, "failed to create %N hasher for MGF1",
+			 hash_algorithm_names, alg);
+		return NULL;
+	}
+	state_len = (hash_seed ? hasher->get_hash_size(hasher) : seed.len) + 4;
+	
+	INIT(this,
+		.public = {
+			.get_hash_size = _get_hash_size,
+			.allocate_mask = _allocate_mask,
+			.get_mask = _get_mask,
+			.destroy = _destroy,
+		},
+		.hasher = hasher,
+		.state = chunk_alloc(state_len),
+	);
+
+	/* determine position of the 4 octet counter string */
+	this->ctr_str = this->state.ptr + state_len - 4;
+
+	if (hash_seed)
+	{
+		if (!hasher->get_hash(hasher, seed, this->state.ptr))
+		{
+			DBG1(DBG_LIB, "failed to hash seed for MGF1");
+			destroy(this);
+			return NULL;
+		}
+	}
+	else
+	{
+		memcpy(this->state.ptr, seed.ptr, seed.len);
+	}
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create);
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.h b/src/libstrongswan/plugins/ntru/ntru_mgf1.h
new file mode 100644
index 000000000..53e90412a
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_mgf1.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_mgf1 ntru_mgf1
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_MGF1_H_
+#define NTRU_MGF1_H_
+
+typedef struct ntru_mgf1_t ntru_mgf1_t;
+
+#include <library.h>
+
+/**
+ * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
+ * defined in section 10.2.1 of RFC 2437 
+ */
+struct ntru_mgf1_t {
+
+	/**
+	 * Get the hash size of the underlying hash function
+	 *
+	 * @return			hash size in bytes
+	 */
+	size_t (*get_hash_size)(ntru_mgf1_t *this);
+
+	/**
+	 * Generate a mask pattern and copy it to an output buffer
+	 * If the maximum number of requests has been reached, reseeding occurs
+	 *
+	 * @param mask_len	number of mask bytes to generate
+	 * @param mask		output buffer of minimum size mask_len
+	 * @return			TRUE if successful
+	 */
+	bool (*get_mask)(ntru_mgf1_t *this, size_t mask_len, u_char *mask);
+
+	/**
+	 * Generate a mask pattern and return it in an allocated chunk
+	 *
+	 * @param mask_len	number of mask bytes to generate
+	 * @param mask		chunk containing generated mask
+	 * @return			TRUE if successful
+	 */
+	bool (*allocate_mask)(ntru_mgf1_t *this, size_t mask_len, chunk_t *mask);
+
+	/**
+	 * Destroy the MGF1 object
+	 */
+	void (*destroy)(ntru_mgf1_t *this);
+};
+
+/**
+ * Create an MGF1 object
+ *
+ * @param alg			hash algorithm to be used by MGF1
+ * @param seed			seed used by MGF1 to generate mask from
+ * @param hash_seed		hash seed before using it as a seed from MGF1
+ */
+ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+							  bool hash_seed);
+
+#endif /** NTRU_MGF1_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.c b/src/libstrongswan/plugins/ntru/ntru_plugin.c
new file mode 100644
index 000000000..66be7c75b
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_plugin.h"
+#include "ntru_ke.h"
+
+#include <library.h>
+
+typedef struct private_ntru_plugin_t private_ntru_plugin_t;
+
+/**
+ * private data of ntru_plugin
+ */
+struct private_ntru_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ntru_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_ntru_plugin_t *this)
+{
+	return "ntru";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_ntru_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(DH, ntru_ke_create),
+			PLUGIN_PROVIDE(DH, NTRU_112_BIT),
+			PLUGIN_PROVIDE(DH, NTRU_128_BIT),
+			PLUGIN_PROVIDE(DH, NTRU_192_BIT),
+			PLUGIN_PROVIDE(DH, NTRU_256_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+				PLUGIN_SDEPEND(HASHER, HASH_SHA1)
+	};
+	*features = f;
+
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_ntru_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ntru_plugin_create()
+{
+	private_ntru_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.h b/src/libstrongswan/plugins/ntru/ntru_plugin.h
new file mode 100644
index 000000000..187b83445
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_p ntru
+ * @ingroup plugins
+ *
+ * @defgroup ntru_plugin ntru_plugin
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PLUGIN_H_
+#define NTRU_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ntru_plugin_t ntru_plugin_t;
+
+/**
+ * Plugin implementing NTRU-base key exchange
+ */
+struct ntru_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** NTRU_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
new file mode 100644
index 000000000..3f754f2a0
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_poly.h"
+#include "ntru_mgf1.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_poly_t private_ntru_poly_t;
+typedef struct indices_len_t indices_len_t;
+
+/**
+ * Stores number of +1 and -1 coefficients
+ */
+struct indices_len_t {
+	int p;
+	int m;
+};
+
+/**
+ * Private data of an ntru_poly_t object.
+ */
+struct private_ntru_poly_t {
+
+	/**
+	 * Public ntru_poly_t interface.
+	 */
+	ntru_poly_t public;
+
+	/**
+	 * Ring dimension equal to the number of polynomial coefficients
+	 */
+	uint16_t N;
+
+	/**
+	 * Large modulus
+	 */
+	uint16_t q;
+
+	/**
+	 * Array containing the indices of the non-zero coefficients
+	 */
+	uint16_t *indices;
+
+	/**
+	 * Number of indices of the non-zero coefficients
+	 */
+	size_t num_indices;
+
+	/**
+	 * Number of sparse polynomials
+	 */
+	int num_polynomials;
+
+	/**
+	 * Number of nonzero coefficients for up to 3 sparse polynomials
+	 */
+	indices_len_t indices_len[3];
+
+};
+
+METHOD(ntru_poly_t, get_size, size_t,
+	private_ntru_poly_t *this)
+{
+	return this->num_indices;
+}
+
+METHOD(ntru_poly_t, get_indices, uint16_t*,
+	private_ntru_poly_t *this)
+{
+	return this->indices;
+}
+
+/**
+  * Multiplication of polynomial a with a sparse polynomial b given by
+  * the indices of its +1 and -1 coefficients results in polynomial c.
+  * This is a convolution operation
+  */
+static void ring_mult_i(uint16_t *a, indices_len_t len, uint16_t *indices,
+							  uint16_t N, uint16_t mod_q_mask, uint16_t *t,
+							  uint16_t *c)
+{
+	int i, j, k;
+
+	/* initialize temporary array t */
+	for (k = 0; k < N; k++)
+	{
+		t[k] = 0;
+	}
+
+	/* t[(i+k)%N] = sum i=0 through N-1 of a[i], for b[k] = -1 */
+	for (j = len.p; j < len.p + len.m; j++)
+	{
+		k = indices[j];
+		for (i = 0; k < N; ++i, ++k)
+		{
+			t[k] += a[i];
+		}
+		for (k = 0; i < N; ++i, ++k)
+		{
+			t[k] += a[i];
+		}
+	}
+
+	/* t[(i+k)%N] = -(sum i=0 through N-1 of a[i] for b[k] = -1) */
+	for (k = 0; k < N; k++)
+	{
+		t[k] = -t[k];
+	}
+
+	/* t[(i+k)%N] += sum i=0 through N-1 of a[i] for b[k] = +1 */
+	for (j = 0; j < len.p; j++)
+	{
+		k = indices[j];
+		for (i = 0; k < N; ++i, ++k)
+		{
+			t[k] += a[i];
+		}
+		for (k = 0; i < N; ++i, ++k)
+		{
+			t[k] += a[i];
+		}
+	}
+
+	/* c = (a * b) mod q */
+	for (k = 0; k < N; k++)
+	{
+		c[k] = t[k] & mod_q_mask;
+	}
+}
+
+METHOD(ntru_poly_t, get_array, void,
+	private_ntru_poly_t *this, uint16_t *array)
+{
+	uint16_t *t, *bi;
+	uint16_t mod_q_mask = this->q - 1;
+	indices_len_t len;
+	int i;
+
+	/* form polynomial F or F1 */
+	memset(array, 0x00, this->N * sizeof(uint16_t));
+	bi = this->indices;
+	len = this->indices_len[0];
+	for (i = 0; i < len.p + len.m; i++)
+	{
+		array[bi[i]] = (i < len.p) ? 1 : mod_q_mask;
+	}
+
+	if (this->num_polynomials == 3)
+	{
+		/* allocate temporary array t */
+		t = malloc(this->N * sizeof(uint16_t));
+
+		/* form F1 * F2 */
+		bi += len.p + len.m;
+		len = this->indices_len[1];
+		ring_mult_i(array, len, bi, this->N, mod_q_mask, t, array);
+
+		/* form (F1 * F2) + F3 */
+		bi += len.p + len.m;
+		len = this->indices_len[2];
+		for (i = 0; i < len.p + len.m; i++)
+		{
+			if (i < len.p)
+			{
+				array[bi[i]] += 1;
+			}
+			else
+			{
+				array[bi[i]] -= 1;
+			}
+			array[bi[i]] &= mod_q_mask;
+		}
+		free(t);
+	}
+}
+
+METHOD(ntru_poly_t, ring_mult, void,
+	private_ntru_poly_t *this, uint16_t *a, uint16_t *c)
+{
+	uint16_t *t1, *t2;
+	uint16_t *bi = this->indices;
+	uint16_t mod_q_mask = this->q - 1;
+	int i;
+
+	/* allocate temporary array t1 */
+	t1 = malloc(this->N * sizeof(uint16_t));
+
+	if (this->num_polynomials == 1)
+	{
+		ring_mult_i(a, this->indices_len[0], bi, this->N, mod_q_mask, t1, c);
+	}
+	else
+	{
+		/* allocate temporary array t2 */
+		t2 = malloc(this->N * sizeof(uint16_t));
+
+		/* t1 = a * b1 */
+		ring_mult_i(a, this->indices_len[0], bi, this->N, mod_q_mask, t1, t1);
+
+		/* t1 = (a * b1) * b2 */
+		bi += this->indices_len[0].p + this->indices_len[0].m;
+		ring_mult_i(t1, this->indices_len[1], bi, this->N, mod_q_mask, t2, t1);
+
+		/* t2 = a * b3 */
+		bi += this->indices_len[1].p + this->indices_len[1].m;
+		ring_mult_i(a, this->indices_len[2], bi, this->N, mod_q_mask, t2, t2);
+
+		/* c = (a * b1 * b2) + (a * b3) */
+		for (i = 0; i < this->N; i++)
+		{
+			c[i] = (t1[i] + t2[i]) & mod_q_mask;
+		}
+		free(t2);
+	}
+	free(t1);
+}
+
+METHOD(ntru_poly_t, destroy, void,
+	private_ntru_poly_t *this)
+{
+	memwipe(this->indices, sizeof(uint16_t) * get_size(this));
+	free(this->indices);
+	free(this);
+}
+
+static void init_indices(private_ntru_poly_t *this, bool is_product_form,
+						 uint32_t indices_len_p, uint32_t indices_len_m)
+{
+	int n;
+
+	if (is_product_form)
+	{
+		this->num_polynomials = 3;
+		for (n = 0; n < 3; n++)
+		{
+			this->indices_len[n].p = 0xff & indices_len_p;
+			this->indices_len[n].m = 0xff & indices_len_m;
+			this->num_indices += this->indices_len[n].p +
+								 this->indices_len[n].m;
+			indices_len_p >>= 8;
+			indices_len_m >>= 8;
+		}
+	}
+	else
+	{
+		this->num_polynomials = 1;
+		this->indices_len[0].p = indices_len_p;
+		this->indices_len[0].m = indices_len_m;
+		this->num_indices = indices_len_p + indices_len_m;
+	}
+	this->indices = malloc(sizeof(uint16_t) * this->num_indices);
+}
+
+/*
+ * Described in header.
+ */
+ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
+										uint8_t c_bits, uint16_t N, uint16_t q,
+										uint32_t indices_len_p,
+										uint32_t indices_len_m,
+										bool is_product_form)
+{
+	private_ntru_poly_t *this;
+	size_t hash_len, octet_count = 0, i;
+	uint8_t octets[HASH_SIZE_SHA512], *used, num_left = 0, num_needed;
+	uint16_t index, limit, left = 0;
+	int n, num_indices, index_i = 0;
+	ntru_mgf1_t *mgf1;
+
+	DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
+	mgf1 = ntru_mgf1_create(alg, seed, TRUE);
+	if (!mgf1)
+	{
+	    return NULL;
+	}
+	i = hash_len = mgf1->get_hash_size(mgf1);
+
+	INIT(this,
+		.public = {
+			.get_size = _get_size,
+			.get_indices = _get_indices,
+			.get_array = _get_array,
+			.ring_mult = _ring_mult,
+			.destroy = _destroy,
+		},
+		.N = N,
+		.q = q,
+	);
+
+	init_indices(this, is_product_form, indices_len_p, indices_len_m);
+	used = malloc(N);
+	limit = N * ((1 << c_bits) / N);
+
+	/* generate indices for all polynomials */
+	for (n = 0; n < this->num_polynomials; n++)
+	{
+		memset(used, 0, N);
+		num_indices = this->indices_len[n].p + this->indices_len[n].m;
+
+		/* generate indices for a single polynomial */
+		while (num_indices)
+		{
+			/* generate a random candidate index with a size of c_bits */		
+			do
+			{
+				/* use any leftover bits first */
+				index = num_left ? left << (c_bits - num_left) : 0;
+
+				/* get the rest of the bits needed from new octets */
+				num_needed = c_bits - num_left;
+
+				while (num_needed)
+				{
+					if (i == hash_len)
+					{
+						/* get another block from MGF1 */
+						if (!mgf1->get_mask(mgf1, hash_len, octets))
+						{
+							mgf1->destroy(mgf1);
+							destroy(this);
+							free(used);
+							return NULL;
+						}
+						octet_count += hash_len;
+						i = 0;
+					}
+					left = octets[i++];
+
+					if (num_needed <= 8)
+					{
+						/* all bits needed to fill the index are in this octet */
+						index |= left >> (8 - num_needed);
+						num_left = 8 - num_needed;
+						num_needed = 0;
+						left &= 0xff >> (8 - num_left);
+					}
+					else
+					{
+						/* more than one octet will be needed */
+						index |= left << (num_needed - 8);
+						num_needed -= 8;
+					}
+				}
+			}
+			while (index >= limit);
+
+			/* form index and check if unique */
+			index %= N;
+			if (!used[index])
+			{
+				used[index] = 1;
+				this->indices[index_i++] = index;
+				num_indices--;
+			}
+		}
+	}
+
+	DBG2(DBG_LIB, "MGF1 generates %u octets to derive %u indices",
+				   octet_count, this->num_indices);
+	mgf1->destroy(mgf1);
+	free(used);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q,
+										uint32_t indices_len_p,
+										uint32_t indices_len_m,
+										bool is_product_form)
+{
+	private_ntru_poly_t *this;
+	int i;
+
+	INIT(this,
+		.public = {
+			.get_size = _get_size,
+			.get_indices = _get_indices,
+			.get_array = _get_array,
+			.ring_mult = _ring_mult,
+			.destroy = _destroy,
+		},
+		.N = N,
+		.q = q,
+	);
+
+	init_indices(this, is_product_form, indices_len_p, indices_len_m);
+	for (i = 0; i < this->num_indices; i++)
+	{
+		this->indices[i] = data[i];
+	}
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_seed);
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data);
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_poly.h
new file mode 100644
index 000000000..87c77103c
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_poly ntru_poly
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_POLY_H_
+#define NTRU_POLY_H_
+
+typedef struct ntru_poly_t ntru_poly_t;
+
+#include <library.h>
+
+/**
+ * Implements a trinary polynomial storing the indices of non-zero coefficients 
+ */
+struct ntru_poly_t {
+
+	/**
+	 * Get the size of the indices array
+	 *
+	 * @return			number of indices
+	 */
+	size_t (*get_size)(ntru_poly_t *this);
+
+	/**
+	 * @return			array containing the indices of the non-zero coefficients
+	 */
+	uint16_t* (*get_indices)(ntru_poly_t *this);
+
+	/**
+	 * @param array		array containing all N coefficients of the polynomial
+	 */
+	void (*get_array)(ntru_poly_t *this, uint16_t *array);
+
+	/**
+	 * Multiply polynomial a with ntru_poly_t object b having sparse coeffients
+	 * to form result polynomial c = a * b
+	 *
+	 * @param a			input polynomial a
+	 * @param b			output polynomial c
+	 */
+	void (*ring_mult)(ntru_poly_t *this, uint16_t *a, uint16_t *c);
+
+	/**
+	 * Destroy ntru_poly_t object
+	 */
+	void (*destroy)(ntru_poly_t *this);
+};
+
+/**
+ * Create a trits polynomial from a seed using MGF1 with a base hash function
+ *
+ * @param alg				hash algorithm to be used by MGF1
+ * @param seed				seed used by MGF1 to generate trits from
+ * @param N					ring dimension, number of polynomial coefficients
+ * @param q					large modulus
+ * @param c_bits			number of bits for candidate index
+ * @param indices_len_p		number of indices for +1 coefficients
+ * @param indices_len_m		number of indices for -1 coefficients
+ * @param is_product_form	generate multiple polynomials
+ */
+ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
+										uint8_t c_bits, uint16_t N, uint16_t q,
+										uint32_t indices_len_p,
+										uint32_t indices_len_m,
+										bool is_product_form);
+
+/**
+ * Create a trits polynomial from an array of indices of non-zero coefficients
+ *
+ * @param data				array of indices of non-zero coefficients
+ * @param N					ring dimension, number of polynomial coefficients
+ * @param q					large modulus
+ * @param indices_len_p		number of indices for +1 coefficients
+ * @param indices_len_m		number of indices for -1 coefficients
+ * @param is_product_form	generate multiple polynomials
+ */
+ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q,
+										uint32_t indices_len_p,
+										uint32_t indices_len_m,
+										bool is_product_form);
+
+#endif /** NTRU_POLY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
new file mode 100644
index 000000000..f82501629
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_trits.h"
+#include "ntru_mgf1.h"
+
+#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_trits_t private_ntru_trits_t;
+
+/**
+ * Private data of an ntru_trits_t object.
+ */
+struct private_ntru_trits_t {
+
+	/**
+	 * Public ntru_trits_t interface.
+	 */
+	ntru_trits_t public;
+
+	/**
+	 * Size of the trits array
+	 */
+	size_t trits_len;
+
+	/**
+	 * Array containing a trit per octet
+	 */
+	uint8_t *trits;
+
+};
+
+METHOD(ntru_trits_t, get_size, size_t,
+	private_ntru_trits_t *this)
+{
+	return this->trits_len;
+}
+
+METHOD(ntru_trits_t, get_trits, uint8_t*,
+	private_ntru_trits_t *this)
+{
+	return this->trits;
+}
+
+METHOD(ntru_trits_t, destroy, void,
+	private_ntru_trits_t *this)
+{
+	memwipe(this->trits, this->trits_len);
+	free(this->trits);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
+{
+	private_ntru_trits_t *this;
+	uint8_t octets[HASH_SIZE_SHA512], buf[5], *trits;
+	size_t hash_len, octet_count = 0, trits_needed, i;
+	ntru_mgf1_t *mgf1;
+
+	DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
+	mgf1 = ntru_mgf1_create(alg, seed, TRUE);
+	if (!mgf1)
+	{
+	    return NULL;
+	}
+	i = hash_len = mgf1->get_hash_size(mgf1);
+
+	INIT(this,
+		.public = {
+			.get_size = _get_size,
+			.get_trits = _get_trits,
+			.destroy = _destroy,
+		},
+		.trits_len = len,
+		.trits = malloc(len),
+	);
+
+	trits = this->trits;
+	trits_needed = this->trits_len;
+
+	while (trits_needed > 0)
+	{
+		if (i == hash_len)
+		{
+			/* get another block from MGF1 */
+			if (!mgf1->get_mask(mgf1, hash_len, octets))
+			{
+				mgf1->destroy(mgf1);
+				destroy(this);
+				return NULL;
+			}
+			octet_count += hash_len;
+			i = 0;
+		}
+		if (octets[i] < 243)  /* 243 = 3^5 */ 
+		{		
+			ntru_octet_2_trits(octets[i], (trits_needed < 5) ? buf : trits);
+			if (trits_needed < 5)
+			{
+				memcpy(trits, buf, trits_needed);
+				break;
+			}
+			trits += 5;
+			trits_needed -= 5;
+		}
+		i++;
+	}
+	DBG2(DBG_LIB, "MGF1 generates %u octets to extract %u trits",
+				   octet_count, len);
+	mgf1->destroy(mgf1);
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create);
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.h b/src/libstrongswan/plugins/ntru/ntru_trits.h
new file mode 100644
index 000000000..524c51bac
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_trits ntru_trits
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_TRITS_H_
+#define NTRU_TRITS_H_
+
+typedef struct ntru_trits_t ntru_trits_t;
+
+#include <library.h>
+
+/**
+ * Implements an array of trinary elements (trits) 
+ */
+struct ntru_trits_t {
+
+	/**
+	 * Get the size of the trits array
+	 *
+	 * @return			number of trinary elements
+	 */
+	size_t (*get_size)(ntru_trits_t *this);
+
+	/**
+	 * @return			octet array containing a trit per octet
+	 */
+	uint8_t* (*get_trits)(ntru_trits_t *this);
+
+	/**
+	 * Destroy ntru_trits_t object
+	 */
+	void (*destroy)(ntru_trits_t *this);
+};
+
+/**
+ * Create a trits array from a seed using MGF1 with a base hash function
+ *
+ * @param size			size of the trits array
+ * @param alg			hash algorithm to be used by MGF1
+ * @param seed			seed used by MGF1 to generate trits from
+ */
+ntru_trits_t *ntru_trits_create(size_t size, hash_algorithm_t alg, chunk_t seed);
+
+#endif /** NTRU_TRITS_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 53ff2eb4c..f0735294b 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -224,8 +224,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -293,6 +291,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -381,12 +384,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -401,6 +408,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 18aa5ceca..cb02c663c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -471,7 +471,7 @@ static bool parse_extensions(private_openssl_crl_t *this)
 				default:
 					ok = X509_EXTENSION_get_critical(ext) == 0 ||
 						 !lib->settings->get_bool(lib->settings,
-								"libstrongswan.x509.enforce_critical", TRUE);
+									"%s.x509.enforce_critical", TRUE, lib->ns);
 					if (!ok)
 					{
 						DBG1(DBG_LIB, "found unsupported critical X.509 "
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index c43fe455a..b487d59a5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -102,6 +102,11 @@ static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
 		goto error;
 	}
 
+	if (!EC_POINT_is_on_curve(group, point, ctx))
+	{
+		goto error;
+	}
+
 	ret = TRUE;
 error:
 	BN_CTX_end(ctx);
@@ -196,7 +201,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
 	 * http://www.rfc-editor.org/errata_search.php?eid=9
 	 */
 	x_coordinate_only = lib->settings->get_bool(lib->settings,
-							"libstrongswan.ecp_x_coordinate_only", TRUE);
+									"%s.ecp_x_coordinate_only", TRUE, lib->ns);
 	if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
 	{
 		goto error;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index ff2508609..f4aef8200 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -522,7 +522,7 @@ plugin_t *openssl_plugin_create()
 	int fips_mode;
 
 	fips_mode = lib->settings->get_int(lib->settings,
-						"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+							"%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
 #ifdef OPENSSL_FIPS
 	if (fips_mode)
 	{
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 036f53d23..10a35c1fd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -558,7 +558,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	if (!engine_id)
 	{
 		engine_id = lib->settings->get_str(lib->settings,
-						"libstrongswan.plugins.openssl.engine_id", "pkcs11");
+							"%s.plugins.openssl.engine_id", "pkcs11", lib->ns);
 	}
 	engine = ENGINE_by_id(engine_id);
 	if (!engine)
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 24b12d50c..7a5b206dd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -1012,7 +1012,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
 				default:
 					ok = X509_EXTENSION_get_critical(ext) == 0 ||
 						 !lib->settings->get_bool(lib->settings,
-								"libstrongswan.x509.enforce_critical", TRUE);
+									"%s.x509.enforce_critical", TRUE, lib->ns);
 					if (!ok)
 					{
 						char buf[80] = "";
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 5c3ce2a42..55c0271ce 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 060799dc8..22c33b0c8 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 254b1951b..62780c384 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -25,7 +25,6 @@
 #include <stddef.h>
 #include <fcntl.h>
 #include <sys/types.h>
-#include <sys/mman.h>
 #include <sys/stat.h>
 
 #include <utils/debug.h>
@@ -418,39 +417,17 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
 static void *load_from_file(char *file, credential_type_t type, int subtype,
 							identification_t *subject, x509_flag_t flags)
 {
-	void *cred = NULL;
-	struct stat sb;
-	void *addr;
-	int fd;
+	void *cred;
+	chunk_t *chunk;
 
-	fd = open(file, O_RDONLY);
-	if (fd == -1)
+	chunk = chunk_map(file, FALSE);
+	if (!chunk)
 	{
 		DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
 		return NULL;
 	}
-
-	if (fstat(fd, &sb) == -1)
-	{
-		DBG1(DBG_LIB, "  getting file size of '%s' failed: %s", file,
-			 strerror(errno));
-		close(fd);
-		return NULL;
-	}
-
-	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));
-		close(fd);
-		return NULL;
-	}
-
-	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
-									   subject, flags);
-
-	munmap(addr, sb.st_size);
-	close(fd);
+	cred = load_from_blob(*chunk, type, subtype, subject, flags);
+	chunk_unmap(chunk);
 	return cred;
 }
 
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 05319bb87..e2491f5a4 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 2befd0949..d3f3fdf49 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 186d90ac6..c8cec3771 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index 2e5af95ff..36cc284bf 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -135,7 +135,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 			};
 
 			if (!lib->settings->get_bool(lib->settings,
-								"libstrongswan.ecp_x_coordinate_only", TRUE))
+									"%s.ecp_x_coordinate_only", TRUE, lib->ns))
 			{	/* we only get the x coordinate back */
 				return;
 			}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 8bda5b66f..96c4a180d 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -338,7 +338,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
 	);
 
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
-										"libstrongswan.plugins.pkcs11.modules");
+										"%s.plugins.pkcs11.modules", lib->ns);
 	while (enumerator->enumerate(enumerator, &module))
 	{
 		INIT(entry,
@@ -346,7 +346,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
 		);
 
 		entry->path = lib->settings->get_str(lib->settings,
-				"libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
+				"%s.plugins.pkcs11.modules.%s.path", NULL, lib->ns, module);
 		if (!entry->path)
 		{
 			DBG1(DBG_CFG, "PKCS11 module '%s' lacks library path", module);
@@ -355,8 +355,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
 		}
 		entry->lib = pkcs11_library_create(module, entry->path,
 						lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.pkcs11.modules.%s.os_locking",
-							FALSE, module));
+							"%s.plugins.pkcs11.modules.%s.os_locking",
+							FALSE, lib->ns, module));
 		if (!entry->lib)
 		{
 			free(entry);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 3faa59cae..bd2a2c114 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -83,8 +83,8 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
 	if (add && this->handle_events)
 	{
 		if (lib->settings->get_bool(lib->settings,
-						"libstrongswan.plugins.pkcs11.modules.%s.load_certs",
-						TRUE, p11->get_name(p11)))
+								"%s.plugins.pkcs11.modules.%s.load_certs",
+								TRUE, lib->ns, p11->get_name(p11)))
 		{
 			creds = pkcs11_creds_create(p11, slot);
 			if (creds)
@@ -174,8 +174,8 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
 METHOD(plugin_t, reload, bool,
 	private_pkcs11_plugin_t *this)
 {
-	if (lib->settings->get_bool(lib->settings,
-					"libstrongswan.plugins.pkcs11.reload_certs", FALSE))
+	if (lib->settings->get_bool(lib->settings, "%s.plugins.pkcs11.reload_certs",
+								FALSE, lib->ns))
 	{
 		DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
 		handle_certs(this, NULL, FALSE, NULL);
@@ -247,28 +247,28 @@ METHOD(plugin_t, get_features, int,
 	if (!count)
 	{	/* initialize only once */
 		bool use_ecc = lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.pkcs11.use_ecc", FALSE);
+								"%s.plugins.pkcs11.use_ecc", FALSE, lib->ns);
 		plugin_features_add(f, f_manager, countof(f_manager), &count);
 		/* private key handling for EC keys is not disabled by use_ecc */
 		plugin_features_add(f, f_privkey, countof(f_privkey), &count);
 		if (lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
+								"%s.plugins.pkcs11.use_pubkey", FALSE, lib->ns))
 		{
 			plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
 								&count);
 		}
 		if (lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+								"%s.plugins.pkcs11.use_hasher", FALSE, lib->ns))
 		{
 			plugin_features_add(f, f_hash, countof(f_hash), &count);
 		}
 		if (lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.pkcs11.use_rng", FALSE))
+								"%s.plugins.pkcs11.use_rng", FALSE, lib->ns))
 		{
 			plugin_features_add(f, f_rng, countof(f_rng), &count);
 		}
 		if (lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.pkcs11.use_dh", FALSE))
+								"%s.plugins.pkcs11.use_dh", FALSE, lib->ns))
 		{
 			plugin_features_add(f, f_dh, countof(f_dh), &count);
 			if (use_ecc)
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 1972f33b3..67b1f4f57 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index 300212173..feff6e5b0 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index e2ccb326d..35a5c9a35 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 5ed0a9b0f..08a8442ea 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010-2014 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -28,6 +28,7 @@
 #include <utils/debug.h>
 #include <library.h>
 #include <collections/hashtable.h>
+#include <collections/array.h>
 #include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <utils/integrity_checker.h>
@@ -936,18 +937,146 @@ static bool find_plugin(char *path, char *name, char *buf, char **file)
 	return FALSE;
 }
 
+/**
+ * Used to sort plugins by priority
+ */
+typedef struct {
+	/* name of the plugin */
+	char *name;
+	/* the plugins priority */
+	int prio;
+	/* default priority */
+	int def;
+} plugin_priority_t;
+
+static void plugin_priority_free(const plugin_priority_t *this, int idx,
+								 void *user)
+{
+	free(this->name);
+}
+
+/**
+ * Sort plugins and their priority by name
+ */
+static int plugin_priority_cmp_name(const plugin_priority_t *a,
+								    const plugin_priority_t *b)
+{
+	return strcmp(a->name, b->name);
+}
+
+/**
+ * Sort plugins by decreasing priority or default priority then by name
+ */
+static int plugin_priority_cmp(const plugin_priority_t *a,
+							   const plugin_priority_t *b, void *user)
+{
+	int diff;
+
+	diff = b->prio - a->prio;
+	if (!diff)
+	{	/* the same priority, use default order */
+		diff = b->def - a->def;
+		if (!diff)
+		{	/* same default priority (i.e. both were not found in that list) */
+			return strcmp(a->name, b->name);
+		}
+	}
+	return diff;
+}
+
+
+/**
+ * Determine the list of plugins to load via load option in each plugin's
+ * config section.
+ */
+static char *modular_pluginlist(char *list)
+{
+	enumerator_t *enumerator;
+	array_t *given, *final;
+	plugin_priority_t item, *current, found;
+	char *plugin, *plugins = NULL;
+	int i = 0, max_prio;
+
+	if (!lib->settings->get_bool(lib->settings, "%s.load_modular", FALSE,
+								 lib->ns))
+	{
+		return list;
+	}
+
+	given = array_create(sizeof(plugin_priority_t), 0);
+	final = array_create(sizeof(plugin_priority_t), 0);
+
+	enumerator = enumerator_create_token(list, " ", " ");
+	while (enumerator->enumerate(enumerator, &plugin))
+	{
+		item.name = strdup(plugin);
+		item.prio = i++;
+		array_insert(given, ARRAY_TAIL, &item);
+	}
+	enumerator->destroy(enumerator);
+	array_sort(given, (void*)plugin_priority_cmp_name, NULL);
+	/* the maximum priority used for plugins not found in this list */
+	max_prio = i + 1;
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														"%s.plugins", lib->ns);
+	while (enumerator->enumerate(enumerator, &plugin))
+	{
+		item.prio = lib->settings->get_int(lib->settings,
+								"%s.plugins.%s.load", 0, lib->ns, plugin);
+		if (!item.prio)
+		{
+			if (!lib->settings->get_bool(lib->settings,
+								"%s.plugins.%s.load", FALSE, lib->ns, plugin))
+			{
+				continue;
+			}
+			item.prio = 1;
+		}
+		item.name = plugin;
+		item.def = max_prio;
+		if (array_bsearch(given, &item, (void*)plugin_priority_cmp_name,
+						  &found) != -1)
+		{
+			item.def = max_prio - found.prio;
+		}
+		array_insert(final, ARRAY_TAIL, &item);
+	}
+	enumerator->destroy(enumerator);
+	array_destroy_function(given, (void*)plugin_priority_free, NULL);
+
+	array_sort(final, (void*)plugin_priority_cmp, NULL);
+
+	enumerator = array_create_enumerator(final);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		char *prev = plugins;
+		if (asprintf(&plugins, "%s %s", plugins ?: "", current->name) < 0)
+		{
+			plugins = prev;
+			break;
+		}
+		free(prev);
+	}
+	enumerator->destroy(enumerator);
+	array_destroy(final);
+	return plugins;
+}
+
 METHOD(plugin_loader_t, load_plugins, bool,
 	private_plugin_loader_t *this, char *list)
 {
 	enumerator_t *enumerator;
-	char *default_path = NULL, *token;
+	char *default_path = NULL, *plugins, *token;
 	bool critical_failed = FALSE;
 
 #ifdef PLUGINDIR
 	default_path = PLUGINDIR;
 #endif /* PLUGINDIR */
 
-	enumerator = enumerator_create_token(list, " ", " ");
+	plugins = modular_pluginlist(list);
+
+	enumerator = enumerator_create_token(plugins, " ", " ");
 	while (!critical_failed && enumerator->enumerate(enumerator, &token))
 	{
 		plugin_entry_t *entry;
@@ -1006,6 +1135,10 @@ METHOD(plugin_loader_t, load_plugins, bool,
 		free(this->loaded_plugins);
 		this->loaded_plugins = loaded_plugins_list(this);
 	}
+	if (plugins != list)
+	{
+		free(plugins);
+	}
 	return !critical_failed;
 }
 
@@ -1170,3 +1303,22 @@ plugin_loader_t *plugin_loader_create()
 
 	return &this->public;
 }
+
+/*
+ * See header
+ */
+void plugin_loader_add_plugindirs(char *basedir, char *plugins)
+{
+	enumerator_t *enumerator;
+	char *name, path[PATH_MAX], dir[64];
+
+	enumerator = enumerator_create_token(plugins, " ", "");
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		snprintf(dir, sizeof(dir), "%s", name);
+		translate(dir, "-", "_");
+		snprintf(path, sizeof(path), "%s/%s/.libs", basedir, dir);
+		lib->plugins->add_path(lib->plugins, path);
+	}
+	enumerator->destroy(enumerator);
+}
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 285b33910..fec57ce98 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2013 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -67,6 +67,13 @@ struct plugin_loader_t {
 	 * for the plugins first, in the order they were added, then the default
 	 * path follows.
 	 *
+	 * If \<ns>.load_modular is enabled (where \<ns> is lib->ns) the plugins to
+	 * load are determined via a load option in their respective plugin config
+	 * section e.g. \<ns>.plugins.\<plugin>.load = <priority|bool>.
+	 * The oder is determined by the configured priority.  If two plugins have
+	 * the same priority the order as seen in list is preserved.  Plugins not
+	 * found in list are loaded first, in alphabetical order.
+	 *
 	 * @note Even though this method could be called multiple times this is
 	 * currently not really supported in regards to plugin features and their
 	 * dependencies (in particular soft dependencies).
@@ -146,4 +153,13 @@ struct plugin_loader_t {
  */
 plugin_loader_t *plugin_loader_create();
 
+/**
+ * Convenience function to add plugin directories for the given plugins within
+ * the given base directory according to the conventions in the src/build tree.
+ *
+ * @param basedir	base directory
+ * @param plugins	space separated list of plugins
+ */
+void plugin_loader_add_plugindirs(char *basedir, char *plugins);
+
 #endif /** PLUGIN_LOADER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index c5b3bad05..803eeab44 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 492bc31ac..0efe24cb7 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 24c711a69..1f1079240 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -51,6 +51,9 @@ static int dev_random = -1;
 /** /dev/urandom file descriptor */
 static int dev_urandom = -1;
 
+/** Is strong randomness equivalent to true randomness? */
+static bool strong_equals_true = FALSE;
+
 /**
  * See header.
  */
@@ -68,6 +71,14 @@ int random_plugin_get_dev_urandom()
 }
 
 /**
+ * See header.
+ */
+bool random_plugin_get_strong_equals_true()
+{
+	return strong_equals_true;
+}
+
+/**
  * Open a random device file
  */
 static bool open_dev(char *file, int *fd)
@@ -131,10 +142,12 @@ plugin_t *random_plugin_create()
 		},
 	);
 
+	strong_equals_true = lib->settings->get_bool(lib->settings,
+						"%s.plugins.random.strong_equals_true", FALSE, lib->ns);
 	urandom_file = lib->settings->get_str(lib->settings,
-						"libstrongswan.plugins.random.urandom", DEV_URANDOM);
+						"%s.plugins.random.urandom", DEV_URANDOM, lib->ns);
 	random_file = lib->settings->get_str(lib->settings,
-						"libstrongswan.plugins.random.random", DEV_RANDOM);
+						"%s.plugins.random.random", DEV_RANDOM, lib->ns);
 	if (!open_dev(urandom_file, &dev_urandom) ||
 		!open_dev(random_file, &dev_random))
 	{
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index c34fa8196..ff79bef0c 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -49,4 +49,9 @@ int random_plugin_get_dev_random();
  */
 int random_plugin_get_dev_urandom();
 
+/**
+ * Must strong randomness be equivalent to true randomness?
+ */
+bool random_plugin_get_strong_equals_true();
+
 #endif /** RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 568844899..36d5446b8 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -99,6 +99,10 @@ random_rng_t *random_rng_create(rng_quality_t quality)
 			this->fd = random_plugin_get_dev_random();
 			break;
 		case RNG_STRONG:
+			this->fd = random_plugin_get_strong_equals_true() ?
+							random_plugin_get_dev_random() :
+							random_plugin_get_dev_urandom();
+			break;
 		case RNG_WEAK:
 		default:
 			this->fd = random_plugin_get_dev_urandom();
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index e2cdbac7a..afcbc07eb 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 0a3063f04..88b283e87 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
index 4bdfc258e..b416c872f 100644
--- a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
@@ -77,11 +77,11 @@ static bool have_rdrand()
 		cpuid(1, &a, &b, &c, &d);
 		if (c & CPUID_RDRAND)
 		{
-			DBG1(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
+			DBG2(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
 			return TRUE;
 		}
 	}
-	DBG1(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
+	DBG2(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
 	return FALSE;
 }
 
@@ -102,7 +102,11 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
 	};
 	*features = f;
-	return countof(f);
+	if (have_rdrand())
+	{
+		return countof(f);
+	}
+	return 0;
 }
 
 METHOD(plugin_t, destroy, void,
@@ -122,16 +126,12 @@ plugin_t *rdrand_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.reload = (void*)return_false,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	if (have_rdrand())
-	{
-		this->public.plugin.get_features = _get_features;
-	}
-
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index fe9aa16e7..745ee83e7 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 2095dbdb7..e57eb78ab 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 2eb572f70..c044178b9 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 5483bf91f..cc16ef5cb 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 13c0bf86d..c428b883f 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index a62d22a5b..3c9926acc 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
index 569b0b738..652663108 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -13,6 +13,7 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for fmemopen() */
 #include <unistd.h>
 #include <stdio.h>
 #include <errno.h>
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index d4cbde107..a1439f6ea 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -232,8 +232,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -301,6 +299,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -389,12 +392,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -409,6 +416,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index d79803189..961311eb0 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.c b/src/libstrongswan/plugins/unbound/unbound_resolver.c
index 42cdbc6cc..745e59d5b 100644
--- a/src/libstrongswan/plugins/unbound/unbound_resolver.c
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.c
@@ -97,14 +97,14 @@ resolver_t *unbound_resolver_create(void)
 	char *resolv_conf, *trust_anchors, *dlv_anchors;
 
 	resolv_conf = lib->settings->get_str(lib->settings,
-						"libstrongswan.plugins.unbound.resolv_conf",
-						RESOLV_CONF_FILE);
+										"%s.plugins.unbound.resolv_conf",
+										RESOLV_CONF_FILE, lib->ns);
 	trust_anchors = lib->settings->get_str(lib->settings,
-						"libstrongswan.plugins.unbound.trust_anchors",
-						TRUST_ANCHOR_FILE);
+										"%s.plugins.unbound.trust_anchors",
+										TRUST_ANCHOR_FILE, lib->ns);
 	dlv_anchors = lib->settings->get_str(lib->settings,
-						"libstrongswan.plugins.unbound.dlv_anchors",
-						NULL);
+										"%s.plugins.unbound.dlv_anchors",
+										NULL, lib->ns);
 
 	INIT(this,
 		.public = {
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 09d300255..74552e00b 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 85c481552..ed850e8f5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -20,14 +20,14 @@
 
 #define _GNU_SOURCE
 
-#include "x509_cert.h"
-
 #include <sys/stat.h>
 #include <time.h>
 #include <unistd.h>
 #include <string.h>
 #include <stdio.h>
 
+#include "x509_cert.h"
+
 #include <library.h>
 #include <utils/debug.h>
 #include <asn1/oid.h>
@@ -1446,7 +1446,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 						break;
 					default:
 						if (critical && lib->settings->get_bool(lib->settings,
-							"libstrongswan.x509.enforce_critical", TRUE))
+							"%s.x509.enforce_critical", TRUE, lib->ns))
 						{
 							DBG1(DBG_ASN, "critical '%s' extension not supported",
 								 (extn_oid == OID_UNKNOWN) ? "unknown" :
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index efb70c94c..d6057c30f 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -325,7 +325,7 @@ static bool parse(private_x509_crl_t *this)
 						break;
 					default:
 						if (critical && lib->settings->get_bool(lib->settings,
-							"libstrongswan.x509.enforce_critical", TRUE))
+							"%s.x509.enforce_critical", TRUE, lib->ns))
 						{
 							DBG1(DBG_ASN, "critical '%s' extension not supported",
 								 (extn_oid == OID_UNKNOWN) ? "unknown" :
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 59ee48377..c8f886c60 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index adbd95685..012b169e3 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -545,7 +545,7 @@ processor_t *processor_create()
 	{
 		this->jobs[i] = linked_list_create();
 		this->prio_threads[i] = lib->settings->get_int(lib->settings,
-						"libstrongswan.processor.priority_threads.%N", 0,
+						"%s.processor.priority_threads.%N", 0, lib->ns,
 						job_priority_names, i);
 	}
 
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index 9773e7601..cc3c3a788 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -340,7 +340,7 @@ static job_requeue_t watch(private_watcher_t *this)
 		}
 		else
 		{
-			if (!this->pending)
+			if (!this->pending && errno != EINTR)
 			{	/* complain only if no pending updates */
 				DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno));
 			}
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index c3d41a1cd..331a5480d 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -1,23 +1,62 @@
-TESTS = test_runner
+check_LTLIBRARIES = libtest.la
+
+libtest_la_SOURCES = \
+  test_suite.c test_suite.h \
+  test_runner.c test_runner.h \
+  utils/test_rng.c utils/test_rng.h
+
+libtest_la_CFLAGS = \
+  -I$(top_srcdir)/src/libstrongswan \
+  @COVERAGE_CFLAGS@
+
+libtest_la_LDFLAGS = @COVERAGE_LDFLAGS@
+libtest_la_LIBADD = \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(PTHREADLIB)
+
+
+TESTS = tests
 
 check_PROGRAMS = $(TESTS)
 
-test_runner_SOURCES = \
-  test_runner.c test_runner.h test_suite.h \
-  test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
-  test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
-  test_identification.c test_threading.c test_utils.c test_vectors.c \
-  test_array.c test_ecdsa.c test_rsa.c test_host.c test_printf.c
+tests_SOURCES = tests.h tests.c \
+  suites/test_linked_list.c \
+  suites/test_enumerator.c \
+  suites/test_linked_list_enumerator.c \
+  suites/test_bio_reader.c \
+  suites/test_bio_writer.c \
+  suites/test_chunk.c \
+  suites/test_enum.c \
+  suites/test_hashtable.c \
+  suites/test_identification.c \
+  suites/test_threading.c \
+  suites/test_watcher.c \
+  suites/test_stream.c \
+  suites/test_fetch_http.c \
+  suites/test_utils.c \
+  suites/test_settings.c \
+  suites/test_vectors.c \
+  suites/test_array.c \
+  suites/test_ecdsa.c \
+  suites/test_rsa.c \
+  suites/test_host.c \
+  suites/test_hasher.c \
+  suites/test_crypter.c \
+  suites/test_pen.c \
+  suites/test_asn1.c \
+  suites/test_asn1_parser.c \
+  suites/test_printf.c \
+  suites/test_test_rng.c \
+  suites/test_ntru.c
 
-test_runner_CFLAGS = \
+tests_CFLAGS = \
   -I$(top_srcdir)/src/libstrongswan \
+  -I$(top_srcdir)/src/libstrongswan/tests \
   -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
   -DPLUGINS=\""${s_plugins}\"" \
-  @COVERAGE_CFLAGS@ \
-  @CHECK_CFLAGS@
+  @COVERAGE_CFLAGS@
 
-test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
-test_runner_LDADD = \
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(PTHREADLIB) \
-  @CHECK_LIBS@
+  libtest.la
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index adeae1a81..656be4efb 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -77,11 +77,11 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-TESTS = test_runner$(EXEEXT)
+TESTS = tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
 subdir = src/libstrongswan/tests
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp $(top_srcdir)/test-driver
+	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -99,36 +99,57 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = test_runner$(EXEEXT)
-am_test_runner_OBJECTS = test_runner-test_runner.$(OBJEXT) \
-	test_runner-test_linked_list.$(OBJEXT) \
-	test_runner-test_enumerator.$(OBJEXT) \
-	test_runner-test_linked_list_enumerator.$(OBJEXT) \
-	test_runner-test_bio_reader.$(OBJEXT) \
-	test_runner-test_bio_writer.$(OBJEXT) \
-	test_runner-test_chunk.$(OBJEXT) \
-	test_runner-test_enum.$(OBJEXT) \
-	test_runner-test_hashtable.$(OBJEXT) \
-	test_runner-test_identification.$(OBJEXT) \
-	test_runner-test_threading.$(OBJEXT) \
-	test_runner-test_utils.$(OBJEXT) \
-	test_runner-test_vectors.$(OBJEXT) \
-	test_runner-test_array.$(OBJEXT) \
-	test_runner-test_ecdsa.$(OBJEXT) \
-	test_runner-test_rsa.$(OBJEXT) test_runner-test_host.$(OBJEXT) \
-	test_runner-test_printf.$(OBJEXT)
-test_runner_OBJECTS = $(am_test_runner_OBJECTS)
 am__DEPENDENCIES_1 =
-test_runner_DEPENDENCIES =  \
+libtest_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libtest_la_OBJECTS = libtest_la-test_suite.lo \
+	libtest_la-test_runner.lo utils/libtest_la-test_rng.lo
+libtest_la_OBJECTS = $(am_libtest_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-test_runner_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_runner_CFLAGS) \
-	$(CFLAGS) $(test_runner_LDFLAGS) $(LDFLAGS) -o $@
+libtest_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(libtest_la_CFLAGS) \
+	$(CFLAGS) $(libtest_la_LDFLAGS) $(LDFLAGS) -o $@
+am__EXEEXT_1 = tests$(EXEEXT)
+am_tests_OBJECTS = tests-tests.$(OBJEXT) \
+	suites/tests-test_linked_list.$(OBJEXT) \
+	suites/tests-test_enumerator.$(OBJEXT) \
+	suites/tests-test_linked_list_enumerator.$(OBJEXT) \
+	suites/tests-test_bio_reader.$(OBJEXT) \
+	suites/tests-test_bio_writer.$(OBJEXT) \
+	suites/tests-test_chunk.$(OBJEXT) \
+	suites/tests-test_enum.$(OBJEXT) \
+	suites/tests-test_hashtable.$(OBJEXT) \
+	suites/tests-test_identification.$(OBJEXT) \
+	suites/tests-test_threading.$(OBJEXT) \
+	suites/tests-test_watcher.$(OBJEXT) \
+	suites/tests-test_stream.$(OBJEXT) \
+	suites/tests-test_fetch_http.$(OBJEXT) \
+	suites/tests-test_utils.$(OBJEXT) \
+	suites/tests-test_settings.$(OBJEXT) \
+	suites/tests-test_vectors.$(OBJEXT) \
+	suites/tests-test_array.$(OBJEXT) \
+	suites/tests-test_ecdsa.$(OBJEXT) \
+	suites/tests-test_rsa.$(OBJEXT) \
+	suites/tests-test_host.$(OBJEXT) \
+	suites/tests-test_hasher.$(OBJEXT) \
+	suites/tests-test_crypter.$(OBJEXT) \
+	suites/tests-test_pen.$(OBJEXT) \
+	suites/tests-test_asn1.$(OBJEXT) \
+	suites/tests-test_asn1_parser.$(OBJEXT) \
+	suites/tests-test_printf.$(OBJEXT) \
+	suites/tests-test_test_rng.$(OBJEXT) \
+	suites/tests-test_ntru.$(OBJEXT)
+tests_OBJECTS = $(am_tests_OBJECTS)
+tests_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la libtest.la
+tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \
+	$(tests_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -163,8 +184,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(test_runner_SOURCES)
-DIST_SOURCES = $(test_runner_SOURCES)
+SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES)
+DIST_SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -211,188 +232,6 @@ am__tty_colors = { \
     std='[m'; \
   fi; \
 }
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__recheck_rx = ^[ 	]*:recheck:[ 	]*
-am__global_test_result_rx = ^[ 	]*:global-test-result:[ 	]*
-am__copy_in_global_log_rx = ^[ 	]*:copy-in-global-log:[ 	]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
-  recheck = 1; \
-  while ((rc = (getline line < ($$0 ".trs"))) != 0) \
-    { \
-      if (rc < 0) \
-        { \
-          if ((getline line2 < ($$0 ".log")) < 0) \
-	    recheck = 0; \
-          break; \
-        } \
-      else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
-        { \
-          recheck = 0; \
-          break; \
-        } \
-      else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
-        { \
-          break; \
-        } \
-    }; \
-  if (recheck) \
-    print $$0; \
-  close ($$0 ".trs"); \
-  close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
-  print "fatal: making $@: " msg | "cat >&2"; \
-  exit 1; \
-} \
-function rst_section(header) \
-{ \
-  print header; \
-  len = length(header); \
-  for (i = 1; i <= len; i = i + 1) \
-    printf "="; \
-  printf "\n\n"; \
-} \
-{ \
-  copy_in_global_log = 1; \
-  global_test_result = "RUN"; \
-  while ((rc = (getline line < ($$0 ".trs"))) != 0) \
-    { \
-      if (rc < 0) \
-         fatal("failed to read from " $$0 ".trs"); \
-      if (line ~ /$(am__global_test_result_rx)/) \
-        { \
-          sub("$(am__global_test_result_rx)", "", line); \
-          sub("[ 	]*$$", "", line); \
-          global_test_result = line; \
-        } \
-      else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
-        copy_in_global_log = 0; \
-    }; \
-  if (copy_in_global_log) \
-    { \
-      rst_section(global_test_result ": " $$0); \
-      while ((rc = (getline line < ($$0 ".log"))) != 0) \
-      { \
-        if (rc < 0) \
-          fatal("failed to read from " $$0 ".log"); \
-        print line; \
-      }; \
-      printf "\n"; \
-    }; \
-  close ($$0 ".trs"); \
-  close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/   &   /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this.  Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
-  --color-tests "$$am__color_tests" \
-  --enable-hard-errors "$$am__enable_hard_errors" \
-  --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test.  Creates the
-# directory for the log if needed.  Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log.  Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT.  Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup);					\
-$(am__vpath_adj_setup) $(am__vpath_adj)			\
-$(am__tty_colors);					\
-srcdir=$(srcdir); export srcdir;			\
-case "$@" in						\
-  */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;;	\
-    *) am__odir=.;; 					\
-esac;							\
-test "x$$am__odir" = x"." || test -d "$$am__odir" 	\
-  || $(MKDIR_P) "$$am__odir" || exit $$?;		\
-if test -f "./$$f"; then dir=./;			\
-elif test -f "$$f"; then dir=;				\
-else dir="$(srcdir)/"; fi;				\
-tst=$$dir$$f; log='$@'; 				\
-if test -n '$(DISABLE_HARD_ERRORS)'; then		\
-  am__enable_hard_errors=no; 				\
-else							\
-  am__enable_hard_errors=yes; 				\
-fi; 							\
-case " $(XFAIL_TESTS) " in				\
-  *[\ \	]$$f[\ \	]* | *[\ \	]$$dir$$f[\ \	]*) \
-    am__expect_failure=yes;;				\
-  *)							\
-    am__expect_failure=no;;				\
-esac; 							\
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed).  The result is saved in the shell variable
-# '$bases'.  This honors runtime overriding of TESTS and TEST_LOGS.  Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
-  bases='$(TEST_LOGS)'; \
-  bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
-  bases=`echo $$bases`
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
-  case '$@' in \
-    */*) \
-      case '$*' in \
-        */*) b='$*';; \
-          *) b=`echo '$@' | sed 's/\.log$$//'`; \
-       esac;; \
-    *) \
-      b='$*';; \
-  esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
-	$(TEST_LOG_FLAGS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -408,8 +247,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -477,6 +314,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -565,12 +407,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -585,6 +431,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -595,30 +442,67 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-test_runner_SOURCES = \
-  test_runner.c test_runner.h test_suite.h \
-  test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
-  test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
-  test_identification.c test_threading.c test_utils.c test_vectors.c \
-  test_array.c test_ecdsa.c test_rsa.c test_host.c test_printf.c
-
-test_runner_CFLAGS = \
+check_LTLIBRARIES = libtest.la
+libtest_la_SOURCES = \
+  test_suite.c test_suite.h \
+  test_runner.c test_runner.h \
+  utils/test_rng.c utils/test_rng.h
+
+libtest_la_CFLAGS = \
+  -I$(top_srcdir)/src/libstrongswan \
+  @COVERAGE_CFLAGS@
+
+libtest_la_LDFLAGS = @COVERAGE_LDFLAGS@
+libtest_la_LIBADD = \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(PTHREADLIB)
+
+tests_SOURCES = tests.h tests.c \
+  suites/test_linked_list.c \
+  suites/test_enumerator.c \
+  suites/test_linked_list_enumerator.c \
+  suites/test_bio_reader.c \
+  suites/test_bio_writer.c \
+  suites/test_chunk.c \
+  suites/test_enum.c \
+  suites/test_hashtable.c \
+  suites/test_identification.c \
+  suites/test_threading.c \
+  suites/test_watcher.c \
+  suites/test_stream.c \
+  suites/test_fetch_http.c \
+  suites/test_utils.c \
+  suites/test_settings.c \
+  suites/test_vectors.c \
+  suites/test_array.c \
+  suites/test_ecdsa.c \
+  suites/test_rsa.c \
+  suites/test_host.c \
+  suites/test_hasher.c \
+  suites/test_crypter.c \
+  suites/test_pen.c \
+  suites/test_asn1.c \
+  suites/test_asn1_parser.c \
+  suites/test_printf.c \
+  suites/test_test_rng.c \
+  suites/test_ntru.c
+
+tests_CFLAGS = \
   -I$(top_srcdir)/src/libstrongswan \
+  -I$(top_srcdir)/src/libstrongswan/tests \
   -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
   -DPLUGINS=\""${s_plugins}\"" \
-  @COVERAGE_CFLAGS@ \
-  @CHECK_CFLAGS@
+  @COVERAGE_CFLAGS@
 
-test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
-test_runner_LDADD = \
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(PTHREADLIB) \
-  @CHECK_LIBS@
+  libtest.la
 
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs
+.SUFFIXES: .c .lo .o .obj
 $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -650,6 +534,28 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 
+clean-checkLTLIBRARIES:
+	-test -z "$(check_LTLIBRARIES)" || rm -f $(check_LTLIBRARIES)
+	@list='$(check_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+utils/$(am__dirstamp):
+	@$(MKDIR_P) utils
+	@: > utils/$(am__dirstamp)
+utils/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) utils/$(DEPDIR)
+	@: > utils/$(DEPDIR)/$(am__dirstamp)
+utils/libtest_la-test_rng.lo: utils/$(am__dirstamp) \
+	utils/$(DEPDIR)/$(am__dirstamp)
+
+libtest.la: $(libtest_la_OBJECTS) $(libtest_la_DEPENDENCIES) $(EXTRA_libtest_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libtest_la_LINK)  $(libtest_la_OBJECTS) $(libtest_la_LIBADD) $(LIBS)
+
 clean-checkPROGRAMS:
 	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
 	echo " rm -f" $$list; \
@@ -658,35 +564,114 @@ clean-checkPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-
-test_runner$(EXEEXT): $(test_runner_OBJECTS) $(test_runner_DEPENDENCIES) $(EXTRA_test_runner_DEPENDENCIES) 
-	@rm -f test_runner$(EXEEXT)
-	$(AM_V_CCLD)$(test_runner_LINK) $(test_runner_OBJECTS) $(test_runner_LDADD) $(LIBS)
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_linked_list.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_enumerator.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_linked_list_enumerator.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_bio_reader.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_bio_writer.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_chunk.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_enum.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_watcher.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_stream.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_fetch_http.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_utils.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_settings.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_vectors.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_array.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_asn1_parser.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+
+tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) 
+	@rm -f tests$(EXEEXT)
+	$(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
+	-rm -f suites/*.$(OBJEXT)
+	-rm -f utils/*.$(OBJEXT)
+	-rm -f utils/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_array.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_reader.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_writer.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_chunk.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_ecdsa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enum.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enumerator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_hashtable.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_host.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_identification.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list_enumerator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_printf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_rsa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_runner.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_threading.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_utils.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_vectors.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_runner.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_suite.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ecdsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enum.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_fetch_http.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hasher.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_rsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_settings.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/libtest_la-test_rng.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -712,263 +697,439 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-test_runner-test_runner.o: test_runner.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.o -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.o' libtool=no @AMDEPBACKSLASH@
+libtest_la-test_suite.lo: test_suite.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -MT libtest_la-test_suite.lo -MD -MP -MF $(DEPDIR)/libtest_la-test_suite.Tpo -c -o libtest_la-test_suite.lo `test -f 'test_suite.c' || echo '$(srcdir)/'`test_suite.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtest_la-test_suite.Tpo $(DEPDIR)/libtest_la-test_suite.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_suite.c' object='libtest_la-test_suite.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-test_suite.lo `test -f 'test_suite.c' || echo '$(srcdir)/'`test_suite.c
+
+libtest_la-test_runner.lo: test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -MT libtest_la-test_runner.lo -MD -MP -MF $(DEPDIR)/libtest_la-test_runner.Tpo -c -o libtest_la-test_runner.lo `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtest_la-test_runner.Tpo $(DEPDIR)/libtest_la-test_runner.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='libtest_la-test_runner.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-test_runner.lo `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+
+utils/libtest_la-test_rng.lo: utils/test_rng.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -MT utils/libtest_la-test_rng.lo -MD -MP -MF utils/$(DEPDIR)/libtest_la-test_rng.Tpo -c -o utils/libtest_la-test_rng.lo `test -f 'utils/test_rng.c' || echo '$(srcdir)/'`utils/test_rng.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) utils/$(DEPDIR)/libtest_la-test_rng.Tpo utils/$(DEPDIR)/libtest_la-test_rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/test_rng.c' object='utils/libtest_la-test_rng.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o utils/libtest_la-test_rng.lo `test -f 'utils/test_rng.c' || echo '$(srcdir)/'`utils/test_rng.c
+
+tests-tests.o: tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+
+tests-tests.obj: tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+
+suites/tests-test_linked_list.o: suites/test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c
+
+suites/tests-test_linked_list.obj: suites/test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi`
+
+suites/tests-test_enumerator.o: suites/test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c
+
+suites/tests-test_enumerator.obj: suites/test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi`
+
+suites/tests-test_linked_list_enumerator.o: suites/test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c
+
+suites/tests-test_linked_list_enumerator.obj: suites/test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi`
+
+suites/tests-test_bio_reader.o: suites/test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c
+
+suites/tests-test_bio_reader.obj: suites/test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi`
+
+suites/tests-test_bio_writer.o: suites/test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c
+
+suites/tests-test_bio_writer.obj: suites/test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi`
+
+suites/tests-test_chunk.o: suites/test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.o -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c
 
-test_runner-test_runner.obj: test_runner.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.obj -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_chunk.obj: suites/test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi`
 
-test_runner-test_linked_list.o: test_linked_list.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_enum.o: suites/test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c
 
-test_runner-test_linked_list.obj: test_linked_list.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_enum.obj: suites/test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi`
 
-test_runner-test_enumerator.o: test_enumerator.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hashtable.o: suites/test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c
 
-test_runner-test_enumerator.obj: test_enumerator.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hashtable.obj: suites/test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi`
 
-test_runner-test_linked_list_enumerator.o: test_linked_list_enumerator.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_identification.o: suites/test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.o -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c
 
-test_runner-test_linked_list_enumerator.obj: test_linked_list_enumerator.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_identification.obj: suites/test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi`
 
-test_runner-test_bio_reader.o: test_bio_reader.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_threading.o: suites/test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c
 
-test_runner-test_bio_reader.obj: test_bio_reader.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_threading.obj: suites/test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi`
 
-test_runner-test_bio_writer.o: test_bio_writer.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_watcher.o: suites/test_watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c
 
-test_runner-test_bio_writer.obj: test_bio_writer.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_watcher.obj: suites/test_watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi`
 
-test_runner-test_chunk.o: test_chunk.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.o -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_stream.o: suites/test_stream.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.o -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c
 
-test_runner-test_chunk.obj: test_chunk.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.obj -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_stream.obj: suites/test_stream.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi`
 
-test_runner-test_enum.o: test_enum.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.o -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_fetch_http.o: suites/test_fetch_http.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.o -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c
 
-test_runner-test_enum.obj: test_enum.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_fetch_http.obj: suites/test_fetch_http.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi`
 
-test_runner-test_hashtable.o: test_hashtable.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.o -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_utils.o: suites/test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.o -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c
 
-test_runner-test_hashtable.obj: test_hashtable.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.obj -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_utils.obj: suites/test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi`
 
-test_runner-test_identification.o: test_identification.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.o -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_settings.o: suites/test_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.o -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c
 
-test_runner-test_identification.obj: test_identification.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.obj -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_settings.obj: suites/test_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi`
 
-test_runner-test_threading.o: test_threading.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.o -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_vectors.o: suites/test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.o -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c
 
-test_runner-test_threading.obj: test_threading.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.obj -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_vectors.obj: suites/test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi`
 
-test_runner-test_utils.o: test_utils.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.o -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_array.o: suites/test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.o -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c
 
-test_runner-test_utils.obj: test_utils.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.obj -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_array.obj: suites/test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi`
 
-test_runner-test_vectors.o: test_vectors.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.o -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_ecdsa.o: suites/test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c
 
-test_runner-test_vectors.obj: test_vectors.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.obj -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_ecdsa.obj: suites/test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi`
 
-test_runner-test_array.o: test_array.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.o -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_array.c' object='test_runner-test_array.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_rsa.o: suites/test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c
 
-test_runner-test_array.obj: test_array.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.obj -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_array.c' object='test_runner-test_array.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_rsa.obj: suites/test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi`
 
-test_runner-test_ecdsa.o: test_ecdsa.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_host.o: suites/test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c
 
-test_runner-test_ecdsa.obj: test_ecdsa.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_host.obj: suites/test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi`
 
-test_runner-test_rsa.o: test_rsa.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hasher.o: suites/test_hasher.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c
 
-test_runner-test_rsa.obj: test_rsa.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hasher.obj: suites/test_hasher.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi`
 
-test_runner-test_host.o: test_host.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.o -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_host.c' object='test_runner-test_host.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_crypter.o: suites/test_crypter.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.o -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c
 
-test_runner-test_host.obj: test_host.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.obj -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_host.c' object='test_runner-test_host.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_crypter.obj: suites/test_crypter.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi`
 
-test_runner-test_printf.o: test_printf.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_printf.o -MD -MP -MF $(DEPDIR)/test_runner-test_printf.Tpo -c -o test_runner-test_printf.o `test -f 'test_printf.c' || echo '$(srcdir)/'`test_printf.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_printf.Tpo $(DEPDIR)/test_runner-test_printf.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_printf.c' object='test_runner-test_printf.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_pen.o: suites/test_pen.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_printf.o `test -f 'test_printf.c' || echo '$(srcdir)/'`test_printf.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c
 
-test_runner-test_printf.obj: test_printf.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_printf.obj -MD -MP -MF $(DEPDIR)/test_runner-test_printf.Tpo -c -o test_runner-test_printf.obj `if test -f 'test_printf.c'; then $(CYGPATH_W) 'test_printf.c'; else $(CYGPATH_W) '$(srcdir)/test_printf.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_printf.Tpo $(DEPDIR)/test_runner-test_printf.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_printf.c' object='test_runner-test_printf.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_pen.obj: suites/test_pen.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_printf.obj `if test -f 'test_printf.c'; then $(CYGPATH_W) 'test_printf.c'; else $(CYGPATH_W) '$(srcdir)/test_printf.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi`
+
+suites/tests-test_asn1.o: suites/test_asn1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c
+
+suites/tests-test_asn1.obj: suites/test_asn1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi`
+
+suites/tests-test_asn1_parser.o: suites/test_asn1_parser.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c
+
+suites/tests-test_asn1_parser.obj: suites/test_asn1_parser.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi`
+
+suites/tests-test_printf.o: suites/test_printf.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.o -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c
+
+suites/tests-test_printf.obj: suites/test_printf.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi`
+
+suites/tests-test_test_rng.o: suites/test_test_rng.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.o -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c
+
+suites/tests-test_test_rng.obj: suites/test_test_rng.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi`
+
+suites/tests-test_ntru.o: suites/test_ntru.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c
+
+suites/tests-test_ntru.obj: suites/test_ntru.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
+	-rm -rf utils/.libs utils/_libs
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -1022,168 +1183,98 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'.  Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
-	rm -f $< $@
-	$(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
-	@:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
-	@$(am__set_TESTS_bases); \
-	am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
-	redo_bases=`for i in $$bases; do \
-	              am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
-	            done`; \
-	if test -n "$$redo_bases"; then \
-	  redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
-	  redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
-	  if $(am__make_dryrun); then :; else \
-	    rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
-	  fi; \
-	fi; \
-	if test -n "$$am__remaking_logs"; then \
-	  echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
-	       "recursion detected" >&2; \
-	else \
-	  am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
-	fi; \
-	if $(am__make_dryrun); then :; else \
-	  st=0;  \
-	  errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
-	  for i in $$redo_bases; do \
-	    test -f $$i.trs && test -r $$i.trs \
-	      || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
-	    test -f $$i.log && test -r $$i.log \
-	      || { echo "$$errmsg $$i.log" >&2; st=1; }; \
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
 	  done; \
-	  test $$st -eq 0 || exit 1; \
-	fi
-	@$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
-	ws='[ 	]'; \
-	results=`for b in $$bases; do echo $$b.trs; done`; \
-	test -n "$$results" || results=/dev/null; \
-	all=`  grep "^$$ws*:test-result:"           $$results | wc -l`; \
-	pass=` grep "^$$ws*:test-result:$$ws*PASS"  $$results | wc -l`; \
-	fail=` grep "^$$ws*:test-result:$$ws*FAIL"  $$results | wc -l`; \
-	skip=` grep "^$$ws*:test-result:$$ws*SKIP"  $$results | wc -l`; \
-	xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
-	xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
-	error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
-	if test `expr $$fail + $$xpass + $$error` -eq 0; then \
-	  success=true; \
-	else \
-	  success=false; \
-	fi; \
-	br='==================='; br=$$br$$br$$br$$br; \
-	result_count () \
-	{ \
-	    if test x"$$1" = x"--maybe-color"; then \
-	      maybe_colorize=yes; \
-	    elif test x"$$1" = x"--no-color"; then \
-	      maybe_colorize=no; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
 	    else \
-	      echo "$@: invalid 'result_count' usage" >&2; exit 4; \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
 	    fi; \
-	    shift; \
-	    desc=$$1 count=$$2; \
-	    if test $$maybe_colorize = yes && test $$count -gt 0; then \
-	      color_start=$$3 color_end=$$std; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
 	    else \
-	      color_start= color_end=; \
+	      skipped="($$skip tests were not run)"; \
 	    fi; \
-	    echo "$${color_start}# $$desc $$count$${color_end}"; \
-	}; \
-	create_testsuite_report () \
-	{ \
-	  result_count $$1 "TOTAL:" $$all   "$$brg"; \
-	  result_count $$1 "PASS: " $$pass  "$$grn"; \
-	  result_count $$1 "SKIP: " $$skip  "$$blu"; \
-	  result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
-	  result_count $$1 "FAIL: " $$fail  "$$red"; \
-	  result_count $$1 "XPASS:" $$xpass "$$red"; \
-	  result_count $$1 "ERROR:" $$error "$$mgn"; \
-	}; \
-	{								\
-	  echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" |	\
-	    $(am__rst_title);						\
-	  create_testsuite_report --no-color;				\
-	  echo;								\
-	  echo ".. contents:: :depth: 2";				\
-	  echo;								\
-	  for b in $$bases; do echo $$b; done				\
-	    | $(am__create_global_log);					\
-	} >$(TEST_SUITE_LOG).tmp || exit 1;				\
-	mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG);			\
-	if $$success; then						\
-	  col="$$grn";							\
-	 else								\
-	  col="$$red";							\
-	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
-	fi;								\
-	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
-	echo "$${col}$$br$${std}"; 					\
-	create_testsuite_report --maybe-color;				\
-	echo "$$col$$br$$std";						\
-	if $$success; then :; else					\
-	  echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}";		\
-	  if test -n "$(PACKAGE_BUGREPORT)"; then			\
-	    echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}";	\
-	  fi;								\
-	  echo "$$col$$br$$std";					\
-	fi;								\
-	$$success || exit 1
-
-check-TESTS:
-	@list='$(RECHECK_LOGS)';           test -z "$$list" || rm -f $$list
-	@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
-	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-	@set +e; $(am__set_TESTS_bases); \
-	log_list=`for i in $$bases; do echo $$i.log; done`; \
-	trs_list=`for i in $$bases; do echo $$i.trs; done`; \
-	log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
-	$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
-	exit $$?;
-recheck: all $(check_PROGRAMS)
-	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-	@set +e; $(am__set_TESTS_bases); \
-	bases=`for i in $$bases; do echo $$i; done \
-	         | $(am__list_recheck_tests)` || exit 1; \
-	log_list=`for i in $$bases; do echo $$i.log; done`; \
-	log_list=`echo $$log_list`; \
-	$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
-	        am__force_recheck=am--force-recheck \
-	        TEST_LOGS="$$log_list"; \
-	exit $$?
-test_runner.log: test_runner$(EXEEXT)
-	@p='test_runner$(EXEEXT)'; \
-	b='test_runner'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
-	@p='$<'; \
-	$(am__set_b); \
-	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@	@p='$<'; \
-@am__EXEEXT_TRUE@	$(am__set_b); \
-@am__EXEEXT_TRUE@	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
 
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -1216,7 +1307,7 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) $(check_LTLIBRARIES) $(check_PROGRAMS)
 	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
 all-am: Makefile
@@ -1241,26 +1332,27 @@ install-strip:
 	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
 	fi
 mostlyclean-generic:
-	-test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
-	-test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
-	-test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
 
 clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
+	-rm -f utils/$(DEPDIR)/$(am__dirstamp)
+	-rm -f utils/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
-	mostlyclean-am
+clean-am: clean-checkLTLIBRARIES clean-checkPROGRAMS clean-generic \
+	clean-libtool mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR) utils/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1306,7 +1398,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR) utils/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -1328,18 +1420,18 @@ uninstall-am:
 .MAKE: check-am install-am install-strip
 
 .PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
-	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
-	ctags ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	recheck tags tags-am uninstall uninstall-am
+	clean-checkLTLIBRARIES clean-checkPROGRAMS clean-generic \
+	clean-libtool cscopelist-am ctags ctags-am distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/tests/test_array.c b/src/libstrongswan/tests/suites/test_array.c
index 2220d5a2b..ba2aff460 100644
--- a/src/libstrongswan/tests/test_array.c
+++ b/src/libstrongswan/tests/suites/test_array.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -35,6 +38,14 @@ START_TEST(test_append_ptr)
 
 		/* 3, 4 */
 
+		ck_assert(array_get(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 3);
+		ck_assert(array_get(array, 1, &x));
+		ck_assert_int_eq(x, 4);
+		ck_assert(array_get(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 4);
+		ck_assert(!array_get(array, 3, &x));
+
 		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)1);
 		array_insert(array, 1, (void*)(uintptr_t)2);
 		ck_assert_int_eq(array_count(array), 4);
@@ -108,6 +119,14 @@ START_TEST(test_append_obj)
 
 		/* 3, 4 */
 
+		ck_assert(array_get(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 3);
+		ck_assert(array_get(array, 1, &x));
+		ck_assert_int_eq(x, 4);
+		ck_assert(array_get(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 4);
+		ck_assert(!array_get(array, 3, &x));
+
 		array_insert(array, ARRAY_HEAD, &y[1]);
 		array_insert(array, 1, &y[2]);
 		ck_assert_int_eq(array_count(array), 4);
@@ -258,6 +277,149 @@ START_TEST(test_enumerate)
 }
 END_TEST
 
+static int comp_obj(const void *a, const void *b, void *arg)
+{
+	ck_assert_str_eq(arg, "arg");
+	return *(int*)a - *(int*)b;
+}
+
+START_TEST(test_sort_obj)
+{
+	array_t *array;
+	int x[][3] = {
+		{1, 2, 3},
+		{1, 3, 2},
+		{2, 1, 3},
+		{2, 3, 1},
+		{3, 1, 2},
+		{3, 2, 1},
+	};
+	char *arg = "arg";
+	int i, v;
+
+	for (i = 0; i < countof(x); i++)
+	{
+		array = array_create(sizeof(x[i][0]), 0);
+		array_insert(array, ARRAY_TAIL, &x[i][0]);
+		array_insert(array, ARRAY_TAIL, &x[i][1]);
+		array_insert(array, ARRAY_TAIL, &x[i][2]);
+
+		array_sort(array, comp_obj, arg);
+
+		ck_assert(array_get(array, 0, &v));
+		ck_assert_int_eq(v, 1);
+		ck_assert(array_get(array, 1, &v));
+		ck_assert_int_eq(v, 2);
+		ck_assert(array_get(array, 2, &v));
+		ck_assert_int_eq(v, 3);
+
+		array_destroy(array);
+	}
+}
+END_TEST
+
+static int comp_ptr(const void *a, const void *b, void *arg)
+{
+	ck_assert_str_eq(arg, "arg");
+	return strcmp(a, b);
+}
+
+START_TEST(test_sort_ptr)
+{
+	array_t *array;
+	char *x[][3] = {
+		{"a", "b", "c"},
+		{"a", "c", "b"},
+		{"b", "a", "c"},
+		{"b", "c", "a"},
+		{"c", "a", "b"},
+		{"c", "b", "a"},
+	};
+	char *v, *arg = "arg";
+	int i;
+
+	for (i = 0; i < countof(x); i++)
+	{
+		array = array_create(0, 0);
+		array_insert(array, ARRAY_TAIL, x[i][0]);
+		array_insert(array, ARRAY_TAIL, x[i][1]);
+		array_insert(array, ARRAY_TAIL, x[i][2]);
+
+		array_sort(array, comp_ptr, arg);
+
+		ck_assert(array_get(array, 0, &v));
+		ck_assert_str_eq(v, "a");
+		ck_assert(array_get(array, 1, &v));
+		ck_assert_str_eq(v, "b");
+		ck_assert(array_get(array, 2, &v));
+		ck_assert_str_eq(v, "c");
+
+		array_destroy(array);
+	}
+}
+END_TEST
+
+static int comp_search_obj(const void *a, const void *b)
+{
+	return *(int*)a - *(int*)b;
+}
+
+START_TEST(test_bsearch_obj)
+{
+	array_t *array;
+	int x[] = { 3, 2, 1 };
+	int k, v;
+
+	array = array_create(sizeof(x[0]), 0);
+	array_insert(array, ARRAY_TAIL, &x[0]);
+	array_insert(array, ARRAY_TAIL, &x[1]);
+	array_insert(array, ARRAY_TAIL, &x[2]);
+
+	array_sort(array, (void*)comp_search_obj, NULL);
+
+	k = 0;
+	ck_assert_int_eq(array_bsearch(array, &k, comp_search_obj, &v), -1);
+	for (k = 1; k < 4; k++)
+	{
+		ck_assert_int_eq(array_bsearch(array, &k, comp_search_obj, &v), k-1);
+		ck_assert_int_eq(v, k);
+	}
+	k = 4;
+	ck_assert_int_eq(array_bsearch(array, &k, comp_search_obj, &v), -1);
+	array_destroy(array);
+}
+END_TEST
+
+static int comp_search_ptr(const void *a, const void *b)
+{
+	return strcmp(a, b);
+}
+
+START_TEST(test_bsearch_ptr)
+{
+	array_t *array;
+	char *x[] = {"c", "b", "a"};
+	char *v;
+
+	array = array_create(0, 0);
+	array_insert(array, ARRAY_TAIL, x[0]);
+	array_insert(array, ARRAY_TAIL, x[1]);
+	array_insert(array, ARRAY_TAIL, x[2]);
+
+	array_sort(array, (void*)comp_search_ptr, NULL);
+
+	ck_assert_int_eq(array_bsearch(array, "abc", comp_search_ptr, &v), -1);
+	ck_assert_int_eq(array_bsearch(array, "a", comp_search_ptr, &v), 0);
+	ck_assert_str_eq(v, "a");
+	ck_assert_int_eq(array_bsearch(array, "b", comp_search_ptr, &v), 1);
+	ck_assert_str_eq(v, "b");
+	ck_assert_int_eq(array_bsearch(array, "c", comp_search_ptr, &v), 2);
+	ck_assert_str_eq(v, "c");
+
+	array_destroy(array);
+}
+END_TEST
+
 static void invoke(void *data, int idx, void *user)
 {
 	int *y = user, *x = data;
@@ -336,11 +498,11 @@ Suite *array_suite_create()
 
 	s = suite_create("array");
 
-	tc = tcase_create("add/remove ptr");
+	tc = tcase_create("add/get/remove ptr");
 	tcase_add_test(tc, test_append_ptr);
 	suite_add_tcase(s, tc);
 
-	tc = tcase_create("add/remove obj");
+	tc = tcase_create("add/get/remove obj");
 	tcase_add_test(tc, test_append_obj);
 	suite_add_tcase(s, tc);
 
@@ -348,6 +510,16 @@ Suite *array_suite_create()
 	tcase_add_test(tc, test_enumerate);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("sort");
+	tcase_add_test(tc, test_sort_obj);
+	tcase_add_test(tc, test_sort_ptr);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("bsearch");
+	tcase_add_test(tc, test_bsearch_obj);
+	tcase_add_test(tc, test_bsearch_ptr);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("invoke");
 	tcase_add_test(tc, test_invoke);
 	suite_add_tcase(s, tc);
diff --git a/src/libstrongswan/tests/suites/test_asn1.c b/src/libstrongswan/tests/suites/test_asn1.c
new file mode 100644
index 000000000..d0cd7e6e4
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_asn1.c
@@ -0,0 +1,869 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "test_suite.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * algorithm_identifier
+ */
+
+START_TEST(test_asn1_algorithmIdentifier)
+{
+	typedef struct {
+		int n;
+		chunk_t algid;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ OID_ECDSA_WITH_SHA1, chunk_from_chars(0x30, 0x09, 0x06, 0x07,
+			0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01) },
+		{ OID_SHA1_WITH_RSA,   chunk_from_chars(0x30, 0x0d, 0x06, 0x09,
+			0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00) },
+	};
+
+	chunk_t algid;
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		algid = asn1_algorithmIdentifier(test[i].n);
+		ck_assert(chunk_equals(algid, test[i].algid));
+		free(algid.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_algorithm_identifier
+ */
+
+START_TEST(test_asn1_parse_algorithmIdentifier)
+{
+	typedef struct {
+		int alg;
+		bool empty;
+		chunk_t parameters;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ OID_ECDSA_WITH_SHA1, TRUE,  chunk_empty },
+		{ OID_SHA1_WITH_RSA,   TRUE,  chunk_from_chars(0x05, 0x00) },
+		{ OID_3DES_EDE_CBC,    FALSE, chunk_from_chars(0x04, 0x01, 0xaa) },
+		{ OID_PBKDF2,          FALSE, chunk_from_chars(0x30, 0x01, 0xaa) }
+	};
+
+	chunk_t algid, parameters;
+	int i, alg;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		algid = asn1_wrap(ASN1_SEQUENCE, "mc",
+					 asn1_build_known_oid(test[i].alg), test[i].parameters);
+		parameters = chunk_empty;
+		if (i == 2)
+		{
+			alg = asn1_parse_algorithmIdentifier(algid, 0, NULL);
+		}
+		else
+		{
+			alg = asn1_parse_algorithmIdentifier(algid, 0, &parameters);
+			if (test[i].empty)
+			{
+				ck_assert(parameters.len == 0 && parameters.ptr == NULL);
+			}
+				else
+			{
+				ck_assert(chunk_equals(parameters, test[i].parameters));
+			}
+		}
+		ck_assert(alg == test[i].alg);
+		chunk_free(&algid);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * known_oid
+ */
+
+START_TEST(test_asn1_known_oid)
+{
+	typedef struct {
+		int n;
+		chunk_t oid;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ OID_UNKNOWN,    chunk_empty },
+		{ OID_UNKNOWN,    chunk_from_chars(0x55, 0x04, 0x02) },
+		{ OID_COUNTRY,    chunk_from_chars(0x55, 0x04, 0x06) },
+		{ OID_STRONGSWAN, chunk_from_chars(0x2b, 0x06, 0x01, 0x04, 0x01,
+										   0x82, 0xa0, 0x2a, 0x01) }
+	};
+
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		ck_assert(asn1_known_oid(test[i].oid) == test[i].n);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * build_known_oid
+ */
+
+START_TEST(test_asn1_build_known_oid)
+{
+	typedef struct {
+		int n;
+		chunk_t oid;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ OID_UNKNOWN,    chunk_empty },
+		{ OID_MAX,        chunk_empty },
+		{ OID_COUNTRY,    chunk_from_chars(0x06, 0x03, 0x55, 0x04, 0x06) },
+		{ OID_STRONGSWAN, chunk_from_chars(0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
+										   0x01, 0x82, 0xa0, 0x2a, 0x01) }
+	};
+
+	int i;
+	chunk_t oid = chunk_empty;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		oid = asn1_build_known_oid(test[i].n);
+		if (test[i].oid.len == 0)
+		{
+			ck_assert(oid.len == 0 && oid.ptr == NULL);
+		}
+		else
+		{
+			ck_assert(chunk_equals(oid, test[i].oid));
+			chunk_free(&oid);
+		}
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * oid_from_string
+ */
+
+START_TEST(test_asn1_oid_from_string)
+{
+	typedef struct {
+		char *string;
+		chunk_t oid;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ "",  chunk_empty },
+		{ " ", chunk_empty },
+		{ "0.2.262.1", chunk_from_chars(
+			0x02, 0x82, 0x06, 0x01) },
+		{ "1.2.840.10045.4.1", chunk_from_chars(
+			0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01) },
+		{ "1.3.6.1.4.1.36906.1", chunk_from_chars(
+			0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x01) },
+		{ "2.16.840.1.101.3.4.2.1", chunk_from_chars(
+			0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01) },
+		{ "0.10.100.1000.10000.100000.1000000.10000000.100000000.268435455",
+			chunk_from_chars(0x0a,0x64, 0x87, 0x68, 0xce, 0x10, 0x86, 0x8d,
+			0x20, 0xbd, 0x84, 0x40, 0x84, 0xe2, 0xad, 0x00,
+			0xaf, 0xd7, 0xc2, 0x00, 0xff, 0xff, 0xff, 0x7f) },
+		{ "0.1.2.3.4.5.6.7.8.9.10.128.129.130.131.132.133.134.135.136.137."
+		  "256.257.258.259.260.261.262.263.264.265.384.385.386.387.388."
+		  "2097153", chunk_from_chars(
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+			0x81, 0x00, 0x81, 0x01, 0x81, 0x02, 0x81, 0x03, 0x81, 0x04,
+			0x81, 0x05, 0x81, 0x06, 0x81, 0x07, 0x81, 0x08, 0x81, 0x09,
+			0x82, 0x00, 0x82, 0x01, 0x82, 0x02, 0x82, 0x03, 0x82, 0x04,
+			0x82, 0x05, 0x82, 0x06, 0x82, 0x07, 0x82, 0x08, 0x82, 0x09,
+			0x83, 0x00, 0x83, 0x01, 0x83, 0x02, 0x83, 0x03, 0x83, 0x04,
+			0x81, 0x80, 0x80, 0x01) },
+		{ "0.1.2.3.4.5.6.7.8.9.10.128.129.130.131.132.133.134.135.136.137."
+		  "256.257.258.259.260.261.262.263.264.265.384.385.386.387.388."
+		  "1.2097153", chunk_empty },
+		{ "1.a.2.b.3", chunk_empty }
+	};
+
+	int i;
+	chunk_t oid = chunk_empty;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		oid = asn1_oid_from_string(test[i].string);
+		if (test[i].oid.len == 0)
+		{
+			ck_assert(oid.len == 0 && oid.ptr == NULL);
+		}
+		else
+		{
+			ck_assert(chunk_equals(oid, test[i].oid));
+			chunk_free(&oid);
+		}
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * oid_to_string
+ */
+
+START_TEST(test_asn1_oid_to_string)
+{
+	typedef struct {
+		char *string;
+		chunk_t oid;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{  NULL,  chunk_empty },
+		{ "0.2.262.1", chunk_from_chars(
+			0x02, 0x82, 0x06, 0x01) },
+		{ "1.2.840.10045.4.1", chunk_from_chars(
+			0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01) },
+		{ "1.3.6.1.4.1.36906.1", chunk_from_chars(
+			0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x01) },
+		{ "2.16.840.1.101.3.4.2.1", chunk_from_chars(
+			0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01) },
+		{ "0.10.100.1000.10000.100000.1000000.10000000.100000000.268435455",
+			chunk_from_chars( 0x0a, 0x64, 0x87, 0x68, 0xce, 0x10, 0x86, 0x8d,
+			0x20, 0xbd, 0x84, 0x40, 0x84, 0xe2, 0xad, 0x00,
+			0xaf, 0xd7, 0xc2, 0x00, 0xff, 0xff, 0xff, 0x7f) },
+		{ NULL, chunk_from_chars(
+			0x0a, 0x02, 0x64, 0x87, 0x68, 0xce, 0x10, 0x86, 0x8d, 0x20,
+			0xbd, 0x84, 0x40, 0x84, 0xe2, 0xad, 0x00, 0xaf, 0xd7, 0xc2, 0x00,
+		    0xff, 0xff, 0xff, 0x7f) },
+		{ NULL, chunk_from_chars(0x0a, 0x87) }
+	};
+
+	int i;
+	char *string = NULL;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		string = asn1_oid_to_string(test[i].oid);
+		if (test[i].string == NULL)
+		{
+			ck_assert(string == NULL);
+		}
+		else
+		{
+			ck_assert(streq(string, test[i].string));
+			free(string);
+		}
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * length
+ */
+
+START_TEST(test_asn1_length)
+{
+	chunk_t a;
+
+	a = chunk_empty;
+	ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+	a = chunk_from_chars(0x04);
+	ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+	a = chunk_from_chars(0x04, 0x00);
+	ck_assert(asn1_length(&a) == 0);
+
+	a = chunk_from_chars(0x04, 0x01);
+	ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+	a = chunk_from_chars(0x04, 0x01, 0xaa);
+	ck_assert(asn1_length(&a) == 1);
+
+	a = chunk_from_chars(0x04, 0x7f, 0xaa);
+	a.len = 2 + 127;
+	ck_assert(asn1_length(&a) == 127);
+
+	a = chunk_from_chars(0x04, 0x80, 0xaa);
+	a.len = 2 + 128;
+	ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+	a = chunk_from_chars(0x04, 0x81);
+	ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+	a = chunk_from_chars(0x04, 0x81, 0x00);
+	ck_assert(asn1_length(&a) == 0);
+
+	a = chunk_from_chars(0x04, 0x81, 0x80, 0xaa);
+	ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+	a = chunk_from_chars(0x04, 0x81, 0x80, 0xaa);
+	a.len = 3 + 128;
+	ck_assert(asn1_length(&a) == 128);
+
+	a = chunk_from_chars(0x04, 0x82, 0x01, 0x02, 0xaa);
+	a.len = 4 + 258;
+	ck_assert(asn1_length(&a) == 258);
+
+	a = chunk_from_chars(0x04, 0x83, 0x01, 0x02, 0x03, 0xaa);
+	a.len = 5 + 66051;
+	ck_assert(asn1_length(&a) == 66051);
+
+	a = chunk_from_chars(0x04, 0x84, 0x01, 0x02, 0x03, 0x04, 0xaa);
+	a.len = 6 + 16909060;
+	ck_assert(asn1_length(&a) == 16909060);
+
+	/* largest chunk on 32 bit system */
+	a = chunk_from_chars(0x04, 0x84, 0xff, 0xff, 0xff, 0xf9, 0xaa);
+	a.len = 4294967295;
+	ck_assert(asn1_length(&a) == 4294967289);
+
+}
+END_TEST
+
+/*******************************************************************************
+ * unwrap
+ */
+
+START_TEST(test_asn1_unwrap)
+{
+	chunk_t c0 = chunk_from_chars(0x30);
+	chunk_t c1 = chunk_from_chars(0x30, 0x01, 0xaa);
+	chunk_t c2 = chunk_from_chars(0x30, 0x80);
+	chunk_t c3 = chunk_from_chars(0x30, 0x81);
+	chunk_t c4 = chunk_from_chars(0x30, 0x81, 0x01, 0xaa);
+	chunk_t c5 = chunk_from_chars(0x30, 0x81, 0x02, 0xaa);
+
+	chunk_t inner;
+	chunk_t inner_ref = chunk_from_chars(0xaa);
+
+	ck_assert(asn1_unwrap(&c0, &inner) == ASN1_INVALID);
+
+	ck_assert(asn1_unwrap(&c1, &inner) == ASN1_SEQUENCE);
+
+	ck_assert(chunk_equals(inner, inner_ref));
+
+	ck_assert(asn1_unwrap(&c2, &inner) == ASN1_INVALID);
+
+	ck_assert(asn1_unwrap(&c3, &inner) == ASN1_INVALID);
+
+	ck_assert(asn1_unwrap(&c4, &inner) == ASN1_SEQUENCE);
+
+	ck_assert(chunk_equals(inner, inner_ref));
+
+	ck_assert(asn1_unwrap(&c5, &inner) == ASN1_INVALID);
+}
+END_TEST
+
+/*******************************************************************************
+ * is_asn1
+ */
+
+START_TEST(test_is_asn1)
+{
+	typedef struct {
+		bool asn1;
+		chunk_t chunk;
+	} testdata_t;
+
+	u_char buf[8];
+	chunk_t chunk_zero = { buf, 0 };
+	chunk_t chunk_mean = {   0, 1 };
+
+	testdata_t test[] = {
+		{ FALSE, chunk_zero },
+		{ FALSE, chunk_empty },
+		{ FALSE, chunk_mean },
+		{ TRUE,  chunk_from_chars(0x30, 0x00) },
+		{ TRUE,  chunk_from_chars(0x31, 0x00) },
+		{ TRUE,  chunk_from_chars(0x04, 0x00) },
+		{ FALSE, chunk_from_chars(0x02, 0x00) },
+		{ FALSE, chunk_from_chars(0x30, 0x01) },
+		{ FALSE, chunk_from_chars(0x30, 0x80) },
+		{ TRUE,  chunk_from_chars(0x30, 0x01, 0xa1) },
+		{ FALSE, chunk_from_chars(0x30, 0x01, 0xa1, 0xa2) },
+		{ TRUE,  chunk_from_chars(0x30, 0x01, 0xa1, 0x0a) },
+		{ FALSE, chunk_from_chars(0x30, 0x01, 0xa1, 0xa2, 0x0a) },
+	};
+
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		ck_assert(is_asn1(test[i].chunk) == test[i].asn1);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * is_printablestring
+ */
+
+START_TEST(test_asn1_is_printablestring)
+{
+	typedef struct {
+		bool printable;
+		char *string;
+	} testdata_t;
+
+
+	testdata_t test[] = {
+		{ TRUE,  "" },
+		{ TRUE,  "Z" },
+		{ FALSE, "Z#" },
+		{ FALSE, "&Z" },
+		{ FALSE, "Z@z" },
+		{ FALSE, "!" },  { FALSE, "*" },  { FALSE, "$" },  { FALSE, "%" },
+		{ FALSE, "[" },  { FALSE, "]" },  { FALSE, "{" },  { FALSE, "}" },
+		{ FALSE, "|" },  { FALSE, "~" },  { FALSE, "^" },  { FALSE, "_" },
+		{ FALSE, "\"" }, { FALSE, "\\" }, { FALSE, "ä" },  { FALSE, "à" },
+		{ TRUE,  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+				 "0123456789 '()+,-./:=?" },
+	};
+
+	chunk_t chunk;
+	int i;
+
+	ck_assert(asn1_is_printablestring(chunk_empty));
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk = chunk_from_str(test[i].string);
+		ck_assert(asn1_is_printablestring(chunk) == test[i].printable);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * to_time
+ */
+
+START_TEST(test_asn1_to_time)
+{
+	typedef struct {
+		time_t time;
+		u_int8_t type;
+		char *string;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{       352980, 0x18, "197001050203Z" },
+		{       352984, 0x18, "19700105020304Z" },
+		{       352980, 0x17, "7001050203Z" },
+		{       347580, 0x17, "7001050203+0130" },
+		{       358380, 0x17, "7001050203-0130" },
+		{       352984, 0x17, "700105020304Z" },
+		{       347584, 0x17, "700105020304+0130" },
+		{       358384, 0x17, "700105020304-0130" },
+		{            0, 0x17, "700105020304+01" },
+		{            0, 0x17, "700105020304-01" },
+		{            0, 0x17, "700105020304" },
+		{            0, 0x17, "70010502Z" },
+		{            0, 0x17, "7001050203xxZ" },
+		{            0, 0x17, "7000050203Z" },
+		{            0, 0x17, "7013050203Z" },
+		{            0, 0x17, "7001004203Z" },
+		{            0, 0x17, "7001320203Z" },
+		{            0, 0x17, "700101-103Z" },
+		{            0, 0x17, "7001016003Z" },
+		{            0, 0x17, "70010102-1Z" },
+		{            0, 0x17, "7001010260Z" },
+		{            0, 0x17, "7001010203-1Z" },
+		{            0, 0x17, "700101020361Z" },
+		{   -631152000, 0x17, "500101000000Z" }, /* UTCTime min */
+		{           59, 0x17, "691231235959-0001" },
+		{           -1, 0x17, "691231235959Z" },
+		{            0, 0x17, "700101000000Z" },
+		{          -60, 0x17, "700101000000+0001" },
+		{ 2524607999UL, 0x17, "491231235959Z" }, /* UTCTime max */
+		{      5097600, 0x17, "7003010000Z" },
+		{     68256000, 0x17, "7203010000Z" },
+		{    951868800, 0x17, "0003010000Z" },
+		{ 4107542400UL, 0x18, "210003010000Z" }
+	};
+
+	int i;
+	chunk_t chunk;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		if (sizeof(time_t) == 4 && test[i].time < 0)
+		{
+			continue;
+		}
+		chunk = chunk_from_str(test[i].string);
+		ck_assert(asn1_to_time(&chunk, test[i].type) == test[i].time);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * from_time
+ */
+
+START_TEST(test_asn1_from_time)
+{
+	typedef struct {
+		time_t time;
+		u_int8_t type;
+		chunk_t chunk;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{       352984, 0x18, chunk_from_chars(
+						0x18, 0x0f, 0x31, 0x39, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+						0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+		{       352984, 0x17, chunk_from_chars(
+						0x17, 0x0d, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+						0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+		{   1078099200, 0x17, chunk_from_chars(
+						0x17, 0x0d, 0x30, 0x34, 0x30, 0x33, 0x30, 0x31,
+						0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a) },
+		{ 4107542400UL, 0x18, chunk_from_chars(
+						0x18, 0x0f, 0x32, 0x31, 0x30, 0x30, 0x30, 0x33, 0x30, 0x31,
+						0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a) }
+	};
+
+	int i;
+	chunk_t chunk;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		if (sizeof(time_t) == 4 && test[i].time < 0)
+		{
+			continue;
+		}
+		chunk = asn1_from_time(&test[i].time, test[i].type);
+		ck_assert(chunk_equals(chunk, test[i].chunk));
+		free(chunk.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_time
+ */
+
+START_TEST(test_asn1_parse_time)
+{
+	typedef struct {
+		time_t time;
+		chunk_t chunk;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ 352984, chunk_from_chars(
+					0x18, 0x0f, 0x31, 0x39, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+					0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+		{ 352984, chunk_from_chars(
+					0x17, 0x0d, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+					0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+		{      0, chunk_from_chars(0x05, 0x00) }
+	};
+
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		ck_assert(asn1_parse_time(test[i].chunk, 0) == test[i].time);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * build_object
+ */
+
+START_TEST(test_asn1_build_object)
+{
+	typedef struct {
+		size_t len;
+		size_t size;
+		u_char *b;
+	} testdata_t;
+
+	u_char b0[] = { 0x05, 0x00 };
+	u_char b1[] = { 0x04, 0x7f };
+	u_char b2[] = { 0x04, 0x81, 0x80 };
+	u_char b3[] = { 0x04, 0x81, 0xff };
+	u_char b4[] = { 0x04, 0x82, 0x01, 0x00 };
+	u_char b5[] = { 0x04, 0x82, 0xff, 0xff };
+	u_char b6[] = { 0x04, 0x83, 0x01, 0x00, 0x00 };
+
+	testdata_t test[] = {
+		{     0, sizeof(b0), b0 },
+		{   127, sizeof(b1), b1 },
+		{   128, sizeof(b2), b2 },
+ 		{   255, sizeof(b3), b3 },
+		{   256, sizeof(b4), b4 },
+		{ 65535, sizeof(b5), b5 },
+		{ 65536, sizeof(b6), b6 }
+	};
+
+	chunk_t a = chunk_empty;
+	u_char *pos;
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		pos = asn1_build_object(&a, test[i].b[0], test[i].len);
+		ck_assert(pos == (a.ptr + test[i].size));
+		ck_assert(a.len == test[i].size + test[i].len);
+		ck_assert(memeq(a.ptr, test[i].b, test[i].size));
+		chunk_free(&a);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * simple_object
+ */
+
+START_TEST(test_asn1_simple_object)
+{
+	chunk_t a = chunk_empty;
+	chunk_t b = chunk_from_chars(0x04, 0x05, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5);
+	chunk_t c = chunk_from_chars(0xa1, 0xa2, 0xa3, 0xa4, 0xa5);
+
+	a = asn1_simple_object(0x04, c);
+	ck_assert(chunk_equals(a, b));
+	chunk_free(&a);
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_simple_object
+ */
+
+START_TEST(test_asn1_parse_simple_object)
+{
+	typedef struct {
+		bool res;
+		int type;
+		chunk_t chunk;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{ FALSE, 0x04, chunk_from_chars(0x04) },
+		{ FALSE, 0x04, chunk_from_chars(0x02, 0x01, 0x55) },
+		{ FALSE, 0x04, chunk_from_chars(0x04, 0x01) },
+		{ TRUE,  0x04, chunk_from_chars(0x04, 0x01, 0x55) },
+		{ TRUE,  0x06, chunk_from_chars(0x06, 0x02, 0x55, 0x03) },
+		{ TRUE,  0x06, chunk_from_chars(0x06, 0x00) },
+		{ TRUE,  0x13, chunk_from_chars(0x13, 0x01, 0x55), }
+	};
+
+	int i;
+	bool res;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		res = asn1_parse_simple_object(&test[i].chunk, test[i].type, 0, "test");
+		ck_assert(res == test[i].res);
+		if (res && test[i].chunk.len)
+		{
+			ck_assert(*test[i].chunk.ptr == 0x55);
+		}
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * bitstring
+ */
+
+START_TEST(test_asn1_bitstring)
+{
+	chunk_t a = chunk_empty;
+	chunk_t b = chunk_from_chars(0x03, 0x05, 0x00, 0xa1, 0xa2, 0xa3, 0xa4);
+	chunk_t c = chunk_from_chars(0xa1, 0xa2, 0xa3, 0xa4);
+	chunk_t d = chunk_clone(c);
+
+	a = asn1_bitstring("c", c);
+	ck_assert(chunk_equals(a, b));
+	chunk_free(&a);
+
+	a = asn1_bitstring("m", d);
+	ck_assert(chunk_equals(a, b));
+	chunk_free(&a);
+}
+END_TEST
+
+/*******************************************************************************
+ * integer
+ */
+
+START_TEST(test_asn1_integer)
+{
+	typedef struct {
+		chunk_t b;
+		chunk_t c;
+	} testdata_t;
+
+	chunk_t b0 = chunk_from_chars(0x02, 0x01, 0x00);
+	chunk_t b1 = chunk_from_chars(0x02, 0x01, 0x7f);
+	chunk_t b2 = chunk_from_chars(0x02, 0x02, 0x00, 0x80);
+
+	chunk_t c0 = chunk_empty;
+	chunk_t c1 = chunk_from_chars(0x7f);
+	chunk_t c2 = chunk_from_chars(0x80);
+	chunk_t c3 = chunk_from_chars(0x00, 0x80);
+
+	testdata_t test[] = {
+		{ b0, c0 },
+		{ b1, c1 },
+		{ b2, c2 },
+		{ b2, c3 }
+	};
+
+	chunk_t a = chunk_empty;
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		a = asn1_integer("c", test[i].c);
+		ck_assert(chunk_equals(a, test[i].b));
+		chunk_free(&a);
+
+		a = asn1_integer("m", chunk_clone(test[i].c));
+		ck_assert(chunk_equals(a, test[i].b));
+		chunk_free(&a);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_integer_uint64
+ */
+
+START_TEST(test_asn1_parse_integer_uint64)
+{
+	typedef struct {
+		u_int64_t n;
+		chunk_t chunk;
+	} testdata_t;
+
+
+	testdata_t test[] = {
+		{             67305985ULL, chunk_from_chars(
+						0x04, 0x03, 0x02, 0x01) },
+		{   578437695752307201ULL, chunk_from_chars(
+						0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01) },
+		{ 18446744073709551615ULL, chunk_from_chars(
+						0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) }
+	};
+
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		ck_assert(asn1_parse_integer_uint64(test[i].chunk) == test[i].n);
+	}
+}
+END_TEST
+
+Suite *asn1_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("asn1");
+
+	tc = tcase_create("algorithmIdentifier");
+	tcase_add_test(tc, test_asn1_algorithmIdentifier);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("parse_algorithmIdentifier");
+	tcase_add_test(tc, test_asn1_parse_algorithmIdentifier);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("known_oid");
+	tcase_add_test(tc, test_asn1_known_oid);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("build_known_oid");
+	tcase_add_test(tc, test_asn1_build_known_oid);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("oid_from_string");
+	tcase_add_test(tc, test_asn1_oid_from_string);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("oid_to_string");
+	tcase_add_test(tc, test_asn1_oid_to_string);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("length");
+	tcase_add_test(tc, test_asn1_length);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("unwrap");
+	tcase_add_test(tc, test_asn1_unwrap);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("is_asn1");
+	tcase_add_test(tc, test_is_asn1);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("is_printablestring");
+	tcase_add_test(tc, test_asn1_is_printablestring);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("to_time");
+	tcase_add_test(tc, test_asn1_to_time);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("from_time");
+	tcase_add_test(tc, test_asn1_from_time);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("parse_time");
+	tcase_add_test(tc, test_asn1_parse_time);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("build_object");
+	tcase_add_test(tc, test_asn1_build_object);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("simple_object");
+	tcase_add_test(tc, test_asn1_simple_object);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("parse_simple_object");
+	tcase_add_test(tc, test_asn1_parse_simple_object);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("bitstring");
+	tcase_add_test(tc, test_asn1_bitstring);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("integer");
+	tcase_add_test(tc, test_asn1_integer);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("parse_integer_uint64");
+	tcase_add_test(tc, test_asn1_parse_integer_uint64);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_asn1_parser.c b/src/libstrongswan/tests/suites/test_asn1_parser.c
new file mode 100644
index 000000000..973562bff
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_asn1_parser.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <asn1/asn1_parser.h>
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * utilities
+ */
+
+typedef struct {
+	bool success;
+	int count;
+	chunk_t blob;
+} asn1_test_t;
+
+static void run_parser_test(const asn1Object_t *objects, int id,
+							asn1_test_t *test)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, count = 0;
+	bool success;
+
+	parser = asn1_parser_create(objects, test->blob);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == id)
+		{
+			count++;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	ck_assert(success == test->success && count == test->count);
+}
+
+/*******************************************************************************
+ * length
+ */
+
+static const asn1Object_t octetStringObjects[] = {
+	{ 0, "octetString",	ASN1_OCTET_STRING,	ASN1_BODY }, /* 0 */
+	{ 0, "exit",		ASN1_EOC,			ASN1_EXIT }
+};
+
+asn1_test_t length_tests[] = {
+	{ FALSE, 0, { NULL, 0 } },
+	{ FALSE, 0, chunk_from_chars(0x04) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x00) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x01, 0xaa) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x7f) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x80) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x81) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x81, 0x00) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x81, 0x01) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x81, 0x01, 0xaa) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x82, 0x00, 0x01) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x82, 0x00, 0x01, 0xaa) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x83, 0x00, 0x00, 0x01) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x83, 0x00, 0x00, 0x01, 0xaa) },
+	{ FALSE, 0, chunk_from_chars(0x04, 0x84, 0x00, 0x00, 0x00, 0x01) },
+	{ TRUE,  1, chunk_from_chars(0x04, 0x84, 0x00, 0x00, 0x00, 0x01, 0xaa) },
+};
+
+START_TEST(test_asn1_parser_length)
+{
+	run_parser_test(octetStringObjects, 0, &length_tests[_i]);
+}
+END_TEST
+
+/*******************************************************************************
+ * loop
+ */
+
+static const asn1Object_t loopObjects[] = {
+	{ 0, "loopObjects",		ASN1_SEQUENCE,		ASN1_LOOP }, /* 0 */
+	{ 1,   "octetString",	ASN1_OCTET_STRING,	ASN1_BODY }, /* 1 */
+	{ 0, "end loop",		ASN1_EOC,			ASN1_END  }, /* 2 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
+};
+
+asn1_test_t loop_tests[] = {
+	{ TRUE,  0, chunk_from_chars(0x30, 0x00) },
+	{ FALSE, 0, chunk_from_chars(0x30, 0x02, 0x04, 0x01) },
+	{ TRUE,  1, chunk_from_chars(0x30, 0x03, 0x04, 0x01, 0xaa) },
+	{ TRUE,  2, chunk_from_chars(0x30, 0x05, 0x04, 0x01, 0xaa, 0x04, 0x00) },
+	{ FALSE, 1, chunk_from_chars(0x30, 0x05, 0x04, 0x01, 0xaa, 0x05, 0x00) },
+	{ TRUE,  3, chunk_from_chars(0x30, 0x09, 0x04, 0x01, 0xaa, 0x04, 0x00,
+											 0x04, 0x02, 0xbb, 0xcc) },
+};
+
+START_TEST(test_asn1_parser_loop)
+{
+	run_parser_test(loopObjects, 1, &loop_tests[_i]);
+}
+END_TEST
+
+/*******************************************************************************
+ * default
+ */
+
+typedef struct {
+	int i1, i2, i3;
+	chunk_t blob;
+} default_opt_test_t;
+
+static const asn1Object_t defaultObjects[] = {
+	{ 0, "defaultObjects",	ASN1_SEQUENCE,		ASN1_OBJ			}, /* 0 */
+	{ 1,   "explicit int1",	ASN1_CONTEXT_C_1,	ASN1_DEF			}, /* 1 */
+	{ 2,     "int1",		ASN1_INTEGER,		ASN1_BODY			}, /* 2 */
+	{ 1,   "int2",			ASN1_INTEGER,		ASN1_DEF|ASN1_BODY	}, /* 3 */
+	{ 1,   "implicit int3", ASN1_CONTEXT_S_3,	ASN1_DEF|ASN1_BODY	}, /* 4 */		
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+
+default_opt_test_t default_tests[] = {
+	{ -1, -2, -3, chunk_from_chars(0x30, 0x00) },
+	{  1, -2, -3, chunk_from_chars(0x30, 0x05, 0xa1, 0x03, 0x02, 0x01, 0x01) },
+	{ -1,  2, -3, chunk_from_chars(0x30, 0x03, 0x02, 0x01, 0x02) },
+	{ -1, -2,  3, chunk_from_chars(0x30, 0x03, 0x83, 0x01, 0x03) },
+	{  1,  2, -3, chunk_from_chars(0x30, 0x08, 0xa1, 0x03, 0x02, 0x01, 0x01,
+											   0x02, 0x01, 0x02) },
+	{  1, -2,  3, chunk_from_chars(0x30, 0x08, 0xa1, 0x03, 0x02, 0x01, 0x01,
+											   0x83, 0x01, 0x03) },
+	{ -1,  2,  3, chunk_from_chars(0x30, 0x06, 0x02, 0x01, 0x02,
+											   0x83, 0x01, 0x03) },
+	{  1,  2,  3, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x02, 0x01, 0x01,
+											   0x02, 0x01, 0x02,
+											   0x83, 0x01, 0x03) },
+	{  0,  0,  0, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x04, 0x01, 0xaa,
+											   0x02, 0x01, 0x02,
+											   0x83, 0x01, 0x03) },
+	{  1,  0,  0, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x02, 0x01, 0x01,
+											   0x02, 0x05, 0x02,
+											   0x83, 0x01, 0x03) },
+	{  1,  2,  0, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x02, 0x01, 0x01,
+											   0x02, 0x01, 0x02,
+											   0x83, 0x02, 0x03) },
+};
+
+START_TEST(test_asn1_parser_default)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, i1 = 0, i2 = 0, i3 = 0;
+	bool success;
+
+	parser = asn1_parser_create(defaultObjects, default_tests[_i].blob);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case 2:
+				i1 = object.len ? *object.ptr : -1;
+				break;
+			case 3:
+				i2 = object.len ? *object.ptr : -2;
+				break;
+			case 4:
+				i3 = object.len ? *object.ptr : -3;
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	ck_assert(success == (default_tests[_i].i1 &&
+						  default_tests[_i].i2 &&
+						  default_tests[_i].i3));
+
+	ck_assert(i1 == default_tests[_i].i1 &&
+			  i2 == default_tests[_i].i2 &&
+			  i3 == default_tests[_i].i3);
+}
+END_TEST
+
+/*******************************************************************************
+ * option
+ */
+
+static const asn1Object_t optionObjects[] = {
+	{ 0, "optionalObjects",	ASN1_SEQUENCE,		ASN1_OBJ			}, /* 0 */
+	{ 1,   "sequence int1",	ASN1_SEQUENCE,		ASN1_OPT			}, /* 1 */
+	{ 2,     "int1",		ASN1_INTEGER,		ASN1_OPT|ASN1_BODY  }, /* 2 */
+	{ 2,     "end opt",		ASN1_EOC,			ASN1_END			}, /* 3 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 4 */
+	{ 1,   "int2",			ASN1_INTEGER,		ASN1_OPT|ASN1_BODY	}, /* 5 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 6 */
+	{ 1,   "implicit int3", ASN1_CONTEXT_S_3,	ASN1_OPT|ASN1_BODY	}, /* 7 */		
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 8 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+
+default_opt_test_t option_tests[] = {
+	{ 0, 0, 0, chunk_from_chars(0x30, 0x00) },
+	{ 1, 0, 0, chunk_from_chars(0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01) },
+	{ 0, 2, 0, chunk_from_chars(0x30, 0x03, 0x02, 0x01, 0x02) },
+	{ 0, 0, 3, chunk_from_chars(0x30, 0x03, 0x83, 0x01, 0x03) },
+	{ 1, 2, 0, chunk_from_chars(0x30, 0x08, 0x30, 0x03, 0x02, 0x01, 0x01,
+											0x02, 0x01, 0x02) },
+	{ 1, 0, 3, chunk_from_chars(0x30, 0x08, 0x30, 0x03, 0x02, 0x01, 0x01,
+											0x83, 0x01, 0x03) },
+	{ 0, 2, 3, chunk_from_chars(0x30, 0x06, 0x02, 0x01, 0x02,
+											0x83, 0x01, 0x03) },
+	{ 1, 2, 3, chunk_from_chars(0x30, 0x0b, 0x30, 0x03, 0x02, 0x01, 0x01,
+											0x02, 0x01, 0x02,
+											0x83, 0x01, 0x03) },
+	{ 0, 2, 3, chunk_from_chars(0x30, 0x08, 0x30, 0x00,
+											0x02, 0x01, 0x02,
+											0x83, 0x01, 0x03) },
+};
+
+START_TEST(test_asn1_parser_option)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, i1 = 0, i2 = 0, i3 = 0;
+	bool success;
+
+	parser = asn1_parser_create(optionObjects, option_tests[_i].blob);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case 2:
+				i1 = *object.ptr;
+				break;
+			case 5:
+				i2 = *object.ptr;
+				break;
+			case 7:
+				i3 = *object.ptr;
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	ck_assert(success);
+
+	ck_assert(i1 == option_tests[_i].i1 &&
+			  i2 == option_tests[_i].i2 &&
+			  i3 == option_tests[_i].i3);
+}
+END_TEST
+
+Suite *asn1_parser_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("asn1_parser");
+
+	tc = tcase_create("length");
+	tcase_add_loop_test(tc, test_asn1_parser_length, 0, countof(length_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("loop");
+	tcase_add_loop_test(tc, test_asn1_parser_loop, 0, countof(loop_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("default");
+	tcase_add_loop_test(tc, test_asn1_parser_default, 0, countof(default_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("option");
+	tcase_add_loop_test(tc, test_asn1_parser_option, 0, countof(option_tests));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_bio_reader.c b/src/libstrongswan/tests/suites/test_bio_reader.c
index 45b20db00..6a9743d62 100644
--- a/src/libstrongswan/tests/test_bio_reader.c
+++ b/src/libstrongswan/tests/suites/test_bio_reader.c
@@ -329,7 +329,7 @@ END_TEST
  */
 
 #define assert_read_data_len(bits) ({ \
- 	bio_reader_t *reader; \
+	bio_reader_t *reader; \
 	chunk_t read, data; \
 	int i, len = bits / 8; \
 	data = chunk_empty; \
diff --git a/src/libstrongswan/tests/test_bio_writer.c b/src/libstrongswan/tests/suites/test_bio_writer.c
index 665cd2d7c..e74288eb7 100644
--- a/src/libstrongswan/tests/test_bio_writer.c
+++ b/src/libstrongswan/tests/suites/test_bio_writer.c
@@ -181,7 +181,7 @@ END_TEST
  */
 
 #define assert_write_data_len(init, bits) ({ \
- 	bio_writer_t *writer; \
+	bio_writer_t *writer; \
 	chunk_t buf, data; \
 	int i, len = bits / 8; \
 	writer = bio_writer_create(init); \
@@ -240,7 +240,7 @@ END_TEST
  */
 
 #define assert_wrap_data(init, bits) ({ \
- 	bio_writer_t *writer; \
+	bio_writer_t *writer; \
 	chunk_t buf, data; \
 	int i, len = bits / 8; \
 	writer = bio_writer_create(init); \
diff --git a/src/libstrongswan/tests/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index 8e29971c1..e373fbdb6 100644
--- a/src/libstrongswan/tests/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -14,10 +14,16 @@
  * for more details.
  */
 
-
 #include "test_suite.h"
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
 #include <utils/chunk.h>
+#include <threading/thread.h>
 
 /*******************************************************************************
  * utilities
@@ -672,6 +678,31 @@ static const u_char sip_vectors[64][8] =
 	{ 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
 };
 
+/**
+ * Our SipHash-2-4 implementation returns the result in host order, which
+ * doesn't matter for practical purposes and even avoids a byte swap.  But
+ * because the test vectors are in little-endian we have to account for this
+ * with this custom comparison function.
+ */
+static inline bool sipeq(const void *a, const void *b, size_t n)
+{
+	u_char *ap = (u_char*)a, *bp = (u_char*)b;
+	int i;
+
+	for (i = 0; i < n; i++)
+	{
+#ifdef WORDS_BIGENDIAN
+		if (ap[i] != bp[n - i - 1])
+#else
+		if (ap[i] != bp[i])
+#endif
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
 START_TEST(test_chunk_mac)
 {
 	chunk_t in;
@@ -692,7 +723,7 @@ START_TEST(test_chunk_mac)
 		in.ptr[i] = i;
 		in.len = i;
 		out = chunk_mac(in, key);
-		fail_unless(memeq(&out, sip_vectors[i], 8),
+		fail_unless(sipeq(&out, sip_vectors[i], 8),
 					"test vector failed for %d bytes", i);
 	}
 }
@@ -739,7 +770,7 @@ START_TEST(test_chunk_hash_static)
 		in.len = i;
 		/* compared to chunk_mac() we only get half the value back */
 		out = chunk_hash_static(in);
-		fail_unless(memeq(&out, sip_vectors[i], 4),
+		fail_unless(sipeq(&out, sip_vectors[i], 4),
 					"test vector failed for %d bytes", i);
 	}
 	hash_a = chunk_hash_static_inc(in, out);
@@ -750,6 +781,116 @@ START_TEST(test_chunk_hash_static)
 END_TEST
 
 /*******************************************************************************
+ * test for chunk_map and friends
+ */
+
+START_TEST(test_chunk_map)
+{
+	chunk_t *map, contents = chunk_from_chars(0x01,0x02,0x03,0x04,0x05);
+	char *path = "/tmp/strongswan-chunk-map-test";
+
+	ck_assert(chunk_write(contents, path, 022, TRUE));
+
+	/* read */
+	map = chunk_map(path, FALSE);
+	ck_assert(map != NULL);
+	ck_assert_msg(chunk_equals(*map, contents), "%B", map);
+	/* altering mapped chunk should not hurt */
+	*map = chunk_empty;
+	ck_assert(chunk_unmap(map));
+
+	/* write */
+	map = chunk_map(path, TRUE);
+	ck_assert(map != NULL);
+	ck_assert_msg(chunk_equals(*map, contents), "%B", map);
+	map->ptr[0] = 0x06;
+	ck_assert(chunk_unmap(map));
+
+	/* verify write */
+	contents.ptr[0] = 0x06;
+	map = chunk_map(path, FALSE);
+	ck_assert(map != NULL);
+	ck_assert_msg(chunk_equals(*map, contents), "%B", map);
+	ck_assert(chunk_unmap(map));
+
+	unlink(path);
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_from_fd
+ */
+
+START_TEST(test_chunk_from_fd_file)
+{
+	chunk_t in, contents = chunk_from_chars(0x01,0x02,0x03,0x04,0x05);
+	char *path = "/tmp/strongswan-chunk-fd-test";
+	int fd;
+
+	ck_assert(chunk_write(contents, path, 022, TRUE));
+
+	fd = open(path, O_RDONLY);
+	ck_assert(fd != -1);
+
+	ck_assert(chunk_from_fd(fd, &in));
+	close(fd);
+	ck_assert_msg(chunk_equals(in, contents), "%B", &in);
+	unlink(path);
+	free(in.ptr);
+}
+END_TEST
+
+START_TEST(test_chunk_from_fd_skt)
+{
+	chunk_t in, contents = chunk_from_chars(0x01,0x02,0x03,0x04,0x05);
+	int s[2];
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, s) == 0);
+	ck_assert(write(s[1], contents.ptr, contents.len) == contents.len);
+	close(s[1]);
+	ck_assert_msg(chunk_from_fd(s[0], &in), "%s", strerror(errno));
+	close(s[0]);
+	ck_assert_msg(chunk_equals(in, contents), "%B", &in);
+	free(in.ptr);
+}
+END_TEST
+
+#define FROM_FD_COUNT 8192
+
+void *chunk_from_fd_run(void *data)
+{
+	int i, fd = (uintptr_t)data;
+
+	for (i = 0; i < FROM_FD_COUNT; i++)
+	{
+		ck_assert(write(fd, &i, sizeof(i)) == sizeof(i));
+	}
+	close(fd);
+	return NULL;
+}
+
+START_TEST(test_chunk_from_fd_huge)
+{
+	thread_t *thread;
+	chunk_t in;
+	int s[2], i;
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, s) == 0);
+
+	thread = thread_create(chunk_from_fd_run, (void*)(uintptr_t)s[1]);
+	ck_assert_msg(chunk_from_fd(s[0], &in), "%s", strerror(errno));
+	ck_assert_int_eq(in.len, FROM_FD_COUNT * sizeof(i));
+	for (i = 0; i < FROM_FD_COUNT; i++)
+	{
+		ck_assert_int_eq(((int*)in.ptr)[i], i);
+	}
+	thread->join(thread);
+	close(s[0]);
+	free(in.ptr);
+}
+END_TEST
+
+/*******************************************************************************
  * printf_hook tests
  */
 
@@ -866,6 +1007,16 @@ Suite *chunk_suite_create()
 	tcase_add_test(tc, test_chunk_hash_static);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("chunk_map");
+	tcase_add_test(tc, test_chunk_map);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_from_fd");
+	tcase_add_test(tc, test_chunk_from_fd_file);
+	tcase_add_test(tc, test_chunk_from_fd_skt);
+	tcase_add_test(tc, test_chunk_from_fd_huge);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("printf_hook");
 	tcase_add_loop_test(tc, test_printf_hook_hash, 0, countof(printf_hook_data));
 	tcase_add_loop_test(tc, test_printf_hook_plus, 0, countof(printf_hook_data));
diff --git a/src/libstrongswan/tests/suites/test_crypter.c b/src/libstrongswan/tests/suites/test_crypter.c
new file mode 100644
index 000000000..4e7550aee
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_crypter.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/crypters/crypter.h>
+#include <asn1/oid.h>
+#include <utils/test.h>
+
+typedef struct {
+	int oid;
+	encryption_algorithm_t alg;
+	size_t key_size;
+}crypter_oid_t;
+
+static crypter_oid_t oids[] = {
+	{ OID_UNKNOWN, ENCR_AES_CBC, 0 },
+	{ OID_UNKNOWN, ENCR_CAMELLIA_CBC, 0 },
+	{ OID_UNKNOWN, ENCR_UNDEFINED, 0 },
+	{ OID_DES_CBC, ENCR_DES, 0 },
+	{ OID_3DES_EDE_CBC, ENCR_3DES, 0 },
+	{ OID_AES128_CBC, ENCR_AES_CBC, 128 },
+	{ OID_AES192_CBC, ENCR_AES_CBC, 192 },
+	{ OID_AES256_CBC, ENCR_AES_CBC, 256 },
+	{ OID_CAMELLIA128_CBC, ENCR_CAMELLIA_CBC, 128 },
+	{ OID_CAMELLIA192_CBC, ENCR_CAMELLIA_CBC, 192 },
+	{ OID_CAMELLIA256_CBC, ENCR_CAMELLIA_CBC, 256 }
+};
+
+START_TEST(test_crypter_from_oid)
+{
+	size_t key_size;
+
+	ck_assert(encryption_algorithm_from_oid(oids[_i].oid, NULL) ==
+										    oids[_i].alg);
+	ck_assert(encryption_algorithm_from_oid(oids[_i].oid, &key_size) ==
+										    oids[_i].alg);
+	ck_assert(key_size == oids[_i].key_size);
+}
+END_TEST
+
+START_TEST(test_crypter_to_oid)
+{
+	ck_assert(encryption_algorithm_to_oid(oids[_i].alg,
+									      oids[_i].key_size) == oids[_i].oid);
+}
+END_TEST
+
+typedef struct {
+	encryption_algorithm_t alg;
+	bool is_aead;
+}crypter_aead_t;
+
+static crypter_aead_t aead[] = {
+	{ ENCR_AES_CCM_ICV8, TRUE },
+	{ ENCR_AES_CCM_ICV12, TRUE },
+	{ ENCR_AES_CCM_ICV16, TRUE },
+	{ ENCR_AES_GCM_ICV8, TRUE },
+	{ ENCR_AES_GCM_ICV12, TRUE },
+	{ ENCR_AES_GCM_ICV16, TRUE },
+	{ ENCR_NULL_AUTH_AES_GMAC, TRUE },
+	{ ENCR_CAMELLIA_CCM_ICV8, TRUE },
+	{ ENCR_CAMELLIA_CCM_ICV12, TRUE },
+	{ ENCR_CAMELLIA_CCM_ICV16, TRUE },
+	{ ENCR_AES_CBC, FALSE },
+	{ ENCR_CAMELLIA_CBC, FALSE }
+};
+     
+START_TEST(test_crypter_is_aead)
+{
+	ck_assert(encryption_algorithm_is_aead(aead[_i].alg) == aead[_i].is_aead);
+}
+END_TEST
+
+Suite *crypter_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("crypter");
+
+	tc = tcase_create("from_oid");
+	tcase_add_loop_test(tc, test_crypter_from_oid, 2, countof(oids));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("to_oid");
+	tcase_add_loop_test(tc, test_crypter_to_oid, 0, countof(oids));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("is_aead");
+	tcase_add_loop_test(tc, test_crypter_is_aead, 0, countof(aead));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_ecdsa.c b/src/libstrongswan/tests/suites/test_ecdsa.c
index 2955bae2f..3c842996d 100644
--- a/src/libstrongswan/tests/test_ecdsa.c
+++ b/src/libstrongswan/tests/suites/test_ecdsa.c
@@ -222,11 +222,17 @@ Suite *ecdsa_suite_create()
 {
 	Suite *s;
 	TCase *tc;
+	int gen_count = countof(key_sizes);
 
 	s = suite_create("ecdsa");
 
+	if (getenv("TESTS_REDUCED_KEYLENGTHS") != NULL)
+	{
+		gen_count = min(1, gen_count);
+	}
+
 	tc = tcase_create("generate");
-	tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+	tcase_add_loop_test(tc, test_gen, 0, gen_count);
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("load");
diff --git a/src/libstrongswan/tests/test_enum.c b/src/libstrongswan/tests/suites/test_enum.c
index 990d9cfad..990d9cfad 100644
--- a/src/libstrongswan/tests/test_enum.c
+++ b/src/libstrongswan/tests/suites/test_enum.c
diff --git a/src/libstrongswan/tests/test_enumerator.c b/src/libstrongswan/tests/suites/test_enumerator.c
index b5dde4650..b5dde4650 100644
--- a/src/libstrongswan/tests/test_enumerator.c
+++ b/src/libstrongswan/tests/suites/test_enumerator.c
diff --git a/src/libstrongswan/tests/suites/test_fetch_http.c b/src/libstrongswan/tests/suites/test_fetch_http.c
new file mode 100644
index 000000000..8749ff375
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_fetch_http.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <unistd.h>
+#include <time.h>
+
+/**
+ * HTTP test definition
+ */
+typedef struct {
+	/* HTTP Method */
+	char *meth;
+	/* HTTP 1.x minor version */
+	int minor;
+	/* host to connect to */
+	char *host;
+	/* HTTP service port */
+	int port;
+	/* path on host to fetch from */
+	char *path;
+	/* request Content-Type, if any */
+	char *type;
+	/* request data, if any */
+	void *req;
+	/* length of request data */
+	int req_len;
+	/* response data, if any */
+	void *res;
+	/* length of response data */
+	int res_len;
+} test_service_t;
+
+static char large[] = {
+	0x88,0x3e,0xa3,0xe3,0x95,0x67,0x53,0x93,0xc8,0xce,0x5c,0xcd,0x8c,0x03,0x0c,0xa8,
+	0x94,0xaf,0x49,0xf6,0xc6,0x50,0xad,0xb8,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+	0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+	0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+	0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+	0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+	0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+	0xb4,0xa3,0x15,0x08,0xbe,0xff,0x4d,0x31,0x81,0x39,0x62,0x29,0xf0,0x90,0x79,0x02,
+	0x4d,0x0c,0xf4,0x9e,0xe5,0xd4,0xdc,0xca,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+	0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+	0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+	0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+	0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+	0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+	0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+	0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+	0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+	0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+	0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+	0xb4,0xa3,0x15,0x08,0xbe,0xff,0x4d,0x31,0x81,0x39,0x62,0x29,0xf0,0x90,0x79,0x02,
+	0x4d,0x0c,0xf4,0x9e,0xe5,0xd4,0xdc,0xca,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+	0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+	0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+	0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+	0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+	0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+	0xb4,0xa3,0x15,0x08,0xbe,0xff,0x4d,0x31,0x81,0x39,0x62,0x29,0xf0,0x90,0x79,0x02,
+	0x4d,0x0c,0xf4,0x9e,0xe5,0xd4,0xdc,0xca,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+};
+
+static bool servicing(void *data, stream_t *stream)
+{
+	test_service_t *test = (test_service_t*)data;
+	char buf[1024], hdr[256], *start, *end = NULL, *body = NULL, *type = NULL;
+	struct tm tm;
+	time_t t;
+	ssize_t len, tot = 0;
+	int nr = 0;
+
+	start = buf;
+
+	/* parse method and headers */
+	while (end != start)
+	{
+		len = stream->read(stream, buf + tot, sizeof(buf) - tot, TRUE);
+		ck_assert(len > 0);
+		tot += len;
+
+		while (TRUE)
+		{
+			end = memchr(start, '\n', tot);
+			if (!end)
+			{
+				break;
+			}
+			*end = '\0';
+			ck_assert(end > buf);
+			ck_assert(*(--end) == '\r');
+			*end = '\0';
+			if (end == start)
+			{
+				body = end + strlen("\r\n");
+				break;
+			}
+			switch (nr++)
+			{
+				case 0:
+					snprintf(hdr, sizeof(hdr), "%s %s HTTP/1.%u",
+							 test->meth, test->path, test->minor);
+					ck_assert_str_eq(hdr, start);
+					break;
+				default:
+					if (strcasepfx(start, "Content-Length: "))
+					{
+						ck_assert_int_eq(
+							atoi(start + strlen("Content-Length: ")),
+							test->req_len);
+					}
+					if (strcasepfx(start, "Content-Type: "))
+					{
+						type = start + strlen("Content-Type: ");
+					}
+					break;
+			}
+			start = end + strlen("\r\n");
+		}
+	}
+
+	if (test->type)
+	{
+		ck_assert(type);
+		ck_assert_str_eq(type, test->type);
+	}
+
+	/* request body */
+	if (test->req_len)
+	{
+		ck_assert(stream->read_all(stream, buf + tot,
+								   test->req_len - (tot - (body - buf))));
+		ck_assert(memeq(body, test->req, test->req_len));
+	}
+
+	/* response headers */
+	snprintf(buf, sizeof(buf), "HTTP/1.%u 200 OK\r\n", test->minor);
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+	t = time(NULL);
+	gmtime_r(&t, &tm);
+	strftime(buf, sizeof(buf), "%a, %d %b %Y %T %z", &tm);
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+	snprintf(buf, sizeof(buf), "Server: strongSwan unit test\r\n");
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+
+	/* rest of response headers */
+	snprintf(buf, sizeof(buf), "Content-Type: text/plain\r\n");
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+	snprintf(buf, sizeof(buf), "Content-Length: %u\r\n", test->res_len);
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+	snprintf(buf, sizeof(buf), "Connection: close\r\n");
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+	snprintf(buf, sizeof(buf), "\r\n");
+	ck_assert(stream->write_all(stream, buf, strlen(buf)));
+
+	/* response body */
+	ck_assert(stream->write_all(stream, test->res, test->res_len));
+	return FALSE;
+}
+
+static test_service_t gtests[] = {
+	{ "GET", 1, "127.0.0.1", 6543, "/a/test/?b=c", NULL,
+	  NULL, 0, "\x12\x34", 2 },
+	{ "GET", 0, "localhost", 6543, "/", NULL,
+	  NULL, 0, NULL, 0 },
+	{ "GET", 0, "127.0.0.1", 6543, "/largefile", NULL,
+	  NULL, 0, large, sizeof(large) },
+	{ "GET", 1, "[::1]", 6543, "/ipv6-url", NULL,
+	  NULL, 0, "\x00\r\n\r\x00testdatablabla", 20 },
+};
+
+START_TEST(test_get)
+{
+	stream_service_t *service;
+	status_t status;
+	chunk_t data, expected;
+	char uri[256];
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	snprintf(uri, sizeof(uri), "tcp://%s:%u", gtests[_i].host, gtests[_i].port);
+	service = lib->streams->create_service(lib->streams, uri, 1);
+	ck_assert(service != NULL);
+	service->on_accept(service, servicing, &gtests[_i], JOB_PRIO_HIGH, 0);
+
+	snprintf(uri, sizeof(uri), "http://%s:%u%s",
+			 gtests[_i].host, gtests[_i].port, gtests[_i].path);
+	status = lib->fetcher->fetch(lib->fetcher, uri, &data,
+			!gtests[_i].minor ? FETCH_HTTP_VERSION_1_0 : FETCH_END,
+			FETCH_END);
+	ck_assert_int_eq(status, SUCCESS);
+	expected = chunk_create(gtests[_i].res, gtests[_i].res_len);
+	ck_assert_msg(chunk_compare(expected, data) == 0,
+				  "exp %B\ngot %B\n", &expected, &data);
+	free(data.ptr);
+
+	service->destroy(service);
+}
+END_TEST
+
+
+static test_service_t ptests[] = {
+	{ "POST", 1, "127.0.0.1", 6543, "/a/test/?b=c", "application/binary",
+	  "\x23\x45", 2, "\x12\x34", 2 },
+	{ "POST", 0, "localhost", 6543, "/largefile", "application/x-large",
+	  large, sizeof(large), large, sizeof(large) },
+	{ "POST", 1, "[::1]", 6543, "/ipv6-url", "text/plain",
+	  "\x00\r\n\r\x00testdatablabla", 20, "\x00\r\n\r\x00testdatablabla", 20 },
+};
+
+START_TEST(test_post)
+{
+	stream_service_t *service;
+	status_t status;
+	chunk_t data, expected;
+	char uri[256];
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	snprintf(uri, sizeof(uri), "tcp://%s:%u", ptests[_i].host, ptests[_i].port);
+	service = lib->streams->create_service(lib->streams, uri, 1);
+	ck_assert(service != NULL);
+	service->on_accept(service, servicing, &ptests[_i], JOB_PRIO_HIGH, 0);
+
+	snprintf(uri, sizeof(uri), "http://%s:%u%s",
+			 ptests[_i].host, ptests[_i].port, ptests[_i].path);
+	status = lib->fetcher->fetch(lib->fetcher, uri, &data,
+					FETCH_REQUEST_TYPE, ptests[_i].type,
+					FETCH_REQUEST_DATA,
+						chunk_create(ptests[_i].req, ptests[_i].req_len),
+					!ptests[_i].minor ? FETCH_HTTP_VERSION_1_0 : FETCH_END,
+					FETCH_END);
+	ck_assert_int_eq(status, SUCCESS);
+	expected = chunk_create(ptests[_i].res, ptests[_i].res_len);
+	ck_assert_msg(chunk_compare(expected, data) == 0,
+				  "exp %B\ngot %B\n", &expected, &data);
+	free(data.ptr);
+
+	service->destroy(service);
+}
+END_TEST
+
+Suite *fetch_http_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("http fetcher");
+
+	tc = tcase_create("GET");
+	tcase_add_loop_test(tc, test_get, 0, countof(gtests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("POST");
+	tcase_add_loop_test(tc, test_post, 0, countof(ptests));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
new file mode 100644
index 000000000..41a9d64ef
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -0,0 +1,189 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
+#include <asn1/oid.h>
+#include <utils/test.h>
+
+typedef struct {
+	int oid;
+	hash_algorithm_t alg;
+	key_type_t key;
+}hasher_oid_t;
+
+static hasher_oid_t oids[] = {
+	{ OID_MD2, HASH_MD2, KEY_ANY },
+	{ OID_MD5, HASH_MD5, KEY_ANY },
+	{ OID_SHA1, HASH_SHA1, KEY_ANY },
+	{ OID_SHA224, HASH_SHA224, KEY_ANY },
+	{ OID_SHA256, HASH_SHA256, KEY_ANY },
+	{ OID_SHA384, HASH_SHA384, KEY_ANY },
+	{ OID_SHA512, HASH_SHA512, KEY_ANY },
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },
+	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },
+	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },
+	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },
+	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },
+	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },
+	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },
+	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },
+	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },
+	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },
+	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },
+	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }
+};
+
+START_TEST(test_hasher_from_oid)
+{
+	ck_assert(hasher_algorithm_from_oid(oids[_i].oid) == oids[_i].alg);
+}
+END_TEST
+
+START_TEST(test_hasher_to_oid)
+{
+	ck_assert(hasher_algorithm_to_oid(oids[_i].alg) == oids[_i].oid);
+}
+END_TEST
+
+START_TEST(test_hasher_sig_to_oid)
+{
+	ck_assert(hasher_signature_algorithm_to_oid(oids[_i].alg,
+												oids[_i].key) == oids[_i].oid);
+}
+END_TEST
+
+typedef struct {
+	pseudo_random_function_t prf;
+	hash_algorithm_t alg;
+}hasher_prf_t;
+
+static hasher_prf_t prfs[] = {
+	{ PRF_HMAC_MD5, HASH_MD5 },
+	{ PRF_HMAC_SHA1, HASH_SHA1 },
+	{ PRF_FIPS_SHA1_160, HASH_SHA1 },
+	{ PRF_KEYED_SHA1, HASH_SHA1 },
+	{ PRF_HMAC_SHA2_256, HASH_SHA256 },
+	{ PRF_HMAC_SHA2_384, HASH_SHA384 },
+	{ PRF_HMAC_SHA2_512, HASH_SHA512 },
+	{ PRF_HMAC_TIGER, HASH_UNKNOWN },
+	{ PRF_AES128_XCBC, HASH_UNKNOWN },
+	{ PRF_AES128_CMAC, HASH_UNKNOWN },
+	{ PRF_FIPS_DES, HASH_UNKNOWN },
+	{ PRF_CAMELLIA128_XCBC, HASH_UNKNOWN },
+	{ PRF_UNDEFINED, HASH_UNKNOWN },
+	{ 0, HASH_UNKNOWN }
+};
+
+START_TEST(test_hasher_from_prf)
+{
+	ck_assert(hasher_algorithm_from_prf(prfs[_i].prf) == prfs[_i].alg);
+}
+END_TEST
+
+typedef struct {
+	integrity_algorithm_t auth;
+	hash_algorithm_t alg;
+	size_t length;
+}hasher_auth_t;
+
+static hasher_auth_t auths[] = {
+	{ AUTH_UNDEFINED, HASH_MD2, 0 },
+	{ AUTH_UNDEFINED, HASH_MD4, 0 },
+	{ AUTH_UNDEFINED, HASH_SHA224, 0 },
+	{ AUTH_UNDEFINED, 9, 0 },
+	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
+	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },
+	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
+	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
+	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },
+	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
+	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
+	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
+	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
+	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
+	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
+	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
+	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
+	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
+	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
+	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
+	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
+	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
+	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },
+	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
+	{ 0, HASH_UNKNOWN, 0 }
+};
+
+START_TEST(test_hasher_from_integrity)
+{
+	size_t length;
+
+	length = 0;
+	ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, NULL) == 
+											  auths[_i].alg);
+	ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, &length) == 
+											  auths[_i].alg);
+	ck_assert(length == auths[_i].length);
+}
+END_TEST
+
+START_TEST(test_hasher_to_integrity)
+{
+	ck_assert(hasher_algorithm_to_integrity(
+						auths[_i].alg, auths[_i].length) == auths[_i].auth);
+	ck_assert(hasher_algorithm_to_integrity(
+						auths[_i].alg, 0) == AUTH_UNDEFINED);
+}
+END_TEST
+
+Suite *hasher_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("hasher");
+
+	tc = tcase_create("from_oid");
+	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 15);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("to_oid");
+	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 8);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("sig_to_oid");
+	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 7, countof(oids));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("from_prf");
+	tcase_add_loop_test(tc, test_hasher_from_prf, 0, countof(prfs));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("from_integrity");
+	tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("to_integrity");
+	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_hashtable.c b/src/libstrongswan/tests/suites/test_hashtable.c
index 8cc7bfe42..8cc7bfe42 100644
--- a/src/libstrongswan/tests/test_hashtable.c
+++ b/src/libstrongswan/tests/suites/test_hashtable.c
diff --git a/src/libstrongswan/tests/test_host.c b/src/libstrongswan/tests/suites/test_host.c
index 30b9eb940..30b9eb940 100644
--- a/src/libstrongswan/tests/test_host.c
+++ b/src/libstrongswan/tests/suites/test_host.c
diff --git a/src/libstrongswan/tests/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 1dc6776d1..edf53f0fd 100644
--- a/src/libstrongswan/tests/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -179,7 +179,7 @@ static struct {
 START_TEST(test_from_string)
 {
 	identification_t *a;
-	chunk_t encoding, expected;
+	chunk_t encoding, expected = chunk_empty;
 	char *id;
 
 	id = string_data[_i].id;
diff --git a/src/libstrongswan/tests/test_linked_list.c b/src/libstrongswan/tests/suites/test_linked_list.c
index 9e85c58d8..922f954e3 100644
--- a/src/libstrongswan/tests/test_linked_list.c
+++ b/src/libstrongswan/tests/suites/test_linked_list.c
@@ -246,10 +246,10 @@ struct invoke_t {
 
 static void invoke(intptr_t item, void *a, void *b, void *c, void *d, int *sum)
 {
-	ck_assert(a == (void*)1);
-	ck_assert(b == (void*)2);
-	ck_assert(c == (void*)3);
-	ck_assert(d == (void*)4);
+	ck_assert_int_eq((uintptr_t)a, 1);
+	ck_assert_int_eq((uintptr_t)b, 2);
+	ck_assert_int_eq((uintptr_t)c, 3);
+	ck_assert_int_eq((uintptr_t)d, 4);
 	*sum += item;
 }
 
@@ -267,7 +267,9 @@ START_TEST(test_invoke_function)
 	list->insert_last(list, (void*)3);
 	list->insert_last(list, (void*)4);
 	list->insert_last(list, (void*)5);
-	list->invoke_function(list, (linked_list_invoke_t)invoke, 1, 2, 3, 4, &sum);
+	list->invoke_function(list, (linked_list_invoke_t)invoke,
+						  (uintptr_t)1, (uintptr_t)2,
+						  (uintptr_t)3, (uintptr_t)4, &sum);
 	ck_assert_int_eq(sum, 15);
 }
 END_TEST
@@ -287,7 +289,9 @@ START_TEST(test_invoke_offset)
 	{
 		list->insert_last(list, &items[i]);
 	}
-	list->invoke_offset(list, offsetof(invoke_t, invoke), 1, 2, 3, 4, &sum);
+	list->invoke_offset(list, offsetof(invoke_t, invoke),
+						(uintptr_t)1, (uintptr_t)2,
+						(uintptr_t)3, (uintptr_t)4, &sum);
 	ck_assert_int_eq(sum, 15);
 }
 END_TEST
@@ -303,7 +307,7 @@ struct clone_t {
 	void *(*clone)(clone_t *item);
 };
 
-static void *clone(clone_t *item)
+static void *clonefn(clone_t *item)
 {
 	return item->val;
 }
@@ -326,11 +330,11 @@ START_TEST(test_clone_offset)
 {
 	linked_list_t *other;
 	clone_t items[] = {
-		{ .val = (void*)1, .clone = clone, },
-		{ .val = (void*)2, .clone = clone, },
-		{ .val = (void*)3, .clone = clone, },
-		{ .val = (void*)4, .clone = clone, },
-		{ .val = (void*)5, .clone = clone, },
+		{ .val = (void*)1, .clone = clonefn, },
+		{ .val = (void*)2, .clone = clonefn, },
+		{ .val = (void*)3, .clone = clonefn, },
+		{ .val = (void*)4, .clone = clonefn, },
+		{ .val = (void*)5, .clone = clonefn, },
 	};
 	int i;
 
diff --git a/src/libstrongswan/tests/test_linked_list_enumerator.c b/src/libstrongswan/tests/suites/test_linked_list_enumerator.c
index 48d6f40e6..48d6f40e6 100644
--- a/src/libstrongswan/tests/test_linked_list_enumerator.c
+++ b/src/libstrongswan/tests/suites/test_linked_list_enumerator.c
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
new file mode 100644
index 000000000..a46f5742c
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -0,0 +1,1042 @@
+/*
+ * Copyright (C) 2013-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/test_rng.h>
+#include <plugins/ntru/ntru_drbg.h>
+#include <plugins/ntru/ntru_mgf1.h>
+#include <plugins/ntru/ntru_trits.h>
+#include <plugins/ntru/ntru_poly.h>
+#include <utils/test.h>
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
+						  u_int32_t strength, chunk_t pers_str, rng_t *entropy)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create, ntru_mgf1_t*,
+						  hash_algorithm_t alg, chunk_t seed, bool hash_seed)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*,
+						  size_t len, hash_algorithm_t alg, chunk_t seed)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_seed, ntru_poly_t*,
+						  hash_algorithm_t alg, chunk_t seed, uint8_t c_bits,
+						  uint16_t N, uint16_t q, uint32_t indices_len_p,
+						  uint32_t indices_len_m, bool is_product_form)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*,
+						  u_int16_t *data, uint16_t N, uint16_t q,
+						  uint32_t indices_len_p, uint32_t indices_len_m,
+						  bool is_product_form)
+
+/**
+ * NTRU parameter sets to test
+ */
+static struct {
+	diffie_hellman_group_t group;
+	char *group_name;
+} params[] = {
+	{ NTRU_112_BIT, "NTRU_112" },
+	{ NTRU_128_BIT, "NTRU_128" },
+	{ NTRU_192_BIT, "NTRU_192" },
+	{ NTRU_256_BIT, "NTRU_256" }
+};
+
+/**
+ * NTRU parameter set selection
+ */
+char *parameter_sets[] = {
+		"x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum"
+};
+
+typedef struct {
+	u_int32_t requested;
+	u_int32_t standard;
+}strength_t;
+
+strength_t strengths[] = {
+	{  80, 112 },
+	{ 112, 112 },
+	{ 120, 128 },
+	{ 128, 128 },
+	{ 150, 192 },
+	{ 192, 192 },
+	{ 200, 256 },
+	{ 256, 256 },
+	{ 512,   0 }
+};
+
+START_TEST(test_ntru_drbg_strength)
+{
+	ntru_drbg_t *drbg;
+	rng_t *entropy;
+
+	entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	ck_assert(entropy != NULL);
+
+	drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
+	if (strengths[_i].standard)
+	{
+		ck_assert(drbg != NULL);
+		ck_assert(drbg->get_strength(drbg) == strengths[_i].standard);
+		drbg->destroy(drbg);
+	}
+	else
+	{
+		ck_assert(drbg == NULL);
+	}
+	entropy->destroy(entropy);
+}
+END_TEST
+
+typedef struct {
+	chunk_t pers_str;
+	chunk_t entropy;
+	chunk_t out;
+} drbg_test_t;
+
+/**
+ * NIST SP 800-90A Deterministic Random Generator Validation System (DRBGVS)
+ */
+drbg_test_t drbg_tests[] = {
+	/* SHA-256 test case 1 - count 0 */
+	{ { NULL, 0 },
+	  chunk_from_chars(0x06, 0x03, 0x2c, 0xd5, 0xee, 0xd3, 0x3f, 0x39,
+					   0x26, 0x5f, 0x49, 0xec, 0xb1, 0x42, 0xc5, 0x11,
+					   0xda, 0x9a, 0xff, 0x2a, 0xf7, 0x12, 0x03, 0xbf,
+					   0xfa, 0xf3, 0x4a, 0x9c, 0xa5, 0xbd, 0x9c, 0x0d,
+					   0x0e, 0x66, 0xf7, 0x1e, 0xdc, 0x43, 0xe4, 0x2a,
+					   0x45, 0xad, 0x3c, 0x6f, 0xc6, 0xcd, 0xc4, 0xdf,
+					   0x01, 0x92, 0x0a, 0x4e, 0x66, 0x9e, 0xd3, 0xa8,
+					   0x5a, 0xe8, 0xa3, 0x3b, 0x35, 0xa7, 0x4a, 0xd7,
+					   0xfb, 0x2a, 0x6b, 0xb4, 0xcf, 0x39, 0x5c, 0xe0,
+					   0x03, 0x34, 0xa9, 0xc9, 0xa5, 0xa5, 0xd5, 0x52),
+	  chunk_from_chars(0x76, 0xfc, 0x79, 0xfe, 0x9b, 0x50, 0xbe, 0xcc,
+					   0xc9, 0x91, 0xa1, 0x1b, 0x56, 0x35, 0x78, 0x3a,
+					   0x83, 0x53, 0x6a, 0xdd, 0x03, 0xc1, 0x57, 0xfb,
+					   0x30, 0x64, 0x5e, 0x61, 0x1c, 0x28, 0x98, 0xbb,
+					   0x2b, 0x1b, 0xc2, 0x15, 0x00, 0x02, 0x09, 0x20,
+					   0x8c, 0xd5, 0x06, 0xcb, 0x28, 0xda, 0x2a, 0x51,
+					   0xbd, 0xb0, 0x38, 0x26, 0xaa, 0xf2, 0xbd, 0x23,
+					   0x35, 0xd5, 0x76, 0xd5, 0x19, 0x16, 0x08, 0x42,
+					   0xe7, 0x15, 0x8a, 0xd0, 0x94, 0x9d, 0x1a, 0x9e,
+					   0xc3, 0xe6, 0x6e, 0xa1, 0xb1, 0xa0, 0x64, 0xb0,
+					   0x05, 0xde, 0x91, 0x4e, 0xac, 0x2e, 0x9d, 0x4f,
+					   0x2d, 0x72, 0xa8, 0x61, 0x6a, 0x80, 0x22, 0x54,
+					   0x22, 0x91, 0x82, 0x50, 0xff, 0x66, 0xa4, 0x1b,
+					   0xd2, 0xf8, 0x64, 0xa6, 0xa3, 0x8c, 0xc5, 0xb6,
+					   0x49, 0x9d, 0xc4, 0x3f, 0x7f, 0x2b, 0xd0, 0x9e,
+					   0x1e, 0x0f, 0x8f, 0x58, 0x85, 0x93, 0x51, 0x24)
+	},
+	/* SHA-256 test case 3 - count 0 */
+	{ chunk_from_chars(0xf2, 0xe5, 0x8f, 0xe6, 0x0a, 0x3a, 0xfc, 0x59,
+					   0xda, 0xd3, 0x75, 0x95, 0x41, 0x5f, 0xfd, 0x31,
+					   0x8c, 0xcf, 0x69, 0xd6, 0x77, 0x80, 0xf6, 0xfa,
+					   0x07, 0x97, 0xdc, 0x9a, 0xa4, 0x3e, 0x14, 0x4c),
+	  chunk_from_chars(0xfa, 0x0e, 0xe1, 0xfe, 0x39, 0xc7, 0xc3, 0x90,
+					   0xaa, 0x94, 0x15, 0x9d, 0x0d, 0xe9, 0x75, 0x64,
+					   0x34, 0x2b, 0x59, 0x17, 0x77, 0xf3, 0xe5, 0xf6,
+					   0xa4, 0xba, 0x2a, 0xea, 0x34, 0x2e, 0xc8, 0x40,
+					   0xdd, 0x08, 0x20, 0x65, 0x5c, 0xb2, 0xff, 0xdb,
+					   0x0d, 0xa9, 0xe9, 0x31, 0x0a, 0x67, 0xc9, 0xe5,
+					   0xe0, 0x62, 0x9b, 0x6d, 0x79, 0x75, 0xdd, 0xfa,
+					   0x96, 0xa3, 0x99, 0x64, 0x87, 0x40, 0xe6, 0x0f,
+					   0x1f, 0x95, 0x57, 0xdc, 0x58, 0xb3, 0xd7, 0x41,
+					   0x5f, 0x9b, 0xa9, 0xd4, 0xdb, 0xb5, 0x01, 0xf6),
+	  chunk_from_chars(0xf9, 0x2d, 0x4c, 0xf9, 0x9a, 0x53, 0x5b, 0x20,
+					   0x22, 0x2a, 0x52, 0xa6, 0x8d, 0xb0, 0x4c, 0x5a,
+					   0xf6, 0xf5, 0xff, 0xc7, 0xb6, 0x6a, 0x47, 0x3a,
+					   0x37, 0xa2, 0x56, 0xbd, 0x8d, 0x29, 0x8f, 0x9b,
+					   0x4a, 0xa4, 0xaf, 0x7e, 0x8d, 0x18, 0x1e, 0x02,
+					   0x36, 0x79, 0x03, 0xf9, 0x3b, 0xdb, 0x74, 0x4c,
+					   0x6c, 0x2f, 0x3f, 0x34, 0x72, 0x62, 0x6b, 0x40,
+					   0xce, 0x9b, 0xd6, 0xa7, 0x0e, 0x7b, 0x8f, 0x93,
+					   0x99, 0x2a, 0x16, 0xa7, 0x6f, 0xab, 0x6b, 0x5f,
+					   0x16, 0x25, 0x68, 0xe0, 0x8e, 0xe6, 0xc3, 0xe8,
+					   0x04, 0xae, 0xfd, 0x95, 0x2d, 0xdd, 0x3a, 0xcb,
+					   0x79, 0x1c, 0x50, 0xf2, 0xad, 0x69, 0xe9, 0xa0,
+					   0x40, 0x28, 0xa0, 0x6a, 0x9c, 0x01, 0xd3, 0xa6,
+					   0x2a, 0xca, 0x2a, 0xaf, 0x6e, 0xfe, 0x69, 0xed,
+					   0x97, 0xa0, 0x16, 0x21, 0x3a, 0x2d, 0xd6, 0x42,
+					   0xb4, 0x88, 0x67, 0x64, 0x07, 0x2d, 0x9c, 0xbe)
+	},
+	/* SHA-256 test case 5 - count 0 */
+	{ { NULL, 0 },
+	  chunk_from_chars(0xff, 0x0c, 0xdd, 0x55, 0x5c, 0x60, 0x46, 0x47,
+					   0x60, 0xb2, 0x89, 0xb7, 0xbc, 0x1f, 0x81, 0x1a,
+					   0x41, 0xff, 0xf7, 0x2d, 0xe5, 0x90, 0x83, 0x85,
+					   0x8c, 0x02, 0x0a, 0x10, 0x53, 0xbd, 0xc7, 0x4a,
+					   0x7b, 0xc0, 0x99, 0x28, 0x5a, 0xd5, 0x62, 0x19,
+					   0x93, 0xb6, 0x39, 0xc4, 0xa9, 0x4c, 0x37, 0x6b,
+					   0x14, 0xfc, 0x6c, 0x9b, 0x17, 0x8d, 0xb6, 0x44,
+					   0xa8, 0xcd, 0x71, 0x30, 0xa4, 0xcf, 0x05, 0x16,
+					   0x78, 0xc8, 0xf4, 0xfa, 0x8f, 0x24, 0xc2, 0x7b,
+					   0x0a, 0x53, 0x13, 0x38, 0xa5, 0xce, 0x85, 0x89),
+	  chunk_from_chars(0x2f, 0x26, 0x20, 0x34, 0x7b, 0xdd, 0xca, 0xa2,
+					   0x94, 0x36, 0x85, 0x34, 0x6b, 0xbf, 0x31, 0xc4,
+					   0x40, 0x81, 0xf8, 0x66, 0x5f, 0x3d, 0xdb, 0x2b,
+					   0x42, 0xae, 0x14, 0x16, 0xa7, 0x4c, 0x4b, 0x77,
+					   0xfa, 0xb3, 0xfa, 0x19, 0xae, 0xec, 0xc5, 0x47,
+					   0xe7, 0x6c, 0x8c, 0xbe, 0x6a, 0xd1, 0xf1, 0x00,
+					   0xa3, 0xfc, 0x8b, 0x2c, 0xe2, 0xa1, 0xea, 0x3a,
+					   0x3d, 0xd7, 0xcf, 0xad, 0x46, 0xc1, 0xb2, 0x78,
+					   0x30, 0xb9, 0x40, 0xba, 0x18, 0xd0, 0x9e, 0x9b,
+					   0x7f, 0xa9, 0x02, 0xbb, 0x76, 0x06, 0x69, 0xb1,
+					   0x73, 0x5c, 0xc7, 0xb7, 0xbd, 0x39, 0x05, 0x2d,
+					   0xa7, 0xf2, 0x62, 0x6f, 0xa8, 0x70, 0x00, 0xcf,
+					   0xfa, 0xda, 0x41, 0x00, 0x19, 0xd0, 0x53, 0x38,
+					   0x6a, 0xd8, 0x08, 0xbd, 0x3c, 0x0c, 0xfc, 0xf5,
+					   0x6b, 0x91, 0x87, 0x9e, 0xb8, 0xd3, 0xf9, 0x32,
+					   0xee, 0x2d, 0x18, 0x5e, 0x54, 0xf3, 0x1b, 0x74)
+	},
+	/* SHA-256 test case 7 - count 0 */
+	{ chunk_from_chars(0x40, 0x93, 0x3f, 0xdc, 0xce, 0x41, 0x59, 0xb0,
+					   0x95, 0x51, 0x11, 0xf8, 0x44, 0x47, 0x1b, 0x0d,
+					   0xb8, 0x5b, 0x73, 0xbd, 0xd2, 0xb7, 0x8c, 0x46,
+					   0x8d, 0xd3, 0x9e, 0x2a, 0x9b, 0x29, 0xae, 0xf2),
+	  chunk_from_chars(0x28, 0xba, 0x1a, 0x66, 0x16, 0x32, 0xef, 0xc8,
+					   0xec, 0xce, 0xd5, 0xf5, 0x1b, 0x79, 0x13, 0x00,
+					   0xfb, 0x3b, 0x55, 0xb0, 0x5d, 0x04, 0x17, 0x08,
+					   0x63, 0x8d, 0xe4, 0xbe, 0xb7, 0x57, 0xa9, 0xe5,
+					   0x76, 0x82, 0x87, 0x96, 0xaf, 0xf0, 0x7f, 0x55,
+					   0x79, 0x5c, 0xb5, 0x47, 0x13, 0xc7, 0x7e, 0xd4,
+					   0xa5, 0xf5, 0x42, 0xb0, 0x4a, 0xaa, 0x5d, 0xbc,
+					   0x93, 0x1e, 0x47, 0x01, 0x9f, 0xeb, 0x38, 0x96,
+					   0x26, 0x16, 0xc5, 0x7a, 0xf0, 0x9b, 0x7c, 0x1d,
+					   0xf8, 0x3f, 0x2b, 0x86, 0x0f, 0xf7, 0x65, 0x86),
+	  chunk_from_chars(0x65, 0xe5, 0xaa, 0x47, 0xb3, 0x85, 0xf1, 0xea,
+					   0x42, 0xb2, 0x31, 0xb9, 0xfe, 0x74, 0x42, 0x53,
+					   0xb8, 0x59, 0x88, 0x59, 0xd7, 0x01, 0x1e, 0x52,
+					   0x5f, 0x5a, 0x2a, 0x1a, 0xd3, 0x2a, 0x97, 0x2a,
+					   0x85, 0x08, 0x02, 0xc6, 0x0a, 0x2b, 0xe1, 0x9b,
+					   0xe2, 0x70, 0x06, 0x3a, 0x3c, 0xfb, 0xea, 0xae,
+					   0x95, 0x4f, 0x10, 0xb1, 0x22, 0x35, 0x2d, 0xe6,
+					   0xa0, 0x8a, 0xc4, 0x10, 0xe0, 0x99, 0x16, 0x53,
+					   0xaa, 0xb2, 0x71, 0xb3, 0x60, 0xfe, 0x91, 0x91,
+					   0xcf, 0x5a, 0xdd, 0xcc, 0xcc, 0xed, 0x8c, 0x4a,
+					   0xcf, 0xb6, 0x14, 0x57, 0x04, 0x99, 0x92, 0x98,
+					   0x8f, 0xd7, 0xa9, 0xac, 0xca, 0x1f, 0x1b, 0xca,
+					   0x35, 0xf1, 0x47, 0x58, 0x13, 0x69, 0x4a, 0x39,
+					   0x98, 0x8e, 0x5f, 0xac, 0x9f, 0x4a, 0xc0, 0x57,
+					   0x22, 0x86, 0xbc, 0x46, 0x25, 0x82, 0xad, 0x0a,
+					   0xf7, 0x8a, 0xb3, 0xb8, 0x5e, 0xc1, 0x7a, 0x25)
+	}
+};
+
+START_TEST(test_ntru_drbg)
+{
+	ntru_drbg_t *drbg;
+	rng_t *entropy;
+	chunk_t out;
+
+	out = chunk_alloc(128);
+	entropy = test_rng_create(drbg_tests[_i].entropy);
+	drbg = ntru_drbg_create(256, drbg_tests[_i].pers_str, entropy);
+	ck_assert(drbg != NULL);
+	ck_assert(drbg->reseed(drbg));
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+	ck_assert(chunk_equals(out, drbg_tests[_i].out));
+	drbg->destroy(drbg);
+	entropy->destroy(entropy);
+	chunk_free(&out);
+}
+END_TEST
+
+START_TEST(test_ntru_drbg_reseed)
+{
+	ntru_drbg_t *drbg;
+	rng_t *entropy;
+	chunk_t out;
+
+	lib->settings->set_int(lib->settings,
+						  "libstrongswan.plugins.ntru.max_drbg_requests", 2);
+	out = chunk_alloc(128);
+	entropy = test_rng_create(drbg_tests[0].entropy);
+	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+
+	/* bad output parameters */
+	ck_assert(!drbg->generate(drbg, 256, 0, out.ptr));
+	ck_assert(!drbg->generate(drbg, 256, 128, NULL));
+
+	/* no reseeding occurs */
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+
+	/* consuming remaining entropy */
+	ck_assert(entropy->get_bytes(entropy, 32, out.ptr));
+
+	/* no entropy available for automatic reseeding */
+	ck_assert(!drbg->generate(drbg, 256, 128, out.ptr));
+	drbg->destroy(drbg);
+
+	/* no entropy available for DRBG instantiation */
+	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	ck_assert(drbg == NULL);
+	entropy->destroy(entropy);
+
+	/* one automatic reseeding occurs */
+	entropy = test_rng_create(drbg_tests[0].entropy);
+	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+
+	/* no entropy left */
+	ck_assert(!entropy->get_bytes(entropy, 32, out.ptr));
+
+	drbg->destroy(drbg);
+	entropy->destroy(entropy);
+	chunk_free(&out);
+	lib->settings->set_int(lib->settings,
+						  "libstrongswan.plugins.ntru.max_drbg_requests", 2000);
+}
+END_TEST
+
+typedef struct {
+	uint8_t c_bits;
+	uint16_t N;
+	uint16_t q;
+	bool is_product_form;
+	uint32_t indices_len;
+	uint32_t indices_size;
+	uint16_t *indices;
+} poly_test_t;
+
+typedef struct {
+	hash_algorithm_t alg;
+	size_t hash_size;
+	size_t ml1, ml2, ml3, seed_len;
+	chunk_t seed;
+	chunk_t hashed_seed;
+	chunk_t mask;
+	chunk_t trits;
+	poly_test_t poly_test[2];
+} mgf1_test_t;
+
+uint16_t indices_ees439ep1[] = {
+	367, 413,  16, 214, 114, 128,  42, 268, 346, 329, 119, 303, 208, 287, 150,
+	  3,  45, 321, 110, 109, 272, 430,  80, 305,  51, 381, 322, 140, 207, 315,
+	206, 186,  56,   5, 273, 177,  44, 100, 205, 210,  98, 191,   8, 336
+};
+
+uint16_t indices_ees613ep1[] = {
+	245, 391, 251, 428, 301,   2, 176, 296, 461, 224, 590, 215, 250,  91, 395,
+	363,  58, 537, 278, 291, 247,  33, 140, 447, 172, 514, 424, 412,  95,  94,
+	281, 159, 196, 302, 277,  63, 404, 150, 608, 315, 195, 334, 207, 376, 398,
+	  0, 309, 486, 516,  86, 267, 139, 130,  38, 141, 258,  21, 341, 526, 388,
+	194, 116, 138, 524, 547, 383, 542, 406, 270, 438, 240, 445, 527, 168, 320,
+	186, 327, 212, 543,  82, 606, 131, 294, 392, 477, 430, 583, 142, 253, 434,
+	134, 458, 559, 414, 162, 407, 580, 577, 191, 109, 554, 523,  32,  62, 297,
+	283, 268,  54, 539,   5
+};
+
+uint16_t indices_ees743ep1[] = {
+	285,  62, 136, 655, 460,  35, 450, 208, 340, 212,  61, 234, 454,  52, 520,
+	399, 315, 616, 496,  88, 280, 543, 508, 237, 553,  39, 214, 253, 720, 291,
+	586, 615, 635, 596,  62, 499, 301, 176, 271, 659, 372, 185, 621, 350, 683,
+	180, 717, 509, 641, 738, 666, 171, 639, 606, 353, 706, 237, 358, 410, 423,
+	197, 501, 261, 654, 658, 701, 377, 182, 548, 287, 700, 403, 248, 137
+};
+
+uint16_t indices_ees1171ep1[] = {
+	514, 702, 760, 505, 262, 486, 695, 783, 533,  74, 403, 847, 170,1019, 568,
+	676,1057, 277,1021, 238, 203, 884, 124,  87,  65,  93, 131, 881,1102, 133,
+	459, 462,  92,  40,   5,1152,1158, 297, 599, 299,   7, 458, 347, 343, 173,
+   1044, 264, 871, 819, 679, 328, 438, 990, 982, 308,1135, 423, 470, 254, 295,
+   1029, 892, 759, 789, 123, 939, 749, 353,1062, 145, 562, 337, 550, 102, 549,
+	821,1098, 823,  96, 365, 135,1110, 334, 391, 638, 963, 962,1002,1069, 993,
+	983, 649,1056, 399, 385, 715, 582, 799, 161, 512, 629, 979, 250,  37, 213,
+	929, 413, 566, 336, 727, 160, 616,1170, 748, 282,1115, 325, 994, 189, 500,
+	913, 332,1118, 753, 946, 775,  59, 809, 782, 612, 909,1090, 223, 777, 940,
+	866,1032, 471, 298, 969, 192, 411, 721, 476, 910,1045,1027, 812, 352, 487,
+	215, 625, 808, 230, 602, 457, 900, 416, 985, 850, 908, 155, 670, 669,1054,
+	400,1126, 733, 647, 786, 195, 148, 362,1094, 389,1086,1166, 231, 436, 210,
+	333, 824, 785, 826, 658, 472, 639,1046,1028, 519, 422,  80, 924,1089, 547,
+   1157, 579,   2, 508,1040, 998, 902,1058, 600, 220, 805, 945, 140,1117, 179,
+	536, 191
+};
+
+/**
+ * MGF1 Mask Generation Function Test Vectors
+ */
+mgf1_test_t mgf1_tests[] = {
+	{	HASH_SHA1, 20, 60, 20, 15, 24,
+		chunk_from_chars( 
+						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
+						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
+						0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2,
+						0xB5, 0xCA, 0xBF, 0x06, 0x43, 0x45, 0x19, 0xD5,
+						0xE7, 0x36, 0xD0, 0x29, 0x21, 0xDA, 0x02, 0x20,
+						0x45, 0xF6, 0x5F, 0x0F, 0x10, 0x04, 0x2A, 0xE3,
+						0x6A, 0x1D, 0xD5, 0x9F, 0x1D, 0x66, 0x44, 0x8F,
+						0xFA, 0xC6, 0xCA, 0xA4, 0x6E, 0x3B, 0x00, 0x66,
+						0xA6, 0xC9, 0x80, 0x5C, 0xF5, 0x2D, 0xD7, 0x72,
+						0xC6, 0xD4, 0x4F, 0x30, 0x72, 0xA2, 0xAD, 0xE0,
+						0x33, 0xE8, 0x55, 0xD5, 0xE6, 0xD6, 0x00, 0x1D,
+						0xA8, 0x68, 0xFF, 0x97, 0x36, 0x8A, 0xF4, 0xD6,
+						0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB,
+						0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20),
+		chunk_from_chars(
+						0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7,
+						0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0,
+						0x21, 0xC4, 0x90, 0xB6),
+		chunk_from_chars(
+						0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E,
+						0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1,
+						0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46,
+						0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1,
+						0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16,
+						0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D,
+						0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10,
+						0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29,
+						0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1,
+						0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B,
+						0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66,
+						0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
+						0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
+						0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
+						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), 
+		chunk_from_chars(
+				1, 2, 1, 0, 0,  1, 1, 1, 2, 0,  1, 0, 1, 1, 1,  0, 2, 0, 1, 1,
+				0, 0, 0, 1, 1,  0, 2, 0, 2, 2,	1, 2, 2, 2, 1,  2, 1, 1, 0, 0,
+				2, 0, 1, 1, 1,	0, 0, 0, 0, 1,  1, 2, 0, 0, 1,  0, 1, 0, 2, 0,
+				0, 1, 0, 2, 1,  0, 0, 0, 2, 0,  0, 0, 1, 2, 2,	0, 0, 2, 0, 1,
+				1, 2, 1, 1, 0,  0, 1, 1, 1, 2,	2, 1, 2, 0, 0,  2, 1, 0, 0, 1,
+				0, 1, 1, 0, 0,	0, 1, 2, 2, 0,  1, 2, 1, 2, 0,  2, 0, 0, 0, 2,
+				1, 2, 0, 0, 0,  2, 0, 0, 0, 2,  2, 1, 0, 2, 0,	1, 2, 0, 2, 1,
+				0, 2, 2, 1, 0,  2, 1, 2, 2, 0,  2, 0, 2, 1, 2,  2, 0, 2, 0, 1,
+				1, 2, 2, 2, 2,  1, 0, 1, 0, 2,  2, 0, 1, 1, 2,  2, 2, 0, 0, 1,
+				0, 2, 0, 1, 0,  2, 1, 2, 1, 0,  1, 1, 2, 0, 0,  2, 1, 1, 2, 0,
+				1, 2, 1, 1, 0,  1, 0, 2, 1, 1,  1, 2, 1, 0, 2,  0, 2, 0, 0, 2,
+				2, 1, 0, 0, 2,  2, 0, 1, 1, 0,  0, 1, 1, 0, 1,  1, 2, 1, 2, 2,
+				2, 0, 0, 0, 0,  1, 0, 0, 1, 2,  1, 2, 0, 2, 1,  1, 1, 0, 2, 2,
+				1, 2, 2, 1, 0,  1, 0, 2, 2, 2,  1, 2, 1, 0, 0,  1, 0, 1, 1, 1,
+				1, 1, 2, 0, 0,  2, 1, 0, 2, 1,  2, 1, 0, 2, 2,  0, 0, 1, 2, 1,
+				2, 0, 1, 2, 1,  1, 2, 0, 2, 0,  2, 1, 1, 1, 0,  0, 0, 1, 2, 1,
+				2, 2, 1, 2, 1,  1, 2, 1, 2, 0,  2, 2, 1, 0, 0,  1, 2, 0, 1, 1,
+				2, 0, 0, 0, 1,  2, 2, 1, 2, 0,  0, 2, 1, 0, 2,  2, 2, 1, 1, 0,
+				2, 1, 2, 1, 2,  2, 1, 2, 1, 1,  0, 1, 1, 1, 1,  2, 0, 2, 2, 1,
+				0, 1, 1, 2, 1,  2, 0, 2, 1, 0,  1, 0, 1, 0, 1,  2, 0, 1, 1, 0,
+				0, 1, 1, 2, 0,  2, 2, 0, 0, 0,  1, 1, 0, 1, 0,  1, 1, 0, 1, 1,
+				0, 1, 2, 0, 1,  1, 0, 1, 2, 0,  0, 1, 2, 2, 0,  0, 2, 1, 2),
+		{
+			{	9, 439, 2048, TRUE, 9 + (8 << 8) + (5 << 16),
+				countof(indices_ees439ep1), indices_ees439ep1
+			},
+			{	11, 613, 2048, FALSE, 55,
+				countof(indices_ees613ep1), indices_ees613ep1
+			}
+		}
+	},
+	{	HASH_SHA256, 32, 64, 32, 33, 40,
+		chunk_from_chars(
+						0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
+						0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
+						0xC5, 0x9D, 0xDE, 0xF6, 0xFC, 0xFA, 0x93, 0xCE,
+						0x32, 0x52, 0x66, 0xF9, 0xC9, 0x97, 0xF6, 0x42,
+						0x00, 0x2C, 0x64, 0xED, 0x1A, 0x6B, 0x14, 0x0A,
+						0x4B, 0x04, 0xCF, 0x6D, 0x2D, 0x82, 0x0A, 0x07,
+						0xA2, 0x3B, 0xDE, 0xCE, 0x19, 0x8A, 0x39, 0x43,
+						0x16, 0x61, 0x29, 0x98, 0x68, 0xEA, 0xE5, 0xCC,
+						0x0A, 0xF8, 0xE9, 0x71, 0x26, 0xF1, 0x07, 0x36,
+						0x2C, 0x07, 0x1E, 0xEB, 0xE4, 0x28, 0xA2, 0xF4,
+						0xA8, 0x12, 0xC0, 0xC8, 0x20, 0x37, 0xF8, 0xF2,
+						0x6C, 0xAF, 0xDC, 0x6F, 0x2E, 0xD0, 0x62, 0x58,
+						0xD2, 0x37, 0x03, 0x6D, 0xFA, 0x6E, 0x1A, 0xAC,
+						0x9F, 0xCA, 0x56, 0xC6, 0xA4, 0x52, 0x41, 0xE8,
+						0x0F, 0x1B, 0x0C, 0xB9, 0xE6, 0xBA, 0xDE, 0xE1,
+						0x03, 0x5E, 0xC2, 0xE5, 0xF8, 0xF4, 0xF3, 0x46,
+						0x3A, 0x12, 0xC0, 0x1F, 0x3A, 0x00, 0xD0, 0x91,
+						0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4,
+						0x54, 0xEE, 0x20, 0xF0, 0x80),
+		chunk_from_chars(
+						0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
+						0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
+						0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
+						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), 
+		chunk_from_chars(
+						0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
+						0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
+						0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F,
+						0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A,
+						0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6,
+						0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5,
+						0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC,
+						0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13,
+						0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B,
+						0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07,
+						0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92,
+						0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08,
+						0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6,
+						0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC,
+						0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA,
+						0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD,
+						0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3,
+						0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6,
+						0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95,
+						0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42),
+		chunk_from_chars(
+				1, 2, 2, 2, 2,  1, 2, 2, 0, 0,  2, 0, 0, 0, 0,  1, 2, 2, 2, 0,
+				2, 0, 0, 2, 2,  1, 2, 0, 0, 1,  2, 1, 0, 0, 0,  1, 0, 2, 2, 1,
+				1, 2, 0, 0, 0,  1, 2, 0, 2, 2,  1, 2, 1, 0, 1,  0, 1, 2, 1, 1,
+				1, 2, 0, 1, 0,  2, 1, 1, 0, 0,  0, 1, 2, 0, 0,  1, 2, 1, 2, 0,
+				2, 1, 1, 1, 2,  2, 2, 2, 1, 0,  0, 2, 0, 2, 0,  1, 1, 0, 2, 2,
+				2, 0, 1, 0, 2,  2, 1, 0, 1, 0,  1, 0, 0, 2, 2,  0, 0, 1, 2, 0,
+				1, 1, 1, 0, 0,  2, 0, 2, 1, 2,  2, 2, 0, 0, 2,  1, 0, 2, 0, 1,
+				0, 1, 2, 0, 1,  2, 0, 1, 0, 1,  2, 0, 2, 2, 0,  1, 2, 2, 1, 2,
+				2, 2, 0, 2, 1,  1, 1, 0, 0, 1,  0, 2, 0, 0, 1,  0, 1, 2, 0, 0,
+				1, 2, 1, 0, 2,  1, 1, 0, 0, 2,  1, 2, 2, 2, 1,  2, 1, 1, 2, 2,
+				0, 2, 0, 0, 2,  0, 0, 1, 1, 2,  0, 0, 0, 1, 2,  1, 1, 1, 1, 0,
+				0, 0, 2, 0, 2,  0, 2, 2, 1, 2,  2, 0, 0, 1, 1,  1, 0, 1, 0, 1,
+				0, 1, 2, 2, 0,  2, 1, 1, 0, 2,  1, 2, 1, 2, 1,  0, 0, 1, 0, 0,
+				1, 0, 1, 0, 2,  0, 2, 0, 0, 1,  2, 0, 2, 0, 1,  1, 0, 2, 0, 0,
+				1, 2, 1, 2, 1,  2, 1, 0, 1, 1,  2, 2, 1, 1, 0,  0, 2, 1, 2, 0,
+				1, 0, 2, 0, 0,  1, 2, 0, 2, 0,  1, 1, 2, 2, 2,  2, 0, 0, 1, 2,
+				1, 1, 1, 0, 2,  1, 2, 2, 0, 2,  0, 1, 2, 2, 0,  1, 1, 1, 0, 0,
+				2, 0, 1, 0, 1,  0, 2, 1, 2, 0,  2, 1, 2, 1, 2,  2, 0, 2, 1, 0,
+				2, 1, 2, 0, 0,  2, 0, 1, 2, 1,  1, 2, 0, 0, 0,  0, 1, 2, 0, 1,
+				2, 2, 1, 0, 0,  1, 2, 1, 2, 0,  0, 1, 1, 0, 0,  0, 1, 0, 0, 0,
+				2, 0, 1, 2, 1,  2, 0, 0, 0, 2,  1, 0, 0, 0, 1,  2, 2, 0, 0, 0,
+				2, 2, 1, 1, 0,  1, 0, 2, 2, 0,  2, 1, 2, 1, 0,  2, 2, 2, 0, 0,
+				0, 1, 1, 2, 1,  0, 0, 0, 0, 1,  2, 2, 1, 2, 1,  2, 0, 2, 0, 2,
+				1, 1, 1, 2, 1,  2, 1, 2, 1, 1,  0, 1, 0, 2, 0,  0, 0, 2, 1, 2,
+				2, 2, 2, 0, 1,  1, 1, 0, 1, 0,  2, 0, 2, 1, 0,  1, 2, 1, 1, 0,
+				1, 2, 1, 0, 0,  2, 1, 0, 1, 1,  2, 2, 1, 1, 1,  2, 2, 2, 1, 0,
+				0, 0, 0, 1, 1,  0, 0, 2, 2, 2,  2, 2, 0, 1, 2,  0, 1, 2, 0, 1,
+				1, 0, 1, 1, 2,  2, 0, 1, 1, 0,  2, 2, 1, 1, 1,  2, 1, 2, 2, 1,
+				1, 0, 1, 0, 2,  2, 1, 0, 2, 2,  2, 2, 2, 1, 0,  2, 2, 2, 1, 2,
+				0, 2, 0, 0, 0,  0, 0, 1, 2, 0,  1, 0, 1),
+		{
+			{	13, 743, 2048, TRUE, 11 + (11 << 8) + (15 << 16),
+				countof(indices_ees743ep1), indices_ees743ep1
+			},
+			{	12, 1171, 2048, FALSE, 106,
+				countof(indices_ees1171ep1), indices_ees1171ep1
+			}
+		}
+	}
+};
+
+START_TEST(test_ntru_mgf1)
+{
+	ntru_mgf1_t *mgf1;
+	chunk_t mask, mask1, mask2, mask3;
+
+	mask1 = mgf1_tests[_i].mask;
+	mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1);
+	mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2);
+	mask1.len = mgf1_tests[_i].ml1;
+	mask2.len = mgf1_tests[_i].ml2;
+	mask3.len = mgf1_tests[_i].ml3;
+
+	mgf1 = ntru_mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
+	ck_assert(mgf1 == NULL);
+
+	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
+	ck_assert(mgf1 == NULL);
+
+	/* return mask in allocated chunk */
+	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	ck_assert(mgf1);
+
+	/* check hash size */
+	ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
+
+	/* get zero number of octets */
+	ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
+	ck_assert(mask.len == 0 && mask.ptr == NULL);
+
+	/* get non-zero number of octets */
+	ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
+	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+	mgf1->destroy(mgf1);
+
+	/* copy mask to pre-allocated buffer */
+	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	ck_assert(mgf1);
+	ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
+	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+	mgf1->destroy(mgf1);
+
+	/* get mask in batches without hashing the seed */
+	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
+	ck_assert(mgf1);
+
+	/* first batch */
+	ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
+	mask.len = mask1.len;
+	ck_assert(chunk_equals(mask, mask1));
+
+	/* second batch */
+	ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
+	mask.len = mask2.len;
+	ck_assert(chunk_equals(mask, mask2));
+
+	/* third batch */
+	ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
+	mask.len = mask3.len;
+	ck_assert(chunk_equals(mask, mask3));
+
+	mgf1->destroy(mgf1);
+	chunk_free(&mask);
+}
+END_TEST
+
+START_TEST(test_ntru_trits)
+{
+	ntru_trits_t *mask;
+	chunk_t trits;
+
+	mask = ntru_trits_create(mgf1_tests[_i].trits.len, HASH_UNKNOWN,
+							 mgf1_tests[_i].seed);
+	ck_assert(mask == NULL);
+
+	mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
+							 chunk_empty);
+	ck_assert(mask == NULL);
+
+	mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
+							 mgf1_tests[_i].seed);
+	ck_assert(mask);
+
+	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
+	ck_assert(chunk_equals(trits, mgf1_tests[_i].trits));
+	mask->destroy(mask);
+
+	/* generate a multiple of 5 trits */
+	mask = ntru_trits_create(10, mgf1_tests[_i].alg, mgf1_tests[_i].seed);
+	ck_assert(mask);
+
+	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
+	ck_assert(chunk_equals(trits, chunk_create(mgf1_tests[_i].trits.ptr, 10)));
+	mask->destroy(mask);
+}
+END_TEST
+
+START_TEST(test_ntru_poly)
+{
+	ntru_poly_t *poly;
+	uint16_t *indices;
+	chunk_t seed;
+	poly_test_t *p;
+	int j, n;
+
+	seed = mgf1_tests[_i].seed;
+	seed.len = mgf1_tests[_i].seed_len;
+
+	p = &mgf1_tests[_i].poly_test[0];
+	poly = ntru_poly_create_from_seed(HASH_UNKNOWN, seed, p->c_bits, p->N, p->q,
+									  p->indices_len, p->indices_len,
+									  p->is_product_form);
+	ck_assert(poly == NULL);
+
+	for (n = 0; n < 2; n++)
+	{
+		p = &mgf1_tests[_i].poly_test[n];
+		poly = ntru_poly_create_from_seed(mgf1_tests[_i].alg, seed, p->c_bits,
+										  p->N, p->q, p->indices_len,
+										  p->indices_len, p->is_product_form);
+		ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size);
+
+		indices = poly->get_indices(poly);
+		for (j = 0; j < p->indices_size; j++)
+		{
+			ck_assert(indices[j] == p->indices[j]);
+		}
+		poly->destroy(poly);
+	}
+}
+END_TEST
+
+typedef struct {
+	uint16_t N;
+	uint16_t q;
+	bool is_product_form;
+	uint32_t indices_len_p;
+	uint32_t indices_len_m;
+	uint16_t *indices;
+	uint16_t *a;
+	uint16_t *c;
+} ring_mult_test_t;
+
+uint16_t t1_indices[] = { 1, 6, 5, 3 };
+
+uint16_t t1_a[] = { 1, 0, 0, 0, 0, 0, 0 };
+uint16_t t1_c[] = { 0, 1, 0, 7, 0, 7, 1 };
+
+uint16_t t2_a[] = { 5, 0, 0, 0, 0, 0, 0 };
+uint16_t t2_c[] = { 0, 5, 0, 3, 0, 3, 5 };
+
+uint16_t t3_a[]  = { 4, 0, 0, 0, 0, 0, 0 };
+uint16_t t3_c[]  = { 0, 4, 0, 4, 0, 4, 4 };
+
+uint16_t t4_a[]  = { 0, 6, 0, 0, 0, 0, 0 };
+uint16_t t4_c[]  = { 6, 0, 6, 0, 2, 0, 2 };
+
+uint16_t t5_a[]  = { 4, 6, 0, 0, 0, 0, 0 };
+uint16_t t5_c[]  = { 6, 4, 6, 4, 2, 4, 6 };
+
+uint16_t t6_a[]  = { 0, 0, 3, 0, 0, 0, 0 };
+uint16_t t6_c[]  = { 5, 3, 0, 3, 0, 5, 0 };
+
+uint16_t t7_a[]  = { 4, 6, 3, 0, 0, 0, 0 };
+uint16_t t7_c[]  = { 3, 7, 6, 7, 2, 1, 6 };
+
+uint16_t t8_a[]  = { 0, 0, 0, 7, 0, 0, 0 };
+uint16_t t8_c[]  = { 0, 1, 7, 0, 7, 0, 1 };
+
+uint16_t t9_a[]  = { 4, 6, 3, 7, 0, 0, 0 };
+uint16_t t9_c[]  = { 3, 0, 5, 7, 1, 1, 7 };
+
+uint16_t t10_a[] = { 0, 0, 0, 0, 0, 1, 0 };
+uint16_t t10_c[] = { 0, 7, 0, 7, 1, 0, 1 };
+
+uint16_t t11_a[] = { 4, 6, 3, 7, 0, 1, 0 };
+uint16_t t11_c[] = { 3, 7, 5, 6, 2, 1, 0 };
+
+uint16_t t2_indices[] = { 1, 6, 5, 2, 3 };
+
+uint16_t t12_c[] = { 0, 1, 7, 7, 0, 1, 1 };
+uint16_t t13_c[] = { 0, 1, 7, 7, 0, 7, 1 };
+uint16_t t14_c[] = { 0, 1, 0, 31, 0, 31, 1 };
+uint16_t t15_c[] = { 0, 5, 0, 2043, 0, 2043, 5 };
+uint16_t t16_c[] = { 0, 5, 0, 32763, 0, 32763, 5 };
+
+uint16_t t3_indices[] = { 7, 2, 3, 5, 0, 2, 3, 10, 7, 0, 8, 2 };
+
+uint16_t t17_a[] = { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+uint16_t t17_c[] = { 7, 1, 0, 1, 1, 7, 0, 7, 7, 7, 2 };
+
+ring_mult_test_t ring_mult_tests[] = {
+	{  7,     8, FALSE, 2, 2, t1_indices, t1_a,  t1_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t2_a,  t2_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t3_a,  t3_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t4_a,  t4_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t5_a,  t5_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t6_a,  t6_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t7_a,  t7_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t8_a,  t8_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t9_a,  t9_c  },
+	{  7,     8, FALSE, 2, 2, t1_indices, t10_a, t10_c },
+	{  7,     8, FALSE, 2, 2, t1_indices, t11_a, t11_c },
+	{  7,     8, FALSE, 3, 2, t2_indices, t1_a,  t12_c },
+	{  7,     8, FALSE, 2, 3, t2_indices, t1_a,  t13_c },
+	{  7,    32, FALSE, 2, 2, t1_indices, t1_a,  t14_c },
+	{  7,  2048, FALSE, 2, 2, t1_indices, t2_a,  t15_c },
+	{  7, 32768, FALSE, 2, 2, t1_indices, t2_a,  t16_c },
+	{ 11,     8, TRUE, 197121, 197121, t3_indices, t17_a,  t17_c },
+};
+
+START_TEST(test_ntru_ring_mult)
+{
+	ntru_poly_t *poly;
+	ring_mult_test_t *t;
+	uint16_t *c;
+	int i;
+
+	t = &ring_mult_tests[_i];
+	poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
+									  t->indices_len_m, t->is_product_form);
+	ck_assert(poly != NULL);
+
+	c = malloc(t->N * sizeof(uint16_t));
+	poly->ring_mult(poly, t->a, c);
+
+	for (i = 0; i < t->N; i++)
+	{
+		ck_assert(c[i] == t->c[i]);
+	}
+
+	free(c);
+	poly->destroy(poly);
+}
+END_TEST
+
+int array_tests[] = { 0, 11, 12, 16 };
+
+START_TEST(test_ntru_array)
+{
+	ntru_poly_t *poly;
+	ring_mult_test_t *t;
+	uint16_t *c;
+	int i;
+
+	t = &ring_mult_tests[array_tests[_i]];
+
+	poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
+									  t->indices_len_m, t->is_product_form);
+	ck_assert(poly != NULL);
+
+	c = malloc(t->N * sizeof(uint16_t));
+	poly->get_array(poly, c);
+
+	for (i = 0; i < t->N; i++)
+	{
+		ck_assert(c[i] == t->c[i]);
+	}
+
+	free(c);
+	poly->destroy(poly);
+}
+END_TEST
+
+START_TEST(test_ntru_ke)
+{
+	chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret;
+	diffie_hellman_t *i_ntru, *r_ntru;
+	char buf[10];
+	int n, len;
+	status_t status;
+
+	len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names,
+				   params[_i].group);
+	ck_assert(len == 8);
+	ck_assert(streq(buf, params[_i].group_name));
+
+	for (n = 0; n < countof(parameter_sets); n++)
+	{
+		lib->settings->set_str(lib->settings,
+							  "libstrongswan.plugins.ntru.parameter_set",
+							   parameter_sets[n]);
+
+		i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
+		ck_assert(i_ntru != NULL);
+		ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group);
+
+		i_ntru->get_my_public_value(i_ntru, &pub_key);
+		ck_assert(pub_key.len > 0);
+
+		r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
+		ck_assert(r_ntru != NULL);
+
+		r_ntru->set_other_public_value(r_ntru, pub_key);
+		r_ntru->get_my_public_value(r_ntru, &cipher_text);
+		ck_assert(cipher_text.len > 0);
+
+		status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
+		ck_assert(status == SUCCESS);
+		ck_assert(r_shared_secret.len > 0);
+
+		i_ntru->set_other_public_value(i_ntru, cipher_text);
+		status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+
+		if (status == SUCCESS)
+		{
+			ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
+		}
+		else
+		{
+			ck_assert(i_shared_secret.len == 0);
+		}
+
+		chunk_clear(&i_shared_secret);
+		chunk_clear(&r_shared_secret);
+		chunk_free(&pub_key);
+		chunk_free(&cipher_text);
+		i_ntru->destroy(i_ntru);
+		r_ntru->destroy(r_ntru);
+	}
+}
+END_TEST
+
+START_TEST(test_ntru_retransmission)
+{
+	diffie_hellman_t *i_ntru;
+	chunk_t pub_key1, pub_key2;
+
+	i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_256_BIT);
+	i_ntru->get_my_public_value(i_ntru, &pub_key1);
+	i_ntru->get_my_public_value(i_ntru, &pub_key2);
+	ck_assert(chunk_equals(pub_key1, pub_key2));
+
+	chunk_free(&pub_key1);
+	chunk_free(&pub_key2);
+	i_ntru->destroy(i_ntru);
+}
+END_TEST
+
+chunk_t oid_tests[] = {
+	{ NULL, 0 },
+	chunk_from_chars(0x00),
+	chunk_from_chars(0x01),
+	chunk_from_chars(0x02),
+	chunk_from_chars(0x02, 0x03, 0x00, 0x03, 0x10),
+	chunk_from_chars(0x01, 0x04, 0x00, 0x03, 0x10),
+	chunk_from_chars(0x01, 0x03, 0x00, 0x03, 0x10),
+	chunk_from_chars(0x01, 0x03, 0xff, 0x03, 0x10),
+};
+
+START_TEST(test_ntru_pubkey_oid)
+{
+	diffie_hellman_t *r_ntru;
+	chunk_t cipher_text;
+
+	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+	r_ntru->set_other_public_value(r_ntru, oid_tests[_i]);
+	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(cipher_text.len == 0);
+	r_ntru->destroy(r_ntru);
+}
+END_TEST
+
+START_TEST(test_ntru_wrong_set)
+{
+	diffie_hellman_t *i_ntru, *r_ntru;
+	chunk_t pub_key, cipher_text;
+
+	lib->settings->set_str(lib->settings,
+						  "libstrongswan.plugins.ntru.parameter_set",
+			 			  "x9_98_bandwidth");
+	i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
+	i_ntru->get_my_public_value(i_ntru, &pub_key);
+
+	lib->settings->set_str(lib->settings,
+						  "libstrongswan.plugins.ntru.parameter_set",
+						  "optimum");
+	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
+	r_ntru->set_other_public_value(r_ntru, pub_key);
+	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(cipher_text.len == 0);
+
+	chunk_free(&pub_key);
+	chunk_free(&cipher_text);
+	i_ntru->destroy(i_ntru);
+	r_ntru->destroy(r_ntru);
+}
+END_TEST
+
+START_TEST(test_ntru_ciphertext)
+{
+	char buf_00[604], buf_ff[604];
+
+	chunk_t test[] = {
+		chunk_empty,
+		chunk_from_chars(0x00),
+		chunk_create(buf_00, sizeof(buf_00)),
+		chunk_create(buf_ff, sizeof(buf_ff)),
+	};
+
+	diffie_hellman_t *i_ntru;
+	chunk_t pub_key, shared_secret;
+	int i;
+
+	memset(buf_00, 0x00, sizeof(buf_00));
+	memset(buf_ff, 0xff, sizeof(buf_ff));
+
+	for (i = 0; i < countof(test); i++)
+	{
+		i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+		i_ntru->get_my_public_value(i_ntru, &pub_key);
+		i_ntru->set_other_public_value(i_ntru, test[i]);
+		ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+		ck_assert(shared_secret.len == 0);
+
+		chunk_free(&pub_key);
+		i_ntru->destroy(i_ntru);
+	}
+}
+END_TEST
+
+START_TEST(test_ntru_wrong_ciphertext)
+{
+	diffie_hellman_t *i_ntru, *r_ntru, *m_ntru;
+	chunk_t pub_key_i, pub_key_m, cipher_text, shared_secret;
+
+	i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+	m_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+
+	i_ntru->get_my_public_value(i_ntru, &pub_key_i);
+	m_ntru->get_my_public_value(m_ntru, &pub_key_m);
+	r_ntru->set_other_public_value(r_ntru, pub_key_m);
+	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	i_ntru->set_other_public_value(i_ntru, cipher_text);
+	ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+	ck_assert(shared_secret.len == 0);
+
+	chunk_free(&pub_key_i);
+	chunk_free(&pub_key_m);
+	chunk_free(&cipher_text);
+	i_ntru->destroy(i_ntru);
+	m_ntru->destroy(m_ntru);
+	r_ntru->destroy(r_ntru);
+}
+END_TEST
+
+Suite *ntru_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ntru");
+
+	tc = tcase_create("drbg_strength");
+	tcase_add_loop_test(tc, test_ntru_drbg_strength, 0, countof(strengths));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("drbg");
+	tcase_add_loop_test(tc, test_ntru_drbg, 0, countof(drbg_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("drgb_reseed");
+	tcase_add_test(tc, test_ntru_drbg_reseed);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("mgf1");
+	tcase_add_loop_test(tc, test_ntru_mgf1, 0, countof(mgf1_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("trits");
+	tcase_add_loop_test(tc, test_ntru_trits, 0, countof(mgf1_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("poly");
+	tcase_add_loop_test(tc, test_ntru_poly, 0, countof(mgf1_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ring_mult");
+	tcase_add_loop_test(tc, test_ntru_ring_mult, 0, countof(ring_mult_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("array");
+	tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ke");
+	tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("retransmission");
+	tcase_add_test(tc, test_ntru_retransmission);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("pubkey_oid");
+	tcase_add_loop_test(tc, test_ntru_pubkey_oid, 0, countof(oid_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wrong_set");
+	tcase_add_test(tc, test_ntru_wrong_set);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ciphertext");
+	tcase_add_test(tc, test_ntru_ciphertext);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wrong_ciphertext");
+	tcase_add_test(tc, test_ntru_wrong_ciphertext);
+	suite_add_tcase(s, tc);
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_pen.c b/src/libstrongswan/tests/suites/test_pen.c
new file mode 100644
index 000000000..a6cbc9aa1
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_pen.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "test_suite.h"
+
+#include <pen/pen.h>
+
+/*******************************************************************************
+ * create
+ */
+
+START_TEST(test_pen_type_create)
+{
+	pen_type_t ita_1 = pen_type_create(PEN_ITA, 100);
+
+	ck_assert(ita_1.vendor_id == PEN_ITA);
+	ck_assert(ita_1.type == 100);
+}
+END_TEST
+
+/*******************************************************************************
+ * equals
+ */
+
+START_TEST(test_pen_type_equals)
+{
+	pen_type_t ita_1 = pen_type_create(PEN_ITA, 100);
+	pen_type_t ita_2 = pen_type_create(PEN_ITA, 200);
+	pen_type_t fhh_1 = pen_type_create(PEN_FHH, 100);
+	pen_type_t fhh_2 = pen_type_create(PEN_FHH, 200);
+
+	ck_assert( pen_type_equals(ita_1, ita_1));
+	ck_assert(!pen_type_equals(ita_1, ita_2));
+	ck_assert(!pen_type_equals(ita_1, fhh_1));
+	ck_assert(!pen_type_equals(ita_1, fhh_2));
+}
+END_TEST
+
+/*******************************************************************************
+ * is
+ */
+
+START_TEST(test_pen_type_is)
+{
+	pen_type_t ita_1 = pen_type_create(PEN_ITA, 100);
+
+	ck_assert( pen_type_is(ita_1, PEN_ITA, 100));
+	ck_assert(!pen_type_is(ita_1, PEN_ITA, 200));
+	ck_assert(!pen_type_is(ita_1, PEN_FHH, 100));
+	ck_assert(!pen_type_is(ita_1, PEN_FHH, 200));
+}
+END_TEST
+
+Suite *pen_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("pen");
+
+	tc = tcase_create("create");
+	tcase_add_test(tc, test_pen_type_create);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("equals");
+	tcase_add_test(tc, test_pen_type_equals);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("is");
+	tcase_add_test(tc, test_pen_type_is);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_printf.c b/src/libstrongswan/tests/suites/test_printf.c
index 6c15fbea1..9e40d1fc0 100644
--- a/src/libstrongswan/tests/test_printf.c
+++ b/src/libstrongswan/tests/suites/test_printf.c
@@ -17,10 +17,10 @@
 
 #include <errno.h>
 #include <math.h>
+#include <inttypes.h>
 
 static void verify(char *expected, char *format, ...)
 {
-	FILE *mem;
 	char buf[128];
 	va_list args;
 
@@ -29,17 +29,35 @@ static void verify(char *expected, char *format, ...)
 	ck_assert_str_eq(expected, buf);
 	va_end(args);
 
-	mem = fmemopen(buf, sizeof(buf), "w");
-	va_start(args, format);
-	vfprintf(mem, format, args);
-	va_end(args);
-	fclose(mem);
-	ck_assert_str_eq(expected, buf);
+#ifdef HAVE_FMEMOPEN
+	{
+		FILE *mem;
+
+		mem = fmemopen(buf, sizeof(buf), "w");
+		va_start(args, format);
+		vfprintf(mem, format, args);
+		va_end(args);
+		fclose(mem);
+		ck_assert_str_eq(expected, buf);
+	}
+#endif /* HAVE_FMEMOPEN */
 }
 
+START_TEST(test_printf_null)
+{
+	char buf[16];
+
+	/* on FreeBSD "(null)" gets printed even when a precision of 0 is used.
+	 * because printing of "(null)" for NULL is not standardized we don't verify
+	 * the output and just make sure there is no crash */
+	snprintf(buf, sizeof(buf), "%s", NULL);
+}
+END_TEST
+
 START_TEST(test_printf_strings)
 {
 	verify("a bc def", "%s %s %s", "a", "bc", "def");
+	verify("", "%.0s", "asdfg");
 	verify("asd", "%.3s", "asdfg");
 	verify("asdf", "%.*s", (int)4, "asdfg");
 	verify("  asdf", "%6s", "asdf");
@@ -150,6 +168,26 @@ START_TEST(test_printf_float)
 }
 END_TEST
 
+START_TEST(test_printf_pri)
+{
+	verify("255", "%" PRIu8, (u_int8_t)0xFF);
+	verify("65535", "%" PRIu16, (u_int16_t)0xFFFF);
+	verify("4294967295", "%" PRIu32, (u_int32_t)0x1FFFFFFFFll);
+	verify("18446744073709551615", "%" PRIu64, (u_int64_t)0xFFFFFFFFFFFFFFFFll);
+
+	verify("-1", "%" PRId8, (int8_t)-1);
+	verify("-1", "%" PRId16, (int16_t)-1);
+	verify("-1", "%" PRId32, (int32_t)-1);
+	verify("-1", "%" PRId64, (int64_t)-1);
+
+	verify("1", "%" PRIuMAX, (uintmax_t)1);
+	verify("1", "%" PRIuPTR, (uintptr_t)1);
+
+	verify("-1", "%" PRIdMAX, (intmax_t)-1);
+	verify("-1", "%" PRIdPTR, (intptr_t)-1);
+}
+END_TEST
+
 Suite *printf_suite_create()
 {
 	Suite *s;
@@ -158,6 +196,7 @@ Suite *printf_suite_create()
 	s = suite_create("printf");
 
 	tc = tcase_create("strings");
+	tcase_add_test(tc, test_printf_null);
 	tcase_add_test(tc, test_printf_strings);
 	suite_add_tcase(s, tc);
 
@@ -181,5 +220,9 @@ Suite *printf_suite_create()
 	tcase_add_test(tc, test_printf_float);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("PRI*");
+	tcase_add_test(tc, test_printf_pri);
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c
index 4c75c34bc..2c1c6fb8d 100644
--- a/src/libstrongswan/tests/test_rsa.c
+++ b/src/libstrongswan/tests/suites/test_rsa.c
@@ -117,7 +117,7 @@ static void test_bad_sigs(public_key_t *pubkey)
  * RSA key sizes to test
  */
 static int key_sizes[] = {
-	786, 1024, 1536, 2048, 3072, 4096,
+	768, 1024, 1536, 2048, 3072, 4096,
 };
 
 START_TEST(test_gen)
@@ -377,11 +377,17 @@ Suite *rsa_suite_create()
 {
 	Suite *s;
 	TCase *tc;
+	int gen_count = countof(key_sizes);
 
 	s = suite_create("rsa");
 
+	if (getenv("TESTS_REDUCED_KEYLENGTHS") != NULL)
+	{
+		gen_count = min(1, gen_count);
+	}
+
 	tc = tcase_create("generate");
-	tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+	tcase_add_loop_test(tc, test_gen, 0, gen_count);
 	tcase_set_timeout(tc, 8);
 	suite_add_tcase(s, tc);
 
diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c
new file mode 100644
index 000000000..096465191
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_settings.c
@@ -0,0 +1,920 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <unistd.h>
+
+#include <utils/settings.h>
+#include <utils/chunk.h>
+#include <utils/utils.h>
+#include <collections/linked_list.h>
+
+static char *path = "/tmp/strongswan-settings-test";
+static settings_t *settings;
+
+static void create_settings(chunk_t contents)
+{
+	ck_assert(chunk_write(contents, path, 0022, TRUE));
+	settings = settings_create(path);
+}
+
+START_SETUP(setup_base_config)
+{
+	create_settings(chunk_from_str(
+		"main {\n"
+		"	key1 = val1\n"
+		"	# this gets overridden below\n"
+		"	key2 = val2\n"
+		"	none = \n"
+		"	sub1 {\n"
+		"		key = value\n"
+		"		key2 = value2\n"
+		"		subsub {\n"
+		"			foo = bar\n"
+		"		}\n"
+		"		# subsub is a section and a value\n"
+		"		subsub = section value\n"
+		"	}\n"
+		"	sub% {\n"
+		"		id = %any\n"
+		"	}\n"
+		"	key2 = with spaces\n"
+		"}\n"
+		"out = side\n"
+		"other {\n"
+		"	key1 = other val\n"
+		"	empty {\n"
+		"	}\n"
+		"}"));
+}
+END_SETUP
+
+START_TEARDOWN(teardown_config)
+{
+	settings->destroy(settings);
+	unlink(path);
+}
+END_TEARDOWN
+
+#define verify_string(expected, key, ...) \
+	ck_assert_str_eq(expected, settings->get_str(settings, key, NULL, ##__VA_ARGS__))
+#define verify_null(key, ...) \
+	ck_assert(!settings->get_str(settings, key, NULL, ##__VA_ARGS__))
+
+START_TEST(test_get_str)
+{
+	verify_string("val1", "main.key1");
+	verify_string("val1", "main..key1");
+	verify_string("val1", ".main.key1");
+	verify_string("with spaces", "main.key2");
+	verify_string("value", "main.sub1.key");
+	verify_string("value2", "main.sub1.key2");
+	verify_string("bar", "main.sub1.subsub.foo");
+	verify_string("section value", "main.sub1.subsub");
+	verify_string("%any", "main.sub%%.id");
+	verify_string("side", "out");
+	verify_string("other val", "other.key1");
+
+	/* FIXME: should this rather be undefined i.e. return the default value? */
+	verify_string("", "main.none");
+
+	verify_null("main.key3");
+	verify_null("other.sub");
+}
+END_TEST
+
+enum {
+	KEY1,
+	SUB1
+} settings_test_enum;
+
+enum_name_t *test_settings_test_names;
+
+ENUM_BEGIN(test_settings_test_names, KEY1, SUB1,
+	"key1", "sub1");
+ENUM_END(test_settings_test_names, SUB1);
+
+START_TEST(test_get_str_printf)
+{
+	verify_string("val1", "%s.key1", "main");
+	verify_string("val1", "%s.%s", "main", "key1");
+	verify_string("val1", "%s.%N", "main", test_settings_test_names, KEY1);
+	verify_string("val1", "%s.%s%d", "main", "key", 1);
+	verify_string("bar", "%s.sub1.%s.foo", "main", "subsub");
+	verify_string("bar", "%s.%N.%s.foo", "main", test_settings_test_names, SUB1, "subsub");
+	verify_string("bar", "%s.sub%d.%s.foo", "main", 1, "subsub");
+	verify_string("%any", "%s.sub%%.id", "main");
+
+	/* FIXME: this is a bit inconsistent, while this works */
+	verify_string("value2", "main.%s%u.key2", "sub", 1);
+	/* this won't because no argument is consumed for %u so key1 will be tried
+	 * granted, we never actually used any other specifiers, but we should
+	 * probably document it at least */
+	verify_null("main.%s%u.key%d", "sub", 1, 2);
+
+	verify_null("%s.%s%d", "main", "key", 3);
+}
+END_TEST
+
+START_TEST(test_set_str)
+{
+	settings->set_str(settings, "main.key1", "val");
+	verify_string("val", "main.key1");
+	settings->set_str(settings, "main.key1", "longer value");
+	verify_string("longer value", "main.key1");
+	settings->set_str(settings, "main", "main val");
+	verify_string("main val", "main");
+	settings->set_str(settings, "main.sub1.new", "added");
+	verify_string("added", "main.sub1.new");
+	settings->set_str(settings, "main.sub2.newsub.foo", "bar");
+	verify_string("bar", "main.sub2.newsub.foo");
+	settings->set_str(settings, "new.newsub.foo", "bar");
+	verify_string("bar", "new.newsub.foo");
+	settings->set_str(settings, "main.key1", NULL);
+	verify_null("main.key1");
+}
+END_TEST
+
+START_TEST(test_set_str_printf)
+{
+	settings->set_str(settings, "%s.key1", "val", "main");
+	verify_string("val", "main.key1");
+	settings->set_str(settings, "main.%N.new", "added", test_settings_test_names, SUB1);
+	verify_string("added", "main.sub1.new");
+	settings->set_str(settings, "main.%s%d.newsub.%s", "bar", "sub", 2, "foo");
+	verify_string("bar", "main.sub2.newsub.foo");
+}
+END_TEST
+
+START_TEST(test_set_default_str)
+{
+	settings->set_default_str(settings, "main.key1", "default");
+	verify_string("val1", "main.key1");
+	settings->set_default_str(settings, "main.sub1.new", "added");
+	verify_string("added", "main.sub1.new");
+	settings->set_str(settings, "main.sub1.new", "changed");
+	verify_string("changed", "main.sub1.new");
+}
+END_TEST
+
+START_SETUP(setup_bool_config)
+{
+	create_settings(chunk_from_str(
+		"main {\n"
+		"	key1 = yes\n"
+		"	key2 = true\n"
+		"	key3 = Enabled\n"
+		"	key4 = 1\n"
+		"	key5 = no\n"
+		"	key6 = FALSE\n"
+		"	key7 = disabled\n"
+		"	key8 = 0\n"
+		"	key9 = 5\n"
+		"	none = \n"
+		"	foo = bar\n"
+		"}"));
+}
+END_SETUP
+
+#define verify_bool(expected, def, key, ...) \
+	ck_assert(expected == settings->get_bool(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_bool)
+{
+	verify_bool(TRUE, FALSE, "main.key1");
+	verify_bool(TRUE, FALSE, "main.key2");
+	verify_bool(TRUE, FALSE, "main.key3");
+	verify_bool(TRUE, FALSE, "main.key4");
+	verify_bool(FALSE, TRUE, "main.key5");
+	verify_bool(FALSE, TRUE, "main.key6");
+	verify_bool(FALSE, TRUE, "main.key7");
+	verify_bool(FALSE, TRUE, "main.key8");
+
+	verify_bool(FALSE, FALSE, "main.none");
+	verify_bool(TRUE, TRUE, "main.none");
+	verify_bool(FALSE, FALSE, "main.foo");
+	verify_bool(TRUE, TRUE, "main.foo");
+
+	verify_bool(FALSE, FALSE, "main.key9");
+	verify_bool(TRUE, TRUE, "main.key9");
+	verify_bool(FALSE, FALSE, "main");
+	verify_bool(TRUE, TRUE, "main");
+
+}
+END_TEST
+
+START_TEST(test_set_bool)
+{
+	settings->set_str(settings, "main.key1", "no");
+	verify_bool(FALSE, TRUE, "main.key1");
+	settings->set_bool(settings, "main.key2", FALSE);
+	verify_bool(FALSE, TRUE, "main.key2");
+	settings->set_str(settings, "main.key3", NULL);
+	verify_bool(FALSE, FALSE, "main.key3");
+	verify_bool(TRUE, TRUE, "main.key3");
+	settings->set_bool(settings, "main.key5", TRUE);
+	verify_bool(TRUE, FALSE, "main.key5");
+	settings->set_bool(settings, "main.new", TRUE);
+	verify_bool(TRUE, FALSE, "main.new");
+}
+END_TEST
+
+START_SETUP(setup_int_config)
+{
+	create_settings(chunk_from_str(
+		"main {\n"
+		"	key1 = 5\n"
+		"	# gets cut off\n"
+		"	key2 = 5.5\n"
+		"	key3 = -42\n"
+		"	none = \n"
+		"	foo1 = bar\n"
+		"	foo2 = bar13\n"
+		"	foo3 = 13bar\n"
+		"}"));
+}
+END_SETUP
+
+#define verify_int(expected, def, key, ...) \
+	ck_assert_int_eq(expected, settings->get_int(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_int)
+{
+	verify_int(5, 0, "main.key1");
+	verify_int(5, 0, "main.key2");
+	verify_int(-42, 0, "main.key3");
+
+	/* FIXME: do we want this behavior? */
+	verify_int(0, 11, "main.none");
+	verify_int(0, 11, "main.foo1");
+	verify_int(0, 11, "main.foo2");
+	verify_int(13, 11, "main.foo3");
+
+	verify_int(13, 13, "main.key4");
+	verify_int(-13, -13, "main");
+}
+END_TEST
+
+START_TEST(test_set_int)
+{
+	settings->set_str(settings, "main.key1", "13");
+	verify_int(13, 0, "main.key1");
+	settings->set_int(settings, "main.key2", 6);
+	verify_int(6, 0, "main.key2");
+	settings->set_int(settings, "main.key3", -6);
+	verify_int(-6, 0, "main.key3");
+	settings->set_str(settings, "main.key3", NULL);
+	verify_int(15, 15, "main.key3");
+	settings->set_int(settings, "main.new", 314);
+	verify_int(314, 0, "main.new");
+}
+END_TEST
+
+START_SETUP(setup_double_config)
+{
+	create_settings(chunk_from_str(
+		"main {\n"
+		"	key1 = 5\n"
+		"	key2 = 5.5\n"
+		"	key3 = -42\n"
+		"	key4 = -42.5\n"
+		"	none = \n"
+		"	foo1 = bar\n"
+		"	foo2 = bar13.5\n"
+		"	foo3 = 13.5bar\n"
+		"}"));
+}
+END_SETUP
+
+#define verify_double(expected, def, key, ...) \
+	ck_assert(expected == settings->get_double(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_double)
+{
+	verify_double(5, 0, "main.key1");
+	verify_double(5.5, 0, "main.key2");
+	verify_double(-42, 0, "main.key3");
+	verify_double(-42.5, 0, "main.key4");
+
+	/* FIXME: do we want this behavior? */
+	verify_double(0, 11.5, "main.none");
+	verify_double(0, 11.5, "main.foo1");
+	verify_double(0, 11.5, "main.foo2");
+	verify_double(13.5, 11.5, "main.foo3");
+
+	verify_double(11.5, 11.5, "main.key5");
+	verify_double(-11.5, -11.5, "main");
+}
+END_TEST
+
+START_TEST(test_set_double)
+{
+	settings->set_str(settings, "main.key1", "5.5");
+	verify_double(5.5, 0, "main.key1");
+	settings->set_double(settings, "main.key2", 13);
+	verify_double(13, 0, "main.key2");
+	settings->set_double(settings, "main.key3", -13.5);
+	verify_double(-13.5, 0, "main.key3");
+	settings->set_double(settings, "main.key4", 11.5);
+	verify_double(11.5, 0, "main.key4");
+	settings->set_str(settings, "main.key4", NULL);
+	verify_double(42.5, 42.5, "main.key4");
+	settings->set_double(settings, "main.new", 3.14);
+	verify_double(3.14, 0, "main.new");
+}
+END_TEST
+
+START_SETUP(setup_time_config)
+{
+	create_settings(chunk_from_str(
+		"main {\n"
+		"	key1 = 5s\n"
+		"	key2 = 5m\n"
+		"	key3 = 5h\n"
+		"	key4 = 5d\n"
+		"	none = \n"
+		"	foo1 = bar\n"
+		"	foo2 = bar13\n"
+		"	foo3 = 13bar\n"
+		"}"));
+}
+END_SETUP
+
+#define verify_time(expected, def, key, ...) \
+	ck_assert_int_eq(expected, settings->get_time(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_time)
+{
+	verify_time(5, 0, "main.key1");
+	verify_time(300, 0, "main.key2");
+	verify_time(18000, 0, "main.key3");
+	verify_time(432000, 0, "main.key4");
+
+	/* FIXME: do we want this behavior? */
+	verify_time(0, 11, "main.none");
+	verify_time(0, 11, "main.foo1");
+	verify_time(0, 11, "main.foo2");
+	verify_time(13, 11, "main.foo3");
+
+	verify_time(11, 11, "main.key5");
+	verify_time(11, 11, "main");
+}
+END_TEST
+
+START_TEST(test_set_time)
+{
+	settings->set_str(settings, "main.key1", "15m");
+	verify_time(900, 0, "main.key1");
+	settings->set_time(settings, "main.key2", 15);
+	verify_time(15, 0, "main.key2");
+	settings->set_str(settings, "main.key3", NULL);
+	verify_time(300, 300, "main.key3");
+	settings->set_time(settings, "main.new", 314);
+	verify_time(314, 0, "main.new");
+}
+END_TEST
+
+static bool verify_section(linked_list_t *verifier, char *section)
+{
+	enumerator_t *enumerator;
+	char *current;
+	bool result = FALSE;
+
+	enumerator = verifier->create_enumerator(verifier);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(current, section))
+		{
+			verifier->remove_at(verifier, enumerator);
+			result = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return result;
+}
+
+static void verify_sections(linked_list_t *verifier, char *parent)
+{
+	enumerator_t *enumerator;
+	char *section;
+
+	enumerator = settings->create_section_enumerator(settings, parent);
+	while (enumerator->enumerate(enumerator, &section))
+	{
+		ck_assert(verify_section(verifier, section));
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(0, verifier->get_count(verifier));
+	verifier->destroy(verifier);
+}
+
+START_TEST(test_section_enumerator)
+{
+	linked_list_t *verifier;
+
+	verifier = linked_list_create_with_items("sub1", "sub%", NULL);
+	verify_sections(verifier, "main");
+
+	settings->set_str(settings, "main.sub2.new", "added");
+	verifier = linked_list_create_with_items("sub1", "sub%", "sub2", NULL);
+	verify_sections(verifier, "main");
+
+	verifier = linked_list_create_with_items("subsub", NULL);
+	verify_sections(verifier, "main.sub1");
+
+	verifier = linked_list_create_with_items(NULL);
+	verify_sections(verifier, "main.sub%%");
+
+	verifier = linked_list_create_with_items(NULL);
+	verify_sections(verifier, "main.key1");
+
+	verifier = linked_list_create_with_items(NULL);
+	verify_sections(verifier, "main.unknown");
+}
+END_TEST
+
+static bool verify_key_value(linked_list_t *keys, linked_list_t *values,
+							 char *key, char *value)
+{
+	enumerator_t *enum_keys, *enum_values;
+	char *current_key, *current_value;
+	bool result = FALSE;
+
+	enum_keys = keys->create_enumerator(keys);
+	enum_values = values->create_enumerator(values);
+	while (enum_keys->enumerate(enum_keys, &current_key) &&
+		   enum_values->enumerate(enum_values, &current_value))
+	{
+		if (streq(current_key, key))
+		{
+			ck_assert_str_eq(current_value, value);
+			keys->remove_at(keys, enum_keys);
+			values->remove_at(values, enum_values);
+			result = TRUE;
+			break;
+		}
+	}
+	enum_keys->destroy(enum_keys);
+	enum_values->destroy(enum_values);
+	return result;
+}
+
+static void verify_key_values(linked_list_t *keys, linked_list_t *values,
+							  char *parent)
+{
+	enumerator_t *enumerator;
+	char *key, *value;
+
+	enumerator = settings->create_key_value_enumerator(settings, parent);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		ck_assert(verify_key_value(keys, values, key, value));
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(0, keys->get_count(keys));
+	keys->destroy(keys);
+	values->destroy(values);
+}
+
+START_TEST(test_key_value_enumerator)
+{
+	linked_list_t *keys, *values;
+
+	keys = linked_list_create_with_items("key1", "key2", "none", NULL);
+	values = linked_list_create_with_items("val1", "with spaces", "", NULL);
+	verify_key_values(keys, values, "main");
+
+	keys = linked_list_create_with_items("key", "key2", "subsub", NULL);
+	values = linked_list_create_with_items("value", "value2", "section value", NULL);
+	verify_key_values(keys, values, "main.sub1");
+
+	settings->set_str(settings, "main.sub2.new", "added");
+	keys = linked_list_create_with_items("new", NULL);
+	values = linked_list_create_with_items("added", NULL);
+	verify_key_values(keys, values, "main.sub2");
+
+	keys = linked_list_create_with_items(NULL);
+	values = linked_list_create_with_items(NULL);
+	verify_key_values(keys, values, "other.empty");
+
+	settings->set_str(settings, "other.empty.new", "added");
+	keys = linked_list_create_with_items("new", NULL);
+	values = linked_list_create_with_items("added", NULL);
+	verify_key_values(keys, values, "other.empty");
+
+	keys = linked_list_create_with_items(NULL);
+	values = linked_list_create_with_items(NULL);
+	verify_key_values(keys, values, "main.unknown");
+}
+END_TEST
+
+#define include1 "/tmp/strongswan-settings-test-include1"
+#define include2 "/tmp/strongswan-settings-test-include2"
+
+START_SETUP(setup_include_config)
+{
+	chunk_t inc1 = chunk_from_str(
+		"main {\n"
+		"	key1 = n1\n"
+		"	key2 = n2\n"
+		"	none = \n"
+		"	sub1 {\n"
+		"		key3 = value\n"
+		"	}\n"
+		"	sub2 {\n"
+		"		sub3 = val3\n"
+		"	}\n"
+		"	include " include2 "\n"
+		"}");
+	chunk_t inc2 = chunk_from_str(
+		"key2 = v2\n"
+		"sub1 {\n"
+		"	key = val\n"
+		"}");
+	ck_assert(chunk_write(inc1, include1, 0022, TRUE));
+	ck_assert(chunk_write(inc2, include2, 0022, TRUE));
+}
+END_SETUP
+
+START_TEARDOWN(teardown_include_config)
+{
+	settings->destroy(settings);
+	unlink(include2);
+	unlink(include1);
+	unlink(path);
+}
+END_TEARDOWN
+
+static void verify_include()
+{
+	verify_string("n1", "main.key1");
+	verify_string("v2", "main.key2");
+	verify_string("", "main.none");
+	verify_string("val", "main.sub1.key");
+	verify_string("v2", "main.sub1.key2");
+	verify_string("val", "main.sub1.sub1.key");
+	verify_string("value", "main.sub1.key3");
+	verify_string("value", "main.sub1.include");
+	verify_string("val3", "main.sub2.sub3");
+}
+
+START_TEST(test_include)
+{
+	chunk_t contents = chunk_from_str(
+		"main {\n"
+		"	key1 = val1\n"
+		"	key2 = val2\n"
+		"	none = x\n"
+		"	sub1 {\n"
+		"		include = value\n"
+		"		key2 = value2\n"
+		"		include " include2 "\n"
+		"	}\n"
+		"}\n"
+		"# currently there must be a newline after include statements\n"
+		"include " include1 "\n");
+
+	create_settings(contents);
+	verify_include();
+}
+END_TEST
+
+START_TEST(test_load_files)
+{
+	chunk_t contents = chunk_from_str(
+		"main {\n"
+		"	key1 = val1\n"
+		"	key2 = val2\n"
+		"	none = x\n"
+		"	sub1 {\n"
+		"		include = value\n"
+		"		key2 = v2\n"
+		"		sub1 {\n"
+		"			key = val\n"
+		"		}\n"
+		"	}\n"
+		"}");
+
+	create_settings(contents);
+
+	ck_assert(settings->load_files(settings, include1, TRUE));
+	verify_include();
+
+	ck_assert(settings->load_files(settings, include2, FALSE));
+	verify_null("main.key1");
+	verify_string("v2", "key2");
+	verify_string("val", "sub1.key");
+	verify_null("main.sub1.key3");
+}
+END_TEST
+
+START_TEST(test_load_files_section)
+{
+	chunk_t contents = chunk_from_str(
+		"main {\n"
+		"	key1 = val1\n"
+		"	key2 = val2\n"
+		"	none = x\n"
+		"	sub1 {\n"
+		"		include = value\n"
+		"		key2 = value2\n"
+		"	}\n"
+		"}");
+
+	create_settings(contents);
+
+	ck_assert(settings->load_files_section(settings, include1, TRUE, ""));
+	ck_assert(settings->load_files_section(settings, include2, TRUE, "main.sub1"));
+	verify_include();
+
+	/* non existing files are no failure */
+	ck_assert(settings->load_files_section(settings, include1".conf", TRUE, ""));
+	verify_include();
+
+	/* unreadable files are */
+	ck_assert(chunk_write(contents, include1".no", 0444, TRUE));
+	ck_assert(!settings->load_files_section(settings, include1".no", TRUE, ""));
+	unlink(include1".no");
+	verify_include();
+
+	ck_assert(settings->load_files_section(settings, include2, FALSE, "main"));
+	verify_null("main.key1");
+	verify_string("v2", "main.key2");
+	verify_string("val", "main.sub1.key");
+	verify_null("main.sub1.key3");
+	verify_null("main.sub2.sub3");
+
+	ck_assert(settings->load_files_section(settings, include2, TRUE, "main.sub2"));
+	verify_string("v2", "main.sub2.key2");
+	verify_string("val", "main.sub2.sub1.key");
+}
+END_TEST
+
+START_SETUP(setup_fallback_config)
+{
+	create_settings(chunk_from_str(
+		"main {\n"
+		"	key1 = val1\n"
+		"	sub1 {\n"
+		"		key1 = val1\n"
+		"	}\n"
+		"}\n"
+		"sub {\n"
+		"	key1 = subval1\n"
+		"	key2 = subval2\n"
+		"	subsub {\n"
+		"		subkey1 = subsubval1\n"
+		"	}\n"
+		"}\n"
+		"base {\n"
+		"	key1 = baseval1\n"
+		"	key2 = baseval2\n"
+		"	sub1 {\n"
+		"		key1 = subbase1\n"
+		"		key2 = subbase2\n"
+		"		key3 = subbase3\n"
+		"		subsub {\n"
+		"			subkey1 = subsubbaseval1\n"
+		"			subkey2 = subsubbaseval2\n"
+		"		}\n"
+		"	}\n"
+		"	sub2 {\n"
+		"		key4 = subbase4\n"
+		"	}\n"
+		"}"));
+}
+END_SETUP
+
+START_TEST(test_add_fallback)
+{
+	linked_list_t *keys, *values;
+
+	settings->add_fallback(settings, "main.sub1", "sub");
+	verify_string("val1", "main.sub1.key1");
+	verify_string("subval2", "main.sub1.key2");
+	verify_string("subsubval1", "main.sub1.subsub.subkey1");
+
+	/* fallbacks are preserved even if the complete config is replaced */
+	settings->load_files(settings, path, FALSE);
+	verify_string("val1", "main.sub1.key1");
+	verify_string("subval2", "main.sub1.key2");
+	verify_string("subsubval1", "main.sub1.subsub.subkey1");
+
+	keys = linked_list_create_with_items("sub1", NULL);
+	verify_sections(keys, "main");
+	keys = linked_list_create_with_items("subsub", NULL);
+	verify_sections(keys, "main.sub1");
+
+	keys = linked_list_create_with_items("key1", NULL);
+	values = linked_list_create_with_items("val1", NULL);
+	verify_key_values(keys, values, "main");
+
+	keys = linked_list_create_with_items("key1", "key2", NULL);
+	values = linked_list_create_with_items("val1", "subval2", NULL);
+	verify_key_values(keys, values, "main.sub1");
+
+	keys = linked_list_create_with_items("subkey1", NULL);
+	values = linked_list_create_with_items("subsubval1", NULL);
+	verify_key_values(keys, values, "main.sub1.subsub");
+
+	settings->add_fallback(settings, "main", "base");
+	verify_string("val1", "main.key1");
+	verify_string("baseval2", "main.key2");
+	verify_string("val1", "main.sub1.key1");
+	verify_string("subval2", "main.sub1.key2");
+	verify_string("subsubval1", "main.sub1.subsub.subkey1");
+	verify_string("subsubbaseval2", "main.sub1.subsub.subkey2");
+	verify_string("subbase3", "main.sub1.key3");
+	verify_string("subbase4", "main.sub2.key4");
+
+
+	keys = linked_list_create_with_items("sub1", "sub2", NULL);
+	verify_sections(keys, "main");
+	keys = linked_list_create_with_items("subsub", NULL);
+	verify_sections(keys, "main.sub1");
+
+	keys = linked_list_create_with_items("key1", "key2", NULL);
+	values = linked_list_create_with_items("val1", "baseval2", NULL);
+	verify_key_values(keys, values, "main");
+
+	keys = linked_list_create_with_items("key1", "key2", "key3", NULL);
+	values = linked_list_create_with_items("val1", "subval2", "subbase3", NULL);
+	verify_key_values(keys, values, "main.sub1");
+
+	keys = linked_list_create_with_items("subkey1", "subkey2", NULL);
+	values = linked_list_create_with_items("subsubval1", "subsubbaseval2", NULL);
+	verify_key_values(keys, values, "main.sub1.subsub");
+
+	settings->set_str(settings, "main.sub1.key2", "val2");
+	verify_string("val2", "main.sub1.key2");
+	settings->set_str(settings, "main.sub1.subsub.subkey2", "val2");
+	verify_string("val2", "main.sub1.subsub.subkey2");
+	verify_string("subsubval1", "main.sub1.subsub.subkey1");
+}
+END_TEST
+
+START_TEST(test_add_fallback_printf)
+{
+	settings->add_fallback(settings, "%s.sub1", "sub", "main");
+	verify_string("val1", "main.sub1.key1");
+	verify_string("subval2", "main.sub1.key2");
+	verify_string("subsubval1", "main.sub1.subsub.subkey1");
+
+	settings->add_fallback(settings, "%s.%s2", "%s.%s1", "main", "sub");
+	verify_string("val1", "main.sub2.key1");
+	verify_string("subval2", "main.sub2.key2");
+	verify_string("subsubval1", "main.sub2.subsub.subkey1");
+}
+END_TEST
+
+START_SETUP(setup_invalid_config)
+{
+	create_settings(chunk_from_str(
+		"# section without name\n"
+		"{\n"
+		"	key1 = val1\n"
+		"}\n"
+		"main {\n"
+		"	key2 = val2\n"
+		"   # value without key\n"
+		"	= val3\n"
+		"	key4 = val4\n"
+		"	# key without value does not change it\n"
+		"	key4\n"
+		"	# subsection without name\n"
+		"	{\n"
+		"		key5 = val5\n"
+		"	}\n"
+		"	# empty include pattern\n"
+		"	include\n"
+		"	key6 = val6\n"
+		"}"));
+}
+END_SETUP
+
+START_TEST(test_invalid)
+{
+	linked_list_t *keys, *values;
+	chunk_t contents;
+
+	verify_null("key1");
+	verify_null(".key1");
+	verify_null("%s.key1", "");
+	verify_string("val2", "main.key2");
+	verify_string("val4", "main.key4");
+	verify_null("main..key5");
+	verify_string("val6", "main.key6");
+
+	keys = linked_list_create_with_items("main", NULL);
+	verify_sections(keys, "");
+
+	keys = linked_list_create_with_items(NULL);
+	verify_sections(keys, "main");
+
+	keys = linked_list_create_with_items("key2", "key4", "key6", NULL);
+	values = linked_list_create_with_items("val2", "val4", "val6", NULL);
+	verify_key_values(keys, values, "main");
+
+	/* FIXME: we should probably fix this */
+	contents = chunk_from_str(
+		"requires = newline");
+	ck_assert(chunk_write(contents, path, 0022, TRUE));
+	ck_assert(!settings->load_files(settings, path, FALSE));
+
+	contents = chunk_from_str(
+		"unterminated {\n"
+		"	not = valid\n");
+	ck_assert(chunk_write(contents, path, 0022, TRUE));
+	ck_assert(!settings->load_files(settings, path, FALSE));
+
+	contents = chunk_from_str(
+		"singleline { not = valid }\n");
+	ck_assert(chunk_write(contents, path, 0022, TRUE));
+	ck_assert(!settings->load_files(settings, path, FALSE));
+}
+END_TEST
+
+Suite *settings_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("settings");
+
+	tc = tcase_create("get/set_str (basic behavior)");
+	tcase_add_checked_fixture(tc, setup_base_config, teardown_config);
+	tcase_add_test(tc, test_get_str);
+	tcase_add_test(tc, test_get_str_printf);
+	tcase_add_test(tc, test_set_str);
+	tcase_add_test(tc, test_set_str_printf);
+	tcase_add_test(tc, test_set_default_str);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get/set_bool");
+	tcase_add_checked_fixture(tc, setup_bool_config, teardown_config);
+	tcase_add_test(tc, test_get_bool);
+	tcase_add_test(tc, test_set_bool);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get/set_int");
+	tcase_add_checked_fixture(tc, setup_int_config, teardown_config);
+	tcase_add_test(tc, test_get_int);
+	tcase_add_test(tc, test_set_int);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get/set_double");
+	tcase_add_checked_fixture(tc, setup_double_config, teardown_config);
+	tcase_add_test(tc, test_get_double);
+	tcase_add_test(tc, test_set_double);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get/set_time");
+	tcase_add_checked_fixture(tc, setup_time_config, teardown_config);
+	tcase_add_test(tc, test_get_time);
+	tcase_add_test(tc, test_set_time);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("section enumerator");
+	tcase_add_checked_fixture(tc, setup_base_config, teardown_config);
+	tcase_add_test(tc, test_section_enumerator);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("key/value enumerator");
+	tcase_add_checked_fixture(tc, setup_base_config, teardown_config);
+	tcase_add_test(tc, test_key_value_enumerator);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("include/load_files[_section]");
+	tcase_add_checked_fixture(tc, setup_include_config, teardown_include_config);
+	tcase_add_test(tc, test_include);
+	tcase_add_test(tc, test_load_files);
+	tcase_add_test(tc, test_load_files_section);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("fallback");
+	tcase_add_checked_fixture(tc, setup_fallback_config, teardown_config);
+	tcase_add_test(tc, test_add_fallback);
+	tcase_add_test(tc, test_add_fallback_printf);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invalid data");
+	tcase_add_checked_fixture(tc, setup_invalid_config, teardown_config);
+	tcase_add_test(tc, test_invalid);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_stream.c b/src/libstrongswan/tests/suites/test_stream.c
new file mode 100644
index 000000000..2d3173d46
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_stream.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <unistd.h>
+
+static char* services[] = {
+	"unix:///tmp/strongswan-test-service.sck",
+	"tcp://127.0.0.1:7766",
+	"tcp://[::1]:7766",
+};
+
+static char msg[] = "testmessage";
+static int msglen = 12;
+
+static bool servicing(void *data, stream_t *stream)
+{
+	char buf[64];
+	ssize_t len, total;
+
+	ck_assert(streq((char*)data, "test"));
+
+	for (total = 0; total < msglen;)
+	{
+		len = stream->read(stream, buf, sizeof(buf), TRUE);
+		ck_assert(len > 0);
+		total += len;
+	}
+	for (total = 0; total < msglen;)
+	{
+		len = stream->write(stream, buf, len, TRUE);
+		ck_assert(len > 0);
+		total += len;
+	}
+
+	return FALSE;
+}
+
+START_TEST(test_sync)
+{
+	char buf[64];
+	stream_service_t *service;
+	stream_t *stream;
+	ssize_t len, total;
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	service = lib->streams->create_service(lib->streams, services[_i], 1);
+	ck_assert(service != NULL);
+	service->on_accept(service, servicing, "test", JOB_PRIO_HIGH, 1);
+
+	stream = lib->streams->connect(lib->streams, services[_i]);
+	ck_assert(stream != NULL);
+	for (total = 0; total < msglen;)
+	{
+		len = stream->write(stream, msg, msglen, TRUE);
+		ck_assert(len > 0);
+		total += len;
+	}
+	for (total = 0; total < msglen;)
+	{
+		len = stream->read(stream, buf, sizeof(buf), TRUE);
+		ck_assert(len > 0);
+		total += len;
+	}
+	ck_assert(streq(buf, msg));
+	stream->destroy(stream);
+
+	service->destroy(service);
+}
+END_TEST
+
+static bool on_write(void *data, stream_t *stream)
+{
+	ssize_t len, total;
+
+	ck_assert(streq((char*)data, "test-write"));
+	for (total = 0; total < msglen;)
+	{
+		len = stream->write(stream, msg, msglen, TRUE);
+		ck_assert(len > 0);
+		total += len;
+	}
+	return FALSE;
+}
+
+static bool read_done = FALSE;
+
+static bool on_read(void *data, stream_t *stream)
+{
+	ssize_t len, total;
+	char buf[64];
+
+	ck_assert(streq((char*)data, "test-read"));
+	for (total = 0; total < msglen;)
+	{
+		len = stream->read(stream, buf, sizeof(buf), TRUE);
+		ck_assert(len > 0);
+		total += len;
+	}
+	ck_assert(streq(buf, msg));
+	read_done = TRUE;
+	return FALSE;
+}
+
+START_TEST(test_async)
+{
+	stream_service_t *service;
+	stream_t *stream;
+
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	service = lib->streams->create_service(lib->streams, services[_i], 1);
+	ck_assert(service != NULL);
+	service->on_accept(service, servicing, "test", JOB_PRIO_HIGH, 0);
+
+	stream = lib->streams->connect(lib->streams, services[_i]);
+	ck_assert(stream != NULL);
+	read_done = FALSE;
+	stream->on_write(stream, (stream_cb_t)on_write, "test-write");
+	stream->on_read(stream, (stream_cb_t)on_read, "test-read");
+
+	while (!read_done)
+	{
+		usleep(1000);
+	}
+	stream->destroy(stream);
+
+	service->destroy(service);
+}
+END_TEST
+
+static bool all(void *data, stream_t *stream)
+{
+	char buf[64], *pos;
+	ssize_t len;
+	int i;
+
+	pos = buf;
+	for (i = 0; i < msglen; i++)
+	{
+		len = stream->read(stream, pos, 1, TRUE);
+		ck_assert_int_eq(len, 1);
+		pos += len;
+	}
+	pos = buf;
+	for (i = 0; i < msglen; i++)
+	{
+		len = stream->write(stream, pos, 1, TRUE);
+		ck_assert_int_eq(len, 1);
+		pos += len;
+	}
+
+	return FALSE;
+}
+
+START_TEST(test_all)
+{
+	char buf[64];
+	stream_service_t *service;
+	stream_t *stream;
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	service = lib->streams->create_service(lib->streams, services[_i], 1);
+	ck_assert(service != NULL);
+	service->on_accept(service, all, NULL, JOB_PRIO_HIGH, 1);
+
+	stream = lib->streams->connect(lib->streams, services[_i]);
+	ck_assert(stream != NULL);
+	ck_assert(stream->write_all(stream, msg, msglen));
+	ck_assert(stream->read_all(stream, buf, msglen));
+	ck_assert(streq(buf, msg));
+	stream->destroy(stream);
+
+	service->destroy(service);
+}
+END_TEST
+
+static bool concurrency(void *data, stream_t *stream)
+{
+	static refcount_t refs = 0;
+	u_int current;
+	ssize_t len;
+
+	current = ref_get(&refs);
+	ck_assert(current <= 3);
+	len = stream->write(stream, "x", 1, TRUE);
+	ck_assert_int_eq(len, 1);
+	usleep(1000);
+	ignore_result(ref_put(&refs));
+
+	return FALSE;
+}
+
+START_TEST(test_concurrency)
+{
+	stream_service_t *service;
+	stream_t *streams[10];
+	ssize_t len;
+	char x;
+	int i;
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	service = lib->streams->create_service(lib->streams, services[_i], 10);
+	ck_assert(service != NULL);
+	service->on_accept(service, concurrency, NULL, JOB_PRIO_HIGH, 3);
+
+	for (i = 0; i < countof(streams); i++)
+	{
+		streams[i] = lib->streams->connect(lib->streams, services[_i]);
+		ck_assert(streams[i] != NULL);
+	}
+	for (i = 0; i < countof(streams); i++)
+	{
+		len = streams[i]->read(streams[i], &x, 1, TRUE);
+		ck_assert_int_eq(len, 1);
+		ck_assert_int_eq(x, 'x');
+	}
+	for (i = 0; i < countof(streams); i++)
+	{
+		streams[i]->destroy(streams[i]);
+	}
+	service->destroy(service);
+}
+END_TEST
+
+Suite *stream_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("stream");
+
+	tc = tcase_create("sync");
+	tcase_add_loop_test(tc, test_sync, 0, countof(services));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("async");
+	tcase_add_loop_test(tc, test_async, 0, countof(services));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("all");
+	tcase_add_loop_test(tc, test_all, 0, countof(services));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("concurrency");
+	tcase_add_loop_test(tc, test_concurrency, 0, countof(services));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_test_rng.c b/src/libstrongswan/tests/suites/test_test_rng.c
new file mode 100644
index 000000000..9a983b677
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_test_rng.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/test_rng.h>
+#include <utils/test.h>
+
+START_TEST(test_test_rng)
+{
+	rng_t *entropy;
+	chunk_t in, in1, in2, out;
+
+	in1 = chunk_from_chars(0x01, 0x02, 0x03, 0x04, 0x05, 0x06);
+	in2 = chunk_from_chars(0x07, 0x08);
+	in = chunk_cat("cc", in1, in2);
+
+	entropy = test_rng_create(in);
+	ck_assert(entropy->allocate_bytes(entropy, 6, &out));
+	ck_assert(chunk_equals(in1, out));
+	ck_assert(entropy->get_bytes(entropy, 2, out.ptr));
+	ck_assert(memeq(in2.ptr, out.ptr, in2.len));
+	ck_assert(!entropy->get_bytes(entropy, 4, out.ptr));
+	chunk_free(&out);
+	ck_assert(!entropy->allocate_bytes(entropy, 4, &out));
+	entropy->destroy(entropy);
+	chunk_free(&in);
+}
+END_TEST
+
+
+Suite *test_rng_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("test_rng");
+
+	tc = tcase_create("test_rng");
+	tcase_add_test(tc, test_test_rng);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_threading.c b/src/libstrongswan/tests/suites/test_threading.c
new file mode 100644
index 000000000..844959e46
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_threading.c
@@ -0,0 +1,1466 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <sched.h>
+#include <unistd.h>
+
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <threading/rwlock.h>
+#include <threading/rwlock_condvar.h>
+#include <threading/spinlock.h>
+#include <threading/semaphore.h>
+#include <threading/thread_value.h>
+
+/*******************************************************************************
+ * recursive mutex test
+ */
+
+#define THREADS 20
+
+/**
+ * Thread barrier data
+ */
+typedef struct {
+	mutex_t *mutex;
+	condvar_t *cond;
+	int count;
+	int current;
+	bool active;
+} barrier_t;
+
+/**
+ * Create a thread barrier for count threads
+ */
+static barrier_t* barrier_create(int count)
+{
+	barrier_t *this;
+
+	INIT(this,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.cond = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.count = count,
+	);
+
+	return this;
+}
+
+/**
+ * Destroy a thread barrier
+ */
+static void barrier_destroy(barrier_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	this->cond->destroy(this->cond);
+	free(this);
+}
+
+/**
+ * Wait to have configured number of threads in barrier
+ */
+static bool barrier_wait(barrier_t *this)
+{
+	bool winner = FALSE;
+
+	this->mutex->lock(this->mutex);
+	if (!this->active)
+	{	/* first, reset */
+		this->active = TRUE;
+		this->current = 0;
+	}
+
+	this->current++;
+	while (this->current < this->count)
+	{
+		this->cond->wait(this->cond, this->mutex);
+	}
+	if (this->active)
+	{	/* first, win */
+		winner = TRUE;
+		this->active = FALSE;
+	}
+	this->mutex->unlock(this->mutex);
+	this->cond->broadcast(this->cond);
+	sched_yield();
+
+	return winner;
+}
+
+/**
+ * Barrier for some tests
+ */
+static barrier_t *barrier;
+
+/**
+ * A mutex for tests requiring one
+ */
+static mutex_t *mutex;
+
+/**
+ * A condvar for tests requiring one
+ */
+static condvar_t *condvar;
+
+/**
+ * A counter for signaling
+ */
+static int sigcount;
+
+static void *mutex_run(void *data)
+{
+	int locked = 0;
+	int i;
+
+	/* wait for all threads before getting in action */
+	barrier_wait(barrier);
+
+	for (i = 0; i < 100; i++)
+	{
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		locked++;
+		sched_yield();
+		if (locked > 1)
+		{
+			fail("two threads locked the mutex concurrently");
+		}
+		locked--;
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+	}
+	return NULL;
+}
+
+START_TEST(test_mutex)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	barrier = barrier_create(THREADS);
+	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+		mutex->unlock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->unlock(mutex);
+	}
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(mutex_run, NULL);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	mutex->destroy(mutex);
+	barrier_destroy(barrier);
+}
+END_TEST
+
+/**
+ * Spinlock for testing
+ */
+static spinlock_t *spinlock;
+
+static void *spinlock_run(void *data)
+{
+	int i, *locked = (int*)data;
+
+	barrier_wait(barrier);
+
+	for (i = 0; i < 1000; i++)
+	{
+		spinlock->lock(spinlock);
+		(*locked)++;
+		ck_assert_int_eq(*locked, 1);
+		(*locked)--;
+		spinlock->unlock(spinlock);
+	}
+	return NULL;
+}
+
+START_TEST(test_spinlock)
+{
+	thread_t *threads[THREADS];
+	int i, locked = 0;
+
+	barrier = barrier_create(THREADS);
+	spinlock = spinlock_create();
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(spinlock_run, &locked);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	spinlock->destroy(spinlock);
+	barrier_destroy(barrier);
+}
+END_TEST
+
+static void *condvar_run(void *data)
+{
+	mutex->lock(mutex);
+	sigcount++;
+	condvar->signal(condvar);
+	mutex->unlock(mutex);
+	return NULL;
+}
+
+START_TEST(test_condvar)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	sigcount = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(condvar_run, NULL);
+	}
+
+	mutex->lock(mutex);
+	while (sigcount < THREADS)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	mutex->unlock(mutex);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+}
+END_TEST
+
+static void *condvar_recursive_run(void *data)
+{
+	mutex->lock(mutex);
+	mutex->lock(mutex);
+	mutex->lock(mutex);
+	sigcount++;
+	condvar->signal(condvar);
+	mutex->unlock(mutex);
+	mutex->unlock(mutex);
+	mutex->unlock(mutex);
+	return NULL;
+}
+
+START_TEST(test_condvar_recursive)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	sigcount = 0;
+
+	mutex->lock(mutex);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(condvar_recursive_run, NULL);
+	}
+
+	mutex->lock(mutex);
+	mutex->lock(mutex);
+	while (sigcount < THREADS)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	mutex->unlock(mutex);
+	mutex->unlock(mutex);
+	mutex->unlock(mutex);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+}
+END_TEST
+
+static void *condvar_run_broad(void *data)
+{
+	mutex->lock(mutex);
+	while (sigcount < 0)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	mutex->unlock(mutex);
+	return NULL;
+}
+
+START_TEST(test_condvar_broad)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	sigcount = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(condvar_run_broad, NULL);
+	}
+
+	sched_yield();
+
+	mutex->lock(mutex);
+	sigcount = 1;
+	condvar->broadcast(condvar);
+	mutex->unlock(mutex);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+}
+END_TEST
+
+START_TEST(test_condvar_timed)
+{
+	thread_t *thread;
+	timeval_t start, end, diff = { .tv_usec = 50000 };
+
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	sigcount = 0;
+
+	mutex->lock(mutex);
+	while (TRUE)
+	{
+		time_monotonic(&start);
+		if (condvar->timed_wait(condvar, mutex, diff.tv_usec / 1000))
+		{
+			break;
+		}
+	}
+	time_monotonic(&end);
+	mutex->unlock(mutex);
+	timersub(&end, &start, &end);
+	ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+					end.tv_sec, end.tv_usec, diff.tv_sec, diff.tv_usec);
+
+	thread = thread_create(condvar_run, NULL);
+
+	mutex->lock(mutex);
+	while (sigcount == 0)
+	{
+		ck_assert(!condvar->timed_wait(condvar, mutex, 1000));
+	}
+	mutex->unlock(mutex);
+
+	thread->join(thread);
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+}
+END_TEST
+
+START_TEST(test_condvar_timed_abs)
+{
+	thread_t *thread;
+	timeval_t start, end, abso, diff = { .tv_usec = 50000 };
+
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	sigcount = 0;
+
+	mutex->lock(mutex);
+	while (TRUE)
+	{
+		time_monotonic(&start);
+		timeradd(&start, &diff, &abso);
+		if (condvar->timed_wait_abs(condvar, mutex, abso))
+		{
+			break;
+		}
+	}
+	time_monotonic(&end);
+	mutex->unlock(mutex);
+	ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+					end.tv_sec, end.tv_usec, abso.tv_sec, abso.tv_usec);
+
+	thread = thread_create(condvar_run, NULL);
+
+	time_monotonic(&start);
+	diff.tv_sec = 1;
+	timeradd(&start, &diff, &abso);
+	mutex->lock(mutex);
+	while (sigcount == 0)
+	{
+		ck_assert(!condvar->timed_wait_abs(condvar, mutex, abso));
+	}
+	mutex->unlock(mutex);
+
+	thread->join(thread);
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+}
+END_TEST
+
+static void *condvar_cancel_run(void *data)
+{
+	thread_cancelability(FALSE);
+
+	mutex->lock(mutex);
+
+	sigcount++;
+	condvar->broadcast(condvar);
+
+	thread_cleanup_push((void*)mutex->unlock, mutex);
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	thread_cleanup_pop(TRUE);
+
+	return NULL;
+}
+
+START_TEST(test_condvar_cancel)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	sigcount = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(condvar_cancel_run, NULL);
+	}
+
+	/* wait for all threads */
+	mutex->lock(mutex);
+	while (sigcount < THREADS)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	mutex->unlock(mutex);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+}
+END_TEST
+
+/**
+ * RWlock for different tests
+ */
+static rwlock_t *rwlock;
+
+static void *rwlock_run(refcount_t *refs)
+{
+	rwlock->read_lock(rwlock);
+	ref_get(refs);
+	sched_yield();
+	ignore_result(ref_put(refs));
+	rwlock->unlock(rwlock);
+
+	if (rwlock->try_write_lock(rwlock))
+	{
+		ck_assert_int_eq(*refs, 0);
+		sched_yield();
+		rwlock->unlock(rwlock);
+	}
+
+	rwlock->write_lock(rwlock);
+	ck_assert_int_eq(*refs, 0);
+	sched_yield();
+	rwlock->unlock(rwlock);
+
+	rwlock->read_lock(rwlock);
+	rwlock->read_lock(rwlock);
+	ref_get(refs);
+	sched_yield();
+	ignore_result(ref_put(refs));
+	rwlock->unlock(rwlock);
+	rwlock->unlock(rwlock);
+
+	return NULL;
+}
+
+START_TEST(test_rwlock)
+{
+	thread_t *threads[THREADS];
+	refcount_t refs = 0;
+	int i;
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create((void*)rwlock_run, &refs);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	rwlock->destroy(rwlock);
+}
+END_TEST
+
+/**
+ * Rwlock condvar
+ */
+static rwlock_condvar_t *rwcond;
+
+static void *rwlock_condvar_run(void *data)
+{
+	rwlock->write_lock(rwlock);
+	sigcount++;
+	rwcond->signal(rwcond);
+	rwlock->unlock(rwlock);
+	return NULL;
+}
+
+START_TEST(test_rwlock_condvar)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	rwcond = rwlock_condvar_create();
+	sigcount = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(rwlock_condvar_run, NULL);
+	}
+
+	rwlock->write_lock(rwlock);
+	while (sigcount < THREADS)
+	{
+		rwcond->wait(rwcond, rwlock);
+	}
+	rwlock->unlock(rwlock);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	rwlock->destroy(rwlock);
+	rwcond->destroy(rwcond);
+}
+END_TEST
+
+static void *rwlock_condvar_run_broad(void *data)
+{
+	rwlock->write_lock(rwlock);
+	while (sigcount < 0)
+	{
+		rwcond->wait(rwcond, rwlock);
+	}
+	rwlock->unlock(rwlock);
+	return NULL;
+}
+
+START_TEST(test_rwlock_condvar_broad)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	rwcond = rwlock_condvar_create();
+	sigcount = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(rwlock_condvar_run_broad, NULL);
+	}
+
+	sched_yield();
+
+	rwlock->write_lock(rwlock);
+	sigcount = 1;
+	rwcond->broadcast(rwcond);
+	rwlock->unlock(rwlock);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	rwlock->destroy(rwlock);
+	rwcond->destroy(rwcond);
+}
+END_TEST
+
+START_TEST(test_rwlock_condvar_timed)
+{
+	thread_t *thread;
+	timeval_t start, end, diff = { .tv_usec = 50000 };
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	rwcond = rwlock_condvar_create();
+	sigcount = 0;
+
+	rwlock->write_lock(rwlock);
+	while (TRUE)
+	{
+		time_monotonic(&start);
+		if (rwcond->timed_wait(rwcond, rwlock, diff.tv_usec / 1000))
+		{
+			break;
+		}
+	}
+	rwlock->unlock(rwlock);
+	time_monotonic(&end);
+	timersub(&end, &start, &end);
+	ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+					end.tv_sec, end.tv_usec, diff.tv_sec, diff.tv_usec);
+
+	thread = thread_create(rwlock_condvar_run, NULL);
+
+	rwlock->write_lock(rwlock);
+	while (sigcount == 0)
+	{
+		ck_assert(!rwcond->timed_wait(rwcond, rwlock, 1000));
+	}
+	rwlock->unlock(rwlock);
+
+	thread->join(thread);
+	rwlock->destroy(rwlock);
+	rwcond->destroy(rwcond);
+}
+END_TEST
+
+START_TEST(test_rwlock_condvar_timed_abs)
+{
+	thread_t *thread;
+	timeval_t start, end, abso, diff = { .tv_usec = 50000 };
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	rwcond = rwlock_condvar_create();
+	sigcount = 0;
+
+	rwlock->write_lock(rwlock);
+	while (TRUE)
+	{
+		time_monotonic(&start);
+		timeradd(&start, &diff, &abso);
+		if (rwcond->timed_wait_abs(rwcond, rwlock, abso))
+		{
+			break;
+		}
+	}
+	rwlock->unlock(rwlock);
+	time_monotonic(&end);
+	ck_assert_msg(timercmp(&end, &abso, >), "end: %u.%u, abso: %u.%u",
+					end.tv_sec, end.tv_usec, abso.tv_sec, abso.tv_usec);
+
+	thread = thread_create(rwlock_condvar_run, NULL);
+
+	time_monotonic(&start);
+	diff.tv_sec = 1;
+	timeradd(&start, &diff, &abso);
+	rwlock->write_lock(rwlock);
+	while (sigcount == 0)
+	{
+		ck_assert(!rwcond->timed_wait_abs(rwcond, rwlock, abso));
+	}
+	rwlock->unlock(rwlock);
+
+	thread->join(thread);
+	rwlock->destroy(rwlock);
+	rwcond->destroy(rwcond);
+}
+END_TEST
+
+static void *rwlock_condvar_cancel_run(void *data)
+{
+	thread_cancelability(FALSE);
+
+	rwlock->write_lock(rwlock);
+
+	sigcount++;
+	rwcond->broadcast(rwcond);
+
+	thread_cleanup_push((void*)rwlock->unlock, rwlock);
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		rwcond->wait(rwcond, rwlock);
+	}
+	thread_cleanup_pop(TRUE);
+
+	return NULL;
+}
+
+START_TEST(test_rwlock_condvar_cancel)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	rwcond = rwlock_condvar_create();
+	sigcount = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(rwlock_condvar_cancel_run, NULL);
+	}
+
+	/* wait for all threads */
+	rwlock->write_lock(rwlock);
+	while (sigcount < THREADS)
+	{
+		rwcond->wait(rwcond, rwlock);
+	}
+	rwlock->unlock(rwlock);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	rwlock->destroy(rwlock);
+	rwcond->destroy(rwcond);
+}
+END_TEST
+
+/**
+ * Semaphore for different tests
+ */
+static semaphore_t *semaphore;
+
+static void *semaphore_run(void *data)
+{
+	semaphore->post(semaphore);
+	return NULL;
+}
+
+START_TEST(test_semaphore)
+{
+	thread_t *threads[THREADS];
+	int i, initial = 5;
+
+	semaphore = semaphore_create(initial);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(semaphore_run, NULL);
+	}
+	for (i = 0; i < THREADS + initial; i++)
+	{
+		semaphore->wait(semaphore);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	semaphore->destroy(semaphore);
+}
+END_TEST
+
+START_TEST(test_semaphore_timed)
+{
+	thread_t *thread;
+	timeval_t start, end, diff = { .tv_usec = 50000 };
+
+	semaphore = semaphore_create(0);
+
+	time_monotonic(&start);
+	ck_assert(semaphore->timed_wait(semaphore, diff.tv_usec / 1000));
+	time_monotonic(&end);
+	timersub(&end, &start, &end);
+	ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+					end.tv_sec, end.tv_usec, diff.tv_sec, diff.tv_usec);
+
+	thread = thread_create(semaphore_run, NULL);
+
+	ck_assert(!semaphore->timed_wait(semaphore, 1000));
+
+	thread->join(thread);
+	semaphore->destroy(semaphore);
+}
+END_TEST
+
+START_TEST(test_semaphore_timed_abs)
+{
+	thread_t *thread;
+	timeval_t start, end, abso, diff = { .tv_usec = 50000 };
+
+	semaphore = semaphore_create(0);
+
+	time_monotonic(&start);
+	timeradd(&start, &diff, &abso);
+	ck_assert(semaphore->timed_wait_abs(semaphore, abso));
+	time_monotonic(&end);
+	ck_assert_msg(timercmp(&end, &abso, >), "end: %u.%u, abso: %u.%u",
+					end.tv_sec, end.tv_usec, abso.tv_sec, abso.tv_usec);
+
+	thread = thread_create(semaphore_run, NULL);
+
+	time_monotonic(&start);
+	diff.tv_sec = 1;
+	timeradd(&start, &diff, &abso);
+	ck_assert(!semaphore->timed_wait_abs(semaphore, abso));
+
+	thread->join(thread);
+	semaphore->destroy(semaphore);
+}
+END_TEST
+
+static void *semaphore_cancel_run(void *data)
+{
+	refcount_t *ready = (refcount_t*)data;
+
+	thread_cancelability(FALSE);
+	ref_get(ready);
+
+	thread_cancelability(TRUE);
+	semaphore->wait(semaphore);
+
+	ck_assert(FALSE);
+	return NULL;
+}
+
+START_TEST(test_semaphore_cancel)
+{
+	thread_t *threads[THREADS];
+	refcount_t ready = 0;
+	int i;
+
+	semaphore = semaphore_create(0);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(semaphore_cancel_run, &ready);
+	}
+	while (ready < THREADS)
+	{
+		sched_yield();
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+
+	semaphore->destroy(semaphore);
+}
+END_TEST
+
+static void *join_run(void *data)
+{
+	/* force some context switches */
+	sched_yield();
+	return (void*)((uintptr_t)data + THREADS);
+}
+
+START_TEST(test_join)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(join_run, (void*)(uintptr_t)i);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		ck_assert_int_eq((uintptr_t)threads[i]->join(threads[i]), i + THREADS);
+	}
+}
+END_TEST
+
+static void *exit_join_run(void *data)
+{
+	sched_yield();
+	thread_exit((void*)((uintptr_t)data + THREADS));
+	/* not reached */
+	ck_assert(FALSE);
+	return NULL;
+}
+
+START_TEST(test_join_exit)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(exit_join_run, (void*)(uintptr_t)i);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		ck_assert_int_eq((uintptr_t)threads[i]->join(threads[i]), i + THREADS);
+	}
+}
+END_TEST
+
+static void *detach_run(void *data)
+{
+	refcount_t *running = (refcount_t*)data;
+
+	ignore_result(ref_put(running));
+	return NULL;
+}
+
+START_TEST(test_detach)
+{
+	thread_t *threads[THREADS];
+	int i;
+	refcount_t running = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		ref_get(&running);
+		threads[i] = thread_create(detach_run, &running);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->detach(threads[i]);
+	}
+	while (running > 0)
+	{
+		sched_yield();
+	}
+	/* no checks done here, but we check that thread state gets cleaned
+	 * up with leak detective. */
+}
+END_TEST
+
+static void *detach_exit_run(void *data)
+{
+	refcount_t *running = (refcount_t*)data;
+
+	ignore_result(ref_put(running));
+	thread_exit(NULL);
+	/* not reached */
+	ck_assert(FALSE);
+	return NULL;
+}
+
+START_TEST(test_detach_exit)
+{
+	thread_t *threads[THREADS];
+	int i;
+	refcount_t running = 0;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		ref_get(&running);
+		threads[i] = thread_create(detach_exit_run, &running);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->detach(threads[i]);
+	}
+	while (running > 0)
+	{
+		sched_yield();
+	}
+	/* no checks done here, but we check that thread state gets cleaned
+	 * up with leak detective. */
+}
+END_TEST
+
+static void *cancel_run(void *data)
+{
+	/* default cancellability should be TRUE, so don't change it */
+	while (TRUE)
+	{
+		sleep(10);
+	}
+	return NULL;
+}
+
+START_TEST(test_cancel)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(cancel_run, NULL);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+}
+END_TEST
+
+static void *cancel_onoff_run(void *data)
+{
+	bool *cancellable = (bool*)data;
+
+	thread_cancelability(FALSE);
+	*cancellable = FALSE;
+
+	/* we should not get cancelled here */
+	usleep(50000);
+
+	*cancellable = TRUE;
+	thread_cancelability(TRUE);
+
+	/* but here */
+	while (TRUE)
+	{
+		sleep(10);
+	}
+	return NULL;
+}
+
+START_TEST(test_cancel_onoff)
+{
+	thread_t *threads[THREADS];
+	bool cancellable[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		cancellable[i] = TRUE;
+		threads[i] = thread_create(cancel_onoff_run, &cancellable[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		/* wait until thread has cleared its cancellability */
+		while (cancellable[i])
+		{
+			sched_yield();
+		}
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+		ck_assert(cancellable[i]);
+	}
+}
+END_TEST
+
+static void *cancel_point_run(void *data)
+{
+	thread_cancelability(FALSE);
+	while (TRUE)
+	{
+		/* implicitly enables cancellability */
+		thread_cancellation_point();
+	}
+	return NULL;
+}
+
+START_TEST(test_cancel_point)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(cancel_point_run, NULL);
+	}
+	sched_yield();
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+}
+END_TEST
+
+static void cleanup1(void *data)
+{
+	uintptr_t *value = (uintptr_t*)data;
+
+	ck_assert_int_eq(*value, 1);
+	(*value)++;
+}
+
+static void cleanup2(void *data)
+{
+	uintptr_t *value = (uintptr_t*)data;
+
+	ck_assert_int_eq(*value, 2);
+	(*value)++;
+}
+
+static void cleanup3(void *data)
+{
+	uintptr_t *value = (uintptr_t*)data;
+
+	ck_assert_int_eq(*value, 3);
+	(*value)++;
+}
+
+static void *cleanup_run(void *data)
+{
+	thread_cleanup_push(cleanup3, data);
+	thread_cleanup_push(cleanup2, data);
+	thread_cleanup_push(cleanup1, data);
+	return NULL;
+}
+
+START_TEST(test_cleanup)
+{
+	thread_t *threads[THREADS];
+	uintptr_t values[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		values[i] = 1;
+		threads[i] = thread_create(cleanup_run, &values[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+		ck_assert_int_eq(values[i], 4);
+	}
+}
+END_TEST
+
+static void *cleanup_exit_run(void *data)
+{
+	thread_cleanup_push(cleanup3, data);
+	thread_cleanup_push(cleanup2, data);
+	thread_cleanup_push(cleanup1, data);
+	thread_exit(NULL);
+	ck_assert(FALSE);
+	return NULL;
+}
+
+START_TEST(test_cleanup_exit)
+{
+	thread_t *threads[THREADS];
+	uintptr_t values[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		values[i] = 1;
+		threads[i] = thread_create(cleanup_exit_run, &values[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+		ck_assert_int_eq(values[i], 4);
+	}
+}
+END_TEST
+
+static void *cleanup_cancel_run(void *data)
+{
+	thread_cancelability(FALSE);
+
+	thread_cleanup_push(cleanup3, data);
+	thread_cleanup_push(cleanup2, data);
+	thread_cleanup_push(cleanup1, data);
+
+	thread_cancelability(TRUE);
+
+	while (TRUE)
+	{
+		sleep(1);
+	}
+	return NULL;
+}
+
+START_TEST(test_cleanup_cancel)
+{
+	thread_t *threads[THREADS];
+	uintptr_t values[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		values[i] = 1;
+		threads[i] = thread_create(cleanup_cancel_run, &values[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->cancel(threads[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+		ck_assert_int_eq(values[i], 4);
+	}
+}
+END_TEST
+
+static void *cleanup_pop_run(void *data)
+{
+	thread_cleanup_push(cleanup3, data);
+	thread_cleanup_push(cleanup2, data);
+	thread_cleanup_push(cleanup1, data);
+
+	thread_cleanup_push(cleanup2, data);
+	thread_cleanup_pop(FALSE);
+
+	thread_cleanup_pop(TRUE);
+	return NULL;
+}
+
+START_TEST(test_cleanup_pop)
+{
+	thread_t *threads[THREADS];
+	uintptr_t values[THREADS];
+	int i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		values[i] = 1;
+		threads[i] = thread_create(cleanup_pop_run, &values[i]);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+		ck_assert_int_eq(values[i], 4);
+	}
+}
+END_TEST
+
+static thread_value_t *tls[10];
+
+static void *tls_run(void *data)
+{
+	uintptr_t value = (uintptr_t)data;
+	int i, j;
+
+	for (i = 0; i < countof(tls); i++)
+	{
+		ck_assert(tls[i]->get(tls[i]) == NULL);
+	}
+	for (i = 0; i < countof(tls); i++)
+	{
+		tls[i]->set(tls[i], (void*)(value * i));
+	}
+	for (j = 0; j < 1000; j++)
+	{
+		for (i = 0; i < countof(tls); i++)
+		{
+			tls[i]->set(tls[i], (void*)(value * i));
+			ck_assert(tls[i]->get(tls[i]) == (void*)(value * i));
+		}
+		sched_yield();
+	}
+	for (i = 0; i < countof(tls); i++)
+	{
+		ck_assert(tls[i]->get(tls[i]) == (void*)(value * i));
+	}
+	return (void*)(value + 1);
+}
+
+START_TEST(test_tls)
+{
+	thread_t *threads[THREADS];
+	int i;
+
+	for (i = 0; i < countof(tls); i++)
+	{
+		tls[i] = thread_value_create(NULL);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i] = thread_create(tls_run, (void*)(uintptr_t)i);
+	}
+
+	ck_assert_int_eq((uintptr_t)tls_run((void*)(uintptr_t)(THREADS + 1)),
+					 THREADS + 2);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		ck_assert_int_eq((uintptr_t)threads[i]->join(threads[i]), i + 1);
+	}
+	for (i = 0; i < countof(tls); i++)
+	{
+		tls[i]->destroy(tls[i]);
+	}
+}
+END_TEST
+
+static void tls_cleanup(void *data)
+{
+	uintptr_t *value = (uintptr_t*)data;
+
+	(*value)--;
+}
+
+static void *tls_cleanup_run(void *data)
+{
+	int i;
+
+	for (i = 0; i < countof(tls); i++)
+	{
+		tls[i]->set(tls[i], data);
+	}
+	return NULL;
+}
+
+START_TEST(test_tls_cleanup)
+{
+	thread_t *threads[THREADS];
+	uintptr_t values[THREADS], main_value = countof(tls);
+	int i;
+
+	for (i = 0; i < countof(tls); i++)
+	{
+		tls[i] = thread_value_create(tls_cleanup);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		values[i] = countof(tls);
+		threads[i] = thread_create(tls_cleanup_run, &values[i]);
+	}
+
+	tls_cleanup_run(&main_value);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		threads[i]->join(threads[i]);
+		ck_assert_int_eq(values[i], 0);
+	}
+	for (i = 0; i < countof(tls); i++)
+	{
+		tls[i]->destroy(tls[i]);
+	}
+	ck_assert_int_eq(main_value, 0);
+}
+END_TEST
+
+Suite *threading_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("threading");
+
+	tc = tcase_create("recursive mutex");
+	tcase_add_test(tc, test_mutex);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("spinlock");
+	tcase_add_test(tc, test_spinlock);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("condvar");
+	tcase_add_test(tc, test_condvar);
+	tcase_add_test(tc, test_condvar_recursive);
+	tcase_add_test(tc, test_condvar_broad);
+	tcase_add_test(tc, test_condvar_timed);
+	tcase_add_test(tc, test_condvar_timed_abs);
+	tcase_add_test(tc, test_condvar_cancel);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("rwlock");
+	tcase_add_test(tc, test_rwlock);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("rwlock condvar");
+	tcase_add_test(tc, test_rwlock_condvar);
+	tcase_add_test(tc, test_rwlock_condvar_broad);
+	tcase_add_test(tc, test_rwlock_condvar_timed);
+	tcase_add_test(tc, test_rwlock_condvar_timed_abs);
+	tcase_add_test(tc, test_rwlock_condvar_cancel);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("semaphore");
+	tcase_add_test(tc, test_semaphore);
+	tcase_add_test(tc, test_semaphore_timed);
+	tcase_add_test(tc, test_semaphore_timed_abs);
+	tcase_add_test(tc, test_semaphore_cancel);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("thread joining");
+	tcase_add_test(tc, test_join);
+	tcase_add_test(tc, test_join_exit);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("thread detaching");
+	tcase_add_test(tc, test_detach);
+	tcase_add_test(tc, test_detach_exit);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("thread cancellation");
+	tcase_add_test(tc, test_cancel);
+	tcase_add_test(tc, test_cancel_onoff);
+	tcase_add_test(tc, test_cancel_point);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("thread cleanup");
+	tcase_add_test(tc, test_cleanup);
+	tcase_add_test(tc, test_cleanup_exit);
+	tcase_add_test(tc, test_cleanup_cancel);
+	tcase_add_test(tc, test_cleanup_pop);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("thread local storage");
+	tcase_add_test(tc, test_tls);
+	tcase_add_test(tc, test_tls_cleanup);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index 3ca0412b4..0260726b2 100644
--- a/src/libstrongswan/tests/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -346,6 +346,46 @@ START_TEST(test_memstr)
 END_TEST
 
 /*******************************************************************************
+ * utils_memrchr
+ */
+
+static struct {
+	char *s;
+	int c;
+	size_t n;
+	int offset;
+} memrchr_data[] = {
+	{NULL, 'f', 0, -1},
+	{NULL, 'f', 3, -1},
+	{"", 'f', 0, -1},
+	{"", '\0', 1, 0},
+	{"foo", '\0', 3, -1},
+	{"foo", '\0', 4, 3},
+	{"foo", 'f', 3, 0},
+	{"foo", 'o', 3, 2},
+	{"foo", 'o', 2, 1},
+	{"foo", 'o', 1, -1},
+	{"foo", 'o', 0, -1},
+	{"foo", 'x', 3, -1},
+};
+
+START_TEST(test_utils_memrchr)
+{
+	void *ret;
+
+	ret = utils_memrchr(memrchr_data[_i].s, memrchr_data[_i].c, memrchr_data[_i].n);
+	if (memrchr_data[_i].offset >= 0)
+	{
+		ck_assert(ret == memrchr_data[_i].s + memrchr_data[_i].offset);
+	}
+	else
+	{
+		ck_assert(ret == NULL);
+	}
+}
+END_TEST
+
+/*******************************************************************************
  * translate
  */
 
@@ -385,6 +425,140 @@ START_TEST(test_translate)
 END_TEST
 
 /*******************************************************************************
+ * strreplace
+ */
+
+static struct {
+	char *in;
+	char *out;
+	char *search;
+	char *replace;
+	bool allocated;
+} strreplace_data[] = {
+	/* invalid arguments */
+	{NULL, NULL, NULL, NULL, FALSE},
+	{"", "", NULL, NULL, FALSE},
+	{"", "", "", NULL, FALSE},
+	{"", "", NULL, "", FALSE},
+	{"", "", "", "", FALSE},
+	{"", "", "", "asdf", FALSE},
+	{"", "", "asdf", "", FALSE},
+	{"asdf", "asdf", NULL, NULL, FALSE},
+	{"asdf", "asdf", "", NULL, FALSE},
+	{"asdf", "asdf", NULL, "", FALSE},
+	{"asdf", "asdf", "", "", FALSE},
+	{"asdf", "asdf", "", "asdf", FALSE},
+	{"asdf", "asdf", "asdf", NULL, FALSE},
+	{"qwer", "qwer", "", "asdf", FALSE},
+	/* replacement shorter */
+	{"asdf", "", "asdf", "", TRUE},
+	{"asdfasdf", "", "asdf", "", TRUE},
+	{"asasdfdf", "asdf", "asdf", "", TRUE},
+	{"asdf", "df", "as", "", TRUE},
+	{"asdf", "as", "df", "", TRUE},
+	{"qwer", "qwer", "asdf", "", FALSE},
+	/* replacement same length */
+	{"a", "b", "a", "b", TRUE},
+	{"aaa", "bbb", "a", "b", TRUE},
+	{"aaa", "bbb", "aaa", "bbb", TRUE},
+	{"asdf", "asdf", "asdf", "asdf", TRUE},
+	{"qwer", "qwer", "asdf", "asdf", FALSE},
+	/* replacement longer */
+	{"asdf", "asdf", "", "asdf", FALSE},
+	{"asdf", "asdfasdf", "asdf", "asdfasdf", TRUE},
+	{"asdf", "asdfsdf", "a", "asdf", TRUE},
+	{"asdf", "asdasdf", "f", "asdf", TRUE},
+	{"aaa", "asdfasdfasdf", "a", "asdf", TRUE},
+	{"qwer", "qwer", "asdf", "asdfasdf", FALSE},
+	/* real examples */
+	{"http://x.org/no/spaces", "http://x.org/no/spaces", " ", "%20", FALSE},
+	{"http://x.org/end ", "http://x.org/end%20", " ", "%20", TRUE},
+	{" http://x.org/start", "%20http://x.org/start", " ", "%20", TRUE},
+	{" http://x.org/both ", "%20http://x.org/both%20", " ", "%20", TRUE},
+	{"http://x.org/ /slash", "http://x.org/%20/slash", " ", "%20", TRUE},
+	{"http://x.org/   /three", "http://x.org/%20%20%20/three", " ", "%20", TRUE},
+	{"http://x.org/      ", "http://x.org/%20%20%20%20%20%20", " ", "%20", TRUE},
+	{"http://x.org/%20/encoded", "http://x.org/%20/encoded", " ", "%20", FALSE},
+};
+
+START_TEST(test_strreplace)
+{
+	char *ret;
+
+	ret = strreplace(strreplace_data[_i].in, strreplace_data[_i].search,
+					 strreplace_data[_i].replace);
+	if (ret && strreplace_data[_i].out)
+	{
+		ck_assert_str_eq(ret, strreplace_data[_i].out);
+	}
+	else
+	{
+		ck_assert(ret == strreplace_data[_i].out);
+	}
+	if (strreplace_data[_i].allocated)
+	{
+		ck_assert(ret != strreplace_data[_i].in);
+		free(ret);
+	}
+	else
+	{
+		ck_assert(ret == strreplace_data[_i].in);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * path_dirname/basename
+ */
+
+static struct {
+	char *path;
+	char *dir;
+	char *base;
+} path_data[] = {
+	{NULL, ".", "."},
+	{"", ".", "."},
+	{".", ".", "."},
+	{"..", ".", ".."},
+	{"/", "/", "/"},
+	{"//", "/", "/"},
+	{"foo", ".", "foo"},
+	{"f/", ".", "f"},
+	{"foo/", ".", "foo"},
+	{"foo//", ".", "foo"},
+	{"/f", "/", "f"},
+	{"/f/", "/", "f"},
+	{"/foo", "/", "foo"},
+	{"/foo/", "/", "foo"},
+	{"//foo/", "/", "foo"},
+	{"foo/bar", "foo", "bar"},
+	{"foo//bar", "foo", "bar"},
+	{"/foo/bar", "/foo", "bar"},
+	{"/foo/bar/", "/foo", "bar"},
+	{"/foo/bar/baz", "/foo/bar", "baz"},
+};
+
+START_TEST(test_path_dirname)
+{
+	char *dir;
+
+	dir = path_dirname(path_data[_i].path);
+	ck_assert_str_eq(path_data[_i].dir, dir);
+	free(dir);
+}
+END_TEST
+
+START_TEST(test_path_basename)
+{
+	char *base;
+
+	base = path_basename(path_data[_i].path);
+	ck_assert_str_eq(path_data[_i].base, base);
+	free(base);
+}
+END_TEST
+
+/*******************************************************************************
  * time_printf_hook
  */
 
@@ -539,10 +713,23 @@ Suite *utils_suite_create()
 	tcase_add_loop_test(tc, test_memstr, 0, countof(memstr_data));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("utils_memrchr");
+	tcase_add_loop_test(tc, test_utils_memrchr, 0, countof(memrchr_data));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("translate");
 	tcase_add_loop_test(tc, test_translate, 0, countof(translate_data));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("strreplace");
+	tcase_add_loop_test(tc, test_strreplace, 0, countof(strreplace_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("path_dirname/basename");
+	tcase_add_loop_test(tc, test_path_dirname, 0, countof(path_data));
+	tcase_add_loop_test(tc, test_path_basename, 0, countof(path_data));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("printf_hooks");
 	tcase_add_loop_test(tc, test_time_printf_hook, 0, countof(time_data));
 	tcase_add_loop_test(tc, test_time_delta_printf_hook, 0, countof(time_delta_data));
diff --git a/src/libstrongswan/tests/test_vectors.c b/src/libstrongswan/tests/suites/test_vectors.c
index f2817d314..242ac9d09 100644
--- a/src/libstrongswan/tests/test_vectors.c
+++ b/src/libstrongswan/tests/suites/test_vectors.c
@@ -21,7 +21,8 @@
 
 START_TEST(test_vectors)
 {
-	fail_if(lib->crypto->get_test_vector_failures(lib->crypto));
+	u_int failed = lib->crypto->get_test_vector_failures(lib->crypto);
+	fail_if(failed > 0, "%u test vectors failed", failed);
 }
 END_TEST
 
diff --git a/src/libstrongswan/tests/suites/test_watcher.c b/src/libstrongswan/tests/suites/test_watcher.c
new file mode 100644
index 000000000..9415bead9
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_watcher.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <library.h>
+
+#include <sched.h>
+#include <unistd.h>
+#include <errno.h>
+
+static char testbuf[1] = "";
+
+static bool readcb(void *data, int fd, watcher_event_t event)
+{
+	ck_assert_int_eq(*(int*)data, fd);
+	ck_assert_int_eq(event, WATCHER_READ);
+
+	if (recv(fd, testbuf, 1, MSG_DONTWAIT) != 1)
+	{
+		ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+	}
+	return TRUE;
+}
+
+START_TEST(test_read)
+{
+	int fd[2];
+	char c;
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd) != -1);
+
+	lib->watcher->add(lib->watcher, fd[0], WATCHER_READ, readcb, &fd[0]);
+
+	for (c = 'a'; c <= 'z'; c++)
+	{
+		ck_assert_int_eq(write(fd[1], &c, 1), 1);
+		while (testbuf[0] != c)
+		{
+			sched_yield();
+		}
+	}
+
+	lib->watcher->remove(lib->watcher, fd[0]);
+	close(fd[0]);
+	close(fd[1]);
+
+	lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+static bool writecb(void *data, int fd, watcher_event_t event)
+{
+	ck_assert_int_eq(event, WATCHER_WRITE);
+	if (send(fd, data, 1, MSG_DONTWAIT) != 1)
+	{
+		ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+	}
+	return TRUE;
+}
+
+START_TEST(test_write)
+{
+	int fd[2];
+	char in = 'x', out;
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd) != -1);
+
+	lib->watcher->add(lib->watcher, fd[1], WATCHER_WRITE, writecb, &in);
+
+	ck_assert_int_eq(read(fd[0], &out, 1), 1);
+	ck_assert_int_eq(out, in);
+
+	lib->watcher->remove(lib->watcher, fd[1]);
+	close(fd[1]);
+	close(fd[0]);
+
+	lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+static bool multiread(void *data, int fd, watcher_event_t event)
+{
+	ck_assert_int_eq(event, WATCHER_READ);
+	if (recv(fd, data, 1, MSG_DONTWAIT) != 1)
+	{
+		ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+	}
+	return TRUE;
+}
+
+START_TEST(test_multiread)
+{
+	int fd[10][2], i;
+	char in, out[countof(fd)];
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	for (i = 0; i < countof(fd); i++)
+	{
+		ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd[i]) != -1);
+		lib->watcher->add(lib->watcher, fd[i][0],
+						  WATCHER_READ, multiread, &out[i]);
+	}
+
+	for (i = 0; i < countof(fd); i++)
+	{
+		for (in = 'a'; in <= 'z'; in++)
+		{
+			ck_assert_int_eq(write(fd[i][1], &in, 1), 1);
+			while (out[i] != in)
+			{
+				sched_yield();
+			}
+		}
+	}
+
+	for (i = 0; i < countof(fd); i++)
+	{
+		lib->watcher->remove(lib->watcher, fd[i][0]);
+		close(fd[i][1]);
+		close(fd[i][0]);
+	}
+
+	lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+static bool multiwrite(void *data, int fd, watcher_event_t event)
+{
+	ck_assert_int_eq(event, WATCHER_WRITE);
+	if (send(fd, data, 1, MSG_DONTWAIT) != 1)
+	{
+		ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+	}
+	return TRUE;
+}
+
+START_TEST(test_multiwrite)
+{
+	int fd[10][2], i, j;
+	u_char out, in[countof(fd)];
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	for (i = 0; i < countof(fd); i++)
+	{
+		ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd[i]) != -1);
+		in[i] = i;
+		lib->watcher->add(lib->watcher, fd[i][1],
+						  WATCHER_WRITE, multiwrite, &in[i]);
+	}
+
+	for (j = 0; j < 10; j++)
+	{
+		for (i = 0; i < countof(fd); i++)
+		{
+			ck_assert_int_eq(read(fd[i][0], &out, 1), 1);
+			ck_assert_int_eq(out, i);
+		}
+	}
+
+	for (i = 0; i < countof(fd); i++)
+	{
+		lib->watcher->remove(lib->watcher, fd[i][1]);
+		close(fd[i][1]);
+		close(fd[i][0]);
+	}
+
+	lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+Suite *watcher_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("watcher");
+
+	tc = tcase_create("read");
+	tcase_add_test(tc, test_read);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("write");
+	tcase_add_test(tc, test_write);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("multiread");
+	tcase_add_test(tc, test_multiread);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("multiwrite");
+	tcase_add_test(tc, test_multiwrite);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c
index f85858504..0b26ee128 100644
--- a/src/libstrongswan/tests/test_runner.c
+++ b/src/libstrongswan/tests/test_runner.c
@@ -1,6 +1,8 @@
 /*
  * Copyright (C) 2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,48 +15,170 @@
  * for more details.
  */
 
-#include <unistd.h>
-
 #include "test_runner.h"
 
 #include <library.h>
 #include <plugins/plugin_feature.h>
+#include <collections/array.h>
+#include <utils/test.h>
 
 #include <dirent.h>
+#include <unistd.h>
+#include <limits.h>
+
+/**
+ * Get a tty color escape character for stderr
+ */
+#define TTY(color) tty_escape_get(2, TTY_FG_##color)
 
 /**
- * Load plugins from builddir
+ * Initialize the lookup table for testable functions (defined in libstrongswan)
  */
-static bool load_plugins()
+static void testable_functions_create() __attribute__ ((constructor(1000)));
+static void testable_functions_create()
 {
-	enumerator_t *enumerator;
-	char *name, path[PATH_MAX], dir[64];
+	testable_functions = hashtable_create(hashtable_hash_str,
+										  hashtable_equals_str, 8);
+}
+
+/**
+ * Destroy the lookup table for testable functions
+ */
+static void testable_functions_destroy() __attribute__ ((destructor(1000)));
+static void testable_functions_destroy()
+{
+	testable_functions->destroy(testable_functions);
+	/* if leak detective is enabled plugins are not actually unloaded, which
+	 * means their destructor is called AFTER this one when the process
+	 * terminates, even though the priority says differently, make sure this
+	 * does not crash */
+	testable_functions = NULL;
+}
+
+/**
+ * Load all available test suites
+ */
+static array_t *load_suites(test_configuration_t configs[],
+							test_runner_init_t init)
+{
+	array_t *suites;
+	bool old = FALSE;
+	int i;
 
-	enumerator = enumerator_create_token(PLUGINS, " ", "");
-	while (enumerator->enumerate(enumerator, &name))
+	library_init(NULL, "test-runner");
+
+	test_setup_handler();
+
+	if (init && !init(TRUE))
 	{
-		snprintf(dir, sizeof(dir), "%s", name);
-		translate(dir, "-", "_");
-		snprintf(path, sizeof(path), "%s/%s/.libs", PLUGINDIR, dir);
-		lib->plugins->add_path(lib->plugins, path);
+		library_deinit();
+		return NULL;
 	}
-	enumerator->destroy(enumerator);
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
-	return lib->plugins->load(lib->plugins, PLUGINS);
+	if (lib->leak_detective)
+	{
+		old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+	}
+
+	suites = array_create(0, 0);
+
+	for (i = 0; configs[i].suite; i++)
+	{
+		if (configs[i].feature.type == 0 ||
+			lib->plugins->has_feature(lib->plugins, configs[i].feature))
+		{
+			array_insert(suites, -1, configs[i].suite());
+		}
+	}
+
+	if (lib->leak_detective)
+	{
+		lib->leak_detective->set_state(lib->leak_detective, old);
+	}
+
+	if (init)
+	{
+		init(FALSE);
+	}
+	library_deinit();
+
+	return suites;
 }
 
-int main()
+/**
+ * Unload and destroy test suites and associated data
+ */
+static void unload_suites(array_t *suites)
 {
-	SRunner *sr;
-	int nf;
+	test_suite_t *suite;
+	test_case_t *tcase;
 
-	/* test cases are forked and there is no cleanup, so disable leak detective.
-	 * if test_suite.h is included leak detective is enabled in test cases */
-	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
-	/* redirect all output to stderr (to redirect make's stdout to /dev/null) */
-	dup2(2, 1);
+	while (array_remove(suites, 0, &suite))
+	{
+		while (array_remove(suite->tcases, 0, &tcase))
+		{
+			array_destroy(tcase->functions);
+			array_destroy(tcase->fixtures);
+		}
+		free(suite);
+	}
+	array_destroy(suites);
+}
 
-	library_init(NULL);
+/**
+ * Run a single test function, return FALSE on failure
+ */
+static bool run_test(test_function_t *tfun, int i)
+{
+	if (test_restore_point())
+	{
+		tfun->cb(i);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Invoke fixture setup/teardown
+ */
+static bool call_fixture(test_case_t *tcase, bool up)
+{
+	enumerator_t *enumerator;
+	test_fixture_t *fixture;
+	bool failure = FALSE;
+
+	enumerator = array_create_enumerator(tcase->fixtures);
+	while (enumerator->enumerate(enumerator, &fixture))
+	{
+		if (test_restore_point())
+		{
+			if (up)
+			{
+				fixture->setup();
+			}
+			else
+			{
+				fixture->teardown();
+			}
+		}
+		else
+		{
+			failure = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return !failure;
+}
+
+/**
+ * Test initialization, initializes libstrongswan for the next run
+ */
+static bool pre_test(test_runner_init_t init)
+{
+	library_init(NULL, "test-runner");
 
 	/* use non-blocking RNG to generate keys fast */
 	lib->settings->set_default_str(lib->settings,
@@ -62,45 +186,305 @@ int main()
 			lib->settings->get_str(lib->settings,
 				"libstrongswan.plugins.random.urandom", "/dev/urandom"));
 
-	if (!load_plugins())
+	if (lib->leak_detective)
+	{
+		/* disable leak reports during testing */
+		lib->leak_detective->set_report_cb(lib->leak_detective,
+										   NULL, NULL, NULL);
+	}
+	if (init && !init(TRUE))
 	{
 		library_deinit();
-		return EXIT_FAILURE;
+		return FALSE;
 	}
-	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+	dbg_default_set_level(LEVEL_SILENT);
+	return TRUE;
+}
+
+/**
+ * Failure description
+ */
+typedef struct {
+	char *name;
+	char msg[512 - sizeof(char*) - 2 * sizeof(int)];
+	const char *file;
+	int line;
+	int i;
+	backtrace_t *bt;
+} failure_t;
+
+/**
+ * Data passed to leak report callbacks
+ */
+typedef struct {
+	array_t *failures;
+	char *name;
+	int i;
+	int leaks;
+} report_data_t;
+
+/**
+ * Leak report callback, build failures from leaks
+ */
+static void report_leaks(report_data_t *data, int count, size_t bytes,
+						 backtrace_t *bt, bool detailed)
+{
+	failure_t failure = {
+		.name = data->name,
+		.i = data->i,
+		.bt = bt->clone(bt),
+	};
+
+	snprintf(failure.msg, sizeof(failure.msg),
+			 "Leak detected: %d allocations using %zu bytes", count, bytes);
+
+	array_insert(data->failures, -1, &failure);
+}
+
+/**
+ * Leak summary callback, check if any leaks found
+ */
+static void sum_leaks(report_data_t *data, int count, size_t bytes,
+					  int whitelisted)
+{
+	data->leaks = count;
+}
+
+/**
+ * Do library cleanup and optionally check for memory leaks
+ */
+static bool post_test(test_runner_init_t init, bool check_leaks,
+					  array_t *failures, char *name, int i)
+{
+	report_data_t data = {
+		.failures = failures,
+		.name = name,
+		.i = i,
+	};
 
-	sr = srunner_create(NULL);
-	srunner_add_suite(sr, bio_reader_suite_create());
-	srunner_add_suite(sr, bio_writer_suite_create());
-	srunner_add_suite(sr, chunk_suite_create());
-	srunner_add_suite(sr, enum_suite_create());
-	srunner_add_suite(sr, enumerator_suite_create());
-	srunner_add_suite(sr, linked_list_suite_create());
-	srunner_add_suite(sr, linked_list_enumerator_suite_create());
-	srunner_add_suite(sr, hashtable_suite_create());
-	srunner_add_suite(sr, array_suite_create());
-	srunner_add_suite(sr, identification_suite_create());
-	srunner_add_suite(sr, threading_suite_create());
-	srunner_add_suite(sr, utils_suite_create());
-	srunner_add_suite(sr, host_suite_create());
-	srunner_add_suite(sr, vectors_suite_create());
-	srunner_add_suite(sr, printf_suite_create());
-	if (lib->plugins->has_feature(lib->plugins,
-								  PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_RSA)))
-	{
-		srunner_add_suite(sr, rsa_suite_create());
-	}
-	if (lib->plugins->has_feature(lib->plugins,
-								  PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_ECDSA)))
-	{
-		srunner_add_suite(sr, ecdsa_suite_create());
-	}
-
-	srunner_run_all(sr, CK_NORMAL);
-	nf = srunner_ntests_failed(sr);
-
-	srunner_free(sr);
+	if (init)
+	{
+		init(FALSE);
+	}
+	if (check_leaks && lib->leak_detective)
+	{
+		lib->leak_detective->set_report_cb(lib->leak_detective,
+								(leak_detective_report_cb_t)report_leaks,
+								(leak_detective_summary_cb_t)sum_leaks, &data);
+	}
 	library_deinit();
 
-	return (nf == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+	return data.leaks != 0;
+}
+
+/**
+ * Collect failure information, add failure_t to array
+ */
+static void collect_failure_info(array_t *failures, char *name, int i)
+{
+	failure_t failure = {
+		.name = name,
+		.i = i,
+		.bt = test_failure_backtrace(),
+	};
+
+	failure.line = test_failure_get(failure.msg, sizeof(failure.msg),
+									&failure.file);
+
+	array_insert(failures, -1, &failure);
+}
+
+/**
+ * Print array of collected failure_t to stderr
+ */
+static void print_failures(array_t *failures)
+{
+	failure_t failure;
+
+	backtrace_init();
+
+	while (array_remove(failures, 0, &failure))
+	{
+		fprintf(stderr, "      %sFailure in '%s': %s (",
+				TTY(RED), failure.name, failure.msg);
+		if (failure.line)
+		{
+			fprintf(stderr, "%s:%d, ", failure.file, failure.line);
+		}
+		fprintf(stderr, "i = %d)%s\n", failure.i, TTY(DEF));
+		if (failure.bt)
+		{
+			failure.bt->log(failure.bt, stderr, TRUE);
+			failure.bt->destroy(failure.bt);
+		}
+	}
+
+	backtrace_deinit();
+}
+
+/**
+ * Run a single test case with fixtures
+ */
+static bool run_case(test_case_t *tcase, test_runner_init_t init)
+{
+	enumerator_t *enumerator;
+	test_function_t *tfun;
+	int passed = 0;
+	array_t *failures;
+
+	failures = array_create(sizeof(failure_t), 0);
+
+	fprintf(stderr, "    Running case '%s': ", tcase->name);
+	fflush(stderr);
+
+	enumerator = array_create_enumerator(tcase->functions);
+	while (enumerator->enumerate(enumerator, &tfun))
+	{
+		int i, rounds = 0;
+
+		for (i = tfun->start; i < tfun->end; i++)
+		{
+			if (pre_test(init))
+			{
+				bool ok = FALSE, leaks = FALSE;
+
+				test_setup_timeout(tcase->timeout);
+
+				if (call_fixture(tcase, TRUE))
+				{
+					if (run_test(tfun, i))
+					{
+						if (call_fixture(tcase, FALSE))
+						{
+							ok = TRUE;
+						}
+					}
+					else
+					{
+						call_fixture(tcase, FALSE);
+					}
+
+				}
+				leaks = post_test(init, ok, failures, tfun->name, i);
+
+				test_setup_timeout(0);
+
+				if (ok)
+				{
+					if (!leaks)
+					{
+						rounds++;
+						fprintf(stderr, "%s+%s", TTY(GREEN), TTY(DEF));
+					}
+				}
+				else
+				{
+					collect_failure_info(failures, tfun->name, i);
+				}
+				if (!ok || leaks)
+				{
+					fprintf(stderr, "%s-%s", TTY(RED), TTY(DEF));
+				}
+			}
+			else
+			{
+				fprintf(stderr, "!");
+			}
+		}
+		fflush(stderr);
+		if (rounds == tfun->end - tfun->start)
+		{
+			passed++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	fprintf(stderr, "\n");
+
+	print_failures(failures);
+	array_destroy(failures);
+
+	return passed == array_count(tcase->functions);
+}
+
+/**
+ * Run a single test suite
+ */
+static bool run_suite(test_suite_t *suite, test_runner_init_t init)
+{
+	enumerator_t *enumerator;
+	test_case_t *tcase;
+	int passed = 0;
+
+	fprintf(stderr, "  Running suite '%s':\n", suite->name);
+
+	enumerator = array_create_enumerator(suite->tcases);
+	while (enumerator->enumerate(enumerator, &tcase))
+	{
+		if (run_case(tcase, init))
+		{
+			passed++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (passed == array_count(suite->tcases))
+	{
+		fprintf(stderr, "  %sPassed all %u '%s' test cases%s\n",
+				TTY(GREEN), array_count(suite->tcases), suite->name, TTY(DEF));
+		return TRUE;
+	}
+	fprintf(stderr, "  %sPassed %u/%u '%s' test cases%s\n",
+			TTY(RED), passed, array_count(suite->tcases), suite->name, TTY(DEF));
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+int test_runner_run(const char *name, test_configuration_t configs[],
+					test_runner_init_t init)
+{
+	array_t *suites;
+	test_suite_t *suite;
+	enumerator_t *enumerator;
+	int passed = 0, result;
+
+	/* redirect all output to stderr (to redirect make's stdout to /dev/null) */
+	dup2(2, 1);
+
+	suites = load_suites(configs, init);
+	if (!suites)
+	{
+		return EXIT_FAILURE;
+	}
+
+	fprintf(stderr, "Running %u '%s' test suites:\n", array_count(suites), name);
+
+	enumerator = array_create_enumerator(suites);
+	while (enumerator->enumerate(enumerator, &suite))
+	{
+		if (run_suite(suite, init))
+		{
+			passed++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (passed == array_count(suites))
+	{
+		fprintf(stderr, "%sPassed all %u '%s' suites%s\n",
+				TTY(GREEN), array_count(suites), name, TTY(DEF));
+		result = EXIT_SUCCESS;
+	}
+	else
+	{
+		fprintf(stderr, "%sPassed %u of %u '%s' suites%s\n",
+				TTY(RED), passed, array_count(suites), name, TTY(DEF));
+		result = EXIT_FAILURE;
+	}
+
+	unload_suites(suites);
+
+	return result;
 }
diff --git a/src/libstrongswan/tests/test_runner.h b/src/libstrongswan/tests/test_runner.h
index 6315abba7..643b622e5 100644
--- a/src/libstrongswan/tests/test_runner.h
+++ b/src/libstrongswan/tests/test_runner.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,27 +13,65 @@
  * for more details.
  */
 
+/**
+ * @defgroup libtest libtest
+ *
+ * @defgroup test_utils test_utils
+ * @ingroup libtest
+ *
+ * @defgroup test_runner test_runner
+ * @{ @ingroup libtest
+ */
+
 #ifndef TEST_RUNNER_H_
 #define TEST_RUNNER_H_
 
-#include <check.h>
-
-Suite *bio_reader_suite_create();
-Suite *bio_writer_suite_create();
-Suite *chunk_suite_create();
-Suite *enum_suite_create();
-Suite *enumerator_suite_create();
-Suite *linked_list_suite_create();
-Suite *linked_list_enumerator_suite_create();
-Suite *hashtable_suite_create();
-Suite *array_suite_create();
-Suite *identification_suite_create();
-Suite *threading_suite_create();
-Suite *utils_suite_create();
-Suite *vectors_suite_create();
-Suite *ecdsa_suite_create();
-Suite *rsa_suite_create();
-Suite *host_suite_create();
-Suite *printf_suite_create();
-
-#endif /** TEST_RUNNER_H_ */
+#include "test_suite.h"
+
+#include <plugins/plugin_feature.h>
+
+typedef struct test_configuration_t test_configuration_t;
+
+/**
+ * Callback called before and after each test case to de-/initialize the
+ * environment (e.g. to load plugins).  It is also called before and after the
+ * test suites are loaded.
+ *
+ * It is called after libstrongswan has been initialized and likewise before it
+ * gets deinitialized.
+ *
+ * @param init			TRUE during initialization
+ * @return				FALSE if de-/init failed
+ */
+typedef bool (*test_runner_init_t)(bool init);
+
+/**
+ * Test configuration, suite constructor with plugin dependency
+ */
+struct test_configuration_t {
+
+	/**
+	 * Constructor function to create suite.
+	 */
+	test_suite_t *(*suite)();
+
+	/**
+	 * Plugin feature this test suite depends on
+	 */
+	plugin_feature_t feature;
+};
+
+/**
+ * Run test configuration.
+ *
+ * The configs array must be terminated with a NULL element.
+ *
+ * @param name			name of test runner
+ * @param config		test suite constructors with dependencies
+ * @param init_cb		init/deinit callback
+ * @return				test result, EXIT_SUCCESS if all tests passed
+ */
+int test_runner_run(const char *name, test_configuration_t config[],
+					test_runner_init_t init_cb);
+
+#endif /** TEST_RUNNER_H_ @}*/
diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c
new file mode 100644
index 000000000..0f2e74b7c
--- /dev/null
+++ b/src/libstrongswan/tests/test_suite.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <signal.h>
+#include <unistd.h>
+
+#include <pthread.h>
+
+/**
+ * Failure message buf
+ */
+static char failure_buf[512];
+
+/**
+ * Source file failure occurred
+ */
+static const char *failure_file;
+
+/**
+ * Line of source file failure occurred
+ */
+static int failure_line;
+
+/**
+ * Backtrace of failure, if any
+ */
+static backtrace_t *failure_backtrace;
+
+/**
+ * Longjump restore point when failing
+ */
+sigjmp_buf test_restore_point_env;
+
+/**
+ * See header.
+ */
+test_suite_t* test_suite_create(const char *name)
+{
+	test_suite_t *suite;
+
+	INIT(suite,
+		.name = name,
+		.tcases = array_create(0, 0),
+	);
+	return suite;
+}
+
+/**
+ * See header.
+ */
+test_case_t* test_case_create(const char *name)
+{
+	test_case_t *tcase;
+
+	INIT(tcase,
+		.name = name,
+		.functions = array_create(sizeof(test_function_t), 0),
+		.fixtures = array_create(sizeof(test_fixture_t), 0),
+		.timeout = TEST_FUNCTION_DEFAULT_TIMEOUT,
+	);
+	return tcase;
+}
+
+/**
+ * See header.
+ */
+void test_case_add_checked_fixture(test_case_t *tcase, test_fixture_cb_t setup,
+								   test_fixture_cb_t teardown)
+{
+	test_fixture_t fixture = {
+		.setup = setup,
+		.teardown = teardown,
+	};
+	array_insert(tcase->fixtures, -1, &fixture);
+}
+
+/**
+ * See header.
+ */
+void test_case_add_test_name(test_case_t *tcase, char *name,
+							 test_function_cb_t cb, int start, int end)
+{
+	test_function_t fun = {
+		.name = name,
+		.cb = cb,
+		.start = start,
+		.end = end,
+	};
+	array_insert(tcase->functions, -1, &fun);
+}
+
+/**
+ * See header.
+ */
+void test_case_set_timeout(test_case_t *tcase, int s)
+{
+	tcase->timeout = s;
+}
+
+/**
+ * See header.
+ */
+void test_suite_add_case(test_suite_t *suite, test_case_t *tcase)
+{
+	array_insert(suite->tcases, -1, tcase);
+}
+
+/**
+ * Main thread performing tests
+ */
+static pthread_t main_thread;
+
+/**
+ * Let test case fail
+ */
+static inline void test_failure()
+{
+	if (pthread_self() == main_thread)
+	{
+		siglongjmp(test_restore_point_env, 1);
+	}
+	else
+	{
+		pthread_kill(main_thread, SIGUSR1);
+		/* how can we stop just the thread? longjmp to a restore point? */
+	}
+}
+
+/**
+ * See header.
+ */
+void test_fail_vmsg(const char *file, int line, char *fmt, va_list args)
+{
+	vsnprintf(failure_buf, sizeof(failure_buf), fmt, args);
+	failure_line = line;
+	failure_file = file;
+
+	test_failure();
+}
+
+/**
+ * See header.
+ */
+void test_fail_msg(const char *file, int line, char *fmt, ...)
+{
+	va_list args;
+
+	va_start(args, fmt);
+	vsnprintf(failure_buf, sizeof(failure_buf), fmt, args);
+	failure_line = line;
+	failure_file = file;
+	va_end(args);
+
+	test_failure();
+}
+
+/**
+ * Signal handler catching critical and alarm signals
+ */
+static void test_sighandler(int signal)
+{
+	char *signame;
+	bool old = FALSE;
+
+	switch (signal)
+	{
+		case SIGUSR1:
+			/* a different thread failed, abort test */
+			return test_failure();
+		case SIGSEGV:
+			signame = "SIGSEGV";
+			break;
+		case SIGILL:
+			signame = "SIGILL";
+			break;
+		case SIGBUS:
+			signame = "SIGBUS";
+			break;
+		case SIGALRM:
+			signame = "timeout";
+			break;
+		default:
+			signame = "SIG";
+			break;
+	}
+	if (lib->leak_detective)
+	{
+		old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+	}
+	failure_backtrace = backtrace_create(3);
+	if (lib->leak_detective)
+	{
+		lib->leak_detective->set_state(lib->leak_detective, old);
+	}
+	test_fail_msg(NULL, 0, "%s(%d)", signame, signal);
+	/* unable to restore a valid context for that thread, terminate */
+	fprintf(stderr, "\n%s(%d) outside of main thread:\n", signame, signal);
+	failure_backtrace->log(failure_backtrace, stderr, TRUE);
+	fprintf(stderr, "terminating...\n");
+	abort();
+}
+
+/**
+ * See header.
+ */
+void test_setup_handler()
+{
+	struct sigaction action = {
+		.sa_handler = test_sighandler,
+	};
+
+	main_thread = pthread_self();
+
+	/* signal handler inherited by all threads */
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	/* ignore ALRM/USR1, these are catched by main thread only */
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGALRM, &action, NULL);
+	sigaction(SIGUSR1, &action, NULL);
+}
+
+/**
+ * See header.
+ */
+void test_setup_timeout(int s)
+{
+	struct sigaction action = {
+		.sa_handler = test_sighandler,
+	};
+
+	/* This called by main thread only. Setup handler for timeout and
+	 * failure cross-thread signaling. */
+	sigaction(SIGALRM, &action, NULL);
+	sigaction(SIGUSR1, &action, NULL);
+
+	alarm(s);
+}
+
+/**
+ * See header.
+ */
+int test_failure_get(char *msg, int len, const char **file)
+{
+	strncpy(msg, failure_buf, len - 1);
+	msg[len - 1] = 0;
+	*file = failure_file;
+	return failure_line;
+}
+
+/**
+ * See header.
+ */
+backtrace_t *test_failure_backtrace()
+{
+	backtrace_t *bt;
+
+	bt = failure_backtrace;
+	failure_backtrace = NULL;
+
+	return bt;
+}
diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h
index 2a2861323..c44f149f5 100644
--- a/src/libstrongswan/tests/test_suite.h
+++ b/src/libstrongswan/tests/test_suite.h
@@ -1,6 +1,8 @@
 /*
  * Copyright (C) 2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,98 +15,318 @@
  * for more details.
  */
 
-#ifndef TEST_UTILS_H_
-#define TEST_UTILS_H_
+/**
+ * @defgroup test_suite test_suite
+ * @{ @ingroup libtest
+ */
+
+#ifndef TEST_SUITE_H_
+#define TEST_SUITE_H_
+
+#define _GNU_SOURCE
+#include <setjmp.h>
 
-#include <check.h>
 #include <library.h>
 #include <utils/debug.h>
+#include <utils/backtrace.h>
+#include <collections/array.h>
+
+typedef struct test_suite_t test_suite_t;
+typedef struct test_case_t test_case_t;
+typedef struct test_function_t test_function_t;
+typedef struct test_fixture_t test_fixture_t;
 
 /**
- * Used to mark test cases that use test fixtures.
+ * Default timeout for a single test function
  */
-#define UNIT_TEST_FIXTURE_USED "UNIT_TEST_FIXTURE_USED"
+#define TEST_FUNCTION_DEFAULT_TIMEOUT 2
 
 /**
- * Check for memory leaks and fail if any are encountered.
+ * Test function implementation
  */
-#define CHECK_FOR_LEAKS() do \
-{ \
-	if (lib->leak_detective) \
-	{ \
-		if (lib->leak_detective->leaks(lib->leak_detective)) { \
-			lib->leak_detective->report(lib->leak_detective, TRUE); \
-		} \
-		ck_assert_int_eq(lib->leak_detective->leaks(lib->leak_detective), 0); \
-	} \
-} \
-while(0)
+typedef void (*test_function_cb_t)(int);
+
+/**
+ * Fixture for a test case.
+ */
+typedef void (*test_fixture_cb_t)(void);
+
+/**
+ * A test suite; a collection of test cases with fixtures
+ */
+struct test_suite_t {
+	/** name of the test suite */
+	const char *name;
+	/** test cases registered, as test_case_t* */
+	array_t *tcases;
+};
 
 /**
- * Extended versions of the START|END_TEST macros that use leak detective.
+ * A test case; multiple test functions using the same fixtures
+ */
+struct test_case_t {
+	/** name of the test case */
+	const char *name;
+	/** tests registered, as test_function_t */
+	array_t *functions;
+	/** fixture for tests, as test_fixture_t */
+	array_t *fixtures;
+	/** timeout for each function, in s */
+	int timeout;
+};
+
+/**
+ * A test function, with optional loop setup
+ */
+struct test_function_t {
+	/** name of test function */
+	char *name;
+	/** tests function registered, test_function_t* */
+	test_function_cb_t cb;
+	/** start for loop test */
+	int start;
+	/** end for loop test */
+	int end;
+};
+
+/**
+ * Registered fixture for a test case
+ */
+struct test_fixture_t {
+	test_fixture_cb_t setup;
+	test_fixture_cb_t teardown;
+};
+
+/**
+ * Create a new test suite
  *
- * Since each test case runs in its own fork of the test runner the stuff
- * allocated before the test starts is not freed, so leak detective is disabled
- * by default to prevent false positives.  By enabling it right when the test
- * starts we at least capture leaks created by the tested objects/functions and
- * the test case itself.  This allows writing test cases for cleanup functions.
+ * @param name		name of the test suite
+ * @return			test suite
+ */
+test_suite_t* test_suite_create(const char *name);
+
+/**
+ * Create a new test case
  *
- * To define test fixture with possibly allocated/destroyed memory that is
- * allocated/freed in a test case use the START|END_SETUP|TEARDOWN macros.
+ * @param name		name of test case
+ * @return			test case
  */
-#undef START_TEST
-#define START_TEST(name) \
-static void name (int _i CK_ATTRIBUTE_UNUSED) \
-{ \
-	tcase_fn_start(""#name, __FILE__, __LINE__); \
-	dbg_default_set_level(LEVEL_SILENT); \
-	if (lib->leak_detective) \
-	{ \
-		lib->leak_detective->set_state(lib->leak_detective, TRUE); \
-	}
+test_case_t* test_case_create(const char *name);
 
-#undef END_TEST
-#define END_TEST \
-	if (!lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
-	{ \
-		CHECK_FOR_LEAKS(); \
-	} \
-}
+/**
+ * Add a setup/teardown function to the test case
+ *
+ * @param tcase		test case to add a fixture to
+ * @param setup		setup function called before each test
+ * @param teardown	cleanup function called after each test
+ */
+void test_case_add_checked_fixture(test_case_t *tcase, test_fixture_cb_t setup,
+								   test_fixture_cb_t teardown);
+
+/**
+ * Add a test function to a test case, with a name, looped several times
+ *
+ * @param name		name of the test case
+ * @param tcase		test case to add test function to
+ * @param cb		callback function to invoke for test
+ * @param start		start of loop counter
+ * @param end		end of loop counter
+ */
+void test_case_add_test_name(test_case_t *tcase, char *name,
+							 test_function_cb_t cb, int start, int end);
+
+/**
+ * Add a test function to a test case
+ *
+ * @param tcase		test case to add test function to
+ * @param cb		callback function to invoke for test
+ */
+#define test_case_add_test(tcase, cb) \
+	test_case_add_test_name(tcase, #cb, cb, 0, 1)
+
+/**
+ * Add a test function to a test case, looped several times
+ *
+ * @param tcase		test case to add test function to
+ * @param cb		callback function to invoke for test
+ * @param start		start of loop counter
+ * @param end		end of loop counter
+ */
+#define test_case_add_loop_test(tcase, cb, start, end) \
+	test_case_add_test_name(tcase, #cb, cb, start, end)
+
+/**
+ * Set a custom timeout for test functions in a test case
+ *
+ * @param tcase		test case to set timeout for
+ * @param s			test timeout in s
+ */
+void test_case_set_timeout(test_case_t *tcase, int s);
+
+/**
+ * Add a test function to a test case, looped several times
+ *
+ * @param suite		test suite to add test case to
+ * @param tcase		test case to add
+ */
+void test_suite_add_case(test_suite_t *suite, test_case_t *tcase);
 
 /**
- * Define a function to setup a test fixture that can be used with the above
- * macros.
+ * sigjmp restore point used by test_restore_point
+ */
+extern sigjmp_buf test_restore_point_env;
+
+/**
+ * Set or return from an execution restore point
+ *
+ * This call sets a restore execution point and returns TRUE after it has
+ * been set up. On test failure, the execution is returned to the restore point
+ * and FALSE is returned to indicate test failure.
+ *
+ * @return			TRUE if restore point set, FALSE when restored
  */
-#define START_SETUP(name) \
-static void name() \
-{ \
-	lib->set(lib, UNIT_TEST_FIXTURE_USED, (void*)TRUE); \
-	if (lib->leak_detective) \
+#define test_restore_point() (sigsetjmp(test_restore_point_env, 1) == 0)
+
+/**
+ * Set up signal handlers for test cases
+ */
+void test_setup_handler();
+
+/**
+ * Set up a timeout to let a test fail
+ *
+ * @param s			timeout, 0 to disable timeout
+ */
+void test_setup_timeout(int s);
+
+/**
+ * Get info about a test failure
+ *
+ * @param msg		buffer receiving failure info
+ * @param len		size of msg buffer
+ * @param file		pointer receiving source code file
+ * @return			source code line number
+ */
+int test_failure_get(char *msg, int len, const char **file);
+
+/**
+ * Get a backtrace for a failure.
+ *
+ * @return			allocated backtrace of test failure, if any
+ */
+backtrace_t *test_failure_backtrace();
+
+/**
+ * Let a test fail and set a message using vprintf style arguments.
+ *
+ * @param file		source code file name
+ * @param line		source code line number
+ * @param fmt		printf format string
+ * @param args		argument list for fmt
+ */
+void test_fail_vmsg(const char *file, int line, char *fmt, va_list args);
+
+/**
+ * Let a test fail and set a message using printf style arguments.
+ *
+ * @param file		source code file name
+ * @param line		source code line number
+ * @param fmt		printf format string
+ * @param ...		arguments for fmt
+ */
+void test_fail_msg(const char *file, int line, char *fmt, ...);
+
+/**
+ * Check if two integers equal, fail test if not
+ *
+ * @param a			first integer
+ * @param b			second integer
+ */
+#define test_int_eq(a, b) \
+({ \
+	typeof(a) _a = a; \
+	typeof(b) _b = b; \
+	if (_a != _b) \
 	{ \
-		lib->leak_detective->set_state(lib->leak_detective, TRUE); \
-	}
+		test_fail_msg(__FILE__, __LINE__, #a " != " #b " (%d != %d)", _a, _b); \
+	} \
+})
 
 /**
- * End a setup function
+ * Check if two strings equal, fail test if not
+ *
+ * @param a			first string
+ * @param b			second string
  */
-#define END_SETUP }
+#define test_str_eq(a, b) \
+({ \
+	char* _a = (char*)a; \
+	char* _b = (char*)b; \
+	if (!_a || !_b || !streq(_a, _b)) \
+	{ \
+		test_fail_msg(__FILE__, __LINE__, \
+					  #a " != " #b " (\"%s\" != \"%s\")", _a, _b); \
+	} \
+})
 
 /**
- * Define a function to teardown a test fixture that can be used with the above
- * macros.
+ * Check if a statement evaluates to TRUE, fail test if not
+ *
+ * @param x			statement to evaluate
  */
-#define START_TEARDOWN(name) \
-static void name() \
-{
+#define test_assert(x) \
+({ \
+	if (!(x)) \
+	{ \
+		test_fail_msg(__FILE__, __LINE__, #x); \
+	} \
+})
 
 /**
- * End a teardown function
+ * Check if a statement evaluates to TRUE, fail and print a message if not
+ *
+ * @param x			statement to evaluate
+ * @param fmt		message format string
+ * @param ...		fmt printf arguments
  */
-#define END_TEARDOWN \
-	if (lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
+#define test_assert_msg(x, fmt, ...) \
+({ \
+	if (!(x)) \
 	{ \
-		CHECK_FOR_LEAKS(); \
+		test_fail_msg(__FILE__, __LINE__, #x ": " fmt, ##__VA_ARGS__); \
 	} \
-}
+})
+
+
+
+/* "check unit testing" compatibility */
+#define Suite test_suite_t
+#define TCase test_case_t
+#define ck_assert_int_eq test_int_eq
+#define ck_assert test_assert
+#define ck_assert_msg test_assert_msg
+#define ck_assert_str_eq test_str_eq
+#define fail(fmt, ...) test_fail_msg(__FILE__, __LINE__, fmt, ##__VA_ARGS__)
+#define fail_if(x, fmt, ...) \
+({ \
+	if (x) \
+	{ \
+		test_fail_msg(__FILE__, __LINE__, #x ": " fmt, ##__VA_ARGS__); \
+	} \
+})
+#define fail_unless test_assert_msg
+#define suite_create test_suite_create
+#define tcase_create test_case_create
+#define tcase_add_checked_fixture test_case_add_checked_fixture
+#define tcase_add_test test_case_add_test
+#define tcase_add_loop_test test_case_add_loop_test
+#define tcase_set_timeout test_case_set_timeout
+#define suite_add_tcase test_suite_add_case
+#define START_TEST(name) static void name (int _i) {
+#define END_TEST }
+#define START_SETUP(name) static void name() {
+#define END_SETUP }
+#define START_TEARDOWN(name) static void name() {
+#define END_TEARDOWN }
 
-#endif /** TEST_UTILS_H_ */
+#endif /** TEST_SUITE_H_ @}*/
diff --git a/src/libstrongswan/tests/test_threading.c b/src/libstrongswan/tests/test_threading.c
deleted file mode 100644
index 0c768b3e2..000000000
--- a/src/libstrongswan/tests/test_threading.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2013 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sched.h>
-#include <pthread.h>
-
-#include "test_suite.h"
-
-#include <threading/mutex.h>
-
-/*******************************************************************************
- * recursive mutex test
- */
-
-#define THREADS 20
-
-static mutex_t *mutex;
-
-static pthread_barrier_t mutex_barrier;
-
-static int mutex_locked = 0;
-
-static void *mutex_run(void *data)
-{
-	int i;
-
-	/* wait for all threads before getting in action */
-	pthread_barrier_wait(&mutex_barrier);
-
-	for (i = 0; i < 100; i++)
-	{
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		mutex_locked++;
-		sched_yield();
-		if (mutex_locked > 1)
-		{
-			fail("two threads locked the mutex concurrently");
-		}
-		mutex_locked--;
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-	}
-	return NULL;
-}
-
-START_TEST(test_mutex)
-{
-	pthread_t threads[THREADS];
-	int i;
-
-	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-		mutex->unlock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->unlock(mutex);
-	}
-
-	pthread_barrier_init(&mutex_barrier, NULL, THREADS);
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_create(&threads[i], NULL, mutex_run, NULL);
-	}
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_join(threads[i], NULL);
-	}
-	pthread_barrier_destroy(&mutex_barrier);
-
-	mutex->destroy(mutex);
-}
-END_TEST
-
-Suite *threading_suite_create()
-{
-	Suite *s;
-	TCase *tc;
-
-	s = suite_create("threading");
-
-	tc = tcase_create("recursive mutex");
-	tcase_add_test(tc, test_mutex);
-	suite_add_tcase(s, tc);
-
-	return s;
-}
diff --git a/src/libstrongswan/tests/tests.c b/src/libstrongswan/tests/tests.c
new file mode 100644
index 000000000..9f2adfd15
--- /dev/null
+++ b/src/libstrongswan/tests/tests.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+	{ .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+		if (!lib->plugins->load(lib->plugins, PLUGINS))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		lib->plugins->unload(lib->plugins);
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("libstrongswan", tests, test_runner_init);
+}
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
new file mode 100644
index 000000000..82a5137c1
--- /dev/null
+++ b/src/libstrongswan/tests/tests.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(bio_reader_suite_create)
+TEST_SUITE(bio_writer_suite_create)
+TEST_SUITE(chunk_suite_create)
+TEST_SUITE(enum_suite_create)
+TEST_SUITE(enumerator_suite_create)
+TEST_SUITE(linked_list_suite_create)
+TEST_SUITE(linked_list_enumerator_suite_create)
+TEST_SUITE(hashtable_suite_create)
+TEST_SUITE(array_suite_create)
+TEST_SUITE(identification_suite_create)
+TEST_SUITE(threading_suite_create)
+TEST_SUITE(watcher_suite_create)
+TEST_SUITE(stream_suite_create)
+TEST_SUITE(utils_suite_create)
+TEST_SUITE(settings_suite_create)
+TEST_SUITE(vectors_suite_create)
+TEST_SUITE_DEPEND(ecdsa_suite_create, PRIVKEY_GEN, KEY_ECDSA)
+TEST_SUITE_DEPEND(rsa_suite_create, PRIVKEY_GEN, KEY_RSA)
+TEST_SUITE(host_suite_create)
+TEST_SUITE(printf_suite_create)
+TEST_SUITE(hasher_suite_create)
+TEST_SUITE(crypter_suite_create)
+TEST_SUITE(pen_suite_create)
+TEST_SUITE(asn1_suite_create)
+TEST_SUITE(asn1_parser_suite_create)
+TEST_SUITE(test_rng_suite_create)
+TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
+TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
diff --git a/src/libstrongswan/tests/utils/test_rng.c b/src/libstrongswan/tests/utils/test_rng.c
new file mode 100644
index 000000000..01569509b
--- /dev/null
+++ b/src/libstrongswan/tests/utils/test_rng.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_rng.h"
+
+typedef struct private_rng_t private_rng_t;
+
+/**
+ * Private data.
+ */
+struct private_rng_t {
+
+	/**
+	 * Public interface.
+	 */
+	rng_t public;
+
+	/**
+	 * Entropy string.
+	 */
+	chunk_t entropy;
+};
+
+METHOD(rng_t, get_bytes, bool,
+	private_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+	if (bytes > this->entropy.len)
+	{
+		return FALSE;
+	}
+	memcpy(buffer, this->entropy.ptr, bytes);
+	this->entropy = chunk_skip(this->entropy, bytes);
+	return TRUE;
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+	private_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+	if (bytes > this->entropy.len)
+	{
+		*chunk = chunk_empty;
+		return FALSE;
+	}
+
+	*chunk = chunk_alloc(bytes);
+	memcpy(chunk->ptr, this->entropy.ptr, bytes);
+	this->entropy = chunk_skip(this->entropy, bytes);
+	return TRUE;
+}
+
+METHOD(rng_t, destroy, void,
+	private_rng_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+rng_t *test_rng_create(chunk_t entropy)
+{
+	private_rng_t *this;
+
+	INIT(this,
+		.public = {
+			.get_bytes = _get_bytes,
+			.allocate_bytes = _allocate_bytes,
+			.destroy = _destroy,
+		},
+		.entropy = entropy,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/tests/utils/test_rng.h b/src/libstrongswan/tests/utils/test_rng.h
new file mode 100644
index 000000000..e588f3be7
--- /dev/null
+++ b/src/libstrongswan/tests/utils/test_rng.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * rng_t providing NIST SP 800-90A entropy test vectors
+ *
+ * @defgroup test_rng test_rng
+ * @{ @ingroup test_utils
+ */
+
+#ifndef TEST_RNG_H_
+#define TEST_RNG_H_
+
+#include <library.h>
+
+/**
+ * Creates a test_rng_t instance.
+ *
+ * @param entropy	entropy test vector
+ * @return			created test_rng_t
+ */
+rng_t *test_rng_create(chunk_t entropy);
+
+#endif /** TEST_RNG_H_ @} */
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index 31b9e1b3a..8d3c30e9b 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -71,7 +71,6 @@ typedef void *(*thread_main_t)(void *arg);
  */
 typedef void (*thread_cleanup_t)(void *arg);
 
-
 /**
  * Thread wrapper implements simple, portable and advanced thread functions.
  *
@@ -110,10 +109,8 @@ struct thread_t {
 	 *					a call to exit.
 	 */
 	void *(*join)(thread_t *this);
-
 };
 
-
 /**
  * Create a new thread instance.
  *
@@ -168,6 +165,10 @@ bool thread_cancelability(bool enable);
 
 /**
  * Force creation of a cancellation point in the calling thread.
+ *
+ * This temporarily enables thread cancelability, tests for a pending
+ * cancellation request and then disables cancelability again if it was
+ * disabled before the call to thread_cancellation_point().
  */
 void thread_cancellation_point();
 
@@ -188,6 +189,4 @@ void threads_init();
  */
 void threads_deinit();
 
-
 #endif /** THREADING_THREAD_H_ @} */
-
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index fb2c4d1e8..f1584620b 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -314,7 +314,7 @@ static void print_sourceline(FILE *file, char *filename, void *ptr, void *base)
 	bool old = FALSE;
 
 	bfd_mutex->lock(bfd_mutex);
-	if (lib->leak_detective)
+	if (lib && lib->leak_detective)
 	{
 		old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
 	}
@@ -324,7 +324,7 @@ static void print_sourceline(FILE *file, char *filename, void *ptr, void *base)
 		data.entry = entry;
 		bfd_map_over_sections(entry->abfd, (void*)find_addr, &data);
 	}
-	if (lib->leak_detective)
+	if (lib && lib->leak_detective)
 	{
 		lib->leak_detective->set_state(lib->leak_detective, old);
 	}
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index 416f58898..16e84c4d9 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -21,12 +21,12 @@
 #ifndef BACKTRACE_H_
 #define BACKTRACE_H_
 
+typedef struct backtrace_t backtrace_t;
+
 #include <stdio.h>
 
 #include <library.h>
 
-typedef struct backtrace_t backtrace_t;
-
 /**
  * A backtrace registers the frames on the stack during creation.
  */
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index fe11a4dfc..20c18554b 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
 #ifndef CAP_NET_RAW
 # define CAP_NET_RAW 13
 #endif
+#ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE 1
+#endif
 
 /**
  * POSIX capability dropping abstraction layer.
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 644b8060f..47181719a 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -18,6 +18,9 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#ifdef HAVE_MMAP
+# include <sys/mman.h>
+#endif
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
@@ -25,7 +28,6 @@
 #include <ctype.h>
 
 #include "chunk.h"
-#include "debug.h"
 
 /**
  * Empty chunk.
@@ -206,15 +208,16 @@ void chunk_split(chunk_t chunk, const char *mode, ...)
 /**
  * Described in header.
  */
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
+bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force)
 {
 	mode_t oldmask;
 	FILE *fd;
 	bool good = FALSE;
+	int tmp = 0;
 
 	if (!force && access(path, F_OK) == 0)
 	{
-		DBG1(DBG_LIB, "  %s file '%s' already exists", label, path);
+		errno = EEXIST;
 		return FALSE;
 	}
 	oldmask = umask(mask);
@@ -223,58 +226,206 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
 	{
 		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
 		{
-			DBG1(DBG_LIB, "  written %s file '%s' (%d bytes)",
-				 label, path, chunk.len);
 			good = TRUE;
 		}
 		else
 		{
-			DBG1(DBG_LIB, "  writing %s file '%s' failed: %s",
-				 label, path, strerror(errno));
+			tmp = errno;
 		}
 		fclose(fd);
 	}
 	else
 	{
-		DBG1(DBG_LIB, "  could not open %s file '%s': %s", label, path,
-			 strerror(errno));
+		tmp = errno;
 	}
 	umask(oldmask);
+	errno = tmp;
 	return good;
 }
 
 /**
  * Described in header.
  */
-chunk_t chunk_from_fd(int fd)
+bool chunk_from_fd(int fd, chunk_t *out)
 {
-	char buf[8096];
-	char *pos = buf;
-	ssize_t len, total = 0;
+	struct stat sb;
+	char *buf, *tmp;
+	ssize_t len, total = 0, bufsize;
+
+	if (fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode))
+	{
+		bufsize = sb.st_size;
+	}
+	else
+	{
+		bufsize = 256;
+	}
+	buf = malloc(bufsize);
+	if (!buf)
+	{	/* for huge files */
+		return FALSE;
+	}
 
 	while (TRUE)
 	{
-		len = read(fd, pos, buf + sizeof(buf) - pos);
+		len = read(fd, buf + total, bufsize - total);
 		if (len < 0)
 		{
-			DBG1(DBG_LIB, "reading from file descriptor failed: %s",
-				 strerror(errno));
-			return chunk_empty;
+			free(buf);
+			return FALSE;
 		}
 		if (len == 0)
 		{
 			break;
 		}
 		total += len;
-		if (total == sizeof(buf))
+		if (total == bufsize)
+		{
+			bufsize *= 2;
+			tmp = realloc(buf, bufsize);
+			if (!tmp)
+			{
+				free(buf);
+				return FALSE;
+			}
+			buf = tmp;
+		}
+	}
+	if (total == 0)
+	{
+		free(buf);
+		buf = NULL;
+	}
+	else if (total < bufsize)
+	{
+		buf = realloc(buf, total);
+	}
+	*out = chunk_create(buf, total);
+	return TRUE;
+}
+
+/**
+ * Implementation for mmap()ed chunks
+ */
+typedef struct {
+	/* public chunk interface */
+	chunk_t public;
+	/* FD of open file */
+	int fd;
+	/* mmap() address */
+	void *map;
+	/* size of map */
+	size_t len;
+	/* do we write? */
+	bool wr;
+} mmaped_chunk_t;
+
+/**
+ * See header.
+ */
+chunk_t *chunk_map(char *path, bool wr)
+{
+	mmaped_chunk_t *chunk;
+	struct stat sb;
+	int tmp;
+
+	INIT(chunk,
+		.fd = open(path, wr ? O_RDWR : O_RDONLY),
+		.wr = wr,
+	);
+
+	if (chunk->fd == -1)
+	{
+		free(chunk);
+		return NULL;
+	}
+	if (fstat(chunk->fd, &sb) == -1)
+	{
+		tmp = errno;
+		chunk_unmap(&chunk->public);
+		errno = tmp;
+		return NULL;
+	}
+#ifdef HAVE_MMAP
+	chunk->len = sb.st_size;
+	/* map non-empty files only, as mmap() complains otherwise */
+	if (chunk->len)
+	{
+		/* in read-only mode, we allow writes, but don't sync to disk */
+		chunk->map = mmap(NULL, chunk->len, PROT_READ | PROT_WRITE,
+						  wr ? MAP_SHARED : MAP_PRIVATE, chunk->fd, 0);
+		if (chunk->map == MAP_FAILED)
 		{
-			DBG1(DBG_LIB, "buffer too small to read from file descriptor");
-			return chunk_empty;
+			tmp = errno;
+			chunk_unmap(&chunk->public);
+			errno = tmp;
+			return NULL;
 		}
 	}
-	return chunk_clone(chunk_create(buf, total));
+	chunk->public = chunk_create(chunk->map, chunk->len);
+#else /* !HAVE_MMAP */
+	if (!chunk_from_fd(chunk->fd, &chunk->public))
+	{
+		tmp = errno;
+		chunk_unmap(&chunk->public);
+		errno = tmp;
+		return NULL;
+	}
+	chunk->map = chunk->public.ptr;
+	chunk->len = chunk->public.len;
+#endif /* !HAVE_MMAP */
+	return &chunk->public;
 }
 
+/**
+ * See header.
+ */
+bool chunk_unmap(chunk_t *public)
+{
+	mmaped_chunk_t *chunk;
+	bool ret = FALSE;
+	int tmp = 0;
+
+	chunk = (mmaped_chunk_t*)public;
+#ifdef HAVE_MMAP
+	if (chunk->map && chunk->map != MAP_FAILED)
+	{
+		ret = munmap(chunk->map, chunk->len) == 0;
+		tmp = errno;
+	}
+#else /* !HAVE_MMAP */
+	if (chunk->wr)
+	{
+		if (lseek(chunk->fd, 0, SEEK_SET) != -1)
+		{
+			int len, total = 0;
+
+			ret = TRUE;
+			while (total < chunk->len)
+			{
+				len = write(chunk->fd, chunk->map + total, chunk->len - total);
+				if (len <= 0)
+				{
+					ret = FALSE;
+					break;
+				}
+				total += len;
+			}
+		}
+		tmp = errno;
+	}
+	else
+	{
+		ret = TRUE;
+	}
+	free(chunk->map);
+#endif /* !HAVE_MMAP */
+	close(chunk->fd);
+	free(chunk);
+	errno = tmp;
+
+	return ret;
+}
 
 /** hex conversion digits */
 static char hexdig_upper[] = "0123456789ABCDEF";
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index d3751da70..33f66caec 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -90,22 +90,52 @@ void chunk_split(chunk_t chunk, const char *mode, ...);
 /**
  * Write the binary contents of a chunk_t to a file
  *
+ * If the write fails, errno is set appropriately.
+ *
  * @param chunk			contents to write to file
  * @param path			path where file is written to
- * @param label			label specifying file type
  * @param mask			file mode creation mask
  * @param force			overwrite existing file by force
  * @return				TRUE if write operation was successful
  */
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force);
+bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force);
 
 /**
  * Store data read from FD into a chunk
  *
+ * On error, errno is set appropriately.
+ *
  * @param fd			file descriptor to read from
- * @return				chunk or chunk_empty on failure
+ * @param chunk			chunk receiving allocated buffer
+ * @return				TRUE if successful, FALSE on failure
+ */
+bool chunk_from_fd(int fd, chunk_t *chunk);
+
+/**
+ * mmap() a file to a chunk
+ *
+ * The returned chunk structure is allocated from heap, but it must be freed
+ * through chunk_unmap(). A user may alter the chunk ptr or len, but must pass
+ * the chunk pointer returned from chunk_map() to chunk_unmap() after use.
+ *
+ * On error, errno is set appropriately.
+ *
+ * @param path			path of file to map
+ * @param wr			TRUE to sync writes to disk
+ * @return				mapped chunk, NULL on error
+ */
+chunk_t *chunk_map(char *path, bool wr);
+
+/**
+ * munmap() a chunk previously mapped with chunk_map()
+ *
+ * When unmapping a writeable map, the return value should be checked to
+ * ensure changes landed on disk.
+ *
+ * @param chunk			pointer returned from chunk_map()
+ * @return				TRUE of changes written back to file
  */
-chunk_t chunk_from_fd(int fd);
+bool chunk_unmap(chunk_t *chunk);
 
 /**
  * Convert a chunk of data to hex encoding.
@@ -191,17 +221,17 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Initialize a chunk using a char array
  */
-#define chunk_from_chars(...) ((chunk_t){(char[]){__VA_ARGS__}, sizeof((char[]){__VA_ARGS__})})
+#define chunk_from_chars(...) ((chunk_t){(u_char[]){__VA_ARGS__}, sizeof((u_char[]){__VA_ARGS__})})
 
 /**
  * Initialize a chunk to point to a thing
  */
-#define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
+#define chunk_from_thing(thing) chunk_create((u_char*)&(thing), sizeof(thing))
 
 /**
  * Initialize a chunk from a string, not containing 0-terminator
  */
-#define chunk_from_str(str) ({char *x = (str); chunk_create(x, strlen(x));})
+#define chunk_from_str(str) ({char *x = (str); chunk_create((u_char*)x, strlen(x));})
 
 /**
  * Allocate a chunk on the heap
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 9c43ad570..e7eb63bc6 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -332,8 +332,13 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 		buf += written;
 		len -= written;
 
+		written = 0;
 		chunk_printable(data, &printable, '?');
-		written = snprintf(buf, len, "%.*s", (int)printable.len, printable.ptr);
+		if (printable.ptr)
+		{
+			written = snprintf(buf, len, "%.*s", (int)printable.len,
+							   printable.ptr);
+		}
 		chunk_free(&printable);
 		if (written < 0 || written >= len)
 		{
diff --git a/src/libstrongswan/utils/integrity_checker.c b/src/libstrongswan/utils/integrity_checker.c
index d59a76232..b66df02e7 100644
--- a/src/libstrongswan/utils/integrity_checker.c
+++ b/src/libstrongswan/utils/integrity_checker.c
@@ -22,7 +22,6 @@
 #include <fcntl.h>
 #include <errno.h>
 #include <unistd.h>
-#include <sys/mman.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
@@ -61,40 +60,17 @@ METHOD(integrity_checker_t, build_file, u_int32_t,
 	private_integrity_checker_t *this, char *file, size_t *len)
 {
 	u_int32_t checksum;
-	chunk_t contents;
-	struct stat sb;
-	void *addr;
-	int fd;
+	chunk_t *contents;
 
-	fd = open(file, O_RDONLY);
-	if (fd == -1)
+	contents = chunk_map(file, FALSE);
+	if (!contents)
 	{
 		DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
 		return 0;
 	}
-
-	if (fstat(fd, &sb) == -1)
-	{
-		DBG1(DBG_LIB, "  getting file size of '%s' failed: %s", file,
-			 strerror(errno));
-		close(fd);
-		return 0;
-	}
-
-	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));
-		close(fd);
-		return 0;
-	}
-
-	*len = sb.st_size;
-	contents = chunk_create(addr, sb.st_size);
-	checksum = chunk_hash_static(contents);
-
-	munmap(addr, sb.st_size);
-	close(fd);
+	*len = contents->len;
+	checksum = chunk_hash_static(*contents);
+	chunk_unmap(contents);
 
 	return checksum;
 }
@@ -318,4 +294,3 @@ integrity_checker_t *integrity_checker_create(char *checksum_library)
 	}
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 725e04f7c..82eadcb97 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -59,6 +59,21 @@ struct private_leak_detective_t {
 	 * public functions
 	 */
 	leak_detective_t public;
+
+	/**
+	 * Registered report() function
+	 */
+	leak_detective_report_cb_t report_cb;
+
+	/**
+	 * Registered report() summary function
+	 */
+	leak_detective_summary_cb_t report_scb;
+
+	/**
+	 * Registered user data for callbacks
+	 */
+	void *report_data;
 };
 
 /**
@@ -318,9 +333,16 @@ HOOK(size_t, size, const void *ptr)
  */
 static bool register_hooks()
 {
+	static bool once = FALSE;
 	malloc_zone_t *zone;
 	void *page;
 
+	if (once)
+	{
+		return TRUE;
+	}
+	once = TRUE;
+
 	zone = malloc_default_zone();
 	if (zone->version != MALLOC_ZONE_VERSION)
 	{
@@ -461,7 +483,7 @@ static void* real_realloc(void *ptr, size_t size)
 static bool register_hooks()
 {
 	void *buf = real_malloc(8);
-	real_realloc(buf, 16);
+	buf = real_realloc(buf, 16);
 	real_free(buf);
 	return TRUE;
 }
@@ -477,7 +499,7 @@ static bool register_hooks()
 char *whitelist[] = {
 	/* backtraces, including own */
 	"backtrace_create",
-	"safe_strerror",
+	"strerror_safe",
 	/* pthread stuff */
 	"pthread_create",
 	"pthread_setspecific",
@@ -565,7 +587,12 @@ char *whitelist[] = {
  */
 static void init_static_allocations()
 {
+	struct tm tm;
+	time_t t = 0;
+
 	tzset();
+	gmtime_r(&t, &tm);
+	localtime_r(&t, &tm);
 }
 
 /**
@@ -599,7 +626,8 @@ static bool equals(backtrace_t *a, backtrace_t *b)
  * Summarize and print backtraces
  */
 static int print_traces(private_leak_detective_t *this,
-						FILE *out, int thresh, int thresh_count,
+						leak_detective_report_cb_t cb, void *user,
+						int thresh, int thresh_count,
 						bool detailed, int *whitelisted, size_t *sum)
 {
 	int leaks = 0;
@@ -652,16 +680,20 @@ static int print_traces(private_leak_detective_t *this,
 		leaks++;
 	}
 	lock->unlock(lock);
+
 	enumerator = entries->create_enumerator(entries);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		if (out &&
-			(!thresh || entry->bytes >= thresh) &&
-			(!thresh_count || entry->count >= thresh_count))
+		if (cb)
 		{
-			fprintf(out, "%d bytes total, %d allocations, %d bytes average:\n",
-					entry->bytes, entry->count, entry->bytes / entry->count);
-			entry->backtrace->log(entry->backtrace, out, detailed);
+			if (!thresh || entry->bytes >= thresh)
+			{
+				if (!thresh_count || entry->count >= thresh_count)
+				{
+					this->report_cb(this->report_data, entry->count,
+									entry->bytes, entry->backtrace, detailed);
+				}
+			}
 		}
 		entry->backtrace->destroy(entry->backtrace);
 		free(entry);
@@ -681,38 +713,30 @@ METHOD(leak_detective_t, report, void,
 		int leaks, whitelisted = 0;
 		size_t sum = 0;
 
-		leaks = print_traces(this, stderr, 0, 0, detailed, &whitelisted, &sum);
-		switch (leaks)
+		leaks = print_traces(this, this->report_cb, this->report_data,
+							 0, 0, detailed, &whitelisted, &sum);
+		if (this->report_scb)
 		{
-			case 0:
-				fprintf(stderr, "No leaks detected");
-				break;
-			case 1:
-				fprintf(stderr, "One leak detected");
-				break;
-			default:
-				fprintf(stderr, "%d leaks detected, %zu bytes", leaks, sum);
-				break;
+			this->report_scb(this->report_data, leaks, sum, whitelisted);
 		}
-		fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
-	}
-	else
-	{
-		fprintf(stderr, "Leak detective disabled\n");
 	}
 }
 
+METHOD(leak_detective_t, set_report_cb, void,
+	private_leak_detective_t *this, leak_detective_report_cb_t cb,
+	leak_detective_summary_cb_t scb, void *user)
+{
+	this->report_cb = cb;
+	this->report_scb = scb;
+	this->report_data = user;
+}
+
 METHOD(leak_detective_t, leaks, int,
 	private_leak_detective_t *this)
 {
-	if (lib->leak_detective)
-	{
-		int leaks, whitelisted = 0;
+	int whitelisted = 0;
 
-		leaks = print_traces(this, NULL, 0, 0, FALSE, &whitelisted, NULL);
-		return leaks;
-	}
-	return 0;
+	return print_traces(this, NULL, NULL, 0, 0, FALSE, &whitelisted, NULL);
 }
 
 METHOD(leak_detective_t, set_state, bool,
@@ -722,22 +746,26 @@ METHOD(leak_detective_t, set_state, bool,
 }
 
 METHOD(leak_detective_t, usage, void,
-	private_leak_detective_t *this, FILE *out)
+	private_leak_detective_t *this, leak_detective_report_cb_t cb,
+	leak_detective_summary_cb_t scb, void *user)
 {
 	bool detailed;
-	int thresh, thresh_count;
+	int thresh, thresh_count, leaks, whitelisted = 0;
 	size_t sum = 0;
 
 	thresh = lib->settings->get_int(lib->settings,
-					"libstrongswan.leak_detective.usage_threshold", 10240);
+						"%s.leak_detective.usage_threshold", 10240, lib->ns);
 	thresh_count = lib->settings->get_int(lib->settings,
-					"libstrongswan.leak_detective.usage_threshold_count", 0);
+						"%s.leak_detective.usage_threshold_count", 0, lib->ns);
 	detailed = lib->settings->get_bool(lib->settings,
-					"libstrongswan.leak_detective.detailed", TRUE);
+						"%s.leak_detective.detailed", TRUE, lib->ns);
 
-	print_traces(this, out, thresh, thresh_count, detailed, NULL, &sum);
-
-	fprintf(out, "Total memory usage: %zu\n", sum);
+	leaks = print_traces(this, cb, user, thresh, thresh_count,
+						 detailed, &whitelisted, &sum);
+	if (scb)
+	{
+		scb(user, leaks, sum, whitelisted);
+	}
 }
 
 /**
@@ -924,6 +952,7 @@ METHOD(leak_detective_t, destroy, void,
 	lock->destroy(lock);
 	thread_disabled->destroy(thread_disabled);
 	free(this);
+	first_header.next = NULL;
 }
 
 /*
@@ -936,8 +965,9 @@ leak_detective_t *leak_detective_create()
 	INIT(this,
 		.public = {
 			.report = _report,
-			.leaks = _leaks,
+			.set_report_cb = _set_report_cb,
 			.usage = _usage,
+			.leaks = _leaks,
 			.set_state = _set_state,
 			.destroy = _destroy,
 		},
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 7a29e81d7..3fd0b8c93 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -24,6 +24,30 @@
 typedef struct leak_detective_t leak_detective_t;
 
 #include <library.h>
+#include <utils/backtrace.h>
+
+/**
+ * Callback function to report leak/usage information
+ *
+ * @param user			user specific data
+ * @param count			number of allocations
+ * @param bytes			total size of allocations
+ * @param bt			backtrace of allocation
+ * @param detailed		TRUE to show a detailed backtrace
+ */
+typedef void (*leak_detective_report_cb_t)(void *user, int count, size_t bytes,
+										   backtrace_t *bt, bool detailed);
+
+/**
+ * Callback function to report leak/usage summary information
+ *
+ * @param user			user specific data
+ * @param count			total number of allocations
+ * @param bytes			total size of all reported allocations
+ * @param whitelisted	number of allocations suppressed by whitelist
+ */
+typedef void (*leak_detective_summary_cb_t)(void* user, int count, size_t bytes,
+										    int whitelisted);
 
 /**
  * Leak detective finds leaks and bad frees using malloc hooks.
@@ -36,25 +60,39 @@ typedef struct leak_detective_t leak_detective_t;
 struct leak_detective_t {
 
 	/**
-	 * Report leaks to stderr.
+	 * Report leaks to the registered callback functions.
 	 *
 	 * @param detailed 		TRUE to resolve line/filename of leak (slow)
 	 */
 	void (*report)(leak_detective_t *this, bool detailed);
 
 	/**
-	 * Number of detected leaks.
+	 * Report current memory usage to out.
+	 * Set callback functions invoked during a report().
 	 *
-	 * @return				number of leaks
+	 * @param cb			callback invoked for each detected leak
+	 * @param scb			summary callback invoked at end of report
+	 * @param user			user data to supply to callbacks
 	 */
-	int (*leaks)(leak_detective_t *this);
+	void (*set_report_cb)(leak_detective_t *this, leak_detective_report_cb_t cb,
+						  leak_detective_summary_cb_t scb, void *user);
 
 	/**
-	 * Report current memory usage to out.
+	 * Report current memory usage using a callbacks.
+	 *
+	 * @param cb			callback invoked for each allocation
+	 * @param scb			summary callback invoked at end of usage report
+	 * @param user			user data supplied to callbacks
+	 */
+	void (*usage)(leak_detective_t *this, leak_detective_report_cb_t cb,
+				  leak_detective_summary_cb_t scb, void *user);
+
+	/**
+	 * Number of detected leaks.
 	 *
-	 * @param out			target to write usage report to
+	 * @return				number of leaks
 	 */
-	void (*usage)(leak_detective_t *this, FILE *out);
+	int (*leaks)(leak_detective_t *this);
 
 	/**
 	 * Enable/disable leak detective hooks for the current thread.
diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
index d00abef20..c79d4b87a 100644
--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
@@ -122,10 +122,14 @@ size_t print_in_hook(printf_hook_data_t *data, char *fmt, ...)
 
 	if (written > data->n)
 	{
-		written = data->n;
+		data->q += data->n;
+		data->n = 0;
+	}
+	else
+	{
+		data->q += written;
+		data->n -= written;
 	}
-	data->q += written;
-	data->n += written;
 	return written;
 }
 
@@ -725,12 +729,6 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
 
 						switch (ch)
 						{
-							case 'P':
-							{
-								/* Upper case pointer */
-								flags |= FL_UPPER;
-								/* fall through */
-							}
 							case 'p':
 							{
 								/* Pointer */
diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c b/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c
index 8fd1aed4a..5efe1d990 100644
--- a/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c
+++ b/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c
@@ -19,10 +19,10 @@
 #include <utils/utils.h>
 #include <utils/debug.h>
 
-#include <printf.h>
 #include <stdio.h>
 #include <stdarg.h>
 #include <string.h>
+#include <printf.h>
 
 typedef struct private_printf_hook_t private_printf_hook_t;
 typedef struct printf_hook_handler_t printf_hook_handler_t;
diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c
index 809ca10ab..490490a1e 100644
--- a/src/libstrongswan/utils/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -20,7 +20,6 @@
 #include <stdio.h>
 #include <errno.h>
 #include <limits.h>
-#include <libgen.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -31,6 +30,8 @@
 
 #include "settings.h"
 
+#include "collections/array.h"
+#include "collections/hashtable.h"
 #include "collections/linked_list.h"
 #include "threading/rwlock.h"
 #include "utils/debug.h"
@@ -78,14 +79,19 @@ struct section_t {
 	char *name;
 
 	/**
+	 * fallback sections, as section_t
+	 */
+	array_t *fallbacks;
+
+	/**
 	 * subsections, as section_t
 	 */
-	linked_list_t *sections;
+	array_t *sections;
 
 	/**
 	 * key value pairs, as kv_t
 	 */
-	linked_list_t *kv;
+	array_t *kv;
 };
 
 /**
@@ -134,8 +140,6 @@ static section_t *section_create(char *name)
 	section_t *this;
 	INIT(this,
 		.name = strdupnull(name),
-		.sections = linked_list_create(),
-		.kv = linked_list_create(),
 	);
 	return this;
 }
@@ -145,37 +149,73 @@ static section_t *section_create(char *name)
  */
 static void section_destroy(section_t *this)
 {
-	this->kv->destroy_function(this->kv, (void*)kv_destroy);
-	this->sections->destroy_function(this->sections, (void*)section_destroy);
+	array_destroy_function(this->sections, (void*)section_destroy, NULL);
+	array_destroy_function(this->kv, (void*)kv_destroy, NULL);
+	array_destroy(this->fallbacks);
 	free(this->name);
 	free(this);
 }
 
 /**
- * Purge contents of a section
+ * Purge contents of a section, returns if section can be safely removed.
  */
-static void section_purge(section_t *this)
+static bool section_purge(section_t *this)
 {
-	this->kv->destroy_function(this->kv, (void*)kv_destroy);
-	this->kv = linked_list_create();
-	this->sections->destroy_function(this->sections, (void*)section_destroy);
-	this->sections = linked_list_create();
+	section_t *current;
+	int i;
+
+	array_destroy_function(this->kv, (void*)kv_destroy, NULL);
+	this->kv = NULL;
+	/* we ensure sections used as fallback, or configured with fallbacks (or
+	 * having any such subsections) are not removed */
+	for (i = array_count(this->sections) - 1; i >= 0; i--)
+	{
+		array_get(this->sections, i, &current);
+		if (section_purge(current))
+		{
+			array_remove(this->sections, i, NULL);
+			section_destroy(current);
+		}
+	}
+	return !this->fallbacks && !array_count(this->sections);
 }
 
 /**
  * callback to find a section by name
  */
-static bool section_find(section_t *this, char *name)
+static int section_find(const void *a, const void *b)
 {
-	return streq(this->name, name);
+	const char *key = a;
+	const section_t *item = b;
+	return strcmp(key, item->name);
+}
+
+/**
+ * callback to sort sections by name
+ */
+static int section_sort(const void *a, const void *b, void *user)
+{
+	const section_t *sa = a, *sb = b;
+	return strcmp(sa->name, sb->name);
 }
 
 /**
  * callback to find a kv pair by key
  */
-static bool kv_find(kv_t *this, char *key)
+static int kv_find(const void *a, const void *b)
+{
+	const char *key = a;
+	const kv_t *item = b;
+	return strcmp(key, item->key);
+}
+
+/**
+ * callback to sort kv pairs by key
+ */
+static int kv_sort(const void *a, const void *b, void *user)
 {
-	return streq(this->key, key);
+	const kv_t *kva = a, *kvb = b;
+	return strcmp(kva->key, kvb->key);
 }
 
 /**
@@ -184,17 +224,16 @@ static bool kv_find(kv_t *this, char *key)
 static bool print_key(char *buf, int len, char *start, char *key, va_list args)
 {
 	va_list copy;
+	char *pos = start;
 	bool res;
-	char *pos;
 
 	va_copy(copy, args);
-	while (start < key)
+	while (TRUE)
 	{
-		pos = strchr(start, '%');
+		pos = memchr(pos, '%', key - pos);
 		if (!pos)
 		{
-			start += strlen(start) + 1;
-			continue;
+			break;
 		}
 		pos++;
 		switch (*pos)
@@ -215,11 +254,7 @@ static bool print_key(char *buf, int len, char *start, char *key, va_list args)
 				DBG1(DBG_CFG, "settings with %%%c not supported!", *pos);
 				break;
 		}
-		start = pos;
-		if (*start)
-		{
-			start++;
-		}
+		pos++;
 	}
 	res = vsnprintf(buf, len, key, copy) < len;
 	va_end(copy);
@@ -251,14 +286,17 @@ static section_t *find_section_buffered(section_t *section,
 	{
 		return NULL;
 	}
-	if (section->sections->find_first(section->sections,
-									  (linked_list_match_t)section_find,
-									  (void**)&found, buf) != SUCCESS)
+	if (!strlen(buf))
+	{
+		found = section;
+	}
+	else if (array_bsearch(section->sections, buf, section_find, &found) == -1)
 	{
 		if (ensure)
 		{
 			found = section_create(buf);
-			section->sections->insert_last(section->sections, found);
+			array_insert_create(&section->sections, ARRAY_TAIL, found);
+			array_sort(section->sections, section_sort, NULL);
 		}
 	}
 	if (found && pos)
@@ -269,10 +307,74 @@ static section_t *find_section_buffered(section_t *section,
 }
 
 /**
- * Find a section by a given key (thread-safe).
+ * Find all sections via a given key considering fallbacks, using buffered key,
+ * reusable buffer.
+ */
+static void find_sections_buffered(section_t *section, char *start, char *key,
+						va_list args, char *buf, int len, array_t **sections)
+{
+	section_t *found = NULL, *fallback;
+	char *pos;
+	int i;
+
+	if (!section)
+	{
+		return;
+	}
+	pos = strchr(key, '.');
+	if (pos)
+	{
+		*pos = '\0';
+	}
+	if (!print_key(buf, len, start, key, args))
+	{
+		return;
+	}
+	if (pos)
+	{	/* restore so we can follow fallbacks */
+		*pos = '.';
+	}
+	if (!strlen(buf))
+	{
+		found = section;
+	}
+	else
+	{
+		array_bsearch(section->sections, buf, section_find, &found);
+	}
+	if (found)
+	{
+		if (pos)
+		{
+			find_sections_buffered(found, start, pos+1, args, buf, len,
+								   sections);
+		}
+		else
+		{
+			array_insert_create(sections, ARRAY_TAIL, found);
+			for (i = 0; i < array_count(found->fallbacks); i++)
+			{
+				array_get(found->fallbacks, i, &fallback);
+				array_insert_create(sections, ARRAY_TAIL, fallback);
+			}
+		}
+	}
+	if (section->fallbacks)
+	{
+		for (i = 0; i < array_count(section->fallbacks); i++)
+		{
+			array_get(section->fallbacks, i, &fallback);
+			find_sections_buffered(fallback, start, key, args, buf, len,
+								   sections);
+		}
+	}
+}
+
+/**
+ * Ensure that the section with the given key exists (thread-safe).
  */
-static section_t *find_section(private_settings_t *this, section_t *section,
-							   char *key, va_list args)
+static section_t *ensure_section(private_settings_t *this, section_t *section,
+								 const char *key, va_list args)
 {
 	char buf[128], keybuf[512];
 	section_t *found;
@@ -281,42 +383,101 @@ static section_t *find_section(private_settings_t *this, section_t *section,
 	{
 		return NULL;
 	}
-	this->lock->read_lock(this->lock);
+	/* we might have to change the tree */
+	this->lock->write_lock(this->lock);
 	found = find_section_buffered(section, keybuf, keybuf, args, buf,
-								  sizeof(buf), FALSE);
+								  sizeof(buf), TRUE);
 	this->lock->unlock(this->lock);
 	return found;
 }
 
 /**
- * Ensure that the section with the given key exists (thread-safe).
+ * Find a section by a given key with its fallbacks (not thread-safe!).
+ * Sections are returned in depth-first order (array is allocated). NULL is
+ * returned if no sections are found.
  */
-static section_t *ensure_section(private_settings_t *this, section_t *section,
-								 char *key, va_list args)
+static array_t *find_sections(private_settings_t *this, section_t *section,
+							  char *key, va_list args)
 {
 	char buf[128], keybuf[512];
-	section_t *found;
+	array_t *sections = NULL;
 
 	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
 	{
 		return NULL;
 	}
-	/* we might have to change the tree */
+	find_sections_buffered(section, keybuf, keybuf, args, buf,
+						   sizeof(buf), &sections);
+	return sections;
+}
+
+/**
+ * Check if the given fallback section already exists
+ */
+static bool fallback_exists(section_t *section, section_t *fallback)
+{
+	if (section == fallback)
+	{
+		return TRUE;
+	}
+	else if (section->fallbacks)
+	{
+		section_t *existing;
+		int i;
+
+		for (i = 0; i < array_count(section->fallbacks); i++)
+		{
+			array_get(section->fallbacks, i, &existing);
+			if (existing == fallback)
+			{
+				return TRUE;
+			}
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Ensure that the section with the given key exists and add the given fallback
+ * section (thread-safe).
+ */
+static void add_fallback_to_section(private_settings_t *this,
+							section_t *section, const char *key, va_list args,
+							section_t *fallback)
+{
+	char buf[128], keybuf[512];
+	section_t *found;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return;
+	}
 	this->lock->write_lock(this->lock);
 	found = find_section_buffered(section, keybuf, keybuf, args, buf,
 								  sizeof(buf), TRUE);
+	if (!fallback_exists(found, fallback))
+	{
+		/* to ensure sections referred to as fallback are not purged, we create
+		 * the array there too */
+		if (!fallback->fallbacks)
+		{
+			fallback->fallbacks = array_create(0, 0);
+		}
+		array_insert_create(&found->fallbacks, ARRAY_TAIL, fallback);
+	}
 	this->lock->unlock(this->lock);
-	return found;
 }
 
 /**
  * Find the key/value pair for a key, using buffered key, reusable buffer
  * If "ensure" is TRUE, the sections (and key/value pair) are created if they
  * don't exist.
+ * Fallbacks are only considered if "ensure" is FALSE.
  */
 static kv_t *find_value_buffered(section_t *section, char *start, char *key,
 								 va_list args, char *buf, int len, bool ensure)
 {
+	int i;
 	char *pos;
 	kv_t *kv = NULL;
 	section_t *found = NULL;
@@ -330,25 +491,40 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key,
 	if (pos)
 	{
 		*pos = '\0';
-		pos++;
-
 		if (!print_key(buf, len, start, key, args))
 		{
 			return NULL;
 		}
-		if (section->sections->find_first(section->sections,
-										  (linked_list_match_t)section_find,
-										  (void**)&found, buf) != SUCCESS)
+		/* restore so we can retry for fallbacks */
+		*pos = '.';
+		if (!strlen(buf))
+		{
+			found = section;
+		}
+		else if (array_bsearch(section->sections, buf, section_find,
+							   &found) == -1)
 		{
-			if (!ensure)
+			if (ensure)
 			{
-				return NULL;
+				found = section_create(buf);
+				array_insert_create(&section->sections, ARRAY_TAIL, found);
+				array_sort(section->sections, section_sort, NULL);
+			}
+		}
+		if (found)
+		{
+			kv = find_value_buffered(found, start, pos+1, args, buf, len,
+									 ensure);
+		}
+		if (!kv && !ensure && section->fallbacks)
+		{
+			for (i = 0; !kv && i < array_count(section->fallbacks); i++)
+			{
+				array_get(section->fallbacks, i, &found);
+				kv = find_value_buffered(found, start, key, args, buf, len,
+										 ensure);
 			}
-			found = section_create(buf);
-			section->sections->insert_last(section->sections, found);
 		}
-		return find_value_buffered(found, start, pos, args, buf, len,
-								   ensure);
 	}
 	else
 	{
@@ -356,13 +532,22 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key,
 		{
 			return NULL;
 		}
-		if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find,
-									(void**)&kv, buf) != SUCCESS)
+		if (array_bsearch(section->kv, buf, kv_find, &kv) == -1)
 		{
 			if (ensure)
 			{
 				kv = kv_create(buf, NULL);
-				section->kv->insert_last(section->kv, kv);
+				array_insert_create(&section->kv, ARRAY_TAIL, kv);
+				array_sort(section->kv, kv_sort, NULL);
+			}
+			else if (section->fallbacks)
+			{
+				for (i = 0; !kv && i < array_count(section->fallbacks); i++)
+				{
+					array_get(section->fallbacks, i, &found);
+					kv = find_value_buffered(found, start, key, args, buf, len,
+											 ensure);
+				}
 			}
 		}
 	}
@@ -429,7 +614,7 @@ static void set_value(private_settings_t *this, section_t *section,
 }
 
 METHOD(settings_t, get_str, char*,
-	   private_settings_t *this, char *key, char *def, ...)
+	private_settings_t *this, char *key, char *def, ...)
 {
 	char *value;
 	va_list args;
@@ -470,7 +655,7 @@ inline bool settings_value_as_bool(char *value, bool def)
 }
 
 METHOD(settings_t, get_bool, bool,
-	   private_settings_t *this, char *key, bool def, ...)
+	private_settings_t *this, char *key, bool def, ...)
 {
 	char *value;
 	va_list args;
@@ -500,7 +685,7 @@ inline int settings_value_as_int(char *value, int def)
 }
 
 METHOD(settings_t, get_int, int,
-	   private_settings_t *this, char *key, int def, ...)
+	private_settings_t *this, char *key, int def, ...)
 {
 	char *value;
 	va_list args;
@@ -530,7 +715,7 @@ inline double settings_value_as_double(char *value, double def)
 }
 
 METHOD(settings_t, get_double, double,
-	   private_settings_t *this, char *key, double def, ...)
+	private_settings_t *this, char *key, double def, ...)
 {
 	char *value;
 	va_list args;
@@ -576,7 +761,7 @@ inline u_int32_t settings_value_as_time(char *value, u_int32_t def)
 }
 
 METHOD(settings_t, get_time, u_int32_t,
-	   private_settings_t *this, char *key, u_int32_t def, ...)
+	private_settings_t *this, char *key, u_int32_t def, ...)
 {
 	char *value;
 	va_list args;
@@ -588,7 +773,7 @@ METHOD(settings_t, get_time, u_int32_t,
 }
 
 METHOD(settings_t, set_str, void,
-	   private_settings_t *this, char *key, char *value, ...)
+	private_settings_t *this, char *key, char *value, ...)
 {
 	va_list args;
 	va_start(args, value);
@@ -597,7 +782,7 @@ METHOD(settings_t, set_str, void,
 }
 
 METHOD(settings_t, set_bool, void,
-	   private_settings_t *this, char *key, bool value, ...)
+	private_settings_t *this, char *key, bool value, ...)
 {
 	va_list args;
 	va_start(args, value);
@@ -606,7 +791,7 @@ METHOD(settings_t, set_bool, void,
 }
 
 METHOD(settings_t, set_int, void,
-	   private_settings_t *this, char *key, int value, ...)
+	private_settings_t *this, char *key, int value, ...)
 {
 	char val[16];
 	va_list args;
@@ -619,7 +804,7 @@ METHOD(settings_t, set_int, void,
 }
 
 METHOD(settings_t, set_double, void,
-	   private_settings_t *this, char *key, double value, ...)
+	private_settings_t *this, char *key, double value, ...)
 {
 	char val[64];
 	va_list args;
@@ -632,7 +817,7 @@ METHOD(settings_t, set_double, void,
 }
 
 METHOD(settings_t, set_time, void,
-	   private_settings_t *this, char *key, u_int32_t value, ...)
+	private_settings_t *this, char *key, u_int32_t value, ...)
 {
 	char val[16];
 	va_list args;
@@ -645,7 +830,7 @@ METHOD(settings_t, set_time, void,
 }
 
 METHOD(settings_t, set_default_str, bool,
-	   private_settings_t *this, char *key, char *value, ...)
+	private_settings_t *this, char *key, char *value, ...)
 {
 	char *old;
 	va_list args;
@@ -665,63 +850,143 @@ METHOD(settings_t, set_default_str, bool,
 }
 
 /**
+ * Data for enumerators
+ */
+typedef struct {
+	/** settings_t instance */
+	private_settings_t *settings;
+	/** sections to enumerate */
+	array_t *sections;
+	/** sections/keys that were already enumerated */
+	hashtable_t *seen;
+} enumerator_data_t;
+
+/**
+ * Destroy enumerator data
+ */
+static void enumerator_destroy(enumerator_data_t *this)
+{
+	this->settings->lock->unlock(this->settings->lock);
+	this->seen->destroy(this->seen);
+	array_destroy(this->sections);
+	free(this);
+}
+
+/**
  * Enumerate section names, not sections
  */
-static bool section_filter(void *null, section_t **in, char **out)
+static bool section_filter(hashtable_t *seen, section_t **in, char **out)
 {
 	*out = (*in)->name;
+	if (seen->get(seen, *out))
+	{
+		return FALSE;
+	}
+	seen->put(seen, *out, *out);
 	return TRUE;
 }
 
+/**
+ * Enumerate sections of the given section
+ */
+static enumerator_t *section_enumerator(section_t *section,
+										enumerator_data_t *data)
+{
+	return enumerator_create_filter(array_create_enumerator(section->sections),
+				(void*)section_filter, data->seen, NULL);
+}
+
 METHOD(settings_t, create_section_enumerator, enumerator_t*,
-	   private_settings_t *this, char *key, ...)
+	private_settings_t *this, char *key, ...)
 {
-	section_t *section;
+	enumerator_data_t *data;
+	array_t *sections;
 	va_list args;
 
+	this->lock->read_lock(this->lock);
 	va_start(args, key);
-	section = find_section(this, this->top, key, args);
+	sections = find_sections(this, this->top, key, args);
 	va_end(args);
 
-	if (!section)
+	if (!sections)
 	{
+		this->lock->unlock(this->lock);
 		return enumerator_create_empty();
 	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(
-				section->sections->create_enumerator(section->sections),
-				(void*)section_filter, this->lock, (void*)this->lock->unlock);
+	INIT(data,
+		.settings = this,
+		.sections = sections,
+		.seen = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8),
+	);
+	return enumerator_create_nested(array_create_enumerator(sections),
+					(void*)section_enumerator, data, (void*)enumerator_destroy);
 }
 
 /**
  * Enumerate key and values, not kv_t entries
  */
-static bool kv_filter(void *null, kv_t **in, char **key,
+static bool kv_filter(hashtable_t *seen, kv_t **in, char **key,
 					  void *none, char **value)
 {
 	*key = (*in)->key;
+	if (seen->get(seen, *key))
+	{
+		return FALSE;
+	}
 	*value = (*in)->value;
+	seen->put(seen, *key, *key);
 	return TRUE;
 }
 
+/**
+ * Enumerate key/value pairs of the given section
+ */
+static enumerator_t *kv_enumerator(section_t *section, enumerator_data_t *data)
+{
+	return enumerator_create_filter(array_create_enumerator(section->kv),
+					(void*)kv_filter, data->seen, NULL);
+}
+
 METHOD(settings_t, create_key_value_enumerator, enumerator_t*,
-	   private_settings_t *this, char *key, ...)
+	private_settings_t *this, char *key, ...)
 {
-	section_t *section;
+	enumerator_data_t *data;
+	array_t *sections;
 	va_list args;
 
+	this->lock->read_lock(this->lock);
 	va_start(args, key);
-	section = find_section(this, this->top, key, args);
+	sections = find_sections(this, this->top, key, args);
 	va_end(args);
 
-	if (!section)
+	if (!sections)
 	{
+		this->lock->unlock(this->lock);
 		return enumerator_create_empty();
 	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(
-					section->kv->create_enumerator(section->kv),
-					(void*)kv_filter, this->lock, (void*)this->lock->unlock);
+	INIT(data,
+		.settings = this,
+		.sections = sections,
+		.seen = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8),
+	);
+	return enumerator_create_nested(array_create_enumerator(sections),
+					(void*)kv_enumerator, data, (void*)enumerator_destroy);
+}
+
+METHOD(settings_t, add_fallback, void,
+	private_settings_t *this, const char *key, const char *fallback, ...)
+{
+	section_t *section;
+	va_list args;
+
+	/* find/create the fallback */
+	va_start(args, fallback);
+	section = ensure_section(this, this->top, fallback, args);
+	va_end(args);
+
+	va_start(args, fallback);
+	add_fallback_to_section(this, this->top, key, args, section);
+	va_end(args);
 }
 
 /**
@@ -881,15 +1146,15 @@ static bool parse_section(linked_list_t *contents, char *file, int level,
 							 section->name);
 						continue;
 					}
-					if (section->sections->find_first(section->sections,
-											(linked_list_match_t)section_find,
-											(void**)&sub, key) != SUCCESS)
+					if (array_bsearch(section->sections, key, section_find,
+									  &sub) == -1)
 					{
 						sub = section_create(key);
 						if (parse_section(contents, file, level, &inner, sub))
 						{
-							section->sections->insert_last(section->sections,
-														   sub);
+							array_insert_create(&section->sections, ARRAY_TAIL,
+												sub);
+							array_sort(section->sections, section_sort, NULL);
 							continue;
 						}
 						section_destroy(sub);
@@ -916,12 +1181,11 @@ static bool parse_section(linked_list_t *contents, char *file, int level,
 							 section->name);
 						continue;
 					}
-					if (section->kv->find_first(section->kv,
-								(linked_list_match_t)kv_find,
-								(void**)&kv, key) != SUCCESS)
+					if (array_bsearch(section->kv, key, kv_find, &kv) == -1)
 					{
 						kv = kv_create(key, value);
-						section->kv->insert_last(section->kv, kv);
+						array_insert_create(&section->kv, ARRAY_TAIL, kv);
+						array_sort(section->kv, kv_sort, NULL);
 					}
 					else
 					{	/* replace with the most recently read value */
@@ -1037,8 +1301,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
 	}
 	else
 	{	/* base relative paths to the directory of the current file */
-		char *dir = strdup(file);
-		dir = dirname(dir);
+		char *dir = path_dirname(file);
 		if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat))
 		{
 			DBG1(DBG_LIB, "include pattern too long, ignored");
@@ -1092,37 +1355,37 @@ static void section_extend(section_t *base, section_t *extension)
 	section_t *sec;
 	kv_t *kv;
 
-	enumerator = extension->sections->create_enumerator(extension->sections);
+	enumerator = array_create_enumerator(extension->sections);
 	while (enumerator->enumerate(enumerator, (void**)&sec))
 	{
 		section_t *found;
-		if (base->sections->find_first(base->sections,
-					(linked_list_match_t)section_find, (void**)&found,
-					sec->name) == SUCCESS)
+		if (array_bsearch(base->sections, sec->name, section_find,
+			&found) != -1)
 		{
 			section_extend(found, sec);
 		}
 		else
 		{
-			extension->sections->remove_at(extension->sections, enumerator);
-			base->sections->insert_last(base->sections, sec);
+			array_remove_at(extension->sections, enumerator);
+			array_insert_create(&base->sections, ARRAY_TAIL, sec);
+			array_sort(base->sections, section_sort, NULL);
 		}
 	}
 	enumerator->destroy(enumerator);
 
-	enumerator = extension->kv->create_enumerator(extension->kv);
+	enumerator = array_create_enumerator(extension->kv);
 	while (enumerator->enumerate(enumerator, (void**)&kv))
 	{
 		kv_t *found;
-		if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find,
-					(void**)&found, kv->key) == SUCCESS)
+		if (array_bsearch(base->kv, kv->key, kv_find, &found) != -1)
 		{
 			found->value = kv->value;
 		}
 		else
 		{
-			extension->kv->remove_at(extension->kv, enumerator);
-			base->kv->insert_last(base->kv, kv);
+			array_remove_at(extension->kv, enumerator);
+			array_insert_create(&base->kv, ARRAY_TAIL, kv);
+			array_sort(base->kv, kv_sort, NULL);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -1179,13 +1442,13 @@ static bool load_files_internal(private_settings_t *this, section_t *parent,
 }
 
 METHOD(settings_t, load_files, bool,
-	   private_settings_t *this, char *pattern, bool merge)
+	private_settings_t *this, char *pattern, bool merge)
 {
 	return load_files_internal(this, this->top, pattern, merge);
 }
 
 METHOD(settings_t, load_files_section, bool,
-	   private_settings_t *this, char *pattern, bool merge, char *key, ...)
+	private_settings_t *this, char *pattern, bool merge, char *key, ...)
 {
 	section_t *section;
 	va_list args;
@@ -1202,7 +1465,7 @@ METHOD(settings_t, load_files_section, bool,
 }
 
 METHOD(settings_t, destroy, void,
-	   private_settings_t *this)
+	private_settings_t *this)
 {
 	section_destroy(this->top);
 	this->contents->destroy_function(this->contents, (void*)free);
@@ -1232,6 +1495,7 @@ settings_t *settings_create(char *file)
 			.set_default_str = _set_default_str,
 			.create_section_enumerator = _create_section_enumerator,
 			.create_key_value_enumerator = _create_key_value_enumerator,
+			.add_fallback = _add_fallback,
 			.load_files = _load_files,
 			.load_files_section = _load_files_section,
 			.destroy = _destroy,
diff --git a/src/libstrongswan/utils/settings.h b/src/libstrongswan/utils/settings.h
index df0c534e9..46403c4d3 100644
--- a/src/libstrongswan/utils/settings.h
+++ b/src/libstrongswan/utils/settings.h
@@ -269,6 +269,31 @@ struct settings_t {
 												 char *section, ...);
 
 	/**
+	 * Add a fallback for the given section.
+	 *
+	 * Example: When the fallback 'section-two' is configured for
+	 * 'section-one.two' any failed lookup for a section or key in
+	 * 'section-one.two' will result in a lookup for the same section/key
+	 * in 'section-two'.
+	 *
+	 * @note Lookups are depth-first and currently strictly top-down.
+	 * For instance, if app.sec had lib1.sec as fallback and lib1 had lib2 as
+	 * fallback the keys/sections in lib2.sec would not be considered.  But if
+	 * app had lib3 as fallback the contents of lib3.sec would (as app is passed
+	 * during the initial lookup).  In the last example the order during
+	 * enumerations would be app.sec, lib1.sec, lib3.sec.
+	 *
+	 * @note Additional arguments will be applied to both section format
+	 * strings so they must be compatible.
+	 *
+	 * @param section	section for which a fallback is configured, printf style
+	 * @param fallback	fallback section, printf style
+	 * @param ...		argument list for section and fallback
+	 */
+	void (*add_fallback)(settings_t *this, const char *section,
+						 const char *fallback, ...);
+
+	/**
 	 * Load settings from the files matching the given pattern.
 	 *
 	 * If merge is TRUE, existing sections are extended, existing values
diff --git a/src/libstrongswan/utils/test.c b/src/libstrongswan/utils/test.c
new file mode 100644
index 000000000..7de5a7661
--- /dev/null
+++ b/src/libstrongswan/utils/test.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test.h"
+
+#include <library.h>
+
+/**
+ * A collection of testable functions
+ */
+hashtable_t *testable_functions;
+
+/*
+ * Described in header.
+ */
+void testable_function_register(char *name, void *fn)
+{
+	if (testable_functions)
+	{
+		bool old = FALSE;
+		if (lib->leak_detective)
+		{
+			old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+		}
+		if (fn)
+		{
+			testable_functions->put(testable_functions, name, fn);
+		}
+		else
+		{
+			testable_functions->remove(testable_functions, name);
+		}
+		if (lib->leak_detective)
+		{
+			lib->leak_detective->set_state(lib->leak_detective, old);
+		}
+	}
+}
diff --git a/src/libstrongswan/utils/test.h b/src/libstrongswan/utils/test.h
new file mode 100644
index 000000000..5b7289244
--- /dev/null
+++ b/src/libstrongswan/utils/test.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup test test
+ * @{ @ingroup utils
+ */
+
+#ifndef TEST_H_
+#define TEST_H_
+
+#include "collections/hashtable.h"
+
+/**
+ * Collection of testable functions.
+ *
+ * @note Is initialized only if libtest is loaded.
+ */
+extern hashtable_t *testable_functions;
+
+/**
+ * Register a (possibly static) function so that it can be called from tests.
+ *
+ * @param name		name (namespace/function)
+ * @param fn		function to register (set to NULL to unregister)
+ */
+void testable_function_register(char *name, void *fn);
+
+/**
+ * Macro to automatically register/unregister a function that can be called
+ * from tests.
+ *
+ * @note The constructor has a priority set so that it runs after the
+ * constructor that creates the hashtable.  The destructor, on the other hand,
+ * does not have a priority set, as test coverage would report that function as
+ * untested otherwise.
+ *
+ * @param ns		namespace
+ * @param fn		function to register
+ */
+#define EXPORT_FUNCTION_FOR_TESTS(ns, fn) \
+static void testable_function_register_##fn() __attribute__ ((constructor(2000))); \
+static void testable_function_register_##fn() \
+{ \
+	testable_function_register(#ns "/" #fn, fn); \
+} \
+static void testable_function_unregister_##fn() __attribute__ ((destructor)); \
+static void testable_function_unregister_##fn() \
+{ \
+	testable_function_register(#ns "/" #fn, NULL); \
+}
+
+/**
+ * Import a registered function so that it can be called from tests.
+ *
+ * @note If the imported function is static (or no conflicting header files
+ * are included) ret can be prefixed with static to declare the function static.
+ *
+ * @note We allocate an arbitrary amount of stack space, hopefully enough for
+ * all arguments.
+ *
+ * @param ns		namespace of the function
+ * @param name		name of the function
+ * @param ret		return type of the function
+ * @param ...		arguments of the function
+ */
+#define IMPORT_FUNCTION_FOR_TESTS(ns, name, ret, ...) \
+ret name(__VA_ARGS__) \
+{ \
+	void (*fn)() = NULL; \
+	if (testable_functions) \
+	{ \
+		fn = testable_functions->get(testable_functions, #ns "/" #name); \
+	} \
+	if (fn) \
+	{ \
+		void *args = __builtin_apply_args(); \
+		__builtin_return(__builtin_apply(fn, args, 16*sizeof(void*))); \
+	} \
+	test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \
+	__builtin_return(NULL); \
+}
+
+#endif /** TEST_H_ @}*/
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index 266fb4357..fe80edb82 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2014 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,8 +14,7 @@
  * for more details.
  */
 
-#include "utils.h"
-
+#define _GNU_SOURCE /* for memrchr */
 #include <sys/stat.h>
 #include <string.h>
 #include <stdio.h>
@@ -27,6 +26,8 @@
 #include <time.h>
 #include <pthread.h>
 
+#include "utils.h"
+
 #include "collections/enumerator.h"
 #include "utils/debug.h"
 #include "utils/chunk.h"
@@ -102,7 +103,7 @@ void memwipe_noinline(void *ptr, size_t n)
  */
 void *memstr(const void *haystack, const char *needle, size_t n)
 {
-	unsigned const char *pos = haystack;
+	const u_char *pos = haystack;
 	size_t l;
 
 	if (!haystack || !needle || (l = strlen(needle)) == 0)
@@ -122,6 +123,28 @@ void *memstr(const void *haystack, const char *needle, size_t n)
 /**
  * Described in header.
  */
+void *utils_memrchr(const void *s, int c, size_t n)
+{
+	const u_char *pos;
+
+	if (!s || !n)
+	{
+		return NULL;
+	}
+
+	for (pos = s + n - 1; pos >= (u_char*)s; pos--)
+	{
+		if (*pos == (u_char)c)
+		{
+			return (void*)pos;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Described in header.
+ */
 char* translate(char *str, const char *from, const char *to)
 {
 	char *pos = str;
@@ -144,6 +167,115 @@ char* translate(char *str, const char *from, const char *to)
 /**
  * Described in header.
  */
+char* strreplace(const char *str, const char *search, const char *replace)
+{
+	size_t len, slen, rlen, count = 0;
+	char *res, *pos, *found, *dst;
+
+	if (!str || !*str || !search || !*search || !replace)
+	{
+		return (char*)str;
+	}
+	slen = strlen(search);
+	rlen = strlen(replace);
+	if (slen != rlen)
+	{
+		for (pos = (char*)str; (pos = strstr(pos, search)); pos += slen)
+		{
+			found = pos;
+			count++;
+		}
+		if (!count)
+		{
+			return (char*)str;
+		}
+		len = (found - str) + strlen(found) + count * (rlen - slen);
+	}
+	else
+	{
+		len = strlen(str);
+	}
+	found = strstr(str, search);
+	if (!found)
+	{
+		return (char*)str;
+	}
+	dst = res = malloc(len + 1);
+	pos = (char*)str;
+	do
+	{
+		len = found - pos;
+		memcpy(dst, pos, len);
+		dst += len;
+		memcpy(dst, replace, rlen);
+		dst += rlen;
+		pos = found + slen;
+	}
+	while ((found = strstr(pos, search)));
+	strcpy(dst, pos);
+	return res;
+}
+
+/**
+ * Described in header.
+ */
+char* path_dirname(const char *path)
+{
+	char *pos;
+
+	pos = path ? strrchr(path, '/') : NULL;
+
+	if (pos && !pos[1])
+	{	/* if path ends with slashes we have to look beyond them */
+		while (pos > path && *pos == '/')
+		{	/* skip trailing slashes */
+			pos--;
+		}
+		pos = memrchr(path, '/', pos - path + 1);
+	}
+	if (!pos)
+	{
+		return strdup(".");
+	}
+	while (pos > path && *pos == '/')
+	{	/* skip superfluous slashes */
+		pos--;
+	}
+	return strndup(path, pos - path + 1);
+}
+
+/**
+ * Described in header.
+ */
+char* path_basename(const char *path)
+{
+	char *pos, *trail = NULL;
+
+	if (!path || !*path)
+	{
+		return strdup(".");
+	}
+	pos = strrchr(path, '/');
+	if (pos && !pos[1])
+	{	/* if path ends with slashes we have to look beyond them */
+		while (pos > path && *pos == '/')
+		{	/* skip trailing slashes */
+			pos--;
+		}
+		if (pos == path && *pos == '/')
+		{	/* contains only slashes */
+			return strdup("/");
+		}
+		trail = pos + 1;
+		pos = memrchr(path, '/', trail - path);
+	}
+	pos = pos ? pos + 1 : (char*)path;
+	return trail ? strndup(pos, trail - pos) : strdup(pos);
+}
+
+/**
+ * Described in header.
+ */
 bool mkdir_p(const char *path, mode_t mode)
 {
 	int len;
@@ -251,84 +383,6 @@ char* tty_escape_get(int fd, tty_escape_t escape)
 	return "";
 }
 
-/**
- * The size of the thread-specific error buffer
- */
-#define STRERROR_BUF_LEN 256
-
-/**
- * Key to store thread-specific error buffer
- */
-static pthread_key_t strerror_buf_key;
-
-/**
- * Only initialize the key above once
- */
-static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
-
-/**
- * Create the key used for the thread-specific error buffer
- */
-static void create_strerror_buf_key()
-{
-	pthread_key_create(&strerror_buf_key, free);
-}
-
-/**
- * Retrieve the error buffer assigned to the current thread (or create it)
- */
-static inline char *get_strerror_buf()
-{
-	char *buf;
-
-	pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
-	buf = pthread_getspecific(strerror_buf_key);
-	if (!buf)
-	{
-		buf = malloc(STRERROR_BUF_LEN);
-		pthread_setspecific(strerror_buf_key, buf);
-	}
-	return buf;
-}
-
-#ifdef HAVE_STRERROR_R
-/*
- * Described in header.
- */
-const char *safe_strerror(int errnum)
-{
-	char *buf = get_strerror_buf(), *msg;
-
-#ifdef STRERROR_R_CHAR_P
-	/* char* version which may or may not return the original buffer */
-	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
-#else
-	/* int version returns 0 on success */
-	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
-#endif
-	return msg;
-}
-#else /* HAVE_STRERROR_R */
-/* we actually wan't to call strerror(3) below */
-#undef strerror
-/*
- * Described in header.
- */
-const char *safe_strerror(int errnum)
-{
-	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-	char *buf = get_strerror_buf();
-
-	/* use a mutex to ensure calling strerror(3) is thread-safe */
-	pthread_mutex_lock(&mutex);
-	strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
-	pthread_mutex_unlock(&mutex);
-	buf[STRERROR_BUF_LEN - 1] = '\0';
-	return buf;
-}
-#endif /* HAVE_STRERROR_R */
-
-
 #ifndef HAVE_CLOSEFROM
 /**
  * Described in header.
@@ -570,7 +624,7 @@ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
 	};
 	time_t *time = *((time_t**)(args[0]));
-	bool utc = *((bool*)(args[1]));;
+	bool utc = *((int*)(args[1]));
 	struct tm t;
 
 	if (*time == UNDEFINED_TIME)
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index cda7edf08..a55e7d831 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -30,6 +30,7 @@
 #include <string.h>
 
 #include "enum.h"
+#include "utils/strerror.h"
 
 /**
  * strongSwan program return codes
@@ -464,6 +465,20 @@ static inline void memwipe(void *ptr, size_t n)
 void *memstr(const void *haystack, const char *needle, size_t n);
 
 /**
+ * Replacement for memrchr(3) if it is not provided by the C library.
+ *
+ * @param s		start of the memory area to search
+ * @param c		character to search
+ * @param n		length of memory area to search
+ * @return		pointer to the found character or NULL
+ */
+void *utils_memrchr(const void *s, int c, size_t n);
+
+#ifndef HAVE_MEMRCHR
+#define memrchr(s,c,n) utils_memrchr(s,c,n)
+#endif
+
+/**
  * Translates the characters in the given string, searching for characters
  * in 'from' and mapping them to characters in 'to'.
  * The two characters sets 'from' and 'to' must contain the same number of
@@ -472,36 +487,59 @@ void *memstr(const void *haystack, const char *needle, size_t n);
 char *translate(char *str, const char *from, const char *to);
 
 /**
- * Creates a directory and all required parent directories.
+ * Replaces all occurrences of search in the given string with replace.
  *
- * @param path		path to the new directory
- * @param mode		permissions of the new directory/directories
- * @return			TRUE on success
+ * Allocates memory only if anything is replaced in the string.  The original
+ * string is also returned if any of the arguments are invalid (e.g. if search
+ * is empty or any of them are NULL).
+ *
+ * @param str		original string
+ * @param search	string to search for and replace
+ * @param replace	string to replace found occurrences with
+ * @return			allocated string, if anything got replaced, str otherwise
  */
-bool mkdir_p(const char *path, mode_t mode);
+char *strreplace(const char *str, const char *search, const char *replace);
 
 /**
- * Thread-safe wrapper around strerror and strerror_r.
+ * Like dirname(3) returns the directory part of the given null-terminated
+ * pathname, up to but not including the final '/' (or '.' if no '/' is found).
+ * Trailing '/' are not counted as part of the pathname.
  *
- * This is required because the first is not thread-safe (on some platforms)
- * and the second uses two different signatures (POSIX/GNU) and is impractical
- * to use anyway.
+ * The difference is that it does this in a thread-safe manner (i.e. it does not
+ * use static buffers) and does not modify the original path.
  *
- * @param errnum	error code (i.e. errno)
- * @return			error message
+ * @param path		original pathname
+ * @return			allocated directory component
  */
-const char *safe_strerror(int errnum);
+char *path_dirname(const char *path);
 
 /**
- * Replace usages of strerror(3) with thread-safe variant.
+ * Like basename(3) returns the filename part of the given null-terminated path,
+ * i.e. the part following the final '/' (or '.' if path is empty or NULL).
+ * Trailing '/' are not counted as part of the pathname.
+ *
+ * The difference is that it does this in a thread-safe manner (i.e. it does not
+ * use static buffers) and does not modify the original path.
+ *
+ * @param path		original pathname
+ * @return			allocated filename component
  */
-#define strerror(errnum) safe_strerror(errnum)
+char *path_basename(const char *path);
+
+/**
+ * Creates a directory and all required parent directories.
+ *
+ * @param path		path to the new directory
+ * @param mode		permissions of the new directory/directories
+ * @return			TRUE on success
+ */
+bool mkdir_p(const char *path, mode_t mode);
 
 #ifndef HAVE_CLOSEFROM
 /**
  * Close open file descriptors greater than or equal to lowfd.
  *
- * @param lowfd		start closing file descriptoros from here
+ * @param lowfd		start closing file descriptors from here
  */
 void closefrom(int lowfd);
 #endif
diff --git a/src/libstrongswan/utils/utils/strerror.c b/src/libstrongswan/utils/utils/strerror.c
new file mode 100644
index 000000000..95e463f5f
--- /dev/null
+++ b/src/libstrongswan/utils/utils/strerror.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2012-2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <pthread.h>
+
+#include "strerror.h"
+
+/**
+ * The size of the thread-specific error buffer
+ */
+#define STRERROR_BUF_LEN 256
+
+/**
+ * Key to store thread-specific error buffer
+ */
+static pthread_key_t strerror_buf_key;
+
+/**
+ * Only initialize the key above once
+ */
+static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
+
+/**
+ * Create the key used for the thread-specific error buffer
+ */
+static void create_strerror_buf_key()
+{
+	pthread_key_create(&strerror_buf_key, free);
+}
+
+/**
+ * Retrieve the error buffer assigned to the current thread (or create it)
+ */
+static inline char *get_strerror_buf()
+{
+	char *buf;
+
+	pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
+	buf = pthread_getspecific(strerror_buf_key);
+	if (!buf)
+	{
+		buf = malloc(STRERROR_BUF_LEN);
+		pthread_setspecific(strerror_buf_key, buf);
+	}
+	return buf;
+}
+
+#ifdef HAVE_STRERROR_R
+/*
+ * Described in header.
+ */
+const char *strerror_safe(int errnum)
+{
+	char *buf = get_strerror_buf(), *msg;
+
+#ifdef STRERROR_R_CHAR_P
+	/* char* version which may or may not return the original buffer */
+	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
+#else
+	/* int version returns 0 on success */
+	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
+#endif
+	return msg;
+}
+#else /* HAVE_STRERROR_R */
+/* we actually wan't to call strerror(3) below */
+#undef strerror
+/*
+ * Described in header.
+ */
+const char *strerror_safe(int errnum)
+{
+	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+	char *buf = get_strerror_buf();
+
+	/* use a mutex to ensure calling strerror(3) is thread-safe */
+	pthread_mutex_lock(&mutex);
+	strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
+	pthread_mutex_unlock(&mutex);
+	buf[STRERROR_BUF_LEN - 1] = '\0';
+	return buf;
+}
+#endif /* HAVE_STRERROR_R */
diff --git a/src/libstrongswan/utils/utils/strerror.h b/src/libstrongswan/utils/utils/strerror.h
new file mode 100644
index 000000000..2cb76f12e
--- /dev/null
+++ b/src/libstrongswan/utils/utils/strerror.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2012-2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @{ @ingroup utils
+ */
+
+#ifndef STRERROR_H_
+#define STRERROR_H_
+
+/**
+ * Thread-safe wrapper around strerror and strerror_r.
+ *
+ * This is required because the first is not thread-safe (on some platforms)
+ * and the second uses two different signatures (POSIX/GNU) and is impractical
+ * to use anyway.
+ *
+ * @param errnum	error code (i.e. errno)
+ * @return			error message
+ */
+const char *strerror_safe(int errnum);
+
+/**
+ * Replace usages of strerror(3) with thread-safe variant.
+ */
+#define strerror(errnum) strerror_safe(errnum)
+
+#endif /** STRERROR_H_ @}*/
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 5e8660a41..87ae2a63d 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6d33d843d..6b51e7593 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -471,6 +471,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		.application = application,
 		.purpose = purpose,
 	);
+	lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
 
 	this->crypto = tls_crypto_create(&this->public, cache);
 	this->alert = tls_alert_create();
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 12aa049a2..cc73ebaeb 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -711,7 +711,8 @@ static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
 	int i, remaining = 0;
 	char *token, *config;
 
-	config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
+	config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
+									lib->ns);
 	if (config)
 	{
 		for (i = 0; i < *count; i++)
@@ -765,7 +766,8 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this,
 	int i, remaining = 0;
 	char *token, *config;
 
-	config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
+	config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
+									lib->ns);
 	if (config)
 	{
 		for (i = 0; i < *count; i++)
@@ -830,7 +832,8 @@ static void filter_mac_config_suites(private_tls_crypto_t *this,
 	int i, remaining = 0;
 	char *token, *config;
 
-	config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
+	config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
+									lib->ns);
 	if (config)
 	{
 		for (i = 0; i < *count; i++)
@@ -879,7 +882,8 @@ static void filter_specific_config_suites(private_tls_crypto_t *this,
 	int i, remaining = 0, suite;
 	char *token, *config;
 
-	config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
+	config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
+									lib->ns);
 	if (config)
 	{
 		for (i = 0; i < *count; i++)
diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk
index 4d2803a97..68f85c252 100644
--- a/src/libtnccs/Android.mk
+++ b/src/libtnccs/Android.mk
@@ -35,7 +35,6 @@ endif
 # build libtncif ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/libtls \
 	$(strongswan_PATH)/src/libtncif \
 	$(strongswan_PATH)/src/libstrongswan
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index bacea4346..745850ac1 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -270,8 +270,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -339,6 +337,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -427,12 +430,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -447,6 +454,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 79f91f72f..1f839853c 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
index 7c52ab384..2d556d9d9 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
@@ -302,7 +302,7 @@ METHOD(imc_t, destroy, void,
 	private_tnc_imc_t *this)
 {
 	if (this->handle && lib->settings->get_bool(lib->settings,
-		"libtnccs.plugins.tnc-imc.dlclose", TRUE))
+		"%s.plugins.tnc-imc.dlclose", TRUE, lib->ns))
 	{
 		dlclose(this->handle);
 	}
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c b/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c
index 311598fa9..459b6d710 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c
@@ -224,7 +224,7 @@ METHOD(imc_manager_t, get_preferred_language, char*,
 	private_tnc_imc_manager_t *this)
 {
 	return lib->settings->get_str(lib->settings,
-				"libtnccs.plugins.tnc-imc.preferred_language", "en");
+				"%s.plugins.tnc-imc.preferred_language", "en", lib->ns);
 }
 
 METHOD(imc_manager_t, notify_connection_change, void,
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 20087a7a2..45c3569ac 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
index ebf904513..ab2e55253 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
@@ -298,7 +298,7 @@ METHOD(imv_t, destroy, void,
 	private_tnc_imv_t *this)
 {
 	if (this->handle && lib->settings->get_bool(lib->settings,
-				"libtnccs.plugins.tnc-imv.dlclose", TRUE))
+				"%s.plugins.tnc-imv.dlclose", TRUE, lib->ns))
 	{
 		dlclose(this->handle);
 	}
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
index b4f131b5d..56245015b 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
@@ -21,7 +21,6 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/mman.h>
 #include <unistd.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -461,7 +460,8 @@ imv_manager_t* tnc_imv_manager_create(void)
 
 	policy = enum_from_name(recommendation_policy_names,
 				lib->settings->get_str(lib->settings,
-					"libtnccs.plugins.tnc-imv.recommendation_policy", "default"));
+					"%s.plugins.tnc-imv.recommendation_policy",
+					"default", lib->ns));
 	this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
 	DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
 				   recommendation_policy_names, this->policy);
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 776469098..21ed94de2 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index 76b453a0a..7b4d53ed2 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -230,8 +230,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -299,6 +297,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -387,12 +390,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -407,6 +414,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
index 91854b587..28c5e52b7 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
@@ -662,7 +662,7 @@ tnccs_t* tnccs_11_create(bool is_server,
 		.callback = cb,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.max_msg_len = lib->settings->get_int(lib->settings,
-							"libtnccs.plugins.tnccs-11.max_message_size", 45000),
+						"%s.plugins.tnccs-11.max_message_size", 45000, lib->ns),
 		.ref = 1,
 	);
 
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 0bb3c7314..63010c301 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -231,8 +231,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -300,6 +298,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -388,12 +391,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -408,6 +415,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index b631ef579..f78b85a68 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -1063,9 +1063,9 @@ tnccs_t* tnccs_20_create(bool is_server,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.messages = linked_list_create(),
 		.max_batch_len = lib->settings->get_int(lib->settings,
-							"libtnccs.plugins.tnccs-20.max_batch_size", 65522),
+						"%s.plugins.tnccs-20.max_batch_size", 65522, lib->ns),
 		.max_msg_len = lib->settings->get_int(lib->settings,
-							"libtnccs.plugins.tnccs-20.max_message_size", 65490),
+						"%s.plugins.tnccs-20.max_message_size", 65490, lib->ns),
 		.ref = 1,
 	);
 
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index d38aa13cc..6a99188ef 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/libtnccs/tnc/tnc.c b/src/libtnccs/tnc/tnc.c
index 3a5b84596..e002b10e0 100644
--- a/src/libtnccs/tnc/tnc.c
+++ b/src/libtnccs/tnc/tnc.c
@@ -13,14 +13,15 @@
  * for more details.
  */
 
-#include "tnc.h"
-
+#define _GNU_SOURCE /* for stdndup() */
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/mman.h>
 #include <unistd.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <string.h>
+
+#include "tnc.h"
 
 #include <utils/lexparser.h>
 #include <utils/debug.h>
@@ -71,8 +72,10 @@ void libtnccs_init(void)
 		},
 		.ref = 1,
 	);
-
 	tnc = &this->public;
+	lib->settings->add_fallback(lib->settings, "%s.tnc", "libtnccs", lib->ns);
+	lib->settings->add_fallback(lib->settings, "%s.plugins", "libtnccs.plugins",
+								lib->ns);
 }
 
 /**
@@ -94,10 +97,8 @@ void libtnccs_deinit(void)
 static bool load_imcvs_from_config(char *filename, bool is_imc)
 {
 	bool success = FALSE;
-	int fd, line_nr = 0;
-	chunk_t src, line;
-	struct stat sb;
-	void *addr;
+	int line_nr = 0;
+	chunk_t *src, line;
 	char *label;
 
 	if (!filename || !*filename)
@@ -108,30 +109,15 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 	label = is_imc ? "IMC" : "IMV";
 
 	DBG1(DBG_TNC, "loading %ss from '%s'", label, filename);
-	fd = open(filename, O_RDONLY);
-	if (fd == -1)
+	src = chunk_map(filename, FALSE);
+	if (!src)
 	{
 		DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename,
 			 strerror(errno));
 		return FALSE;
 	}
-	if (fstat(fd, &sb) == -1)
-	{
-		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename,
-			 strerror(errno));
-		close(fd);
-		return FALSE;
-	}
-	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno));
-		close(fd);
-		return FALSE;
-	}
-	src = chunk_create(addr, sb.st_size);
 
-	while (fetchline(&src, &line))
+	while (fetchline(src, &line))
 	{
 		char *name, *path;
 		chunk_t token;
@@ -201,8 +187,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 			break;
 		}
 	}
-	munmap(addr, sb.st_size);
-	close(fd);
+	chunk_unmap(src);
 	return success;
 }
 
@@ -266,10 +251,9 @@ bool tnc_manager_register(plugin_t *plugin, plugin_feature_t *feature,
 		{
 			load_imcvs_from_config(
 						lib->settings->get_str(lib->settings,
-									"libtnccs.tnc_config", "/etc/tnc_config"),
+								"%s.tnc.tnc_config", "/etc/tnc_config", lib->ns),
 						is_imc);
 		}
 	}
 	return TRUE;
 }
-
diff --git a/src/libtncif/Android.mk b/src/libtncif/Android.mk
index 13ce6e11a..36d3f4c33 100644
--- a/src/libtncif/Android.mk
+++ b/src/libtncif/Android.mk
@@ -13,7 +13,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libtncif_la_SOURCES))
 # build libtncif ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/libstrongswan
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index b8c83491f..66ac31127 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -182,8 +182,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -251,6 +249,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -339,12 +342,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -359,6 +366,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 244df091f..08033c461 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -234,8 +234,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -303,6 +301,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -391,12 +394,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -411,6 +418,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/manager/main.c b/src/manager/main.c
index 5c845b157..b6169082f 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -34,7 +34,7 @@ int main (int arc, char *argv[])
 	bool debug;
 	int threads, timeout;
 
-	library_init(NULL);
+	library_init(NULL, "manager");
 	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "manager.load", PLUGINS)))
 	{
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 385bb8e70..5452a419a 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -223,8 +223,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -292,6 +290,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -380,12 +383,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -400,6 +407,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 6f08b97e5..745fcc359 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -33,7 +33,7 @@ int main(int arc, char *argv[])
 	char *uri;
 	int timeout, threads;
 
-	library_init(NULL);
+	library_init(NULL, "medsrv");
 	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS)))
 	{
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index e9023b820..b5e00bee6 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 7074d44be..8862e9ab0 100644
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -29,6 +29,7 @@
 #include <getopt.h>
 #include <ctype.h>
 #include <time.h>
+#include <errno.h>
 
 #include <library.h>
 #include <utils/debug.h>
@@ -228,7 +229,7 @@ int main(int argc, char **argv)
 
 	/* initialize library */
 	atexit(library_deinit);
-	if (!library_init(NULL))
+	if (!library_init(NULL, "openac"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
@@ -515,11 +516,18 @@ int main(int argc, char **argv)
 		/* write the attribute certificate to file */
 		if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
 		{
-			if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
+			if (chunk_write(attr_chunk, outfile, 0022, TRUE))
 			{
+				DBG1(DBG_APP, "  written attribute cert file '%s' (%d bytes)",
+						 outfile, attr_chunk.len);
 				write_serial(serial);
 				status = 0;
 			}
+			else
+			{
+				DBG1(DBG_APP, "  writing attribute cert file '%s' failed: %s",
+					 outfile, strerror(errno));
+			}
 		}
 	}
 	else
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 1101366d1..461d958da 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -231,8 +231,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -300,6 +298,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -388,12 +391,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -408,6 +415,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/pki/command.c b/src/pki/command.c
index 984da59b4..b6966ee0b 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -29,7 +29,7 @@
 /**
  * Registered commands.
  */
-command_t cmds[MAX_COMMANDS];
+static command_t cmds[MAX_COMMANDS];
 
 /**
  * active command.
@@ -55,12 +55,12 @@ static options_t *options;
 /**
  * Global options used by all subcommands
  */
-static struct option command_opts[MAX_COMMANDS > MAX_OPTIONS ?: MAX_OPTIONS];
+static struct option command_opts[MAX_COMMANDS > MAX_OPTIONS ? MAX_COMMANDS : MAX_OPTIONS];
 
 /**
  * Global optstring used by all subcommands
  */
-static char command_optstring[(MAX_COMMANDS > MAX_OPTIONS ?: MAX_OPTIONS) * 3];
+static char command_optstring[(MAX_COMMANDS > MAX_OPTIONS ? MAX_COMMANDS : MAX_OPTIONS) * 3];
 
 /**
  * Build command_opts/command_optstr for the active command
@@ -140,23 +140,37 @@ void command_register(command_t command)
 {
 	int i;
 
+	if (registered == MAX_COMMANDS)
+	{
+		fprintf(stderr, "unable to register command, please increase "
+				"MAX_COMMANDS\n");
+		return;
+	}
+
 	cmds[registered] = command;
 	/* append default options, but not to --help */
 	if (!active)
 	{
 		for (i = 0; i < countof(cmds[registered].options) - 1; i++)
 		{
-			if (cmds[registered].options[i].name)
+			if (!cmds[registered].options[i].name)
 			{
-				continue;
+				break;
 			}
+		}
+		if (i > countof(cmds[registered].options) - 3)
+		{
+			fprintf(stderr, "command '%s' registered too many options, please "
+					"increase MAX_OPTIONS\n", command.cmd);
+		}
+		else
+		{
 			cmds[registered].options[i++] = (command_option_t) {
 				"debug",	'v', 1, "set debug level, default: 1"
 			};
 			cmds[registered].options[i++] = (command_option_t) {
 				"options",	'+', 1, "read command line options from file"
 			};
-			break;
 		}
 	}
 	registered++;
@@ -260,4 +274,3 @@ int command_dispatch(int c, char *v[])
 	}
 	return command_usage(c > 1 ? "invalid operation" : NULL);
 }
-
diff --git a/src/pki/command.h b/src/pki/command.h
index 1a884fb73..737f4658d 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -22,12 +22,12 @@
 #define COMMAND_H_
 
 /**
- * Maximum number of commands.
+ * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 10
+#define MAX_COMMANDS 11
 
 /**
- * Maximum number of options in a command (+1)
+ * Maximum number of options in a command (+3)
  */
 #define MAX_OPTIONS 32
 
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 000f63d1a..d5c33b89f 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -14,6 +14,7 @@
  */
 
 #include <time.h>
+#include <errno.h>
 
 #include "pki.h"
 
@@ -382,7 +383,12 @@ static int issue()
 		{
 			chunk_t chunk;
 
-			chunk = chunk_from_fd(0);
+			if (!chunk_from_fd(0, &chunk))
+			{
+				fprintf(stderr, "%s: ", strerror(errno));
+				error = "reading certificate request failed";
+				goto end;
+			}
 			cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
 										  CERT_PKCS10_REQUEST,
 										  BUILD_BLOB, chunk, BUILD_END);
@@ -425,7 +431,12 @@ static int issue()
 		{
 			chunk_t chunk;
 
-			chunk = chunk_from_fd(0);
+			if (!chunk_from_fd(0, &chunk))
+			{
+				fprintf(stderr, "%s: ", strerror(errno));
+				error = "reading public key failed";
+				goto end;
+			}
 			public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
 										 BUILD_BLOB, chunk, BUILD_END);
 			free(chunk.ptr);
@@ -562,4 +573,3 @@ static void __attribute__ ((constructor))reg()
 		}
 	});
 }
-
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 353670e32..64bb3cc2c 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -13,6 +13,8 @@
  * for more details.
  */
 
+#include <errno.h>
+
 #include "pki.h"
 
 #include <credentials/certificates/certificate.h>
@@ -89,7 +91,11 @@ static int keyid()
 	{
 		chunk_t chunk;
 
-		chunk = chunk_from_fd(0);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+			return 1;
+		}
 		cred = lib->creds->create(lib->creds, type, subtype,
 								  BUILD_BLOB, chunk, BUILD_END);
 		free(chunk.ptr);
@@ -165,4 +171,3 @@ static void __attribute__ ((constructor))reg()
 		}
 	});
 }
-
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 2261e44ff..077c1ef3e 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -22,6 +22,7 @@
 #include <selectors/traffic_selector.h>
 
 #include <time.h>
+#include <errno.h>
 
 /**
  * Print public key information
@@ -510,7 +511,11 @@ static int print()
 	{
 		chunk_t chunk;
 
-		chunk = chunk_from_fd(0);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+			return 1;
+		}
 		cred = lib->creds->create(lib->creds, type, subtype,
 								  BUILD_BLOB, chunk, BUILD_END);
 		free(chunk.ptr);
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 7f88055ef..260044c4e 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -13,6 +13,8 @@
  * for more details.
  */
 
+#include <errno.h>
+
 #include "pki.h"
 
 #include <credentials/certificates/certificate.h>
@@ -108,7 +110,11 @@ static int pub()
 	{
 		chunk_t chunk;
 
-		chunk = chunk_from_fd(0);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+			return 1;
+		}
 		cred = lib->creds->create(lib->creds, type, subtype,
 								  BUILD_BLOB, chunk, BUILD_END);
 		free(chunk.ptr);
@@ -186,4 +192,3 @@ static void __attribute__ ((constructor))reg()
 		}
 	});
 }
-
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 628463e7b..5b2c128b7 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -16,6 +16,7 @@
  */
 
 #include <time.h>
+#include <errno.h>
 
 #include "pki.h"
 
@@ -118,7 +119,12 @@ static int req()
 	{
 		chunk_t chunk;
 
-		chunk = chunk_from_fd(0);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "reading private key failed: %s\n", strerror(errno));
+			error = "";
+			goto end;
+		}
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 									 BUILD_BLOB, chunk, BUILD_END);
 		free(chunk.ptr);
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6bf0b1353..c28c9c291 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -14,6 +14,7 @@
  */
 
 #include <time.h>
+#include <errno.h>
 
 #include "pki.h"
 
@@ -273,7 +274,12 @@ static int self()
 	{
 		chunk_t chunk;
 
-		chunk = chunk_from_fd(0);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "%s: ", strerror(errno));
+			error = "reading private key failed";
+			goto end;
+		}
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 									 BUILD_BLOB, chunk, BUILD_END);
 		free(chunk.ptr);
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 96b2b5065..f30dda94d 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -13,6 +13,8 @@
  * for more details.
  */
 
+#include <errno.h>
+
 #include "pki.h"
 
 #include <credentials/certificates/certificate.h>
@@ -57,7 +59,11 @@ static int verify()
 	{
 		chunk_t chunk;
 
-		chunk = chunk_from_fd(0);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "reading certificate failed: %s\n", strerror(errno));
+			return 1;
+		}
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 								  BUILD_BLOB, chunk, BUILD_END);
 		free(chunk.ptr);
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index ecba4a9b3..edbde85b5 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -170,8 +170,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -239,6 +237,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -327,12 +330,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -347,6 +354,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 9effd9b15..3fad1ae8a 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-ISSUE" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
diff --git a/src/pki/pki.c b/src/pki/pki.c
index ecc0702cd..eb614dd7f 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -168,7 +168,7 @@ static void remove_callback()
 int main(int argc, char *argv[])
 {
 	atexit(library_deinit);
-	if (!library_init(NULL))
+	if (!library_init(NULL, "pki"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am
index 8b429a4ba..b8d662e57 100644
--- a/src/pool/Makefile.am
+++ b/src/pool/Makefile.am
@@ -1,3 +1,5 @@
+if USE_ATTR_SQL
+
 ipsec_PROGRAMS = pool
 
 pool_SOURCES = \
@@ -14,3 +16,8 @@ AM_CPPFLAGS = \
 pool_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la
+
+endif USE_ATTR_SQL
+
+templatesdir = $(pkgdatadir)/templates/database/sql
+dist_templates_DATA = mysql.sql sqlite.sql
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index f8db9ae33..63489034f 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -14,6 +14,7 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -78,10 +79,10 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-ipsec_PROGRAMS = pool$(EXEEXT)
+@USE_ATTR_SQL_TRUE@ipsec_PROGRAMS = pool$(EXEEXT)
 subdir = src/pool
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp
+	$(top_srcdir)/depcomp $(dist_templates_DATA)
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -99,14 +100,16 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"
 PROGRAMS = $(ipsec_PROGRAMS)
-am_pool_OBJECTS = pool.$(OBJEXT) pool_attributes.$(OBJEXT) \
-	pool_usage.$(OBJEXT)
+am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \
+	pool_usage.h pool_usage.c
+@USE_ATTR_SQL_TRUE@am_pool_OBJECTS = pool.$(OBJEXT) \
+@USE_ATTR_SQL_TRUE@	pool_attributes.$(OBJEXT) \
+@USE_ATTR_SQL_TRUE@	pool_usage.$(OBJEXT)
 pool_OBJECTS = $(am_pool_OBJECTS)
-pool_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -146,12 +149,40 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
 SOURCES = $(pool_SOURCES)
-DIST_SOURCES = $(pool_SOURCES)
+DIST_SOURCES = $(am__pool_SOURCES_DIST)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+DATA = $(dist_templates_DATA)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -186,8 +217,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -255,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -343,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -363,6 +401,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -373,19 +412,21 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-pool_SOURCES = \
-	pool.c pool_attributes.c pool_attributes.h \
-	pool_usage.h pool_usage.c
+@USE_ATTR_SQL_TRUE@pool_SOURCES = \
+@USE_ATTR_SQL_TRUE@	pool.c pool_attributes.c pool_attributes.h \
+@USE_ATTR_SQL_TRUE@	pool_usage.h pool_usage.c
 
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-DPLUGINS=\""${pool_plugins}\""
+@USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \
+@USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libstrongswan \
+@USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libhydra \
+@USE_ATTR_SQL_TRUE@	-DPLUGINS=\""${pool_plugins}\""
 
-pool_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@pool_LDADD = \
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la
 
+templatesdir = $(pkgdatadir)/templates/database/sql
+dist_templates_DATA = mysql.sql sqlite.sql
 all: all-am
 
 .SUFFIXES:
@@ -513,6 +554,27 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-dist_templatesDATA: $(dist_templates_DATA)
+	@$(NORMAL_INSTALL)
+	@list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \
+	done
+
+uninstall-dist_templatesDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir)
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -598,9 +660,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(PROGRAMS)
+all-am: Makefile $(PROGRAMS) $(DATA)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -656,7 +718,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS
+install-data-am: install-dist_templatesDATA install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
@@ -702,7 +764,7 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS
+uninstall-am: uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS
 
 .MAKE: install-am install-strip
 
@@ -711,17 +773,19 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-data-am install-dist_templatesDATA install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am uninstall-ipsecPROGRAMS
+	tags tags-am uninstall uninstall-am \
+	uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS
 
 
-pool.o :	$(top_builddir)/config.status
+@USE_ATTR_SQL_TRUE@pool.o :	$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/pool/mysql.sql b/src/pool/mysql.sql
new file mode 100644
index 000000000..1b437593d
--- /dev/null
+++ b/src/pool/mysql.sql
@@ -0,0 +1,281 @@
+
+DROP TABLE IF EXISTS `identities`;
+CREATE TABLE `identities` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(4) unsigned NOT NULL,
+  `data` varbinary(64) NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE (`type`, `data`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `child_configs`;
+CREATE TABLE `child_configs` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `name` varchar(32) collate utf8_unicode_ci NOT NULL,
+  `lifetime` mediumint(8) unsigned NOT NULL default '1500',
+  `rekeytime` mediumint(8) unsigned NOT NULL default '1200',
+  `jitter` mediumint(8) unsigned NOT NULL default '60',
+  `updown` varchar(128) collate utf8_unicode_ci default NULL,
+  `hostaccess` tinyint(1) unsigned NOT NULL default '0',
+  `mode` tinyint(4) unsigned NOT NULL default '2',
+  `start_action` tinyint(4) unsigned NOT NULL default '0',
+  `dpd_action` tinyint(4) unsigned NOT NULL default '0',
+  `close_action` tinyint(4) unsigned NOT NULL default '0',
+  `ipcomp` tinyint(4) unsigned NOT NULL default '0',
+  `reqid` mediumint(8) unsigned NOT NULL default '0',
+  PRIMARY KEY (`id`),
+  INDEX (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `child_config_traffic_selector`;
+CREATE TABLE `child_config_traffic_selector` (
+  `child_cfg` int(10) unsigned NOT NULL,
+  `traffic_selector` int(10) unsigned NOT NULL,
+  `kind` tinyint(3) unsigned NOT NULL,
+  INDEX (`child_cfg`, `traffic_selector`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `proposals`;
+CREATE TABLE `proposals` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `proposal` varchar(128) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `child_config_proposal`;
+CREATE TABLE `child_config_proposal` (
+  `child_cfg` int(10) unsigned NOT NULL,
+  `prio` smallint(5) unsigned NOT NULL,
+  `prop` int(10) unsigned NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `ike_configs`;
+CREATE TABLE `ike_configs` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `certreq` tinyint(3) unsigned NOT NULL default '1',
+  `force_encap` tinyint(1) NOT NULL default '0',
+  `local` varchar(128) collate utf8_unicode_ci NOT NULL,
+  `remote` varchar(128) collate utf8_unicode_ci NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `ike_config_proposal`;
+CREATE TABLE `ike_config_proposal` (
+  `ike_cfg` int(10) unsigned NOT NULL,
+  `prio` smallint(5) unsigned NOT NULL,
+  `prop` int(10) unsigned NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `peer_configs`;
+CREATE TABLE `peer_configs` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `name` varchar(32) collate utf8_unicode_ci NOT NULL,
+  `ike_version` tinyint(3) unsigned NOT NULL default '2',
+  `ike_cfg` int(10) unsigned NOT NULL,
+  `local_id` varchar(64) collate utf8_unicode_ci NOT NULL,
+  `remote_id` varchar(64) collate utf8_unicode_ci NOT NULL,
+  `cert_policy` tinyint(3) unsigned NOT NULL default '1',
+  `uniqueid` tinyint(3) unsigned NOT NULL default '0',
+  `auth_method` tinyint(3) unsigned NOT NULL default '1',
+  `eap_type` tinyint(3) unsigned NOT NULL default '0',
+  `eap_vendor` smallint(5) unsigned NOT NULL default '0',
+  `keyingtries` tinyint(3) unsigned NOT NULL default '3',
+  `rekeytime` mediumint(8) unsigned NOT NULL default '7200',
+  `reauthtime` mediumint(8) unsigned NOT NULL default '0',
+  `jitter` mediumint(8) unsigned NOT NULL default '180',
+  `overtime` mediumint(8) unsigned NOT NULL default '300',
+  `mobike` tinyint(1) NOT NULL default '1',
+  `dpd_delay` mediumint(8) unsigned NOT NULL default '120',
+  `virtual` varchar(40) default NULL,
+  `pool` varchar(32) default NULL,
+  `mediation` tinyint(1) NOT NULL default '0',
+  `mediated_by` int(10) unsigned NOT NULL default '0',
+  `peer_id` int(10) unsigned NOT NULL default '0',
+  PRIMARY KEY (`id`),
+  INDEX (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `peer_config_child_config`;
+CREATE TABLE `peer_config_child_config` (
+  `peer_cfg` int(10) unsigned NOT NULL,
+  `child_cfg` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`peer_cfg`, `child_cfg`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `traffic_selectors`;
+CREATE TABLE `traffic_selectors` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL default '7',
+  `protocol` smallint(5) unsigned NOT NULL default '0',
+  `start_addr` varbinary(16) default NULL,
+  `end_addr` varbinary(16) default NULL,
+  `start_port` smallint(5) unsigned NOT NULL default '0',
+  `end_port` smallint(5) unsigned NOT NULL default '65535',
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL,
+  `keytype` tinyint(3) unsigned NOT NULL,
+  `data` BLOB NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificate_identity;
+CREATE TABLE certificate_identity (
+  `certificate` int(10) unsigned NOT NULL,
+  `identity` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`certificate`, `identity`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL,
+  `data` BLOB NOT NULL,
+  PRIMARY KEY  (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS private_key_identity;
+CREATE TABLE private_key_identity (
+  `private_key` int(10) unsigned NOT NULL,
+  `identity` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`private_key`, `identity`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL,
+  `data` varbinary(256) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS shared_secret_identity;
+CREATE TABLE shared_secret_identity (
+  `shared_secret` int(10) unsigned NOT NULL,
+  `identity` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`shared_secret`, `identity`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificate_authorities;
+CREATE TABLE certificate_authorities (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `certificate` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificate_distribution_points;
+CREATE TABLE certificate_distribution_points (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `ca` int(10) unsigned NOT NULL,
+  `type` tinyint(3) unsigned NOT NULL,
+  `uri` varchar(256) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS pools;
+CREATE TABLE pools (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `name` varchar(32) NOT NULL,
+  `start` varbinary(16) NOT NULL,
+  `end` varbinary(16) NOT NULL,
+  `timeout` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS addresses;
+CREATE TABLE addresses (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `pool` int(10) unsigned NOT NULL,
+  `address` varbinary(16) NOT NULL,
+  `identity` int(10) unsigned NOT NULL DEFAULT 0,
+  `acquired` int(10) unsigned NOT NULL DEFAULT 0,
+  `released` int(10) unsigned NOT NULL DEFAULT 1,
+  PRIMARY KEY (`id`),
+  INDEX (`pool`),
+  INDEX (`identity`),
+  INDEX (`address`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `address` int(10) unsigned NOT NULL,
+  `identity` int(10) unsigned NOT NULL,
+  `acquired` int(10) unsigned NOT NULL,
+  `released` int(10) unsigned DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS attribute_pools;
+CREATE TABLE attribute_pools (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `name` varchar(32) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS attributes;
+CREATE TABLE attributes (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `identity` int(10) unsigned NOT NULL default '0',
+  `pool` int(10) unsigned NOT NULL default '0',
+  `type` int(10) unsigned NOT NULL,
+  `value` varbinary(16) NOT NULL,
+  PRIMARY KEY (`id`),
+  INDEX (`identity`),
+  INDEX (`pool`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS ike_sas;
+CREATE TABLE ike_sas (
+  `local_spi` varbinary(8) NOT NULL,
+  `remote_spi` varbinary(8) NOT NULL,
+  `id` int(10) unsigned NOT NULL,
+  `initiator` tinyint(1) NOT NULL,
+  `local_id_type` tinyint(3) NOT NULL,
+  `local_id_data` varbinary(64) DEFAULT NULL,
+  `remote_id_type` tinyint(3) NOT NULL,
+  `remote_id_data` varbinary(64) DEFAULT NULL,
+  `host_family` tinyint(3) NOT NULL,
+  `local_host_data` varbinary(16) NOT NULL,
+  `remote_host_data` varbinary(16) NOT NULL,
+  `lastuse` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  PRIMARY KEY (`local_spi`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS logs;
+CREATE TABLE logs (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `local_spi` varbinary(8) NOT NULL,
+  `signal` tinyint(3) NOT NULL,
+  `level` tinyint(3) NOT NULL,
+  `msg` varchar(256) NOT NULL,
+  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
diff --git a/src/pool/pool.c b/src/pool/pool.c
index 05043cd8c..265974860 100644
--- a/src/pool/pool.c
+++ b/src/pool/pool.c
@@ -1212,7 +1212,7 @@ int main(int argc, char *argv[])
 	atexit(library_deinit);
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "pool"))
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
@@ -1227,11 +1227,16 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
-
-	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL);
+	/* TODO: make database URI or setting key configurable via command line */
+	uri = lib->settings->get_str(lib->settings,
+			"pool.database",
+			lib->settings->get_str(lib->settings,
+				"charon.plugins.attr-sql.database",
+				lib->settings->get_str(lib->settings,
+					"libhydra.plugins.attr-sql.database", NULL)));
 	if (!uri)
 	{
-		fprintf(stderr, "database URI libhydra.plugins.attr-sql.database not set.\n");
+		fprintf(stderr, "database URI pool.database not set.\n");
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 	db = lib->db->create(lib->db, uri);
diff --git a/src/pool/sqlite.sql b/src/pool/sqlite.sql
new file mode 100644
index 000000000..78012630b
--- /dev/null
+++ b/src/pool/sqlite.sql
@@ -0,0 +1,283 @@
+
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);
+
+
+DROP TABLE IF EXISTS child_configs;
+CREATE TABLE child_configs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  lifetime INTEGER NOT NULL DEFAULT '1500',
+  rekeytime INTEGER NOT NULL DEFAULT '1200',
+  jitter INTEGER NOT NULL DEFAULT '60',
+  updown TEXT DEFAULT NULL,
+  hostaccess INTEGER NOT NULL DEFAULT '0',
+  mode INTEGER NOT NULL DEFAULT '2',
+  start_action INTEGER NOT NULL DEFAULT '0',
+  dpd_action INTEGER NOT NULL DEFAULT '0',
+  close_action INTEGER NOT NULL DEFAULT '0',
+  ipcomp INTEGER NOT NULL DEFAULT '0',
+  reqid INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS child_configs_name;
+CREATE INDEX child_configs_name ON child_configs (
+  name
+);
+
+
+DROP TABLE IF EXISTS child_config_traffic_selector;
+CREATE TABLE child_config_traffic_selector (
+  child_cfg INTEGER NOT NULL,
+  traffic_selector INTEGER NOT NULL,
+  kind INTEGER NOT NULL
+);
+DROP INDEX IF EXISTS child_config_traffic_selector;
+CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector (
+  child_cfg, traffic_selector
+);
+
+DROP TABLE IF EXISTS proposals;
+CREATE TABLE proposals (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  proposal TEXT NOT NULL
+);
+
+
+DROP TABLE IF EXISTS child_config_proposal;
+CREATE TABLE child_config_proposal (
+  child_cfg INTEGER NOT NULL,
+  prio INTEGER NOT NULL,
+  prop INTEGER NOT NULL
+);
+
+
+DROP TABLE IF EXISTS ike_configs;
+CREATE TABLE ike_configs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  certreq INTEGER NOT NULL DEFAULT '1',
+  force_encap INTEGER NOT NULL DEFAULT '0',
+  local TEXT NOT NULL,
+  remote TEXT NOT NULL
+);
+
+
+DROP TABLE IF EXISTS ike_config_proposal;
+CREATE TABLE ike_config_proposal (
+  ike_cfg INTEGER NOT NULL,
+  prio INTEGER NOT NULL,
+  prop INTEGER NOT NULL
+);
+
+
+DROP TABLE IF EXISTS peer_configs;
+CREATE TABLE peer_configs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  ike_version INTEGER NOT NULL DEFAULT '2',
+  ike_cfg INTEGER NOT NULL,
+  local_id TEXT NOT NULL,
+  remote_id TEXT NOT NULL,
+  cert_policy INTEGER NOT NULL DEFAULT '1',
+  uniqueid INTEGER NOT NULL DEFAULT '0',
+  auth_method INTEGER NOT NULL DEFAULT '1',
+  eap_type INTEGER NOT NULL DEFAULT '0',
+  eap_vendor INTEGER NOT NULL DEFAULT '0',
+  keyingtries INTEGER NOT NULL DEFAULT '3',
+  rekeytime INTEGER NOT NULL DEFAULT '7200',
+  reauthtime INTEGER NOT NULL DEFAULT '0',
+  jitter INTEGER NOT NULL DEFAULT '180',
+  overtime INTEGER NOT NULL DEFAULT '300',
+  mobike INTEGER NOT NULL DEFAULT '1',
+  dpd_delay INTEGER NOT NULL DEFAULT '120',
+  virtual TEXT DEFAULT NULL,
+  pool TEXT DEFAULT NULL,
+  mediation INTEGER NOT NULL DEFAULT '0',
+  mediated_by INTEGER NOT NULL DEFAULT '0',
+  peer_id INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS peer_configs_name;
+CREATE INDEX peer_configs_name ON peer_configs (
+  name
+);
+
+
+DROP TABLE IF EXISTS peer_config_child_config;
+CREATE TABLE peer_config_child_config (
+  peer_cfg INTEGER NOT NULL,
+  child_cfg INTEGER NOT NULL,
+  PRIMARY KEY (peer_cfg, child_cfg)
+);
+
+
+DROP TABLE IF EXISTS traffic_selectors;
+CREATE TABLE traffic_selectors (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL DEFAULT '7',
+  protocol INTEGER NOT NULL DEFAULT '0',
+  start_addr BLOB DEFAULT NULL,
+  end_addr BLOB DEFAULT NULL,
+  start_port INTEGER NOT NULL DEFAULT '0',
+  end_port INTEGER NOT NULL DEFAULT '65535'
+);
+
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  keytype INTEGER NOT NULL,
+  data BLOB NOT NULL
+);
+
+
+DROP TABLE IF EXISTS certificate_identity;
+CREATE TABLE certificate_identity (
+  certificate INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  PRIMARY KEY (certificate, identity)
+);
+
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+  id INTEGER NOT NULL  PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL
+);
+
+
+DROP TABLE IF EXISTS private_key_identity;
+CREATE TABLE private_key_identity (
+  private_key INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  PRIMARY KEY (private_key, identity)
+);
+
+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL
+);
+
+
+DROP TABLE IF EXISTS shared_secret_identity;
+CREATE TABLE shared_secret_identity (
+  shared_secret INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  PRIMARY KEY (shared_secret, identity)
+);
+
+
+DROP TABLE IF EXISTS certificate_authorities;
+CREATE TABLE certificate_authorities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  certificate INTEGER NOT NULL
+);
+
+
+DROP TABLE IF EXISTS certificate_distribution_points;
+CREATE TABLE certificate_distribution_points (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  ca INTEGER NOT NULL,
+  type INTEGER NOT NULL,
+  uri TEXT NOT NULL
+);
+
+
+DROP TABLE IF EXISTS pools;
+CREATE TABLE pools (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL UNIQUE,
+  start BLOB NOT NULL,
+  end BLOB NOT NULL,
+  timeout INTEGER NOT NULL
+);
+
+DROP TABLE IF EXISTS addresses;
+CREATE TABLE addresses (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  pool INTEGER NOT NULL,
+  address BLOB NOT NULL,
+  identity INTEGER NOT NULL DEFAULT 0,
+  acquired INTEGER NOT NULL DEFAULT 0,
+  released INTEGER NOT NULL DEFAULT 1
+);
+DROP INDEX IF EXISTS addresses_pool;
+CREATE INDEX addresses_pool ON addresses (
+  pool
+);
+DROP INDEX IF EXISTS addresses_address;
+CREATE INDEX addresses_address ON addresses (
+  address
+);
+DROP INDEX IF EXISTS addresses_identity;
+CREATE INDEX addresses_identity ON addresses (
+  identity
+);
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  address INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  acquired INTEGER NOT NULL,
+  released INTEGER NOT NULL
+);
+
+DROP TABLE IF EXISTS attribute_pools;
+CREATE TABLE attribute_pools (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS attributes;
+CREATE TABLE attributes (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  identity INTEGER NOT NULL DEFAULT 0,
+  pool INTEGER NOT NULL DEFAULT 0,
+  type INTEGER NOT NULL,
+  value BLOB NOT NULL
+);
+DROP INDEX IF EXISTS attributes_identity;
+CREATE INDEX attributes_identity ON attributes (
+  identity
+);
+DROP INDEX IF EXISTS attributes_pool;
+CREATE INDEX attributes_pool ON attributes (
+  pool
+);
+
+DROP TABLE IF EXISTS ike_sas;
+CREATE TABLE ike_sas (
+  local_spi BLOB NOT NULL PRIMARY KEY,
+  remote_spi BLOB NOT NULL,
+  id INTEGER NOT NULL,
+  initiator INTEGER NOT NULL,
+  local_id_type INTEGER NOT NULL,
+  local_id_data BLOB DEFAULT NULL,
+  remote_id_type INTEGER NOT NULL,
+  remote_id_data BLOB DEFAULT NULL,
+  host_family INTEGER NOT NULL,
+  local_host_data BLOB NOT NULL,
+  remote_host_data BLOB NOT NULL,
+  created INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+DROP TABLE IF EXISTS logs;
+CREATE TABLE logs (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  local_spi BLOB NOT NULL,
+  signal INTEGER NOT NULL,
+  level INTEGER NOT NULL,
+  msg TEXT NOT NULL,
+  time INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index b82f0f496..61dff904e 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -187,8 +187,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -256,6 +254,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -344,12 +347,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -364,6 +371,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index e7d75f078..90edb0c8e 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -166,7 +166,7 @@ static void init()
 			PLUGIN_PROVIDE(CUSTOM, "pt-tls-client"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 	};
-	library_init(NULL);
+	library_init(NULL, "pt-tls-client");
 	libtnccs_init();
 
 	dbg = dbg_pt_tls;
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 39b601f8e..06354da5f 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 1267370ba..d7abcb423 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -24,6 +24,7 @@
 #include <time.h>
 #include <limits.h>
 #include <syslog.h>
+#include <errno.h>
 
 #include <library.h>
 #include <utils/debug.h>
@@ -486,7 +487,7 @@ int main(int argc, char **argv)
 	err_t ugh = NULL;
 
 	/* initialize library */
-	if (!library_init(NULL))
+	if (!library_init(NULL, "scepclient"))
 	{
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -975,9 +976,10 @@ int main(int argc, char **argv)
 		{	/* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
 
 			DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
-			if (!chunk_write(scep_response, ca_path, "ca cert",  0022, force))
+			if (!chunk_write(scep_response, ca_path, 0022, force))
 			{
-				exit_scepclient("could not write ca cert file '%s'", ca_path);
+				exit_scepclient("could not write ca cert file '%s': %s",
+								ca_path, strerror(errno));
 			}
 		}
 		else
@@ -1031,10 +1033,10 @@ int main(int argc, char **argv)
 				}
 
 				if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
-					!chunk_write(encoding, path,
-								 ca_cert ? "ca cert" : "ra cert", 0022, force))
+					!chunk_write(encoding, path, 0022, force))
 				{
-					exit_scepclient("could not write cert file '%s'", path);
+					exit_scepclient("could not write cert file '%s': %s",
+									path, strerror(errno));
 				}
 				chunk_free(&encoding);
 			}
@@ -1149,9 +1151,10 @@ int main(int argc, char **argv)
 
 		join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
 
-		if (!chunk_write(pkcs10_encoding, path, "pkcs10",  0022, force))
+		if (!chunk_write(pkcs10_encoding, path, 0022, force))
 		{
-			exit_scepclient("could not write pkcs10 file '%s'", path);
+			exit_scepclient("could not write pkcs10 file '%s': %s",
+							path, strerror(errno));
 		}
 		filetype_out &= ~PKCS10;   /* delete PKCS10 flag */
 	}
@@ -1172,9 +1175,10 @@ int main(int argc, char **argv)
 
 		DBG2(DBG_APP, "building pkcs1 object:");
 		if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
-			!chunk_write(pkcs1, path, "pkcs1", 0066, force))
+			!chunk_write(pkcs1, path, 0066, force))
 		{
-			exit_scepclient("could not write pkcs1 file '%s'", path);
+			exit_scepclient("could not write pkcs1 file '%s': %s",
+							path, strerror(errno));
 		}
 		filetype_out &= ~PKCS1;   /* delete PKCS1 flag */
 	}
@@ -1236,9 +1240,10 @@ int main(int argc, char **argv)
 		{
 			exit_scepclient("encoding certificate failed");
 		}
-		if (!chunk_write(encoding, path, "self-signed cert", 0022, force))
+		if (!chunk_write(encoding, path, 0022, force))
 		{
-			exit_scepclient("could not write self-signed cert file '%s'", path);
+			exit_scepclient("could not write self-signed cert file '%s': %s",
+							path, strerror(errno));
 		}
 		chunk_free(&encoding);
 		filetype_out &= ~CERT_SELF;   /* delete CERT_SELF flag */
@@ -1300,9 +1305,10 @@ int main(int argc, char **argv)
 
 		join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
 
-		if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
+		if (!chunk_write(pkcs7, path, 0022, force))
 		{
-			exit_scepclient("could not write pkcs7 file '%s'", path);
+			exit_scepclient("could not write pkcs7 file '%s': %s",
+							path, strerror(errno));
 		}
 		filetype_out &= ~PKCS7;   /* delete PKCS7 flag */
 	}
@@ -1460,9 +1466,10 @@ int main(int argc, char **argv)
 					exit_scepclient("multiple certs received, only first stored");
 				}
 				if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
-					!chunk_write(encoding, path, "requested cert", 0022, force))
+					!chunk_write(encoding, path, 0022, force))
 				{
-					exit_scepclient("could not write cert file '%s'", path);
+					exit_scepclient("could not write cert file '%s': %s",
+									path, strerror(errno));
 				}
 				chunk_free(&encoding);
 				stored = TRUE;
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index 91575c9ba..c2260be51 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -14,7 +14,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
 # build starter ----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan \
 	$(strongswan_PATH)/src/stroke
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 405d92a3f..7a9154d84 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -211,8 +211,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -280,6 +278,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,12 +371,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -388,6 +395,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 06eb142bd..33916c95c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -419,10 +419,10 @@ int main (int argc, char **argv)
 	bool attach_gdb = FALSE;
 	bool load_warning = FALSE;
 
-	library_init(NULL);
+	library_init(NULL, "starter");
 	atexit(library_deinit);
 
-	libhydra_init("starter");
+	libhydra_init();
 	atexit(libhydra_deinit);
 
 	/* parse command line */
diff --git a/src/stroke/Android.mk b/src/stroke/Android.mk
index 320314c4d..2accb522d 100644
--- a/src/stroke/Android.mk
+++ b/src/stroke/Android.mk
@@ -10,7 +10,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(stroke_SOURCES))
 # build stroke -----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/libstrongswan
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 8e6ebd572..0b285285b 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -186,8 +186,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -255,6 +253,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -343,12 +346,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -363,6 +370,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 75f014516..69c8ea2a4 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -480,7 +480,7 @@ int main(int argc, char *argv[])
 	const stroke_token_t *token;
 	int res = 0;
 
-	library_init(NULL);
+	library_init(NULL, "stroke");
 	atexit(library_deinit);
 
 	if (argc < 2)
diff --git a/src/strongswan.conf b/src/strongswan.conf
deleted file mode 100644
index 0d82dedfa..000000000
--- a/src/strongswan.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# strongswan.conf - strongSwan configuration file
-
-charon {
-
-	# number of worker threads in charon
-	threads = 16
-
-	# send strongswan vendor ID?
-	# send_vendor_id = yes
-
-	plugins {
-
-		sql {
-			# loglevel to log into sql database
-			loglevel = -1
-
-			# URI to the database
-			# database = sqlite:///path/to/file.db
-			# database = mysql://user:password@localhost/database
-		}
-	}
-
-	# ...
-}
-
-pluto {
-
-}
-
-libstrongswan {
-
-	#  set to no, the DH exponent size is optimized
-	#  dh_exponent_ansi_x9_42 = no
-}
author	Yves-Alexis Perez <corsac@debian.org>	2014-03-11 20:48:48 +0100
committer	Yves-Alexis Perez <corsac@debian.org>	2014-03-11 20:48:48 +0100
commit	15fb7904f4431a6e7c305fd08732458f7f885e7e (patch)
tree	c93b60ee813af70509f00f34e29ebec311762427 /src
parent	5313d2d78ca150515f7f5eb39801c100690b6b29 (diff)
download	vyos-strongswan-15fb7904f4431a6e7c305fd08732458f7f885e7e.tar.gz vyos-strongswan-15fb7904f4431a6e7c305fd08732458f7f885e7e.zip