-rw-r--r--Android.common.mk2
-rw-r--r--Android.mk3
-rw-r--r--Doxyfile.in2
-rw-r--r--Makefile.am17
-rw-r--r--Makefile.in32
-rw-r--r--NEWS46
-rw-r--r--aclocal.m4272
-rw-r--r--conf/Makefile.am163
-rw-r--r--conf/Makefile.in873
-rw-r--r--conf/default.conf8
-rw-r--r--conf/default.opt3
-rwxr-xr-xconf/format-options.py337
-rw-r--r--conf/options/attest.conf11
-rw-r--r--conf/options/attest.opt6
-rw-r--r--conf/options/charon-logging.conf62
-rw-r--r--conf/options/charon-logging.opt57
-rw-r--r--conf/options/charon.conf281
-rw-r--r--conf/options/charon.opt284
-rw-r--r--conf/options/imcv.conf43
-rw-r--r--conf/options/imcv.opt28
-rw-r--r--conf/options/manager.conf23
-rw-r--r--conf/options/manager.opt18
-rw-r--r--conf/options/medsrv.conf32
-rw-r--r--conf/options/medsrv.opt27
-rw-r--r--conf/options/pacman.conf12
-rw-r--r--conf/options/pacman.opt7
-rw-r--r--conf/options/pool.conf12
-rw-r--r--conf/options/pool.opt7
-rw-r--r--conf/options/starter.conf10
-rw-r--r--conf/options/starter.opt5
-rw-r--r--conf/options/tnc.conf11
-rw-r--r--conf/options/tnc.opt2
-rw-r--r--conf/options/tools.conf21
-rw-r--r--conf/options/tools.opt8
-rw-r--r--conf/plugins/android_log.conf11
-rw-r--r--conf/plugins/android_log.opt2
-rw-r--r--conf/plugins/attr-sql.conf16
-rw-r--r--conf/plugins/attr-sql.opt6
-rw-r--r--conf/plugins/attr.conf14
-rw-r--r--conf/plugins/attr.opt14
-rw-r--r--conf/plugins/certexpire.conf38
-rw-r--r--conf/plugins/certexpire.opt25
-rw-r--r--conf/plugins/coupling.conf17
-rw-r--r--conf/plugins/coupling.opt8
-rw-r--r--conf/plugins/dhcp.conf20
-rw-r--r--conf/plugins/dhcp.opt22
-rw-r--r--conf/plugins/dnscert.conf11
-rw-r--r--conf/plugins/dnscert.opt2
-rw-r--r--conf/plugins/duplicheck.conf14
-rw-r--r--conf/plugins/duplicheck.opt5
-rw-r--r--conf/plugins/eap-aka-3ggp2.conf10
-rw-r--r--conf/plugins/eap-aka-3ggp2.opt1
-rw-r--r--conf/plugins/eap-aka.conf10
-rw-r--r--conf/plugins/eap-aka.opt1
-rw-r--r--conf/plugins/eap-dynamic.conf14
-rw-r--r--conf/plugins/eap-dynamic.opt13
-rw-r--r--conf/plugins/eap-gtc.conf11
-rw-r--r--conf/plugins/eap-gtc.opt2
-rw-r--r--conf/plugins/eap-peap.conf30
-rw-r--r--conf/plugins/eap-peap.opt20
-rw-r--r--conf/plugins/eap-radius.conf86
-rw-r--r--conf/plugins/eap-radius.opt105
-rw-r--r--conf/plugins/eap-sim.conf10
-rw-r--r--conf/plugins/eap-sim.opt1
-rw-r--r--conf/plugins/eap-simaka-sql.conf12
-rw-r--r--conf/plugins/eap-simaka-sql.opt3
-rw-r--r--conf/plugins/eap-tls.conf17
-rw-r--r--conf/plugins/eap-tls.opt8
-rw-r--r--conf/plugins/eap-tnc.conf15
-rw-r--r--conf/plugins/eap-tnc.opt6
-rw-r--r--conf/plugins/eap-ttls.conf30
-rw-r--r--conf/plugins/eap-ttls.opt20
-rw-r--r--conf/plugins/error-notify.conf11
-rw-r--r--conf/plugins/error-notify.opt2
-rw-r--r--conf/plugins/gcrypt.conf11
-rw-r--r--conf/plugins/gcrypt.opt2
-rw-r--r--conf/plugins/ha.conf32
-rw-r--r--conf/plugins/ha.opt23
-rw-r--r--conf/plugins/imc-attestation.conf26
-rw-r--r--conf/plugins/imc-attestation.opt17
-rw-r--r--conf/plugins/imc-os.conf11
-rw-r--r--conf/plugins/imc-os.opt2
-rw-r--r--conf/plugins/imc-scanner.conf11
-rw-r--r--conf/plugins/imc-scanner.opt2
-rw-r--r--conf/plugins/imc-swid.conf11
-rw-r--r--conf/plugins/imc-swid.opt2
-rw-r--r--conf/plugins/imc-test.conf23
-rw-r--r--conf/plugins/imc-test.opt14
-rw-r--r--conf/plugins/imv-attestation.conf42
-rw-r--r--conf/plugins/imv-attestation.opt29
-rw-r--r--conf/plugins/imv-os.conf11
-rw-r--r--conf/plugins/imv-os.opt2
-rw-r--r--conf/plugins/imv-scanner.conf11
-rw-r--r--conf/plugins/imv-scanner.opt2
-rw-r--r--conf/plugins/imv-test.conf11
-rw-r--r--conf/plugins/imv-test.opt2
-rw-r--r--conf/plugins/ipseckey.conf11
-rw-r--r--conf/plugins/ipseckey.opt2
-rw-r--r--conf/plugins/kernel-klips.conf14
-rw-r--r--conf/plugins/kernel-klips.opt5
-rw-r--r--conf/plugins/kernel-libipsec.conf11
-rw-r--r--conf/plugins/kernel-libipsec.opt7
-rw-r--r--conf/plugins/kernel-netlink.conf19
-rw-r--r--conf/plugins/kernel-netlink.opt18
-rw-r--r--conf/plugins/kernel-pfroute.conf12
-rw-r--r--conf/plugins/kernel-pfroute.opt3
-rw-r--r--conf/plugins/led.conf12
-rw-r--r--conf/plugins/led.opt3
-rw-r--r--conf/plugins/load-tester.conf138
-rw-r--r--conf/plugins/load-tester.opt128
-rw-r--r--conf/plugins/lookip.conf11
-rw-r--r--conf/plugins/lookip.opt2
-rw-r--r--conf/plugins/ntru.conf17
-rw-r--r--conf/plugins/ntru.opt8
-rw-r--r--conf/plugins/openssl.conf14
-rw-r--r--conf/plugins/openssl.opt5
-rw-r--r--conf/plugins/pkcs11.conf37
-rw-r--r--conf/plugins/pkcs11.opt26
-rw-r--r--conf/plugins/radattr.conf15
-rw-r--r--conf/plugins/radattr.opt9
-rw-r--r--conf/plugins/random.conf18
-rw-r--r--conf/plugins/random.opt9
-rw-r--r--conf/plugins/resolve.conf18
-rw-r--r--conf/plugins/resolve.opt11
-rw-r--r--conf/plugins/socket-default.conf20
-rw-r--r--conf/plugins/socket-default.opt11
-rw-r--r--conf/plugins/sql.conf15
-rw-r--r--conf/plugins/sql.opt6
-rw-r--r--conf/plugins/stroke.conf24
-rw-r--r--conf/plugins/stroke.opt15
-rw-r--r--conf/plugins/systime-fix.conf22
-rw-r--r--conf/plugins/systime-fix.opt12
-rw-r--r--conf/plugins/tnc-ifmap.conf30
-rw-r--r--conf/plugins/tnc-ifmap.opt21
-rw-r--r--conf/plugins/tnc-imc.conf14
-rw-r--r--conf/plugins/tnc-imc.opt5
-rw-r--r--conf/plugins/tnc-imv.conf14
-rw-r--r--conf/plugins/tnc-imv.opt5
-rw-r--r--conf/plugins/tnc-pdp.conf41
-rw-r--r--conf/plugins/tnc-pdp.opt24
-rw-r--r--conf/plugins/tnccs-11.conf11
-rw-r--r--conf/plugins/tnccs-11.opt2
-rw-r--r--conf/plugins/tnccs-20.conf14
-rw-r--r--conf/plugins/tnccs-20.opt5
-rw-r--r--conf/plugins/unbound.conf17
-rw-r--r--conf/plugins/unbound.opt17
-rw-r--r--conf/plugins/updown.conf12
-rw-r--r--conf/plugins/updown.opt7
-rw-r--r--conf/plugins/whitelist.conf14
-rw-r--r--conf/plugins/whitelist.opt6
-rw-r--r--conf/plugins/xauth-eap.conf11
-rw-r--r--conf/plugins/xauth-eap.opt2
-rw-r--r--conf/plugins/xauth-pam.conf18
-rw-r--r--conf/plugins/xauth-pam.opt9
-rw-r--r--conf/strongswan.conf14
-rw-r--r--conf/strongswan.conf.5.head.in127
-rw-r--r--conf/strongswan.conf.5.main1664
-rw-r--r--conf/strongswan.conf.5.tail.in470
-rw-r--r--config.h.in17
-rwxr-xr-xconfigure548
-rw-r--r--configure.ac102
-rw-r--r--init/Makefile.in12
-rw-r--r--init/systemd/Makefile.in12
-rw-r--r--man/Makefile.am3
-rw-r--r--man/Makefile.in22
-rw-r--r--man/ipsec.conf.5.in4
-rw-r--r--man/strongswan.conf.5.in1745
-rw-r--r--scripts/Makefile.in12
-rw-r--r--scripts/aes-test.c4
-rw-r--r--scripts/crypt_burn.c2
-rw-r--r--scripts/dh_speed.c2
-rw-r--r--scripts/dnssec.c2
-rw-r--r--scripts/fetch.c2
-rw-r--r--scripts/hash_burn.c2
-rw-r--r--scripts/key2keyid.c2
-rw-r--r--scripts/keyid2sql.c2
-rw-r--r--scripts/malloc_speed.c2
-rw-r--r--scripts/pubkey_speed.c2
-rw-r--r--scripts/tls_test.c2
-rw-r--r--src/Makefile.am16
-rw-r--r--src/Makefile.in47
-rw-r--r--src/_copyright/Makefile.in12
-rw-r--r--src/_copyright/_copyright.c14
-rw-r--r--src/_updown/Makefile.in12
-rw-r--r--src/_updown/_updown.in34
-rw-r--r--src/_updown_espmark/Makefile.in12
-rw-r--r--src/charon-cmd/Makefile.in12
-rw-r--r--src/charon-cmd/charon-cmd.8.in18
-rw-r--r--src/charon-cmd/charon-cmd.c7
-rw-r--r--src/charon-cmd/cmd/cmd_connection.c97
-rw-r--r--src/charon-cmd/cmd/cmd_options.c6
-rw-r--r--src/charon-cmd/cmd/cmd_options.h3
-rw-r--r--src/charon-nm/Makefile.in12
-rw-r--r--src/charon-nm/charon-nm.c6
-rw-r--r--src/charon-nm/nm/nm_backend.c12
-rw-r--r--src/charon-nm/nm/nm_service.c16
-rw-r--r--src/charon-tkm/Makefile.am40
-rw-r--r--src/charon-tkm/Makefile.in52
-rw-r--r--src/charon-tkm/build_common.gpr2
-rw-r--r--src/charon-tkm/build_tests.gpr6
-rw-r--r--src/charon-tkm/src/charon-tkm.c17
-rw-r--r--src/charon-tkm/src/tkm/tkm.c4
-rw-r--r--src/charon-tkm/src/tkm/tkm_diffie_hellman.c108
-rw-r--r--src/charon-tkm/src/tkm/tkm_diffie_hellman.h13
-rw-r--r--src/charon-tkm/src/tkm/tkm_id_manager.c1
-rw-r--r--src/charon-tkm/tests/chunk_map_tests.c17
-rw-r--r--src/charon-tkm/tests/diffie_hellman_tests.c18
-rw-r--r--src/charon-tkm/tests/id_manager_tests.c20
-rw-r--r--src/charon-tkm/tests/kernel_sad_tests.c23
-rw-r--r--src/charon-tkm/tests/keymat_tests.c18
-rw-r--r--src/charon-tkm/tests/nonceg_tests.c21
-rw-r--r--src/charon-tkm/tests/test_runner.c84
-rw-r--r--src/charon-tkm/tests/tests.c114
-rw-r--r--src/charon-tkm/tests/tests.h (renamed from src/charon-tkm/tests/test_runner.h)21
-rw-r--r--src/charon-tkm/tests/utils_tests.c15
-rw-r--r--src/charon/Android.mk1
-rw-r--r--src/charon/Makefile.in12
-rw-r--r--src/charon/charon.c6
-rw-r--r--src/checksum/Makefile.am19
-rw-r--r--src/checksum/Makefile.in79
-rw-r--r--src/checksum/checksum_builder.c5
-rw-r--r--src/conftest/Makefile.in12
-rw-r--r--src/conftest/conftest.c8
-rw-r--r--src/dumm/Makefile.in12
-rw-r--r--src/dumm/cowfs.h2
-rw-r--r--src/dumm/ext/dumm.c2
-rw-r--r--src/dumm/main.c2
-rw-r--r--src/include/Makefile.in12
-rw-r--r--src/ipsec/Makefile.in12
-rw-r--r--src/ipsec/_ipsec.82
-rw-r--r--src/libcharon/Android.mk1
-rw-r--r--src/libcharon/Makefile.in12
-rw-r--r--src/libcharon/config/ike_cfg.c6
-rw-r--r--src/libcharon/config/proposal.c4
-rw-r--r--src/libcharon/daemon.c36
-rw-r--r--src/libcharon/daemon.h10
-rw-r--r--src/libcharon/encoding/payloads/notify_payload.c14
-rw-r--r--src/libcharon/encoding/payloads/notify_payload.h2
-rw-r--r--src/libcharon/network/receiver.c20
-rw-r--r--src/libcharon/network/sender.c8
-rw-r--r--src/libcharon/plugins/addrblock/Makefile.in12
-rw-r--r--src/libcharon/plugins/android_dns/Makefile.in12
-rw-r--r--src/libcharon/plugins/android_log/Makefile.in12
-rw-r--r--src/libcharon/plugins/android_log/android_log_logger.c2
-rw-r--r--src/libcharon/plugins/certexpire/Makefile.in12
-rw-r--r--src/libcharon/plugins/certexpire/certexpire_export.c30
-rw-r--r--src/libcharon/plugins/coupling/Makefile.in12
-rw-r--r--src/libcharon/plugins/coupling/coupling_validator.c8
-rw-r--r--src/libcharon/plugins/dhcp/Makefile.in12
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_socket.c40
-rw-r--r--src/libcharon/plugins/dnscert/Makefile.in12
-rw-r--r--src/libcharon/plugins/dnscert/dnscert_plugin.c2
-rw-r--r--src/libcharon/plugins/duplicheck/Makefile.in12
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_notify.c2
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_plugin.c2
-rw-r--r--src/libcharon/plugins/eap_aka/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_server.c2
-rw-r--r--src/libcharon/plugins/eap_aka_3gpp2/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c2
-rw-r--r--src/libcharon/plugins/eap_dynamic/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_dynamic/eap_dynamic.c4
-rw-r--r--src/libcharon/plugins/eap_gtc/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_gtc/eap_gtc.c2
-rw-r--r--src/libcharon/plugins/eap_identity/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_md5/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_mschapv2/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_peap/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap.c8
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_server.c8
-rw-r--r--src/libcharon/plugins/eap_radius/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius.c10
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_accounting.c6
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_dae.c10
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_forward.c4
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_plugin.c34
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_xauth.c2
-rw-r--r--src/libcharon/plugins/eap_sim/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_sim/eap_sim_server.c2
-rw-r--r--src/libcharon/plugins/eap_sim_file/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_simaka_sql/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c4
-rw-r--r--src/libcharon/plugins/eap_tls/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_tls/eap_tls.c6
-rw-r--r--src/libcharon/plugins/eap_tnc/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_tnc/eap_tnc.c6
-rw-r--r--src/libcharon/plugins/eap_ttls/Makefile.in12
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls.c8
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls_server.c8
-rw-r--r--src/libcharon/plugins/error_notify/Makefile.in12
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_socket.c2
-rw-r--r--src/libcharon/plugins/farp/Makefile.in12
-rw-r--r--src/libcharon/plugins/ha/Makefile.in12
-rw-r--r--src/libcharon/plugins/ha/ha_attribute.c2
-rw-r--r--src/libcharon/plugins/ha/ha_plugin.c14
-rw-r--r--src/libcharon/plugins/ha/ha_segments.c6
-rw-r--r--src/libcharon/plugins/ipseckey/Makefile.in12
-rw-r--r--src/libcharon/plugins/ipseckey/ipseckey_plugin.c2
-rw-r--r--src/libcharon/plugins/kernel_libipsec/Makefile.in12
-rw-r--r--src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c2
-rw-r--r--src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c2
-rw-r--r--src/libcharon/plugins/led/Makefile.in12
-rw-r--r--src/libcharon/plugins/led/led_listener.c6
-rw-r--r--src/libcharon/plugins/load_tester/Makefile.in12
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_config.c57
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_control.c2
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_creds.c12
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_listener.c2
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_plugin.c16
-rw-r--r--src/libcharon/plugins/lookip/Makefile.in12
-rw-r--r--src/libcharon/plugins/lookip/lookip_socket.c39
-rw-r--r--src/libcharon/plugins/maemo/Makefile.in12
-rw-r--r--src/libcharon/plugins/medcli/Makefile.in12
-rw-r--r--src/libcharon/plugins/medsrv/Makefile.in12
-rw-r--r--src/libcharon/plugins/osx_attr/Makefile.in12
-rw-r--r--src/libcharon/plugins/radattr/Makefile.in12
-rw-r--r--src/libcharon/plugins/radattr/radattr_listener.c52
-rw-r--r--src/libcharon/plugins/smp/Makefile.in12
-rw-r--r--src/libcharon/plugins/socket_default/Makefile.in12
-rw-r--r--src/libcharon/plugins/socket_default/socket_default_socket.c14
-rw-r--r--src/libcharon/plugins/socket_dynamic/Makefile.in12
-rw-r--r--src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c2
-rw-r--r--src/libcharon/plugins/sql/Makefile.in12
-rw-r--r--src/libcharon/plugins/sql/sql_logger.c2
-rw-r--r--src/libcharon/plugins/sql/sql_plugin.c2
-rw-r--r--src/libcharon/plugins/stroke/Makefile.in12
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_control.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c53
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c53
-rw-r--r--src/libcharon/plugins/systime_fix/Makefile.in12
-rw-r--r--src/libcharon/plugins/systime_fix/systime_fix_plugin.c8
-rw-r--r--src/libcharon/plugins/tnc_ifmap/Makefile.in12
-rw-r--r--src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c4
-rw-r--r--src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c14
-rw-r--r--src/libcharon/plugins/tnc_pdp/Makefile.in12
-rw-r--r--src/libcharon/plugins/tnc_pdp/tnc_pdp.c14
-rw-r--r--src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c2
-rw-r--r--src/libcharon/plugins/uci/Makefile.in12
-rw-r--r--src/libcharon/plugins/unit_tester/Makefile.in12
-rw-r--r--src/libcharon/plugins/unity/Makefile.in12
-rw-r--r--src/libcharon/plugins/unity/unity_narrow.c11
-rw-r--r--src/libcharon/plugins/unity/unity_provider.c77
-rw-r--r--src/libcharon/plugins/updown/Makefile.in12
-rw-r--r--src/libcharon/plugins/updown/updown_handler.c2
-rw-r--r--src/libcharon/plugins/updown/updown_listener.c10
-rw-r--r--src/libcharon/plugins/updown/updown_plugin.c2
-rw-r--r--src/libcharon/plugins/whitelist/Makefile.in12
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_control.c2
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_listener.c2
-rw-r--r--src/libcharon/plugins/xauth_eap/Makefile.in12
-rw-r--r--src/libcharon/plugins/xauth_eap/xauth_eap.c2
-rw-r--r--src/libcharon/plugins/xauth_generic/Makefile.in12
-rw-r--r--src/libcharon/plugins/xauth_noauth/Makefile.in12
-rw-r--r--src/libcharon/plugins/xauth_pam/Makefile.am1
-rw-r--r--src/libcharon/plugins/xauth_pam/Makefile.in16
-rw-r--r--src/libcharon/plugins/xauth_pam/xauth_pam.c13
-rw-r--r--src/libcharon/plugins/xauth_pam/xauth_pam_listener.c144
-rw-r--r--src/libcharon/plugins/xauth_pam/xauth_pam_listener.h58
-rw-r--r--src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c71
-rw-r--r--src/libcharon/processing/jobs/inactivity_job.c5
-rw-r--r--src/libcharon/sa/child_sa.c13
-rw-r--r--src/libcharon/sa/child_sa.h7
-rw-r--r--src/libcharon/sa/ike_sa.c41
-rw-r--r--src/libcharon/sa/ike_sa_manager.c8
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c19
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c6
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_vendor.c4
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c2
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c30
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c15
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_vendor.c79
-rw-r--r--src/libcharon/sa/task_manager.h5
-rw-r--r--src/libcharon/sa/trap_manager.c87
-rw-r--r--src/libcharon/sa/xauth/xauth_manager.c3
-rw-r--r--src/libfast/Makefile.in12
-rw-r--r--src/libfast/fast_request.c39
-rw-r--r--src/libhydra/Android.mk1
-rw-r--r--src/libhydra/Makefile.in12
-rw-r--r--src/libhydra/attributes/mem_pool.c2
-rw-r--r--src/libhydra/hydra.c4
-rw-r--r--src/libhydra/hydra.h12
-rw-r--r--src/libhydra/kernel/kernel_interface.c4
-rw-r--r--src/libhydra/plugins/attr/Makefile.in12
-rw-r--r--src/libhydra/plugins/attr/attr_provider.c8
-rw-r--r--src/libhydra/plugins/attr_sql/Makefile.in12
-rw-r--r--src/libhydra/plugins/attr_sql/attr_sql_plugin.c4
-rw-r--r--src/libhydra/plugins/attr_sql/sql_attribute.c2
-rw-r--r--src/libhydra/plugins/kernel_klips/Makefile.in12
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c10
-rw-r--r--src/libhydra/plugins/kernel_netlink/Makefile.in12
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c22
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c25
-rw-r--r--src/libhydra/plugins/kernel_pfkey/Makefile.in12
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c4
-rw-r--r--src/libhydra/plugins/kernel_pfroute/Makefile.in12
-rw-r--r--src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c11
-rw-r--r--src/libhydra/plugins/resolve/Makefile.in12
-rw-r--r--src/libhydra/plugins/resolve/resolve_handler.c4
-rw-r--r--src/libimcv/Makefile.am4
-rw-r--r--src/libimcv/Makefile.in65
-rw-r--r--src/libimcv/imcv.c11
-rw-r--r--src/libimcv/imv/data.sql132
-rw-r--r--src/libimcv/imv/imv_msg.c4
-rw-r--r--src/libimcv/imv/imv_policy_manager.c11
-rw-r--r--src/libimcv/imv/imv_reason_string.c11
-rw-r--r--src/libimcv/imv/imv_reason_string.h3
-rw-r--r--src/libimcv/imv/imv_workitem.c5
-rw-r--r--src/libimcv/imv/imv_workitem.h3
-rw-r--r--src/libimcv/ita/ita_attr_command.c5
-rw-r--r--src/libimcv/ita/ita_attr_get_settings.c9
-rw-r--r--src/libimcv/ita/ita_attr_settings.c9
-rw-r--r--src/libimcv/os_info/os_info.c4
-rw-r--r--src/libimcv/plugins/imc_os/Makefile.in12
-rw-r--r--src/libimcv/plugins/imc_os/imc_os.c2
-rw-r--r--src/libimcv/plugins/imc_scanner/Makefile.in12
-rw-r--r--src/libimcv/plugins/imc_scanner/imc_scanner.c2
-rw-r--r--src/libimcv/plugins/imc_test/Makefile.in12
-rw-r--r--src/libimcv/plugins/imc_test/imc_test.c12
-rw-r--r--src/libimcv/plugins/imv_os/Makefile.in12
-rw-r--r--src/libimcv/plugins/imv_os/imv_os_database.c5
-rw-r--r--src/libimcv/plugins/imv_os/imv_os_state.c4
-rw-r--r--src/libimcv/plugins/imv_os/pacman.c4
-rwxr-xr-xsrc/libimcv/plugins/imv_os/pacman.sh1
-rw-r--r--src/libimcv/plugins/imv_scanner/Makefile.in12
-rw-r--r--src/libimcv/plugins/imv_scanner/imv_scanner_state.c4
-rw-r--r--src/libimcv/plugins/imv_test/Makefile.in12
-rw-r--r--src/libimcv/plugins/imv_test/imv_test_agent.c10
-rw-r--r--src/libimcv/plugins/imv_test/imv_test_state.c2
-rw-r--r--src/libipsec/Android.mk1
-rw-r--r--src/libipsec/Makefile.in12
-rw-r--r--src/libpts/Makefile.in12
-rw-r--r--src/libpts/plugins/imc_attestation/Makefile.in12
-rw-r--r--src/libpts/plugins/imc_attestation/imc_attestation_process.c11
-rw-r--r--src/libpts/plugins/imc_swid/Makefile.in12
-rw-r--r--src/libpts/plugins/imc_swid/imc_swid.c4
-rw-r--r--src/libpts/plugins/imv_attestation/Makefile.in12
-rw-r--r--src/libpts/plugins/imv_attestation/attest.c13
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.c4
-rw-r--r--src/libpts/plugins/imv_attestation/attest_usage.c7
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_agent.c186
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_build.c153
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_build.h5
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_process.c83
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_state.c114
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_state.h35
-rw-r--r--src/libpts/plugins/imv_swid/Makefile.in12
-rw-r--r--src/libpts/pts/components/ita/ita_comp_ima.c8
-rw-r--r--src/libpts/pts/components/ita/ita_comp_tboot.c12
-rw-r--r--src/libpts/pts/pts.c8
-rw-r--r--src/libpts/pts/pts_database.c62
-rw-r--r--src/libpts/pts/pts_file_meas.c3
-rw-r--r--src/libpts/swid/swid_inventory.c34
-rw-r--r--src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c5
-rw-r--r--src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c5
-rw-r--r--src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c2
-rw-r--r--src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c5
-rw-r--r--src/libpttls/Makefile.in12
-rw-r--r--src/libradius/Makefile.in12
-rw-r--r--src/libsimaka/Makefile.in12
-rw-r--r--src/libstrongswan/Android.mk8
-rw-r--r--src/libstrongswan/Makefile.am17
-rw-r--r--src/libstrongswan/Makefile.in73
-rw-r--r--src/libstrongswan/asn1/asn1.c80
-rw-r--r--src/libstrongswan/asn1/asn1.h7
-rw-r--r--src/libstrongswan/asn1/asn1_parser.c1
-rw-r--r--src/libstrongswan/asn1/oid.c650
-rw-r--r--src/libstrongswan/asn1/oid.h328
-rw-r--r--src/libstrongswan/asn1/oid.txt24
-rw-r--r--src/libstrongswan/collections/array.c151
-rw-r--r--src/libstrongswan/collections/array.h73
-rw-r--r--src/libstrongswan/credentials/credential_manager.c2
-rw-r--r--src/libstrongswan/crypto/crypto_factory.c6
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c8
-rw-r--r--src/libstrongswan/crypto/diffie_hellman.c9
-rw-r--r--src/libstrongswan/crypto/diffie_hellman.h5
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.c55
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.h13
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.c324
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.txt8
-rw-r--r--src/libstrongswan/fetcher/fetcher_manager.c2
-rw-r--r--src/libstrongswan/library.c49
-rw-r--r--src/libstrongswan/library.h16
-rw-r--r--src/libstrongswan/networking/host_resolver.c8
-rw-r--r--src/libstrongswan/networking/streams/stream.c17
-rw-r--r--src/libstrongswan/networking/streams/stream.h5
-rw-r--r--src/libstrongswan/networking/tun_device.c8
-rw-r--r--src/libstrongswan/networking/tun_device.h1
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/af_alg/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/agent/agent_plugin.c8
-rw-r--r--src/libstrongswan/plugins/agent/agent_private_key.c1
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/ccm/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/cmac/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/constraints/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/ctr/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/curl/curl_fetcher.c17
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/dnskey/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/gcm/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c4
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/keychain/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/nonce/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/ntru/Makefile.am33
-rw-r--r--src/libstrongswan/plugins/ntru/Makefile.in812
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h235
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c581
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h183
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c1034
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c360
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h167
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c384
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h101
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c242
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h96
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_drbg.c279
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_drbg.h77
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_ke.c396
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_ke.h50
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_mgf1.c182
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_mgf1.h77
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_plugin.c83
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_plugin.h42
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_poly.c416
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_poly.h99
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_trits.c133
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_trits.h61
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crl.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c7
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c2
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pem/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pem/pem_builder.c35
-rw-r--r--src/libstrongswan/plugins/pgp/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pkcs1/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pkcs11/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_dh.c2
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_manager.c8
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c18
-rw-r--r--src/libstrongswan/plugins/pkcs12/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pkcs7/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/pkcs8/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c158
-rw-r--r--src/libstrongswan/plugins/plugin_loader.h18
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/random/random_plugin.c17
-rw-r--r--src/libstrongswan/plugins/random/random_plugin.h5
-rw-r--r--src/libstrongswan/plugins/random/random_rng.c4
-rw-r--r--src/libstrongswan/plugins/rc2/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/rdrand/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/rdrand/rdrand_plugin.c16
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/soup/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/sshkey/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/sshkey/sshkey_builder.c1
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/unbound/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/unbound/unbound_resolver.c12
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c6
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c2
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in12
-rw-r--r--src/libstrongswan/processing/processor.c2
-rw-r--r--src/libstrongswan/processing/watcher.c2
-rw-r--r--src/libstrongswan/tests/Makefile.am67
-rw-r--r--src/libstrongswan/tests/Makefile.in1302
-rw-r--r--src/libstrongswan/tests/suites/test_array.c (renamed from src/libstrongswan/tests/test_array.c)176
-rw-r--r--src/libstrongswan/tests/suites/test_asn1.c869
-rw-r--r--src/libstrongswan/tests/suites/test_asn1_parser.c291
-rw-r--r--src/libstrongswan/tests/suites/test_bio_reader.c (renamed from src/libstrongswan/tests/test_bio_reader.c)2
-rw-r--r--src/libstrongswan/tests/suites/test_bio_writer.c (renamed from src/libstrongswan/tests/test_bio_writer.c)4
-rw-r--r--src/libstrongswan/tests/suites/test_chunk.c (renamed from src/libstrongswan/tests/test_chunk.c)157
-rw-r--r--src/libstrongswan/tests/suites/test_crypter.c107
-rw-r--r--src/libstrongswan/tests/suites/test_ecdsa.c (renamed from src/libstrongswan/tests/test_ecdsa.c)8
-rw-r--r--src/libstrongswan/tests/suites/test_enum.c (renamed from src/libstrongswan/tests/test_enum.c)0
-rw-r--r--src/libstrongswan/tests/suites/test_enumerator.c (renamed from src/libstrongswan/tests/test_enumerator.c)0
-rw-r--r--src/libstrongswan/tests/suites/test_fetch_http.c273
-rw-r--r--src/libstrongswan/tests/suites/test_hasher.c189
-rw-r--r--src/libstrongswan/tests/suites/test_hashtable.c (renamed from src/libstrongswan/tests/test_hashtable.c)0
-rw-r--r--src/libstrongswan/tests/suites/test_host.c (renamed from src/libstrongswan/tests/test_host.c)0
-rw-r--r--src/libstrongswan/tests/suites/test_identification.c (renamed from src/libstrongswan/tests/test_identification.c)2
-rw-r--r--src/libstrongswan/tests/suites/test_linked_list.c (renamed from src/libstrongswan/tests/test_linked_list.c)28
-rw-r--r--src/libstrongswan/tests/suites/test_linked_list_enumerator.c (renamed from src/libstrongswan/tests/test_linked_list_enumerator.c)0
-rw-r--r--src/libstrongswan/tests/suites/test_ntru.c1042
-rw-r--r--src/libstrongswan/tests/suites/test_pen.c87
-rw-r--r--src/libstrongswan/tests/suites/test_printf.c (renamed from src/libstrongswan/tests/test_printf.c)57
-rw-r--r--src/libstrongswan/tests/suites/test_rsa.c (renamed from src/libstrongswan/tests/test_rsa.c)10
-rw-r--r--src/libstrongswan/tests/suites/test_settings.c920
-rw-r--r--src/libstrongswan/tests/suites/test_stream.c267
-rw-r--r--src/libstrongswan/tests/suites/test_test_rng.c56
-rw-r--r--src/libstrongswan/tests/suites/test_threading.c1466
-rw-r--r--src/libstrongswan/tests/suites/test_utils.c (renamed from src/libstrongswan/tests/test_utils.c)187
-rw-r--r--src/libstrongswan/tests/suites/test_vectors.c (renamed from src/libstrongswan/tests/test_vectors.c)3
-rw-r--r--src/libstrongswan/tests/suites/test_watcher.c214
-rw-r--r--src/libstrongswan/tests/test_runner.c500
-rw-r--r--src/libstrongswan/tests/test_runner.h84
-rw-r--r--src/libstrongswan/tests/test_suite.c277
-rw-r--r--src/libstrongswan/tests/test_suite.h350
-rw-r--r--src/libstrongswan/tests/test_threading.c110
-rw-r--r--src/libstrongswan/tests/tests.c56
-rw-r--r--src/libstrongswan/tests/tests.h43
-rw-r--r--src/libstrongswan/tests/utils/test_rng.c86
-rw-r--r--src/libstrongswan/tests/utils/test_rng.h36
-rw-r--r--src/libstrongswan/threading/thread.h9
-rw-r--r--src/libstrongswan/utils/backtrace.c4
-rw-r--r--src/libstrongswan/utils/backtrace.h4
-rw-r--r--src/libstrongswan/utils/capabilities.h3
-rw-r--r--src/libstrongswan/utils/chunk.c193
-rw-r--r--src/libstrongswan/utils/chunk.h44
-rw-r--r--src/libstrongswan/utils/identification.c7
-rw-r--r--src/libstrongswan/utils/integrity_checker.c37
-rw-r--r--src/libstrongswan/utils/leak_detective.c112
-rw-r--r--src/libstrongswan/utils/leak_detective.h52
-rw-r--r--src/libstrongswan/utils/printf_hook/printf_hook_builtin.c16
-rw-r--r--src/libstrongswan/utils/printf_hook/printf_hook_glibc.c2
-rw-r--r--src/libstrongswan/utils/settings.c486
-rw-r--r--src/libstrongswan/utils/settings.h25
-rw-r--r--src/libstrongswan/utils/test.c50
-rw-r--r--src/libstrongswan/utils/test.h96
-rw-r--r--src/libstrongswan/utils/utils.c220
-rw-r--r--src/libstrongswan/utils/utils.h70
-rw-r--r--src/libstrongswan/utils/utils/strerror.c97
-rw-r--r--src/libstrongswan/utils/utils/strerror.h40
-rw-r--r--src/libtls/Makefile.in12
-rw-r--r--src/libtls/tls.c1
-rw-r--r--src/libtls/tls_crypto.c12
-rw-r--r--src/libtnccs/Android.mk1
-rw-r--r--src/libtnccs/Makefile.in12
-rw-r--r--src/libtnccs/plugins/tnc_imc/Makefile.in12
-rw-r--r--src/libtnccs/plugins/tnc_imc/tnc_imc.c2
-rw-r--r--src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c2
-rw-r--r--src/libtnccs/plugins/tnc_imv/Makefile.in12
-rw-r--r--src/libtnccs/plugins/tnc_imv/tnc_imv.c2
-rw-r--r--src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c4
-rw-r--r--src/libtnccs/plugins/tnc_tnccs/Makefile.in12
-rw-r--r--src/libtnccs/plugins/tnccs_11/Makefile.in12
-rw-r--r--src/libtnccs/plugins/tnccs_11/tnccs_11.c2
-rw-r--r--src/libtnccs/plugins/tnccs_20/Makefile.in12
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20.c4
-rw-r--r--src/libtnccs/plugins/tnccs_dynamic/Makefile.in12
-rw-r--r--src/libtnccs/tnc/tnc.c44
-rw-r--r--src/libtncif/Android.mk1
-rw-r--r--src/libtncif/Makefile.in12
-rw-r--r--src/manager/Makefile.in12
-rw-r--r--src/manager/main.c2
-rw-r--r--src/medsrv/Makefile.in12
-rw-r--r--src/medsrv/main.c2
-rw-r--r--src/openac/Makefile.in12
-rw-r--r--src/openac/openac.c12
-rw-r--r--src/pki/Makefile.in12
-rw-r--r--src/pki/command.c27
-rw-r--r--src/pki/command.h6
-rw-r--r--src/pki/commands/issue.c16
-rw-r--r--src/pki/commands/keyid.c9
-rw-r--r--src/pki/commands/print.c7
-rw-r--r--src/pki/commands/pub.c9
-rw-r--r--src/pki/commands/req.c8
-rw-r--r--src/pki/commands/self.c8
-rw-r--r--src/pki/commands/verify.c8
-rw-r--r--src/pki/man/Makefile.in12
-rw-r--r--src/pki/man/pki---issue.1.in2
-rw-r--r--src/pki/pki.c2
-rw-r--r--src/pool/Makefile.am7
-rw-r--r--src/pool/Makefile.in128
-rw-r--r--src/pool/mysql.sql281
-rw-r--r--src/pool/pool.c13
-rw-r--r--src/pool/sqlite.sql (renamed from testing/hosts/default/etc/ipsec.d/tables.sql)37
-rw-r--r--src/pt-tls-client/Makefile.in12
-rw-r--r--src/pt-tls-client/pt-tls-client.c2
-rw-r--r--src/scepclient/Makefile.in12
-rw-r--r--src/scepclient/scepclient.c39
-rw-r--r--src/starter/Android.mk1
-rw-r--r--src/starter/Makefile.in12
-rw-r--r--src/starter/starter.c4
-rw-r--r--src/stroke/Android.mk1
-rw-r--r--src/stroke/Makefile.in12
-rw-r--r--src/stroke/stroke.c2
-rw-r--r--src/strongswan.conf34
-rwxr-xr-xtest-driver127
-rw-r--r--testing/Makefile.am2
-rw-r--r--testing/Makefile.in14
-rw-r--r--testing/config/kernel/config-3.122022
-rw-r--r--testing/config/kernel/config-3.132047
-rw-r--r--testing/hosts/default/etc/pts/data.sql1060
-rw-r--r--testing/hosts/default/etc/pts/tables.sql256
-rwxr-xr-xtesting/scripts/build-baseimage2
-rwxr-xr-xtesting/scripts/build-guestkernel2
-rw-r--r--testing/scripts/recipes/003_freeradius.mk2
-rw-r--r--testing/scripts/recipes/010_tkm.mk2
-rw-r--r--testing/scripts/recipes/013_strongswan.mk4
-rwxr-xr-xtesting/ssh37
-rw-r--r--testing/testing.conf10
-rw-r--r--testing/tests/ikev1/ip-pool-db/pretest.dat4
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/description.txt7
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/evaltest.dat9
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/posttest.dat5
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/pretest.dat6
-rw-r--r--testing/tests/ikev1/net2net-ntru-cert/test.conf21
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/description.txt13
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/evaltest.dat22
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf32
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/posttest.dat6
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/pretest.dat13
-rw-r--r--testing/tests/ikev1/rw-ntru-psk/test.conf21
-rw-r--r--testing/tests/ikev2/compress-nat/description.txt3
-rw-r--r--testing/tests/ikev2/compress-nat/evaltest.dat22
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/compress-nat/posttest.dat10
-rw-r--r--testing/tests/ikev2/compress-nat/pretest.dat21
-rw-r--r--testing/tests/ikev2/compress-nat/test.conf21
-rw-r--r--testing/tests/ikev2/compress/description.txt7
-rw-r--r--testing/tests/ikev2/compress/evaltest.dat4
-rw-r--r--testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/compress/posttest.dat2
-rw-r--r--testing/tests/ikev2/compress/pretest.dat2
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/description.txt13
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/evaltest.dat12
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules28
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/posttest.dat6
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/pretest.dat12
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/test.conf21
-rw-r--r--testing/tests/ikev2/ip-pool-db/pretest.dat4
-rw-r--r--testing/tests/ikev2/ip-split-pools-db/pretest.dat4
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/pretest.dat6
-rw-r--r--testing/tests/ikev2/ip-two-pools-mixed/pretest.dat4
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat4
-rw-r--r--testing/tests/ikev2/lookip/description.txt13
-rw-r--r--testing/tests/ikev2/lookip/evaltest.dat22
-rw-r--r--testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/lookip/posttest.dat6
-rw-r--r--testing/tests/ikev2/lookip/pretest.dat10
-rw-r--r--testing/tests/ikev2/lookip/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/description.txt7
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/evaltest.dat9
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/posttest.dat5
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/pretest.dat6
-rw-r--r--testing/tests/ikev2/net2net-ntru-cert/test.conf21
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/description.txt13
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/evaltest.dat22
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/pretest.dat13
-rw-r--r--testing/tests/ikev2/rw-ntru-psk/test.conf21
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/description.txt10
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/evaltest.dat13
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/posttest.dat8
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/pretest.dat13
-rw-r--r--testing/tests/ipv6/rw-compress-ikev2/test.conf22
-rw-r--r--testing/tests/sql/ip-pool-db-expired/pretest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db-restart/pretest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db/pretest.dat6
-rw-r--r--testing/tests/sql/ip-split-pools-db-restart/pretest.dat6
-rw-r--r--testing/tests/sql/ip-split-pools-db/pretest.dat6
-rw-r--r--testing/tests/sql/multi-level-ca/pretest.dat6
-rw-r--r--testing/tests/sql/net2net-cert/pretest.dat6
-rw-r--r--testing/tests/sql/net2net-psk/pretest.dat6
-rw-r--r--testing/tests/sql/net2net-route-pem/pretest.dat4
-rw-r--r--testing/tests/sql/net2net-start-pem/pretest.dat4
-rw-r--r--testing/tests/sql/rw-cert/pretest.dat6
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/pretest.dat4
-rw-r--r--testing/tests/sql/rw-psk-ipv4/pretest.dat6
-rw-r--r--testing/tests/sql/rw-psk-ipv6/pretest.dat6
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/pretest.dat6
-rw-r--r--testing/tests/sql/rw-rsa-keyid/pretest.dat6
-rw-r--r--testing/tests/sql/rw-rsa/pretest.dat6
-rw-r--r--testing/tests/sql/shunt-policies/pretest.dat6
-rw-r--r--testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/pretest.dat2
-rw-r--r--testing/tests/tnc/tnccs-20-os/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/pretest.dat2
-rw-r--r--testing/tests/tnc/tnccs-20-pts/pretest.dat6
844 files changed, 34733 insertions, 7303 deletions
diff --git a/Android.common.mk b/Android.common.mk
index a28a1a7a0..14abca868 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
)
# strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.1.1"
+strongswan_VERSION := "5.1.2"
diff --git a/Android.mk b/Android.mk
index aa61cc0e7..6ad220b7a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -36,7 +36,6 @@ include $(LOCAL_PATH)/Android.common.mk
# includes
strongswan_PATH := $(LOCAL_PATH)
-libvstr_PATH := external/strongswan-support/vstr/include
libcurl_PATH := external/strongswan-support/libcurl/include
libgmp_PATH := external/strongswan-support/gmp
openssl_PATH := external/openssl/include
@@ -77,7 +76,7 @@ strongswan_CFLAGS := \
-DMONOLITHIC \
-DUSE_IKEV1 \
-DUSE_IKEV2 \
- -DUSE_VSTR \
+ -DUSE_BUILTIN_PRINTF \
-DDEBUG \
-DROUTING_TABLE=0 \
-DROUTING_TABLE_PRIO=220 \
diff --git a/Doxyfile.in b/Doxyfile.in
index ac0a96c88..af172e34e 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -487,7 +487,7 @@ SORT_MEMBERS_CTORS_1ST = NO
# hierarchy of group names into alphabetical order. If set to NO (the default)
# the group names will appear in their defined order.
-SORT_GROUP_NAMES = NO
+SORT_GROUP_NAMES = YES
# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
# sorted by fully-qualified names, including namespaces. If set to
diff --git a/Makefile.am b/Makefile.am
index 0e08794c1..7e3c72b3b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = src man init testing
+SUBDIRS = src man conf init testing
if USE_SCRIPTS
SUBDIRS += scripts
@@ -20,6 +20,9 @@ config_includedir = $(ipseclibdir)/include
nodist_config_include_HEADERS = config.h
endif
+# we leave config files behind intentionally so prevent distcheck from complaining
+distuninstallcheck_listfiles = find . -type f \! -name '*.conf' -print
+
Android.common.mk : Android.common.mk.in configure.ac
$(AM_V_GEN) \
sed \
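Review bot: The added `distuninstallcheck_listfiles` filter drops every file named `*.conf` anywhere under the install prefix from the distcheck uninstall test, which is wider than the configuration snippets the comment says are left behind on purpose. A `.conf` file that a later change installs elsewhere and forgets to remove would then pass `make distcheck` unnoticed. If only the files beside strongswan.conf are meant, the exclusion could be tied to those paths, for example `find . -type f \! -path '*/strongswan.d/*' \! -name 'strongswan.conf' -print` (the exact set should be confirmed against conf/Makefile.am). The comment would read more clearly as `# config files are intentionally left behind on uninstall, so keep distuninstallcheck from reporting them`.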
@@ -39,7 +42,7 @@ apidoc : Doxyfile
cov-reset-common:
@rm -rf $(top_builddir)/coverage
- @find $(top_builddir)/{src,scripts} -name "*.gcda" -delete
+ @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcda" -delete
if COVERAGE
cov-reset: cov-reset-common
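Review bot: The rewritten `find` line in `cov-reset-common` carries no comment saying why the two start directories are spelled out, so a later cleanup could fold them back into `{src,scripts}`; the same applies to the `*.gcno` line in the `clean-local` hunk further down. Presumably the change is there because brace expansion is not available in every `/bin/sh`, and a one-line comment above the recipe such as `# no brace expansion: recipes run under /bin/sh, which may not be bash` would record that. Separately, `find` exits non-zero when a start directory is missing, so if `$(top_builddir)/scripts` is not created in builds without USE_SCRIPTS (not visible in this hunk), both targets would fail; that is worth confirming.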
@@ -47,10 +50,12 @@ cov-reset: cov-reset-common
cov-report:
@mkdir $(top_builddir)/coverage
- lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir)
+ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
+ --rc lcov_branch_coverage=1
lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
- -o $(top_builddir)/coverage/coverage.cleaned.info
- genhtml --num-spaces 4 --legend \
+ -o $(top_builddir)/coverage/coverage.cleaned.info \
+ --rc lcov_branch_coverage=1
+ genhtml --num-spaces 4 --legend --branch-coverage \
-t "$(PACKAGE_STRING)" \
-o $(top_builddir)/coverage/html \
-p `readlink -m $(abs_top_srcdir)`/src \
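Review bot: The added `--rc lcov_branch_coverage=1` and `--branch-coverage` options make `cov-report` depend on an lcov release that understands them, and nothing in this hunk checks for that. With an older lcov the recipe would presumably stop at the first `lcov -c` call with an option error, after `coverage/` has already been created. If configure.ac does not already probe the lcov version under `--enable-coverage`, consider adding that check there, or at least a comment above the target such as `# branch coverage requires an lcov that supports --rc (minimum version to be confirmed)`. The `genhtml` command continues outside the hunk.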
@@ -67,7 +72,7 @@ coverage:
endif
clean-local: cov-reset-common
- @find $(top_builddir)/{src,scripts} -name "*.gcno" -delete
+ @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcno" -delete
@rm -rf apidoc
.PHONY: cov-reset-common cov-reset cov-report coverage
diff --git a/Makefile.in b/Makefile.in
index 7e0df99c8..a81e93f0f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -190,7 +190,7 @@ am__define_uniq_tagged_files = \
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
-DIST_SUBDIRS = src man init testing scripts
+DIST_SUBDIRS = src man conf init testing scripts
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
@@ -229,7 +229,6 @@ am__relativize = \
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
-distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
distcleancheck_listfiles = find . -type f -print
@@ -247,8 +246,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -316,6 +313,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -404,12 +406,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -424,6 +430,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -434,7 +441,7 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-SUBDIRS = src man init testing $(am__append_1)
+SUBDIRS = src man conf init testing $(am__append_1)
@USE_SILENT_RULES_TRUE@AM_MAKEFLAGS = -s
ACLOCAL_AMFLAGS = -I m4/config
EXTRA_DIST = Doxyfile.in LICENSE Android.common.mk.in Android.common.mk Android.mk
@@ -443,6 +450,9 @@ BUILT_SOURCES = Android.common.mk
MAINTAINERCLEANFILES = Android.common.mk
@USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include
@USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h
+
+# we leave config files behind intentionally so prevent distcheck from complaining
+distuninstallcheck_listfiles = find . -type f \! -name '*.conf' -print
all: $(BUILT_SOURCES) config.h
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -971,17 +981,19 @@ apidoc : Doxyfile
cov-reset-common:
@rm -rf $(top_builddir)/coverage
- @find $(top_builddir)/{src,scripts} -name "*.gcda" -delete
+ @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcda" -delete
@COVERAGE_TRUE@cov-reset: cov-reset-common
@COVERAGE_TRUE@ @lcov --zerocounters --directory $(top_builddir)
@COVERAGE_TRUE@cov-report:
@COVERAGE_TRUE@ @mkdir $(top_builddir)/coverage
-@COVERAGE_TRUE@ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir)
+@COVERAGE_TRUE@ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
+@COVERAGE_TRUE@ --rc lcov_branch_coverage=1
@COVERAGE_TRUE@ lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
-@COVERAGE_TRUE@ -o $(top_builddir)/coverage/coverage.cleaned.info
-@COVERAGE_TRUE@ genhtml --num-spaces 4 --legend \
+@COVERAGE_TRUE@ -o $(top_builddir)/coverage/coverage.cleaned.info \
+@COVERAGE_TRUE@ --rc lcov_branch_coverage=1
+@COVERAGE_TRUE@ genhtml --num-spaces 4 --legend --branch-coverage \
@COVERAGE_TRUE@ -t "$(PACKAGE_STRING)" \
@COVERAGE_TRUE@ -o $(top_builddir)/coverage/html \
@COVERAGE_TRUE@ -p `readlink -m $(abs_top_srcdir)`/src \
@@ -996,7 +1008,7 @@ cov-reset-common:
@COVERAGE_FALSE@ @echo "reconfigure with --enable-coverage"
clean-local: cov-reset-common
- @find $(top_builddir)/{src,scripts} -name "*.gcno" -delete
+ @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcno" -delete
@rm -rf apidoc
.PHONY: cov-reset-common cov-reset cov-report coverage
diff --git a/NEWS b/NEWS
index 35edec9b4..0d22295d4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,49 @@
+strongswan-5.1.2
+----------------
+
+- A new default configuration file layout is introduced. The new default
+ strongswan.conf file mainly includes config snippets from the strongswan.d
+ and strongswan.d/charon directories (the latter containing snippets for all
+ plugins). The snippets, with commented defaults, are automatically
+ generated and installed, if they don't exist yet. They are also installed
+ in $prefix/share/strongswan/templates so existing files can be compared to
+ the current defaults.
+
+- As an alternative to the non-extensible charon.load setting, the plugins
+ to load in charon (and optionally other applications) can now be determined
+ via the charon.plugins.<name>.load setting for each plugin (enabled in the
+ new default strongswan.conf file via the charon.load_modular option).
+ The load setting optionally takes a numeric priority value that allows
+ reordering the plugins (otherwise the default plugin order is preserved).
+
+- All strongswan.conf settings that were formerly defined in library specific
+ "global" sections are now application specific (e.g. settings for plugins in
+ libstrongswan.plugins can now be set only for charon in charon.plugins).
+ The old options are still supported, which now allows to define defaults for
+ all applications in the libstrongswan section.
+
+- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
+ computer IKE key exchange mechanism. The implementation is based on the
+ ntru-crypto library from the NTRUOpenSourceProject. The supported security
+ strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
+ group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
+ sent (charon.send_vendor_id = yes) in order to use NTRU.
+
+- Defined a TPMRA remote attestation workitem and added support for it to the
+ Attestation IMV.
+
+- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
+ well as multiple subnets in left|rightsubnet have been fixed.
+
+- When enabling its "session" strongswan.conf option, the xauth-pam plugin opens
+ and closes a PAM session for each established IKE_SA. Patch courtesy of
+ Andrea Bonomi.
+
+- The strongSwan unit testing framework has been rewritten without the "check"
+ dependency for improved flexibility and portability. It now properly supports
+ multi-threaded and memory leak testing and brings a bunch of new test cases.
+
+
strongswan-5.1.1
----------------
diff --git a/aclocal.m4 b/aclocal.m4
index 73b6cbd9f..e8f46245d 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -494,6 +494,43 @@ AC_PREREQ([2.50])dnl
am_aux_dir=`cd $ac_aux_dir && pwd`
])
+# AM_COND_IF -*- Autoconf -*-
+
+# Copyright (C) 2008-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_COND_IF
+# _AM_COND_ELSE
+# _AM_COND_ENDIF
+# --------------
+# These macros are only used for tracing.
+m4_define([_AM_COND_IF])
+m4_define([_AM_COND_ELSE])
+m4_define([_AM_COND_ENDIF])
+
+# AM_COND_IF(COND, [IF-TRUE], [IF-FALSE])
+# ---------------------------------------
+# If the shell condition COND is true, execute IF-TRUE, otherwise execute
+# IF-FALSE. Allow automake to learn about conditional instantiating macros
+# (the AC_CONFIG_FOOS).
+AC_DEFUN([AM_COND_IF],
+[m4_ifndef([_AM_COND_VALUE_$1],
+ [m4_fatal([$0: no such condition "$1"])])dnl
+_AM_COND_IF([$1])dnl
+if test -z "$$1_TRUE"; then :
+ m4_n([$2])[]dnl
+m4_ifval([$3],
+[_AM_COND_ELSE([$1])dnl
+else
+ $3
+])dnl
+_AM_COND_ENDIF([$1])dnl
+fi[]dnl
+])
+
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2013 Free Software Foundation, Inc.
@@ -1133,6 +1170,241 @@ AC_DEFUN([_AM_SET_OPTIONS],
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
+# Copyright (C) 1999-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+
+# AM_PATH_PYTHON([MINIMUM-VERSION], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+# ---------------------------------------------------------------------------
+# Adds support for distributing Python modules and packages. To
+# install modules, copy them to $(pythondir), using the python_PYTHON
+# automake variable. To install a package with the same name as the
+# automake package, install to $(pkgpythondir), or use the
+# pkgpython_PYTHON automake variable.
+#
+# The variables $(pyexecdir) and $(pkgpyexecdir) are provided as
+# locations to install python extension modules (shared libraries).
+# Another macro is required to find the appropriate flags to compile
+# extension modules.
+#
+# If your package is configured with a different prefix to python,
+# users will have to add the install directory to the PYTHONPATH
+# environment variable, or create a .pth file (see the python
+# documentation for details).
+#
+# If the MINIMUM-VERSION argument is passed, AM_PATH_PYTHON will
+# cause an error if the version of python installed on the system
+# doesn't meet the requirement. MINIMUM-VERSION should consist of
+# numbers and dots only.
+AC_DEFUN([AM_PATH_PYTHON],
+ [
+ dnl Find a Python interpreter. Python versions prior to 2.0 are not
+ dnl supported. (2.0 was released on October 16, 2000).
+ m4_define_default([_AM_PYTHON_INTERPRETER_LIST],
+[python python2 python3 python3.3 python3.2 python3.1 python3.0 python2.7 dnl
+ python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0])
+
+ AC_ARG_VAR([PYTHON], [the Python interpreter])
+
+ m4_if([$1],[],[
+ dnl No version check is needed.
+ # Find any Python interpreter.
+ if test -z "$PYTHON"; then
+ AC_PATH_PROGS([PYTHON], _AM_PYTHON_INTERPRETER_LIST, :)
+ fi
+ am_display_PYTHON=python
+ ], [
+ dnl A version check is needed.
+ if test -n "$PYTHON"; then
+ # If the user set $PYTHON, use it and don't search something else.
+ AC_MSG_CHECKING([whether $PYTHON version is >= $1])
+ AM_PYTHON_CHECK_VERSION([$PYTHON], [$1],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([Python interpreter is too old])])
+ am_display_PYTHON=$PYTHON
+ else
+ # Otherwise, try each interpreter until we find one that satisfies
+ # VERSION.
+ AC_CACHE_CHECK([for a Python interpreter with version >= $1],
+ [am_cv_pathless_PYTHON],[
+ for am_cv_pathless_PYTHON in _AM_PYTHON_INTERPRETER_LIST none; do
+ test "$am_cv_pathless_PYTHON" = none && break
+ AM_PYTHON_CHECK_VERSION([$am_cv_pathless_PYTHON], [$1], [break])
+ done])
+ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON.
+ if test "$am_cv_pathless_PYTHON" = none; then
+ PYTHON=:
+ else
+ AC_PATH_PROG([PYTHON], [$am_cv_pathless_PYTHON])
+ fi
+ am_display_PYTHON=$am_cv_pathless_PYTHON
+ fi
+ ])
+
+ if test "$PYTHON" = :; then
+ dnl Run any user-specified action, or abort.
+ m4_default([$3], [AC_MSG_ERROR([no suitable Python interpreter found])])
+ else
+
+ dnl Query Python for its version number. Getting [:3] seems to be
+ dnl the best way to do this; it's what "site.py" does in the standard
+ dnl library.
+
+ AC_CACHE_CHECK([for $am_display_PYTHON version], [am_cv_python_version],
+ [am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[[:3]])"`])
+ AC_SUBST([PYTHON_VERSION], [$am_cv_python_version])
+
+ dnl Use the values of $prefix and $exec_prefix for the corresponding
+ dnl values of PYTHON_PREFIX and PYTHON_EXEC_PREFIX. These are made
+ dnl distinct variables so they can be overridden if need be. However,
+ dnl general consensus is that you shouldn't need this ability.
+
+ AC_SUBST([PYTHON_PREFIX], ['${prefix}'])
+ AC_SUBST([PYTHON_EXEC_PREFIX], ['${exec_prefix}'])
+
+ dnl At times (like when building shared libraries) you may want
+ dnl to know which OS platform Python thinks this is.
+
+ AC_CACHE_CHECK([for $am_display_PYTHON platform], [am_cv_python_platform],
+ [am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`])
+ AC_SUBST([PYTHON_PLATFORM], [$am_cv_python_platform])
+
+ # Just factor out some code duplication.
+ am_python_setup_sysconfig="\
+import sys
+# Prefer sysconfig over distutils.sysconfig, for better compatibility
+# with python 3.x. See automake bug#10227.
+try:
+ import sysconfig
+except ImportError:
+ can_use_sysconfig = 0
+else:
+ can_use_sysconfig = 1
+# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
+# <https://github.com/pypa/virtualenv/issues/118>
+try:
+ from platform import python_implementation
+ if python_implementation() == 'CPython' and sys.version[[:3]] == '2.7':
+ can_use_sysconfig = 0
+except ImportError:
+ pass"
+
+ dnl Set up 4 directories:
+
+ dnl pythondir -- where to install python scripts. This is the
+ dnl site-packages directory, not the python standard library
+ dnl directory like in previous automake betas. This behavior
+ dnl is more consistent with lispdir.m4 for example.
+ dnl Query distutils for this directory.
+ AC_CACHE_CHECK([for $am_display_PYTHON script directory],
+ [am_cv_python_pythondir],
+ [if test "x$prefix" = xNONE
+ then
+ am_py_prefix=$ac_default_prefix
+ else
+ am_py_prefix=$prefix
+ fi
+ am_cv_python_pythondir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pythondir in
+ $am_py_prefix*)
+ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'`
+ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"`
+ ;;
+ *)
+ case $am_py_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+ ])
+ AC_SUBST([pythondir], [$am_cv_python_pythondir])
+
+ dnl pkgpythondir -- $PACKAGE directory under pythondir. Was
+ dnl PYTHON_SITE_PACKAGE in previous betas, but this naming is
+ dnl more consistent with the rest of automake.
+
+ AC_SUBST([pkgpythondir], [\${pythondir}/$PACKAGE])
+
+ dnl pyexecdir -- directory for installing python extension modules
+ dnl (shared libraries)
+ dnl Query distutils for this directory.
+ AC_CACHE_CHECK([for $am_display_PYTHON extension module directory],
+ [am_cv_python_pyexecdir],
+ [if test "x$exec_prefix" = xNONE
+ then
+ am_py_exec_prefix=$am_py_prefix
+ else
+ am_py_exec_prefix=$exec_prefix
+ fi
+ am_cv_python_pyexecdir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pyexecdir in
+ $am_py_exec_prefix*)
+ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'`
+ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"`
+ ;;
+ *)
+ case $am_py_exec_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+ ])
+ AC_SUBST([pyexecdir], [$am_cv_python_pyexecdir])
+
+ dnl pkgpyexecdir -- $(pyexecdir)/$(PACKAGE)
+
+ AC_SUBST([pkgpyexecdir], [\${pyexecdir}/$PACKAGE])
+
+ dnl Run any user-specified action.
+ $2
+ fi
+
+])
+
+
+# AM_PYTHON_CHECK_VERSION(PROG, VERSION, [ACTION-IF-TRUE], [ACTION-IF-FALSE])
+# ---------------------------------------------------------------------------
+# Run ACTION-IF-TRUE if the Python interpreter PROG has version >= VERSION.
+# Run ACTION-IF-FALSE otherwise.
+# This test uses sys.hexversion instead of the string equivalent (first
+# word of sys.version), in order to cope with versions such as 2.2c1.
+# This supports Python 2.0 or higher. (2.0 was released on October 16, 2000).
+AC_DEFUN([AM_PYTHON_CHECK_VERSION],
+ [prog="import sys
+# split strings by '.' and convert to numeric. Append some zeros
+# because we need at least 4 digits for the hex conversion.
+# map returns an iterator in Python 3.0 and a list in 2.x
+minver = list(map(int, '$2'.split('.'))) + [[0, 0, 0]]
+minverhex = 0
+# xrange is not present in Python 3.0 and range returns an iterator
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]]
+sys.exit(sys.hexversion < minverhex)"
+ AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])])
+
# Copyright (C) 2001-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
diff --git a/conf/Makefile.am b/conf/Makefile.am
new file mode 100644
index 000000000..61a0add4d
--- /dev/null
+++ b/conf/Makefile.am
@@ -0,0 +1,163 @@
+# make this relative to the location of strongswan.conf
+strongswanconfdir = `dirname $(strongswan_conf)`
+strongswanddir = $(strongswanconfdir)/strongswan.d
+charonconfdir = $(strongswanddir)/charon
+# copy these files also to /usr/share
+templatesdir = $(pkgdatadir)/templates/config
+optionstemplatedir = $(templatesdir)/strongswan.d
+pluginstemplatedir = $(templatesdir)/plugins
+
+options = \
+ options/attest.opt \
+ options/charon.opt \
+ options/charon-logging.opt \
+ options/imcv.opt \
+ options/manager.opt \
+ options/medsrv.opt \
+ options/pacman.opt \
+ options/pool.opt \
+ options/starter.opt \
+ options/tnc.opt \
+ options/tools.opt
+
+plugins = \
+ plugins/android_log.opt \
+ plugins/attr.opt \
+ plugins/attr-sql.opt \
+ plugins/certexpire.opt \
+ plugins/coupling.opt \
+ plugins/dhcp.opt \
+ plugins/dnscert.opt \
+ plugins/duplicheck.opt \
+ plugins/eap-aka.opt \
+ plugins/eap-aka-3ggp2.opt \
+ plugins/eap-dynamic.opt \
+ plugins/eap-gtc.opt \
+ plugins/eap-peap.opt \
+ plugins/eap-radius.opt \
+ plugins/eap-sim.opt \
+ plugins/eap-simaka-sql.opt \
+ plugins/eap-tls.opt \
+ plugins/eap-tnc.opt \
+ plugins/eap-ttls.opt \
+ plugins/error-notify.opt \
+ plugins/gcrypt.opt \
+ plugins/ha.opt \
+ plugins/imc-attestation.opt \
+ plugins/imc-os.opt \
+ plugins/imc-scanner.opt \
+ plugins/imc-swid.opt \
+ plugins/imc-test.opt \
+ plugins/imv-attestation.opt \
+ plugins/imv-os.opt \
+ plugins/imv-scanner.opt \
+ plugins/imv-test.opt \
+ plugins/ipseckey.opt \
+ plugins/led.opt \
+ plugins/kernel-klips.opt \
+ plugins/kernel-libipsec.opt \
+ plugins/kernel-netlink.opt \
+ plugins/kernel-pfroute.opt \
+ plugins/load-tester.opt \
+ plugins/lookip.opt \
+ plugins/ntru.opt \
+ plugins/openssl.opt \
+ plugins/pkcs11.opt \
+ plugins/radattr.opt \
+ plugins/random.opt \
+ plugins/resolve.opt \
+ plugins/socket-default.opt \
+ plugins/sql.opt \
+ plugins/stroke.opt \
+ plugins/systime-fix.opt \
+ plugins/tnc-ifmap.opt \
+ plugins/tnc-imc.opt \
+ plugins/tnc-imv.opt \
+ plugins/tnc-pdp.opt \
+ plugins/tnccs-11.opt \
+ plugins/tnccs-20.opt \
+ plugins/unbound.opt \
+ plugins/updown.opt \
+ plugins/whitelist.opt \
+ plugins/xauth-eap.opt \
+ plugins/xauth-pam.opt
+
+alloptions = $(options) $(plugins)
+
+confsnippets = $(alloptions:opt=conf)
+
+# we only install snippets for enabled plugins
+plugins_install_tmp = $(charon_plugins:%=plugins/%.tmp)
+plugins_install_src = $(charon_plugins:%=plugins/%.conf)
+# only install snippets for enabled components
+# has to be defined via autoconf as we can't do it with automake conditionals
+options_install_src = $(strongswan_options:%=options/%.conf)
+
+templates_DATA = strongswan.conf
+optionstemplate_DATA = $(options_install_src)
+pluginstemplate_DATA = $(plugins_install_src)
+man_MANS = \
+ strongswan.conf.5
+
+BUILT_SOURCES = default.conf strongswan.conf.5.main $(confsnippets)
+EXTRA_DIST = format-options.py strongswan.conf default.opt \
+ default.conf strongswan.conf.5.main $(alloptions) $(confsnippets)
+
+CLEANFILES=$(man_MANS)
+
+.opt.conf:
+ $(AM_V_GEN) \
+ case "$<" in \
+ *plugins/*) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .opt`:" \
+ $(srcdir)/default.opt | cat - $< | \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins > $(srcdir)/$@ \
+ ;; \
+ *) \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins $< > $(srcdir)/$@ \
+ ;; \
+ esac
+
+# we need another implicit rule to generate files from the generic template only
+# if the rules above did not catch it. this requires an intermediate step that
+# generates a copy of the generic config template.
+$(plugins_install_tmp):
+ @mkdir -p $(builddir)/plugins
+ @cp $(srcdir)/default.conf $(builddir)/$@
+
+.tmp.conf:
+ $(AM_V_GEN) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .tmp`:" \
+ $(builddir)/$< > $(builddir)/$@
+
+strongswan.conf.5.main: $(alloptions)
+ $(AM_V_GEN) \
+ cd $(srcdir) && $(PYTHON) format-options.py -f man $(alloptions) > $@
+
+strongswan.conf.5: strongswan.conf.5.head strongswan.conf.5.main strongswan.conf.5.tail
+ $(AM_V_GEN) \
+ cat strongswan.conf.5.head $(srcdir)/strongswan.conf.5.main strongswan.conf.5.tail > $@
+
+clean-local:
+ rm -f plugins/*.conf plugins/*.tmp
+
+maintainer-clean-local:
+ cd $(srcdir) && \
+ rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
+
+install-data-local: $(plugins_install_src)
+ test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
+ test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
+ test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+ test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+ for f in $(options_install_src); do \
+ name=`basename $$f`; \
+ test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \
+ done
+ for f in $(plugins_install_src); do \
+ name=`basename $$f`; \
+ if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
+ test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \
+ done
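Review bot: In `install-data-local`, each `$(INSTALL) -m 644 … || true` discards the installer's exit status, so a failed copy of strongswan.conf or of a strongswan.d snippet still lets `make install` succeed with configuration missing. Only the "already present" case from `test -e`/`test -f` should be skipped: drop the trailing `|| true` on the strongswan.conf line and use `|| exit 1` in place of `|| true` inside the two `for` loops. The same lines install every snippet world-readable; if any of them is expected to hold credentials once an administrator edits it (the eap-radius and sql plugin files look like candidates, though their options are not shown in this hunk), a tighter mode than 644 is worth confirming. The `$(INSTALL)` arguments on the strongswan.conf line are also unquoted, unlike those in the loops below it. The generated conf/Makefile.in carries the same recipe and would pick the change up on regeneration.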
diff --git a/conf/Makefile.in b/conf/Makefile.in
new file mode 100644
index 000000000..d92593219
--- /dev/null
+++ b/conf/Makefile.in
@@ -0,0 +1,873 @@
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = conf
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(srcdir)/strongswan.conf.5.head.in \
+ $(srcdir)/strongswan.conf.5.tail.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES = strongswan.conf.5.head strongswan.conf.5.tail
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+man5dir = $(mandir)/man5
+am__installdirs = "$(DESTDIR)$(man5dir)" \
+ "$(DESTDIR)$(optionstemplatedir)" \
+ "$(DESTDIR)$(pluginstemplatedir)" "$(DESTDIR)$(templatesdir)"
+NROFF = nroff
+MANS = $(man_MANS)
+DATA = $(optionstemplate_DATA) $(pluginstemplate_DATA) \
+ $(templates_DATA)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+
+# make this relative to the location of strongswan.conf
+strongswanconfdir = `dirname $(strongswan_conf)`
+strongswanddir = $(strongswanconfdir)/strongswan.d
+charonconfdir = $(strongswanddir)/charon
+# copy these files also to /usr/share
+templatesdir = $(pkgdatadir)/templates/config
+optionstemplatedir = $(templatesdir)/strongswan.d
+pluginstemplatedir = $(templatesdir)/plugins
+options = \
+ options/attest.opt \
+ options/charon.opt \
+ options/charon-logging.opt \
+ options/imcv.opt \
+ options/manager.opt \
+ options/medsrv.opt \
+ options/pacman.opt \
+ options/pool.opt \
+ options/starter.opt \
+ options/tnc.opt \
+ options/tools.opt
+
+plugins = \
+ plugins/android_log.opt \
+ plugins/attr.opt \
+ plugins/attr-sql.opt \
+ plugins/certexpire.opt \
+ plugins/coupling.opt \
+ plugins/dhcp.opt \
+ plugins/dnscert.opt \
+ plugins/duplicheck.opt \
+ plugins/eap-aka.opt \
+ plugins/eap-aka-3ggp2.opt \
+ plugins/eap-dynamic.opt \
+ plugins/eap-gtc.opt \
+ plugins/eap-peap.opt \
+ plugins/eap-radius.opt \
+ plugins/eap-sim.opt \
+ plugins/eap-simaka-sql.opt \
+ plugins/eap-tls.opt \
+ plugins/eap-tnc.opt \
+ plugins/eap-ttls.opt \
+ plugins/error-notify.opt \
+ plugins/gcrypt.opt \
+ plugins/ha.opt \
+ plugins/imc-attestation.opt \
+ plugins/imc-os.opt \
+ plugins/imc-scanner.opt \
+ plugins/imc-swid.opt \
+ plugins/imc-test.opt \
+ plugins/imv-attestation.opt \
+ plugins/imv-os.opt \
+ plugins/imv-scanner.opt \
+ plugins/imv-test.opt \
+ plugins/ipseckey.opt \
+ plugins/led.opt \
+ plugins/kernel-klips.opt \
+ plugins/kernel-libipsec.opt \
+ plugins/kernel-netlink.opt \
+ plugins/kernel-pfroute.opt \
+ plugins/load-tester.opt \
+ plugins/lookip.opt \
+ plugins/ntru.opt \
+ plugins/openssl.opt \
+ plugins/pkcs11.opt \
+ plugins/radattr.opt \
+ plugins/random.opt \
+ plugins/resolve.opt \
+ plugins/socket-default.opt \
+ plugins/sql.opt \
+ plugins/stroke.opt \
+ plugins/systime-fix.opt \
+ plugins/tnc-ifmap.opt \
+ plugins/tnc-imc.opt \
+ plugins/tnc-imv.opt \
+ plugins/tnc-pdp.opt \
+ plugins/tnccs-11.opt \
+ plugins/tnccs-20.opt \
+ plugins/unbound.opt \
+ plugins/updown.opt \
+ plugins/whitelist.opt \
+ plugins/xauth-eap.opt \
+ plugins/xauth-pam.opt
+
+alloptions = $(options) $(plugins)
+confsnippets = $(alloptions:opt=conf)
+
+# we only install snippets for enabled plugins
+plugins_install_tmp = $(charon_plugins:%=plugins/%.tmp)
+plugins_install_src = $(charon_plugins:%=plugins/%.conf)
+# only install snippets for enabled components
+# has to be defined via autoconf as we can't do it with automake conditionals
+options_install_src = $(strongswan_options:%=options/%.conf)
+templates_DATA = strongswan.conf
+optionstemplate_DATA = $(options_install_src)
+pluginstemplate_DATA = $(plugins_install_src)
+man_MANS = \
+ strongswan.conf.5
+
+BUILT_SOURCES = default.conf strongswan.conf.5.main $(confsnippets)
+EXTRA_DIST = format-options.py strongswan.conf default.opt \
+ default.conf strongswan.conf.5.main $(alloptions) $(confsnippets)
+
+CLEANFILES = $(man_MANS)
+all: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .conf .opt .tmp
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu conf/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu conf/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+strongswan.conf.5.head: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.head.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+strongswan.conf.5.tail: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.tail.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-man5: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man5dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.5[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man5dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.5[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
+install-optionstemplateDATA: $(optionstemplate_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(optionstemplate_DATA)'; test -n "$(optionstemplatedir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(optionstemplatedir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(optionstemplatedir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(optionstemplatedir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(optionstemplatedir)" || exit $$?; \
+ done
+
+uninstall-optionstemplateDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(optionstemplate_DATA)'; test -n "$(optionstemplatedir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(optionstemplatedir)'; $(am__uninstall_files_from_dir)
+install-pluginstemplateDATA: $(pluginstemplate_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(pluginstemplate_DATA)'; test -n "$(pluginstemplatedir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(pluginstemplatedir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(pluginstemplatedir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pluginstemplatedir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(pluginstemplatedir)" || exit $$?; \
+ done
+
+uninstall-pluginstemplateDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(pluginstemplate_DATA)'; test -n "$(pluginstemplatedir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(pluginstemplatedir)'; $(am__uninstall_files_from_dir)
+install-templatesDATA: $(templates_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(templates_DATA)'; test -n "$(templatesdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \
+ done
+
+uninstall-templatesDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(templates_DATA)'; test -n "$(templatesdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir)
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(MANS) $(DATA)
+installdirs:
+ for dir in "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(optionstemplatedir)" "$(DESTDIR)$(pluginstemplatedir)" "$(DESTDIR)$(templatesdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-data-local install-man \
+ install-optionstemplateDATA install-pluginstemplateDATA \
+ install-templatesDATA
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man5
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic \
+ maintainer-clean-local
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man uninstall-optionstemplateDATA \
+ uninstall-pluginstemplateDATA uninstall-templatesDATA
+
+uninstall-man: uninstall-man5
+
+.MAKE: all check install install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ clean-local cscopelist-am ctags-am distclean distclean-generic \
+ distclean-libtool distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am \
+ install-data-local install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-man5 \
+ install-optionstemplateDATA install-pdf install-pdf-am \
+ install-pluginstemplateDATA install-ps install-ps-am \
+ install-strip install-templatesDATA installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic maintainer-clean-local mostlyclean \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags-am uninstall uninstall-am uninstall-man uninstall-man5 \
+ uninstall-optionstemplateDATA uninstall-pluginstemplateDATA \
+ uninstall-templatesDATA
+
+
+.opt.conf:
+ $(AM_V_GEN) \
+ case "$<" in \
+ *plugins/*) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .opt`:" \
+ $(srcdir)/default.opt | cat - $< | \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins > $(srcdir)/$@ \
+ ;; \
+ *) \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins $< > $(srcdir)/$@ \
+ ;; \
+ esac
+
+# we need another implicit rule to generate files from the generic template only
+# if the rules above did not catch it. this requires an intermediate step that
+# generates a copy of the generic config template.
+$(plugins_install_tmp):
+ @mkdir -p $(builddir)/plugins
+ @cp $(srcdir)/default.conf $(builddir)/$@
+
+.tmp.conf:
+ $(AM_V_GEN) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .tmp`:" \
+ $(builddir)/$< > $(builddir)/$@
+
+strongswan.conf.5.main: $(alloptions)
+ $(AM_V_GEN) \
+ cd $(srcdir) && $(PYTHON) format-options.py -f man $(alloptions) > $@
+
+strongswan.conf.5: strongswan.conf.5.head strongswan.conf.5.main strongswan.conf.5.tail
+ $(AM_V_GEN) \
+ cat strongswan.conf.5.head $(srcdir)/strongswan.conf.5.main strongswan.conf.5.tail > $@
+
+clean-local:
+ rm -f plugins/*.conf plugins/*.tmp
+
+maintainer-clean-local:
+ cd $(srcdir) && \
+ rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
+
+install-data-local: $(plugins_install_src)
+ test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
+ test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
+ test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+ test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+ for f in $(options_install_src); do \
+ name=`basename $$f`; \
+ test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \
+ done
+ for f in $(plugins_install_src); do \
+ name=`basename $$f`; \
+ if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
+ test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \
+ done
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/conf/default.conf b/conf/default.conf
new file mode 100644
index 000000000..41d2e1f85
--- /dev/null
+++ b/conf/default.conf
@@ -0,0 +1,8 @@
+@PLUGIN_NAME@ {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/default.opt b/conf/default.opt
new file mode 100644
index 000000000..8c833642d
--- /dev/null
+++ b/conf/default.opt
@@ -0,0 +1,3 @@
+charon.plugins.@PLUGIN_NAME@.load := yes
+ Whether to load the plugin. Can also be an integer to increase the priority
+ of this plugin.
diff --git a/conf/format-options.py b/conf/format-options.py
new file mode 100755
index 000000000..04afed6d6
--- /dev/null
+++ b/conf/format-options.py
@@ -0,0 +1,337 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2014 Tobias Brunner
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+"""
+Parses strongswan.conf option descriptions and produces configuration file
+and man page snippets.
+
+The format for description files is as follows:
+
+full.option.name [[:]= default]
+ Short description intended as comment in config snippet
+
+ Long description for use in the man page, with
+ simple formatting: _italic_, **bold**
+
+ Second paragraph of the long description
+
+The descriptions must be indented by tabs or spaces but are both optional.
+If only a short description is given it is used for both intended usages.
+Line breaks within a paragraph of the long description or the short description
+are not preserved. But multiple paragraphs will be separated in the man page.
+Any formatting in the short description is removed when producing config
+snippets.
+
+Options for which a value is assigned with := are not commented out in the
+produced configuration file snippet. This allows to override a default value,
+that e.g. has to be preserved for legacy reasons, in the generated default
+config.
+
+To describe sections the following format can be used:
+
+full.section.name {[#]}
+ Short description of this section
+
+ Long description as above
+
+If a # is added between the curly braces the section header will be commented
+out in the configuration file snippet, which is useful for example sections.
+"""
+
+import sys
+import re
+from textwrap import TextWrapper
+from optparse import OptionParser
+
+class ConfigOption:
+ """Representing a configuration option or described section in strongswan.conf"""
+ def __init__(self, name, default = None, section = False, commented = False):
+ self.name = name.split('.')[-1]
+ self.fullname = name
+ self.default = default
+ self.section = section
+ self.commented = commented
+ self.desc = []
+ self.options = []
+
+ def __cmp__(self, other):
+ if self.section == other.section:
+ return cmp(self.name, other.name)
+ return 1 if self.section else -1
+
+ def add_paragraph(self):
+ """Adds a new paragraph to the description"""
+ if len(self.desc) and len(self.desc[-1]):
+ self.desc.append("")
+
+ def add(self, line):
+ """Adds a line to the last paragraph"""
+ if not len(self.desc):
+ self.desc.append(line)
+ elif not len(self.desc[-1]):
+ self.desc[-1] = line
+ else:
+ self.desc[-1] += ' ' + line
+
+ def adopt(self, other):
+ """Adopts settings from other, which should be more recently parsed"""
+ self.default = other.default
+ self.commented = other.commented
+ self.desc = other.desc
+
+class Parser:
+ """Parses one or more files of configuration options"""
+ def __init__(self):
+ self.options = []
+
+ def parse(self, file):
+ """Parses the given file and adds all options to the internal store"""
+ self.__current = None
+ for line in file:
+ self.__parse_line(line)
+ if self.__current:
+ self.__add_option(self.__current)
+
+ def __parse_line(self, line):
+ """Parses a single line"""
+ if re.match(r'^\s*#', line):
+ return
+ # option definition
+ m = re.match(r'^(?P<name>\S+)\s*((?P<assign>:)?=\s*(?P<default>.+)?)?\s*$', line)
+ if m:
+ if self.__current:
+ self.__add_option(self.__current)
+ self.__current = ConfigOption(m.group('name'), m.group('default'),
+ commented = not m.group('assign'))
+ return
+ # section definition
+ m = re.match(r'^(?P<name>\S+)\s*\{\s*(?P<comment>#)?\s*\}\s*$', line)
+ if m:
+ if self.__current:
+ self.__add_option(self.__current)
+ self.__current = ConfigOption(m.group('name'), section = True,
+ commented = m.group('comment'))
+ return
+ # paragraph separator
+ m = re.match(r'^\s*$', line)
+ if m and self.__current:
+ self.__current.add_paragraph()
+ # description line
+ m = re.match(r'^\s+(?P<text>.+?)\s*$', line)
+ if m and self.__current:
+ self.__current.add(m.group('text'))
+
+ def __add_option(self, option):
+ """Adds the given option to the abstract storage"""
+ option.desc = [desc for desc in option.desc if len(desc)]
+ parts = option.fullname.split('.')
+ parent = self.__get_option(parts[:-1], True)
+ if not parent:
+ parent = self
+ found = next((x for x in parent.options if x.name == option.name
+ and x.section == option.section), None)
+ if found:
+ found.adopt(option)
+ else:
+ parent.options.append(option)
+ parent.options.sort()
+
+ def __get_option(self, parts, create = False):
+ """Searches/Creates the option (section) based on a list of section names"""
+ option = None
+ options = self.options
+ fullname = ""
+ for name in parts:
+ fullname += '.' + name if len(fullname) else name
+ option = next((x for x in options if x.name == name and x.section), None)
+ if not option:
+ if not create:
+ break
+ option = ConfigOption(fullname, section = True)
+ options.append(option)
+ options.sort()
+ options = option.options
+ return option
+
+ def get_option(self, name):
+ """Retrieves the option with the given name"""
+ return self.__get_option(name.split('.'))
+
+class TagReplacer:
+ """Replaces formatting tags in text"""
+ def __init__(self):
+ self.__matcher_b = self.__create_matcher('**')
+ self.__matcher_i = self.__create_matcher('_')
+ self.__replacer = None
+
+ def __create_matcher(self, tag):
+ tag = re.escape(tag)
+ return re.compile(r'''
+ (^|\s|(?P<brack>[(\[])) # prefix with optional opening bracket
+ (?P<tag>''' + tag + r''') # start tag
+ (?P<text>\w|\S.*?\S) # text
+ ''' + tag + r''' # end tag
+ (?P<punct>([.,!:)\]]|\(\d+\))*) # punctuation
+ (?=$|\s) # suffix (don't consume it so that subsequent tags can match)
+ ''', flags = re.DOTALL | re.VERBOSE)
+
+ def _create_replacer(self):
+ def replacer(m):
+ punct = m.group('punct')
+ if not punct:
+ punct = ''
+ return '{0}{1}{2}'.format(m.group(1), m.group('text'), punct)
+ return replacer
+
+ def replace(self, text):
+ if not self.__replacer:
+ self.__replacer = self._create_replacer()
+ text = re.sub(self.__matcher_b, self.__replacer, text)
+ return re.sub(self.__matcher_i, self.__replacer, text)
+
+class GroffTagReplacer(TagReplacer):
+ def _create_replacer(self):
+ def replacer(m):
+ nl = '\n' if m.group(1) else ''
+ format = 'I' if m.group('tag') == '_' else 'B'
+ brack = m.group('brack')
+ if not brack:
+ brack = ''
+ punct = m.group('punct')
+ if not punct:
+ punct = ''
+ text = re.sub(r'[\r\n\t]', ' ', m.group('text'))
+ return '{0}.R{1} "{2}" "{3}" "{4}"\n'.format(nl, format, brack, text, punct)
+ return replacer
+
+class ConfFormatter:
+ """Formats options to a strongswan.conf snippet"""
+ def __init__(self):
+ self.__indent = ' '
+ self.__wrapper = TextWrapper(width = 80, replace_whitespace = True,
+ break_long_words = False, break_on_hyphens = False)
+ self.__tags = TagReplacer()
+
+ def __print_description(self, opt, indent):
+ if len(opt.desc):
+ self.__wrapper.initial_indent = '{0}# '.format(self.__indent * indent)
+ self.__wrapper.subsequent_indent = self.__wrapper.initial_indent
+ print format(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
+
+ def __print_option(self, opt, indent, commented):
+ """Print a single option with description and default value"""
+ comment = "# " if commented or opt.commented else ""
+ self.__print_description(opt, indent)
+ if opt.default:
+ print '{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default)
+ else:
+ print '{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name)
+ print
+
+ def __print_section(self, section, indent, commented):
+ """Print a section with all options"""
+ comment = "# " if commented or section.commented else ""
+ self.__print_description(section, indent)
+ print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
+ print
+ for o in section.options:
+ if o.section:
+ self.__print_section(o, indent + 1, section.commented)
+ else:
+ self.__print_option(o, indent + 1, section.commented)
+ print '{0}{1}}}'.format(self.__indent * indent, comment)
+ print
+
+ def format(self, options):
+ """Print a list of options"""
+ if not options:
+ return
+ for option in options:
+ if option.section:
+ self.__print_section(option, 0, False)
+ else:
+ self.__print_option(option, 0, False)
+
+class ManFormatter:
+ """Formats a list of options into a groff snippet"""
+ def __init__(self):
+ self.__wrapper = TextWrapper(width = 80, replace_whitespace = False,
+ break_long_words = False, break_on_hyphens = False)
+ self.__tags = GroffTagReplacer()
+
+ def __groffize(self, text):
+ """Encode text as groff text"""
+ text = self.__tags.replace(text)
+ text = re.sub(r'(?<!\\)-', r'\\-', text)
+ # remove any leading whitespace
+ return re.sub(r'^\s+', '', text, flags = re.MULTILINE)
+
+ def __format_option(self, option):
+ """Print a single option"""
+ if option.section and not len(option.desc):
+ return
+ if option.section:
+ print '.TP\n.B {0}\n.br'.format(option.fullname)
+ else:
+ print '.TP'
+ default = option.default if option.default else ''
+ print '.BR {0} " [{1}]"'.format(option.fullname, default)
+ for para in option.desc if len(option.desc) < 2 else option.desc[1:]:
+ print self.__groffize(self.__wrapper.fill(para))
+ print ''
+
+ def format(self, options):
+ """Print a list of options"""
+ if not options:
+ return
+ for option in options:
+ if option.section:
+ self.__format_option(option)
+ self.format(option.options)
+ else:
+ self.__format_option(option)
+
+options = OptionParser(usage = "Usage: %prog [options] file1 file2\n\n"
+ "If no filenames are provided the input is read from stdin.")
+options.add_option("-f", "--format", dest="format", type="choice", choices=["conf", "man"],
+ help="output format: conf, man [default: %default]", default="conf")
+options.add_option("-r", "--root", dest="root", metavar="NAME",
+ help="root section of which options are printed, "
+ "if not found everything is printed")
+(opts, args) = options.parse_args()
+
+parser = Parser()
+if len(args):
+ for filename in args:
+ try:
+ with open(filename, 'r') as file:
+ parser.parse(file)
+ except IOError as e:
+ sys.stderr.write("Unable to open '{0}': {1}\n".format(filename, e.strerror))
+else:
+ parser.parse(sys.stdin)
+
+options = parser.options
+if (opts.root):
+ root = parser.get_option(opts.root)
+ if root:
+ options = root.options
+
+if opts.format == "conf":
+ formatter = ConfFormatter()
+elif opts.format == "man":
+ formatter = ManFormatter()
+
+formatter.format(options)
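Review bot: The `except IOError` branch at the bottom of the script only writes a message to stderr and carries on, so the script still exits 0 when an option file cannot be read. The recipes in conf/Makefile.in redirect its stdout straight into `$@`, which means a missing or unreadable .opt file yields a silently incomplete config snippet or man page that make treats as successfully built. Adding `sys.exit(1)` after the `sys.stderr.write(...)` call would make the build fail instead. Separately, `__print_section` passes `section.commented` rather than `commented or section.commented` to its nested `__print_section` and `__print_option` calls, so the commented-out state is lost below the first nesting level and a `:=` option two levels under a `{ # }` section would be printed as active.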
diff --git a/conf/options/attest.conf b/conf/options/attest.conf
new file mode 100644
index 000000000..1f7f57cb4
--- /dev/null
+++ b/conf/options/attest.conf
@@ -0,0 +1,11 @@
+attest {
+
+ # File measurement information database URI. If it contains a password, make
+ # sure to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec attest tool.
+ # load =
+
+}
+
diff --git a/conf/options/attest.opt b/conf/options/attest.opt
new file mode 100644
index 000000000..20b14f42d
--- /dev/null
+++ b/conf/options/attest.opt
@@ -0,0 +1,6 @@
+attest.database =
+ File measurement information database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+attest.load =
+ Plugins to load in ipsec attest tool.
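Review bot: The description of `attest.database` tells the administrator to adjust the config file's permissions when the URI holds a password, but it does not say what the file's default mode is. The `install-data-local` recipe in conf/Makefile.in installs the option snippets with `$(INSTALL) -m 644`, so, assuming attest.conf is among them, the file starts out world-readable. I would append a sentence to the existing paragraph (so it reaches both the config comment and the man page), e.g. `The snippet is installed with mode 644; restrict read access before adding credentials.` The same applies to `charon.imcv.database` in conf/options/imcv.opt.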
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
new file mode 100644
index 000000000..c91421dea
--- /dev/null
+++ b/conf/options/charon-logging.conf
@@ -0,0 +1,62 @@
+charon {
+
+ # Section to define file loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ filelog {
+
+ # <filename> is the full path to the log file.
+ # <filename> {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # If this option is enabled log entries are appended to the existing
+ # file.
+ # append = yes
+
+ # Default loglevel.
+ # default = 1
+
+ # Enabling this option disables block buffering and enables line
+ # buffering.
+ # flush_line = no
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # Prefix each log entry with a timestamp. The option accepts a
+ # format string as passed to strftime(3).
+ # time_format =
+
+ # }
+
+ }
+
+ # Section to define syslog loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ syslog {
+
+ # Identifier for use with openlog(3).
+ # identifier =
+
+ # <facility> is one of the supported syslog facilities, see LOGGER
+ # CONFIGURATION in strongswan.conf(5).
+ # <facility> {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # Default loglevel.
+ # default = 1
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # }
+
+ }
+
+}
+
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
new file mode 100644
index 000000000..b437a9cc3
--- /dev/null
+++ b/conf/options/charon-logging.opt
@@ -0,0 +1,57 @@
+charon.filelog {}
+ Section to define file loggers, see LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon.filelog.<filename> { # }
+ <filename> is the full path to the log file.
+
+charon.filelog.<filename>.default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon.filelog.<filename>.<subsystem> = <default>
+ Loglevel for a specific subsystem.
+
+charon.filelog.<filename>.append = yes
+ If this option is enabled log entries are appended to the existing file.
+
+charon.filelog.<filename>.flush_line = no
+ Enabling this option disables block buffering and enables line buffering.
+
+charon.filelog.<filename>.ike_name = no
+ Prefix each log entry with the connection name and a unique numerical
+ identifier for each IKE_SA.
+
+charon.filelog.<filename>.time_format
+ Prefix each log entry with a timestamp. The option accepts a format string
+ as passed to **strftime**(3).
+
+charon.syslog {}
+ Section to define syslog loggers, see LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon.syslog.identifier
+ Identifier for use with openlog(3).
+
+ Global identifier used for an **openlog**(3) call, prepended to each log
+ message by syslog. If not configured, **openlog**(3) is not called, so the
+ value will depend on system defaults (often the program name).
+
+charon.syslog.<facility> { # }
+ <facility> is one of the supported syslog facilities, see LOGGER
+ CONFIGURATION in **strongswan.conf**(5).
+
+charon.syslog.<facility>.default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon.syslog.<facility>.<subsystem> = <default>
+ Loglevel for a specific subsystem.
+
+charon.syslog.<facility>.ike_name = no
+ Prefix each log entry with the connection name and a unique numerical
+ identifier for each IKE_SA.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
new file mode 100644
index 000000000..5cab2b1c4
--- /dev/null
+++ b/conf/options/charon.conf
@@ -0,0 +1,281 @@
+# Options for the charon IKE daemon.
+charon {
+
+ # Maximum number of half-open IKE_SAs for a single peer IP.
+ # block_threshold = 5
+
+ # Whether relations in validated certificate chains should be cached in
+ # memory.
+ # cert_cache = yes
+
+ # Send Cisco Unity vendor ID payload (IKEv1 only).
+ # cisco_unity = no
+
+ # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+ # close_ike_on_child_failure = no
+
+ # Number of half-open IKE_SAs that activate the cookie mechanism.
+ # cookie_threshold = 10
+
+ # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ # strength.
+ # dh_exponent_ansi_x9_42 = yes
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns1 =
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns2 =
+
+ # Enable Denial of Service protection using cookies and aggressiveness
+ # checks.
+ # dos_protection = yes
+
+ # Compliance with the errata for RFC 4753.
+ # ecp_x_coordinate_only = yes
+
+ # Free objects during authentication (might conflict with plugins).
+ # flush_auth_cfg = no
+
+ # Maximum size (in bytes) of a sent fragment when using the proprietary
+ # IKEv1 fragmentation extension.
+ # fragment_size = 512
+
+ # Name of the group the daemon changes to after startup.
+ # group =
+
+ # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+ # half_open_timeout = 30
+
+ # Enable hash and URL support.
+ # hash_and_url = no
+
+ # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+ # i_dont_care_about_security_and_use_aggressive_mode_psk = no
+
+ # A space-separated list of routing tables to be excluded from route
+ # lookups.
+ # ignore_routing_tables =
+
+ # Maximum number of IKE_SAs that can be established at the same time before
+ # new connection attempts are blocked.
+ # ikesa_limit = 0
+
+ # Number of exclusively locked segments in the hash table.
+ # ikesa_table_segments = 1
+
+ # Size of the IKE_SA hash table.
+ # ikesa_table_size = 1
+
+ # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+ # inactivity_close_ike = no
+
+ # Limit new connections based on the current number of half open IKE_SAs,
+ # see IKE_SA_INIT DROPPING in strongswan.conf(5).
+ # init_limit_half_open = 0
+
+ # Limit new connections based on the number of queued jobs.
+ # init_limit_job_load = 0
+
+ # Causes charon daemon to ignore IKE initiation requests.
+ # initiator_only = no
+
+ # Install routes into a separate routing table for established IPsec
+ # tunnels.
+ # install_routes = yes
+
+ # Install virtual IP addresses.
+ # install_virtual_ip = yes
+
+ # The name of the interface on which virtual IP addresses should be
+ # installed.
+ # install_virtual_ip_on =
+
+ # Check daemon, libstrongswan and plugin integrity at startup.
+ # integrity_test = no
+
+ # A comma-separated list of network interfaces that should be ignored, if
+ # interfaces_use is specified this option has no effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces that should be used by
+ # charon. All other interfaces are ignored.
+ # interfaces_use =
+
+ # NAT keep alive interval.
+ # keep_alive = 20s
+
+ # Plugins to load in the IKE daemon charon.
+ # load =
+
+ # Determine plugins to load via each plugin's load option.
+ # load_modular = no
+
+ # Maximum packet size accepted by charon.
+ # max_packet = 10000
+
+ # Enable multiple authentication exchanges (RFC 4739).
+ # multiple_authentication = yes
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns1 =
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns2 =
+
+ # UDP port used locally. If set to 0 a random port will be allocated.
+ # port = 500
+
+ # UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ # allocated. Has to be different from charon.port, otherwise a random port
+ # will be allocated.
+ # port_nat_t = 4500
+
+ # Process RTM_NEWROUTE and RTM_DELROUTE events.
+ # process_route = yes
+
+ # Delay in ms for receiving packets, to simulate larger RTT.
+ # receive_delay = 0
+
+ # Delay request messages.
+ # receive_delay_request = yes
+
+ # Delay response messages.
+ # receive_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # receive_delay_type = 0
+
+ # Size of the AH/ESP replay window, in packets.
+ # replay_window = 32
+
+ # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ # in strongswan.conf(5).
+ # retransmit_base = 1.8
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 4.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 5
+
+ # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
+ # resolution failed), 0 to disable retries.
+ # retry_initiate_interval = 0
+
+ # Initiate CHILD_SA within existing IKE_SAs.
+ # reuse_ikesa = yes
+
+ # Numerical routing table to install routes to.
+ # routing_table =
+
+ # Priority of the routing table.
+ # routing_table_prio =
+
+ # Delay in ms for sending packets, to simulate larger RTT.
+ # send_delay = 0
+
+ # Delay request messages.
+ # send_delay_request = yes
+
+ # Delay response messages.
+ # send_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # send_delay_type = 0
+
+ # Send strongSwan vendor ID payload
+ # send_vendor_id = no
+
+ # Number of worker threads in charon.
+ # threads = 16
+
+ # Name of the user the daemon changes to after startup.
+ # user =
+
+ crypto_test {
+
+ # Benchmark crypto algorithms and order them by efficiency.
+ # bench = no
+
+ # Buffer size used for crypto benchmark.
+ # bench_size = 1024
+
+ # Number of iterations to test each algorithm.
+ # bench_time = 50
+
+ # Test crypto algorithms during registration (requires test vectors
+ # provided by the test-vectors plugin).
+ # on_add = no
+
+ # Test crypto algorithms on each crypto primitive instantiation.
+ # on_create = no
+
+ # Strictly require at least one test vector to enable an algorithm.
+ # required = no
+
+ # Whether to test RNG with TRUE quality; requires a lot of entropy.
+ # rng_true = no
+
+ }
+
+ host_resolver {
+
+ # Maximum number of concurrent resolver threads (they are terminated if
+ # unused).
+ # max_threads = 3
+
+ # Minimum number of resolver threads to keep around.
+ # min_threads = 0
+
+ }
+
+ leak_detective {
+
+ # Includes source file names and line numbers in leak detective output.
+ # detailed = yes
+
+ # Threshold in bytes for leaks to be reported (0 to report all).
+ # usage_threshold = 10240
+
+ # Threshold in number of allocations for leaks to be reported (0 to
+ # report all).
+ # usage_threshold_count = 0
+
+ }
+
+ processor {
+
+ # Section to configure the number of reserved threads per priority class
+ # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
+ priority_threads {
+
+ }
+
+ }
+
+ tls {
+
+ # List of TLS encryption ciphers.
+ # cipher =
+
+ # List of TLS key exchange methods.
+ # key_exchange =
+
+ # List of TLS MAC algorithms.
+ # mac =
+
+ # List of TLS cipher suites.
+ # suites =
+
+ }
+
+ x509 {
+
+ # Discard certificates with unsupported or unknown critical extensions.
+ # enforce_critical = yes
+
+ }
+
+}
+
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
new file mode 100644
index 000000000..c6f4f1e9e
--- /dev/null
+++ b/conf/options/charon.opt
@@ -0,0 +1,284 @@
+charon {}
+ Options for the charon IKE daemon.
+
+ Options for the charon IKE daemon.
+
+ **Note**: Many of the options in this section also apply to **charon-cmd**
+ and other **charon** derivatives. Just use their respective name (e.g.
+ **charon-cmd** instead of **charon**). For many options defaults can be
+ defined in the **libstrongswan** section.
+
+charon.block_threshold = 5
+ Maximum number of half-open IKE_SAs for a single peer IP.
+
+charon.cert_cache = yes
+ Whether relations in validated certificate chains should be cached in
+ memory.
+
+charon.cisco_unity = no
+ Send Cisco Unity vendor ID payload (IKEv1 only).
+
+charon.close_ike_on_child_failure = no
+ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+charon.cookie_threshold = 10
+ Number of half-open IKE_SAs that activate the cookie mechanism.
+
+charon.crypto_test.bench = no
+ Benchmark crypto algorithms and order them by efficiency.
+
+charon.crypto_test.bench_size = 1024
+ Buffer size used for crypto benchmark.
+
+charon.crypto_test.bench_time = 50
+ Number of iterations to test each algorithm.
+
+charon.crypto_test.on_add = no
+ Test crypto algorithms during registration (requires test vectors provided
+ by the _test-vectors_ plugin).
+
+charon.crypto_test.on_create = no
+ Test crypto algorithms on each crypto primitive instantiation.
+
+charon.crypto_test.required = no
+ Strictly require at least one test vector to enable an algorithm.
+
+charon.crypto_test.rng_true = no
+ Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+charon.dh_exponent_ansi_x9_42 = yes
+ Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ strength.
+
+charon.dns1
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dns2
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dos_protection = yes
+ Enable Denial of Service protection using cookies and aggressiveness checks.
+
+charon.ecp_x_coordinate_only = yes
+ Compliance with the errata for RFC 4753.
+
+charon.flush_auth_cfg = no
+ Free objects during authentication (might conflict with plugins).
+
+ If enabled objects used during authentication (certificates, identities
+ etc.) are released to free memory once an IKE_SA is established. Enabling
+ this might conflict with plugins that later need access to e.g. the used
+ certificates.
+
+charon.fragment_size = 512
+ Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+ fragmentation extension.
+
+charon.group
+ Name of the group the daemon changes to after startup.
+
+charon.half_open_timeout = 30
+ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+charon.hash_and_url = no
+ Enable hash and URL support.
+
+charon.host_resolver.max_threads = 3
+ Maximum number of concurrent resolver threads (they are terminated if
+ unused).
+
+charon.host_resolver.min_threads = 0
+ Minimum number of resolver threads to keep around.
+
+charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+
+ If enabled responders are allowed to use IKEv1 Aggressive Mode with
+ pre-shared keys, which is discouraged due to security concerns (offline
+ attacks on the openly transmitted hash of the PSK).
+
+charon.ignore_routing_tables
+ A space-separated list of routing tables to be excluded from route lookups.
+
+charon.ikesa_limit = 0
+ Maximum number of IKE_SAs that can be established at the same time before
+ new connection attempts are blocked.
+
+charon.ikesa_table_segments = 1
+ Number of exclusively locked segments in the hash table.
+
+charon.ikesa_table_size = 1
+ Size of the IKE_SA hash table.
+
+charon.inactivity_close_ike = no
+ Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+charon.init_limit_half_open = 0
+ Limit new connections based on the current number of half open IKE_SAs, see
+ IKE_SA_INIT DROPPING in **strongswan.conf**(5).
+
+charon.init_limit_job_load = 0
+ Limit new connections based on the number of queued jobs.
+
+ Limit new connections based on the number of jobs currently queued for
+ processing (see IKE_SA_INIT DROPPING).
+
+charon.initiator_only = no
+ Causes charon daemon to ignore IKE initiation requests.
+
+charon.install_routes = yes
+ Install routes into a separate routing table for established IPsec tunnels.
+
+charon.install_virtual_ip = yes
+ Install virtual IP addresses.
+
+charon.install_virtual_ip_on
+ The name of the interface on which virtual IP addresses should be installed.
+
+ The name of the interface on which virtual IP addresses should be installed.
+ If not specified the addresses will be installed on the outbound interface.
+
+charon.integrity_test = no
+ Check daemon, libstrongswan and plugin integrity at startup.
+
+charon.interfaces_ignore
+ A comma-separated list of network interfaces that should be ignored, if
+ **interfaces_use** is specified this option has no effect.
+
+charon.interfaces_use
+ A comma-separated list of network interfaces that should be used by charon.
+ All other interfaces are ignored.
+
+charon.keep_alive = 20s
+ NAT keep alive interval.
+
+charon.leak_detective.detailed = yes
+ Includes source file names and line numbers in leak detective output.
+
+charon.leak_detective.usage_threshold = 10240
+ Threshold in bytes for leaks to be reported (0 to report all).
+
+charon.leak_detective.usage_threshold_count = 0
+ Threshold in number of allocations for leaks to be reported (0 to report
+ all).
+
+charon.load
+ Plugins to load in the IKE daemon charon.
+
+charon.load_modular = no
+ Determine plugins to load via each plugin's load option.
+
+ If enabled, the list of plugins to load is determined via the value of the
+ _charon.plugins.<name>.load_ options. In addition to a simple boolean flag
+ that option may take an integer value indicating the priority of a plugin,
+ which would influence the order of a plugin in the plugin list (the default
+ is 1). If two plugins have the same priority their order in the default
+ plugin list is preserved. Enabled plugins not found in that list are ordered
+ alphabetically before other plugins with the same priority.
+
+charon.max_packet = 10000
+ Maximum packet size accepted by charon.
+
+charon.multiple_authentication = yes
+ Enable multiple authentication exchanges (RFC 4739).
+
+charon.nbns1
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.nbns2
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.port = 500
+ UDP port used locally. If set to 0 a random port will be allocated.
+
+charon.port_nat_t = 4500
+ UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ allocated. Has to be different from **charon.port**, otherwise a random
+ port will be allocated.
+
+charon.process_route = yes
+ Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+charon.processor.priority_threads {}
+ Section to configure the number of reserved threads per priority class
+ see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
+
+charon.receive_delay = 0
+ Delay in ms for receiving packets, to simulate larger RTT.
+
+charon.receive_delay_response = yes
+ Delay response messages.
+
+charon.receive_delay_request = yes
+ Delay request messages.
+
+charon.receive_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.replay_window = 32
+ Size of the AH/ESP replay window, in packets.
+
+charon.retransmit_base = 1.8
+ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ in **strongswan.conf**(5).
+
+charon.retransmit_timeout = 4.0
+ Timeout in seconds before sending first retransmit.
+
+charon.retransmit_tries = 5
+ Number of times to retransmit a packet before giving up.
+
+charon.retry_initiate_interval = 0
+ Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+ failed), 0 to disable retries.
+
+charon.reuse_ikesa = yes
+ Initiate CHILD_SA within existing IKE_SAs.
+
+charon.routing_table
+ Numerical routing table to install routes to.
+
+charon.routing_table_prio
+ Priority of the routing table.
+
+charon.send_delay = 0
+ Delay in ms for sending packets, to simulate larger RTT.
+
+charon.send_delay_response = yes
+ Delay response messages.
+
+charon.send_delay_request = yes
+ Delay request messages.
+
+charon.send_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.send_vendor_id = no
+ Send strongSwan vendor ID payload
+
+charon.threads = 16
+ Number of worker threads in charon.
+
+ Number of worker threads in charon. Several of these are reserved for long
+ running tasks in internal modules and plugins. Therefore, make sure you
+ don't set this value too low. The number of idle worker threads listed in
+ _ipsec statusall_ might be used as indicator on the number of reserved
+ threads.
+
+charon.tls.cipher
+ List of TLS encryption ciphers.
+
+charon.tls.key_exchange
+ List of TLS key exchange methods.
+
+charon.tls.mac
+ List of TLS MAC algorithms.
+
+charon.tls.suites
+ List of TLS cipher suites.
+
+charon.user
+ Name of the user the daemon changes to after startup.
+
+charon.x509.enforce_critical = yes
+ Discard certificates with unsupported or unknown critical extensions.
diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf
new file mode 100644
index 000000000..92016ef52
--- /dev/null
+++ b/conf/options/imcv.conf
@@ -0,0 +1,43 @@
+charon {
+
+ # Defaults for options in this section can be configured in the libimcv
+ # section.
+ imcv {
+
+ # Whether IMVs send a standard IETF Assessment Result attribute.
+ # assessment_result = yes
+
+ # Global IMV policy database URI. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Script called for each TNC connection to generate IMV policies.
+ # policy_script = ipsec _imv_policy
+
+ os_info {
+
+ # Manually set the name of the client OS (e.g. Ubuntu).
+ # name =
+
+ # Manually set the version of the client OS (e.g. 12.04 i686).
+ # version =
+
+ }
+
+ }
+
+}
+
+libimcv {
+
+ # Debug level for a stand-alone libimcv library.
+ # debug_level = 1
+
+ # Plugins to load in IMC/IMVs with stand-alone libimcv library.
+ # load = random nonce gmp pubkey x509
+
+ # Disable output to stderr with a stand-alone libimcv library.
+ # stderr_quiet = no
+
+}
+
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
new file mode 100644
index 000000000..a249a7b14
--- /dev/null
+++ b/conf/options/imcv.opt
@@ -0,0 +1,28 @@
+charon.imcv {}
+ Defaults for options in this section can be configured in the _libimcv_
+ section.
+
+charon.imcv.assessment_result = yes
+ Whether IMVs send a standard IETF Assessment Result attribute.
+
+charon.imcv.database =
+ Global IMV policy database URI. If it contains a password, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.imcv.os_info.name =
+ Manually set the name of the client OS (e.g. Ubuntu).
+
+charon.imcv.os_info.version =
+ Manually set the version of the client OS (e.g. 12.04 i686).
+
+charon.imcv.policy_script = ipsec _imv_policy
+ Script called for each TNC connection to generate IMV policies.
+
+libimcv.debug_level = 1
+ Debug level for a stand-alone _libimcv_ library.
+
+libimcv.load = random nonce gmp pubkey x509
+ Plugins to load in IMC/IMVs with stand-alone _libimcv_ library.
+
+libimcv.stderr_quiet = no
+ Disable output to stderr with a stand-alone _libimcv_ library.
diff --git a/conf/options/manager.conf b/conf/options/manager.conf
new file mode 100644
index 000000000..bb0934688
--- /dev/null
+++ b/conf/options/manager.conf
@@ -0,0 +1,23 @@
+manager {
+
+ # Credential database URI for manager. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Enable debugging in manager.
+ # debug = no
+
+ # Plugins to load in manager.
+ # load =
+
+ # FastCGI socket of manager, to run it statically.
+ # socket =
+
+ # Threads to use for request handling.
+ # threads = 10
+
+ # Session timeout for manager.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
new file mode 100644
index 000000000..dbac73110
--- /dev/null
+++ b/conf/options/manager.opt
@@ -0,0 +1,18 @@
+manager.database =
+ Credential database URI for manager. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+manager.debug = no
+ Enable debugging in manager.
+
+manager.load =
+ Plugins to load in manager.
+
+manager.socket =
+ FastCGI socket of manager, to run it statically.
+
+manager.threads = 10
+ Threads to use for request handling.
+
+manager.timeout = 15m
+ Session timeout for manager.
diff --git a/conf/options/medsrv.conf b/conf/options/medsrv.conf
new file mode 100644
index 000000000..b3026ea3f
--- /dev/null
+++ b/conf/options/medsrv.conf
@@ -0,0 +1,32 @@
+medsrv {
+
+ # Mediation server database URI. If it contains a password, make sure to
+ # adjust the permissions of the config file accordingly.
+ # database =
+
+ # Debugging in mediation server web application.
+ # debug = no
+
+ # DPD timeout to use in mediation server plugin.
+ # dpd = 5m
+
+ # Plugins to load in mediation server plugin.
+ # load =
+
+ # Minimum password length required for mediation server user accounts.
+ # password_length = 6
+
+ # Rekeying time on mediation connections in mediation server plugin.
+ # rekey = 20m
+
+ # Run Mediation server web application statically on socket.
+ # socket =
+
+ # Number of thread for mediation service web application.
+ # threads = 5
+
+ # Session timeout for mediation service.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt
new file mode 100644
index 000000000..f673b7e03
--- /dev/null
+++ b/conf/options/medsrv.opt
@@ -0,0 +1,27 @@
+medsrv.database =
+ Mediation server database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+medsrv.debug = no
+ Debugging in mediation server web application.
+
+medsrv.dpd = 5m
+ DPD timeout to use in mediation server plugin.
+
+medsrv.load =
+ Plugins to load in mediation server plugin.
+
+medsrv.password_length = 6
+ Minimum password length required for mediation server user accounts.
+
+medsrv.rekey = 20m
+ Rekeying time on mediation connections in mediation server plugin.
+
+medsrv.socket =
+ Run Mediation server web application statically on socket.
+
+medsrv.threads = 5
+ Number of thread for mediation service web application.
+
+medsrv.timeout = 15m
+ Session timeout for mediation service.
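Review bot: `medsrv.password_length = 6` documents a six-character minimum for mediation server user accounts, and the description gives no hint that this is only a floor an operator is expected to raise. Since these accounts guard the mediation server web application, I would extend the text to `Minimum password length required for mediation server user accounts; the default is a lower bound and should be raised for exposed deployments.` The description of `medsrv.threads` reads `Number of thread` and should be `Number of threads`. medsrv.conf carries the same strings and needs the same wording if it is generated from this file.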
diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf
new file mode 100644
index 000000000..730e5435c
--- /dev/null
+++ b/conf/options/pacman.conf
@@ -0,0 +1,12 @@
+pacman {
+
+ # Database URI for the database that stores the package information. If it
+ # contains a password, make sure to adjust the permissions of the config
+ # file accordingly.
+ # database =
+
+ # Plugins to load in package manager.
+ # load =
+
+}
+
diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt
new file mode 100644
index 000000000..dfb4ba2b1
--- /dev/null
+++ b/conf/options/pacman.opt
@@ -0,0 +1,7 @@
+pacman.database =
+ Database URI for the database that stores the package information. If it
+ contains a password, make sure to adjust the permissions of the config file
+ accordingly.
+
+pacman.load =
+ Plugins to load in package manager.
diff --git a/conf/options/pool.conf b/conf/options/pool.conf
new file mode 100644
index 000000000..297c0f8cf
--- /dev/null
+++ b/conf/options/pool.conf
@@ -0,0 +1,12 @@
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
new file mode 100644
index 000000000..79458c779
--- /dev/null
+++ b/conf/options/pool.opt
@@ -0,0 +1,7 @@
+pool.database
+ Database URI for the database that stores IP pools and configuration
+ attributes. If it contains a password, make sure to adjust the permissions
+ of the config file accordingly.
+
+pool.load =
+ Plugins to load in ipsec pool tool.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
new file mode 100644
index 000000000..8465f7e53
--- /dev/null
+++ b/conf/options/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+ # Plugins to load in starter.
+ # load =
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
new file mode 100644
index 000000000..4e6574d58
--- /dev/null
+++ b/conf/options/starter.opt
@@ -0,0 +1,5 @@
+starter.load =
+ Plugins to load in starter.
+
+starter.load_warning = yes
+ Disable charon plugin load option warning.
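Review bot: The description of `starter.load_warning = yes` reads `Disable charon plugin load option warning.`, which does not tell the reader whether the default `yes` shows or suppresses the warning. If, as the option name suggests, `yes` keeps the warning enabled, the text should say so, for example `Show a warning if the charon plugin load option is used; set to no to disable it.` The same sentence appears as the comment in starter.conf.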
diff --git a/conf/options/tnc.conf b/conf/options/tnc.conf
new file mode 100644
index 000000000..6736a2d0a
--- /dev/null
+++ b/conf/options/tnc.conf
@@ -0,0 +1,11 @@
+charon {
+
+ tnc {
+
+ # TNC IMC/IMV configuration file.
+ # tnc_config = /etc/tnc_config
+
+ }
+
+}
+
diff --git a/conf/options/tnc.opt b/conf/options/tnc.opt
new file mode 100644
index 000000000..467723ea6
--- /dev/null
+++ b/conf/options/tnc.opt
@@ -0,0 +1,2 @@
+charon.tnc.tnc_config = /etc/tnc_config
+ TNC IMC/IMV configuration file.
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
new file mode 100644
index 000000000..a3ab099ed
--- /dev/null
+++ b/conf/options/tools.conf
@@ -0,0 +1,21 @@
+openac {
+
+ # Plugins to load in ipsec openac tool.
+ # load =
+
+}
+
+pki {
+
+ # Plugins to load in ipsec pki tool.
+ # load =
+
+}
+
+scepclient {
+
+ # Plugins to load in ipsec scepclient tool.
+ # load =
+
+}
+
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
new file mode 100644
index 000000000..23e6a1c9f
--- /dev/null
+++ b/conf/options/tools.opt
@@ -0,0 +1,8 @@
+openac.load =
+ Plugins to load in ipsec openac tool.
+
+pki.load =
+ Plugins to load in ipsec pki tool.
+
+scepclient.load =
+ Plugins to load in ipsec scepclient tool.
diff --git a/conf/plugins/android_log.conf b/conf/plugins/android_log.conf
new file mode 100644
index 000000000..4d87eed85
--- /dev/null
+++ b/conf/plugins/android_log.conf
@@ -0,0 +1,11 @@
+android_log {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Loglevel for logging to Android specific logger.
+ # loglevel = 1
+
+}
+
diff --git a/conf/plugins/android_log.opt b/conf/plugins/android_log.opt
new file mode 100644
index 000000000..801b8bf19
--- /dev/null
+++ b/conf/plugins/android_log.opt
@@ -0,0 +1,2 @@
+charon.plugins.android_log.loglevel = 1
+ Loglevel for logging to Android specific logger.
diff --git a/conf/plugins/attr-sql.conf b/conf/plugins/attr-sql.conf
new file mode 100644
index 000000000..24d4e809d
--- /dev/null
+++ b/conf/plugins/attr-sql.conf
@@ -0,0 +1,16 @@
+attr-sql {
+
+ # Database URI for attr-sql plugin used by charon. If it contains a
+ # password, make sure to adjust the permissions of the config file
+ # accordingly.
+ # database =
+
+ # Enable logging of SQL IP pool leases.
+ # lease_history = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt
new file mode 100644
index 000000000..abd749e3e
--- /dev/null
+++ b/conf/plugins/attr-sql.opt
@@ -0,0 +1,6 @@
+charon.plugins.attr-sql.database
+ Database URI for attr-sql plugin used by charon. If it contains a password,
+ make sure to adjust the permissions of the config file accordingly.
+
+charon.plugins.attr-sql.lease_history = yes
+ Enable logging of SQL IP pool leases.
diff --git a/conf/plugins/attr.conf b/conf/plugins/attr.conf
new file mode 100644
index 000000000..7a3645b79
--- /dev/null
+++ b/conf/plugins/attr.conf
@@ -0,0 +1,14 @@
+# Section to specify arbitrary attributes that are assigned to a peer via
+# configuration payload (CP).
+attr {
+
+ # <attr> is an attribute name or an integer, values can be an IP address,
+ # subnet or arbitrary value.
+ # <attr> =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/attr.opt b/conf/plugins/attr.opt
new file mode 100644
index 000000000..f3c187c7b
--- /dev/null
+++ b/conf/plugins/attr.opt
@@ -0,0 +1,14 @@
+charon.plugins.attr {}
+ Section to specify arbitrary attributes that are assigned to a peer via
+ configuration payload (CP).
+
+charon.plugins.attr.<attr>
+ <attr> is an attribute name or an integer, values can be an IP address,
+ subnet or arbitrary value.
+
+ **<attr>** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_,
+ _subnet_, _split-include_, _split-exclude_ or the numeric identifier of the
+ attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in
+ CIDR notation or an arbitrary value depending on the attribute type. For
+ some attribute types multiple values may be specified as a comma separated
+ list.
diff --git a/conf/plugins/certexpire.conf b/conf/plugins/certexpire.conf
new file mode 100644
index 000000000..543848c15
--- /dev/null
+++ b/conf/plugins/certexpire.conf
@@ -0,0 +1,38 @@
+certexpire {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ csv {
+
+ # Cron style string specifying CSV export times.
+ # cron =
+
+ # String to use in empty intermediate CA fields.
+ # empty_string =
+
+ # Use a fixed intermediate CA field count.
+ # fixed_fields = yes
+
+ # Force export of all trustchains we have a private key for.
+ # force = yes
+
+ # strftime(3) format string to export expiration dates as.
+ # format = %d:%m:%Y
+
+ # strftime(3) format string for the CSV file name to export local
+ # certificates to.
+ # local =
+
+ # strftime(3) format string for the CSV file name to export remote
+ # certificates to.
+ # remote =
+
+ # CSV field separator.
+ # separator = ,
+
+ }
+
+}
+
diff --git a/conf/plugins/certexpire.opt b/conf/plugins/certexpire.opt
new file mode 100644
index 000000000..7c165383a
--- /dev/null
+++ b/conf/plugins/certexpire.opt
@@ -0,0 +1,25 @@
+charon.plugins.certexpire.csv.cron
+ Cron style string specifying CSV export times.
+
+charon.plugins.certexpire.csv.empty_string =
+ String to use in empty intermediate CA fields.
+
+charon.plugins.certexpire.csv.fixed_fields = yes
+ Use a fixed intermediate CA field count.
+
+charon.plugins.certexpire.csv.force = yes
+ Force export of all trustchains we have a private key for.
+
+charon.plugins.certexpire.csv.format = %d:%m:%Y
+ **strftime**(3) format string to export expiration dates as.
+
+charon.plugins.certexpire.csv.local
+ **strftime**(3) format string for the CSV file name to export local
+ certificates to.
+
+charon.plugins.certexpire.csv.remote
+ **strftime**(3) format string for the CSV file name to export remote
+ certificates to.
+
+charon.plugins.certexpire.csv.separator = ,
+ CSV field separator.
diff --git a/conf/plugins/coupling.conf b/conf/plugins/coupling.conf
new file mode 100644
index 000000000..a5c3d7868
--- /dev/null
+++ b/conf/plugins/coupling.conf
@@ -0,0 +1,17 @@
+coupling {
+
+ # File to store coupling list to.
+ # file =
+
+ # Hashing algorithm to fingerprint coupled certificates.
+ # hash = sha1
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of coupling entries to create.
+ # max = 1
+
+}
+
diff --git a/conf/plugins/coupling.opt b/conf/plugins/coupling.opt
new file mode 100644
index 000000000..179579d47
--- /dev/null
+++ b/conf/plugins/coupling.opt
@@ -0,0 +1,8 @@
+charon.plugins.coupling.file
+ File to store coupling list to.
+
+charon.plugins.coupling.hash = sha1
+ Hashing algorithm to fingerprint coupled certificates.
+
+charon.plugins.coupling.max = 1
+ Maximum number of coupling entries to create.
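Review bot: `charon.plugins.coupling.hash = sha1` is described only as `Hashing algorithm to fingerprint coupled certificates.`, without saying which other values are accepted. SHA-1 is no longer collision resistant, and an operator who wants a stronger fingerprint cannot tell from this text how to request one. I would name the accepted algorithms in the description, for example `Hashing algorithm to fingerprint coupled certificates (e.g. sha1, sha256).`, after confirming the names against the plugin's parser. coupling.conf repeats the same comment.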
diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf
new file mode 100644
index 000000000..b0e8c84c8
--- /dev/null
+++ b/conf/plugins/dhcp.conf
@@ -0,0 +1,20 @@
+dhcp {
+
+ # Always use the configured server address.
+ # force_server_address = no
+
+ # Derive user-defined MAC address from hash of IKE identity.
+ # identity_lease = no
+
+ # Interface name the plugin uses for address allocation.
+ # interface =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # DHCP server unicast or broadcast IP address.
+ # server = 255.255.255.255
+
+}
+
diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt
new file mode 100644
index 000000000..9c7b86091
--- /dev/null
+++ b/conf/plugins/dhcp.opt
@@ -0,0 +1,22 @@
+charon.plugins.dhcp.force_server_address = no
+ Always use the configured server address.
+
+ Always use the configured server address. This might be helpful if the DHCP
+ server runs on the same host as strongSwan, and the DHCP daemon does not
+ listen on the loopback interface. In that case the server cannot be reached
+ via unicast (or even 255.255.255.255) as that would be routed via loopback.
+ Setting this option to yes and configuring the local broadcast address (e.g.
+ 192.168.0.255) as server address might work.
+
+charon.plugins.dhcp.identity_lease = no
+ Derive user-defined MAC address from hash of IKE identity.
+
+charon.plugins.dhcp.server = 255.255.255.255
+ DHCP server unicast or broadcast IP address.
+
+charon.plugins.dhcp.interface
+ Interface name the plugin uses for address allocation.
+
+ Interface name the plugin uses for address allocation. The default is to
+ bind to any (0.0.0.0) and let the system decide which way to route the
+ packets to the DHCP server.
diff --git a/conf/plugins/dnscert.conf b/conf/plugins/dnscert.conf
new file mode 100644
index 000000000..c29b6ed43
--- /dev/null
+++ b/conf/plugins/dnscert.conf
@@ -0,0 +1,11 @@
+dnscert {
+
+ # Enable fetching of CERT RRs via DNS.
+ # enable = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/dnscert.opt b/conf/plugins/dnscert.opt
new file mode 100644
index 000000000..fd5a8d819
--- /dev/null
+++ b/conf/plugins/dnscert.opt
@@ -0,0 +1,2 @@
+charon.plugins.dnscert.enable = no
+ Enable fetching of CERT RRs via DNS.
diff --git a/conf/plugins/duplicheck.conf b/conf/plugins/duplicheck.conf
new file mode 100644
index 000000000..212fe404d
--- /dev/null
+++ b/conf/plugins/duplicheck.conf
@@ -0,0 +1,14 @@
+duplicheck {
+
+ # Enable duplicheck plugin (if loaded).
+ # enable = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the duplicheck plugin.
+ # socket = unix://${piddir}/charon.dck
+
+}
+
diff --git a/conf/plugins/duplicheck.opt b/conf/plugins/duplicheck.opt
new file mode 100644
index 000000000..ff54fe3a8
--- /dev/null
+++ b/conf/plugins/duplicheck.opt
@@ -0,0 +1,5 @@
+charon.plugins.duplicheck.enable = yes
+ Enable duplicheck plugin (if loaded).
+
+charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck
+ Socket provided by the duplicheck plugin.
diff --git a/conf/plugins/eap-aka-3ggp2.conf b/conf/plugins/eap-aka-3ggp2.conf
new file mode 100644
index 000000000..c52c99609
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.conf
@@ -0,0 +1,10 @@
+eap-aka-3ggp2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # seq_check =
+
+}
+
diff --git a/conf/plugins/eap-aka-3ggp2.opt b/conf/plugins/eap-aka-3ggp2.opt
new file mode 100644
index 000000000..9e2a42b3f
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka-3ggp2.seq_check =
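Review bot: The key `charon.plugins.eap-aka-3ggp2.seq_check` and the file name spell the plugin `3ggp2`, while the plugin is, as far as I know, named `eap-aka-3gpp2`; if so, a value set under this key or in the `eap-aka-3ggp2 { }` section of the matching .conf would never be read. The option also has no description and an empty default, so an administrator cannot tell what the sequence check covers or whether it is on. Please correct the spelling and add a description line that states the default. The same missing description applies to `request_identity` in eap-aka.opt and eap-sim.opt and to both keys in eap-simaka-sql.opt.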
diff --git a/conf/plugins/eap-aka.conf b/conf/plugins/eap-aka.conf
new file mode 100644
index 000000000..278f1d677
--- /dev/null
+++ b/conf/plugins/eap-aka.conf
@@ -0,0 +1,10 @@
+eap-aka {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # request_identity = yes
+
+}
+
diff --git a/conf/plugins/eap-aka.opt b/conf/plugins/eap-aka.opt
new file mode 100644
index 000000000..e8d166db9
--- /dev/null
+++ b/conf/plugins/eap-aka.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka.request_identity = yes
diff --git a/conf/plugins/eap-dynamic.conf b/conf/plugins/eap-dynamic.conf
new file mode 100644
index 000000000..7b738b1b2
--- /dev/null
+++ b/conf/plugins/eap-dynamic.conf
@@ -0,0 +1,14 @@
+eap-dynamic {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Prefer peer's proposed EAP methods.
+ # prefer_user = no
+
+ # The preferred EAP method(s) to be used.
+ # preferred =
+
+}
+
diff --git a/conf/plugins/eap-dynamic.opt b/conf/plugins/eap-dynamic.opt
new file mode 100644
index 000000000..2d50a0aab
--- /dev/null
+++ b/conf/plugins/eap-dynamic.opt
@@ -0,0 +1,13 @@
+charon.plugins.eap-dynamic.preferred =
+ The preferred EAP method(s) to be used.
+
+ The preferred EAP method(s) to be used. If it is not given the first
+ registered method will be used initially. If a comma separated list is
+ given the methods are tried in the given order before trying the rest of
+ the registered methods.
+
+charon.plugins.eap-dynamic.prefer_user = no
+ Prefer peer's proposed EAP methods.
+
+ If enabled the EAP methods proposed in an EAP-Nak message sent by the peer
+ are preferred over the methods registered locally.
diff --git a/conf/plugins/eap-gtc.conf b/conf/plugins/eap-gtc.conf
new file mode 100644
index 000000000..4760f3fc8
--- /dev/null
+++ b/conf/plugins/eap-gtc.conf
@@ -0,0 +1,11 @@
+eap-gtc {
+
+ # XAuth backend to be used for credential verification.
+ # backend = pam
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/eap-gtc.opt b/conf/plugins/eap-gtc.opt
new file mode 100644
index 000000000..3fe8b7d68
--- /dev/null
+++ b/conf/plugins/eap-gtc.opt
@@ -0,0 +1,2 @@
+charon.plugins.eap-gtc.backend = pam
+ XAuth backend to be used for credential verification.
diff --git a/conf/plugins/eap-peap.conf b/conf/plugins/eap-peap.conf
new file mode 100644
index 000000000..600e16426
--- /dev/null
+++ b/conf/plugins/eap-peap.conf
@@ -0,0 +1,30 @@
+eap-peap {
+
+ # Maximum size of an EAP-PEAP packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-PEAP packets.
+ # include_length = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-PEAP packets (0 = no limit).
+ # max_message_count = 32
+
+ # Phase2 EAP client authentication method.
+ # phase2_method = mschapv2
+
+ # Phase2 EAP Identity request piggybacked by server onto TLS Finished
+ # message.
+ # phase2_piggyback = no
+
+ # Start phase2 EAP TNC protocol after successful client authentication.
+ # phase2_tnc = no
+
+ # Request peer authentication based on a client certificate.
+ # request_peer_auth = no
+
+}
+
diff --git a/conf/plugins/eap-peap.opt b/conf/plugins/eap-peap.opt
new file mode 100644
index 000000000..6fe88606d
--- /dev/null
+++ b/conf/plugins/eap-peap.opt
@@ -0,0 +1,20 @@
+charon.plugins.eap-peap.fragment_size = 1024
+ Maximum size of an EAP-PEAP packet.
+
+charon.plugins.eap-peap.max_message_count = 32
+ Maximum number of processed EAP-PEAP packets (0 = no limit).
+
+charon.plugins.eap-peap.include_length = no
+ Include length in non-fragmented EAP-PEAP packets.
+
+charon.plugins.eap-peap.phase2_method = mschapv2
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-peap.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-peap.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-peap.request_peer_auth = no
+ Request peer authentication based on a client certificate.
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
new file mode 100644
index 000000000..53023b81e
--- /dev/null
+++ b/conf/plugins/eap-radius.conf
@@ -0,0 +1,86 @@
+eap-radius {
+
+ # Send RADIUS accounting information to RADIUS servers.
+ # accounting = no
+
+ # If enabled, accounting is disabled unless an IKE_SA has at least one
+ # virtual IP.
+ # accounting_requires_vip = no
+
+ # Use class attributes in RADIUS-Accept messages as group membership
+ # information.
+ # class_group = no
+
+ # Closes all IKE_SAs if communication with the RADIUS server times out. If
+ # it is not set only the current IKE_SA is closed.
+ # close_all_on_timeout = no
+
+ # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+ # eap_start = no
+
+ # Use filter_id attribute as group membership information.
+ # filter_id = no
+
+ # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ # EAP method.
+ # id_prefix =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # NAS-Identifier to include in RADIUS messages.
+ # nas_identifier = strongSwan
+
+ # Port of RADIUS server (authentication).
+ # port = 1812
+
+ # Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ # permissions of the config file accordingly.
+ # secret =
+
+ # IP/Hostname of RADIUS server.
+ # server =
+
+ # Number of sockets (ports) to use, increase for high load.
+ # sockets = 1
+
+ dae {
+
+ # Enables support for the Dynamic Authorization Extension (RFC 5176).
+ # enable = no
+
+ # Address to listen for DAE messages from the RADIUS server.
+ # listen = 0.0.0.0
+
+ # Port to listen for DAE requests.
+ # port = 3799
+
+ # Shared secret used to verify/sign DAE messages. If set, make sure to
+ # adjust the permissions of the config file accordingly.
+ # secret =
+
+ }
+
+ forward {
+
+ # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+ # ike_to_radius =
+
+ # Same as ike_to_radius but from RADIUS to IKEv2.
+ # radius_to_ike =
+
+ }
+
+ # Section to specify multiple RADIUS servers.
+ servers {
+
+ }
+
+ # Section to configure multiple XAuth authentication rounds via RADIUS.
+ xauth {
+
+ }
+
+}
+
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
new file mode 100644
index 000000000..0edd3458c
--- /dev/null
+++ b/conf/plugins/eap-radius.opt
@@ -0,0 +1,105 @@
+charon.plugins.eap-radius.accounting = no
+ Send RADIUS accounting information to RADIUS servers.
+
+charon.plugins.eap-radius.accounting_requires_vip = no
+ If enabled, accounting is disabled unless an IKE_SA has at least one
+ virtual IP.
+
+charon.plugins.eap-radius.class_group = no
+ Use class attributes in RADIUS-Accept messages as group membership
+ information.
+
+ Use the _class_ attribute sent in the RADIUS-Accept message as group
+ membership information that is compared to the groups specified in the
+ **rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.close_all_on_timeout = no
+ Closes all IKE_SAs if communication with the RADIUS server times out. If it
+ is not set only the current IKE_SA is closed.
+
+charon.plugins.eap-radius.dae.enable = no
+ Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+charon.plugins.eap-radius.dae.listen = 0.0.0.0
+ Address to listen for DAE messages from the RADIUS server.
+
+charon.plugins.eap-radius.dae.port = 3799
+ Port to listen for DAE requests.
+
+charon.plugins.eap-radius.dae.secret
+ Shared secret used to verify/sign DAE messages. If set, make sure to adjust
+ the permissions of the config file accordingly.
+
+charon.plugins.eap-radius.eap_start = no
+ Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+
+charon.plugins.eap-radius.filter_id = no
+ Use filter_id attribute as group membership information.
+
+ If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
+ the _filter_id_ attribute sent in the RADIUS-Accept message as group
+ membership information that is compared to the groups specified in the
+ **rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.forward.ike_to_radius
+ RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+
+ RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+ name or attribute number, a colon can be used to specify vendor-specific
+ attributes, e.g. Reply-Message, or 11, or 36906:12).
+
+charon.plugins.eap-radius.forward.radius_to_ike =
+ Same as ike_to_radius but from RADIUS to IKEv2.
+
+ Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
+ IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+ attributes.
+
+charon.plugins.eap-radius.id_prefix
+ Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ EAP method.
+
+charon.plugins.eap-radius.nas_identifier = strongSwan
+ NAS-Identifier to include in RADIUS messages.
+
+charon.plugins.eap-radius.port = 1812
+ Port of RADIUS server (authentication).
+
+charon.plugins.eap-radius.secret =
+ Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ permissions of the config file accordingly.
+
+charon.plugins.eap-radius.server =
+ IP/Hostname of RADIUS server.
+
+charon.plugins.eap-radius.servers {}
+ Section to specify multiple RADIUS servers.
+
+ Section to specify multiple RADIUS servers. The **nas_identifier**,
+ **secret**, **sockets** and **port** (or **auth_port**) options can be
+ specified for each server. A server's IP/Hostname can be configured using
+ the **address** option. The **acct_port** [1813] option can be used to
+ specify the port used for RADIUS accounting. For each RADIUS server a
+ priority can be specified using the **preference** [0] option.
+
+charon.plugins.eap-radius.sockets = 1
+ Number of sockets (ports) to use, increase for high load.
+
+charon.plugins.eap-radius.xauth {}
+ Section to configure multiple XAuth authentication rounds via RADIUS.
+
+ Section to configure multiple XAuth authentication rounds via RADIUS.
+ The subsections define so called authentication profiles with arbitrary
+ names. In each profile section one or more XAuth types can be configured,
+ with an assigned message. For each type a separate XAuth exchange will be
+ initiated and all replies get concatenated into the User-Password attribute,
+ which then gets verified over RADIUS.
+
+ Available XAuth types are **password**, **passcode**, **nextpin**, and
+ **answer**. This type is not relevant to strongSwan or the AAA server, but
+ the client may show a different dialog (along with the configured message).
+
+ To use the configured profiles, they have to be configured in the respective
+ connection in **ipsec.conf**(5) by appending the profile name, separated by
+ a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
+ or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
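Review bot: `charon.plugins.eap-radius.dae.listen = 0.0.0.0` means the DAE listener binds to every local address as soon as `dae.enable` is switched on, and the description `Address to listen for DAE messages from the RADIUS server.` does not say so. Because DAE requests can change or terminate sessions and are protected only by `dae.secret`, I would add a sentence such as `Defaults to all addresses; restrict it to the address facing the RADIUS server when DAE is enabled.` Two smaller points in the same hunk: `XAauth` in the xauth section text should be `XAuth`, and `dae.secret`, `id_prefix` and `forward.ike_to_radius` are written without ` =` while the sibling empty-default keys have it.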
diff --git a/conf/plugins/eap-sim.conf b/conf/plugins/eap-sim.conf
new file mode 100644
index 000000000..96ec2e02c
--- /dev/null
+++ b/conf/plugins/eap-sim.conf
@@ -0,0 +1,10 @@
+eap-sim {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # request_identity = yes
+
+}
+
diff --git a/conf/plugins/eap-sim.opt b/conf/plugins/eap-sim.opt
new file mode 100644
index 000000000..052454c0e
--- /dev/null
+++ b/conf/plugins/eap-sim.opt
@@ -0,0 +1 @@
+charon.plugins.eap-sim.request_identity = yes
diff --git a/conf/plugins/eap-simaka-sql.conf b/conf/plugins/eap-simaka-sql.conf
new file mode 100644
index 000000000..1574a5a85
--- /dev/null
+++ b/conf/plugins/eap-simaka-sql.conf
@@ -0,0 +1,12 @@
+eap-simaka-sql {
+
+ # database =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # remove_used = no
+
+}
+
diff --git a/conf/plugins/eap-simaka-sql.opt b/conf/plugins/eap-simaka-sql.opt
new file mode 100644
index 000000000..6b87a7e94
--- /dev/null
+++ b/conf/plugins/eap-simaka-sql.opt
@@ -0,0 +1,3 @@
+charon.plugins.eap-simaka-sql.database =
+
+charon.plugins.eap-simaka-sql.remove_used = no
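Review bot: `charon.plugins.eap-simaka-sql.database` is the one database option among the files shown here that lacks the password caveat, so the generated eap-simaka-sql.conf offers a bare `# database =` with no hint about file permissions. Assuming it takes a database URI like the other `database` keys, add `Database URI for the eap-simaka-sql plugin. If it contains a password, make sure to adjust the permissions of the config file accordingly.` A one-line description for `remove_used` is missing as well.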
diff --git a/conf/plugins/eap-tls.conf b/conf/plugins/eap-tls.conf
new file mode 100644
index 000000000..e3ce7ded7
--- /dev/null
+++ b/conf/plugins/eap-tls.conf
@@ -0,0 +1,17 @@
+eap-tls {
+
+ # Maximum size of an EAP-TLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TLS packets (0 = no limit).
+ # max_message_count = 32
+
+}
+
diff --git a/conf/plugins/eap-tls.opt b/conf/plugins/eap-tls.opt
new file mode 100644
index 000000000..e7b96523a
--- /dev/null
+++ b/conf/plugins/eap-tls.opt
@@ -0,0 +1,8 @@
+charon.plugins.eap-tls.fragment_size = 1024
+ Maximum size of an EAP-TLS packet.
+
+charon.plugins.eap-tls.max_message_count = 32
+ Maximum number of processed EAP-TLS packets (0 = no limit).
+
+charon.plugins.eap-tls.include_length = yes
+ Include length in non-fragmented EAP-TLS packets.
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
new file mode 100644
index 000000000..aca72f1ed
--- /dev/null
+++ b/conf/plugins/eap-tnc.conf
@@ -0,0 +1,15 @@
+eap-tnc {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TNC packets (0 = no limit).
+ # max_message_count = 10
+
+ # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
+ # tnccs-dynamic).
+ # protocol = tnccs-1.1
+
+}
+
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
new file mode 100644
index 000000000..8e060ceda
--- /dev/null
+++ b/conf/plugins/eap-tnc.opt
@@ -0,0 +1,6 @@
+charon.plugins.eap-tnc.max_message_count = 10
+ Maximum number of processed EAP-TNC packets (0 = no limit).
+
+charon.plugins.eap-tnc.protocol = tnccs-1.1
+ IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
+ _tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf
new file mode 100644
index 000000000..5229625e0
--- /dev/null
+++ b/conf/plugins/eap-ttls.conf
@@ -0,0 +1,30 @@
+eap-ttls {
+
+ # Maximum size of an EAP-TTLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TTLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TTLS packets (0 = no limit).
+ # max_message_count = 32
+
+ # Phase2 EAP client authentication method.
+ # phase2_method = md5
+
+ # Phase2 EAP Identity request piggybacked by server onto TLS Finished
+ # message.
+ # phase2_piggyback = no
+
+ # Start phase2 EAP TNC protocol after successful client authentication.
+ # phase2_tnc = no
+
+ # Request peer authentication based on a client certificate.
+ # request_peer_auth = no
+
+}
+
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
new file mode 100644
index 000000000..21a6cb674
--- /dev/null
+++ b/conf/plugins/eap-ttls.opt
@@ -0,0 +1,20 @@
+charon.plugins.eap-ttls.fragment_size = 1024
+ Maximum size of an EAP-TTLS packet.
+
+charon.plugins.eap-ttls.max_message_count = 32
+ Maximum number of processed EAP-TTLS packets (0 = no limit).
+
+charon.plugins.eap-ttls.include_length = yes
+ Include length in non-fragmented EAP-TTLS packets.
+
+charon.plugins.eap-ttls.phase2_method = md5
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-ttls.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-ttls.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-ttls.request_peer_auth = no
+ Request peer authentication based on a client certificate.
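Review bot: The description of `phase2_method` neither lists the accepted values nor comments on the `md5` default, whereas `protocol` in eap-tnc.opt enumerates its choices. EAP-MD5 gives no mutual authentication and derives no keys of its own, so the text should say that the inner method relies on the outer TLS tunnel and on the client validating the server certificate. Something like `Phase2 EAP client authentication method, carried inside the TTLS tunnel; md5 is the default.` followed by the list of supported method names would do. With `request_peer_auth = no` as the other default, that inner method is the only client authentication, which is worth one sentence in its description too.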
diff --git a/conf/plugins/error-notify.conf b/conf/plugins/error-notify.conf
new file mode 100644
index 000000000..5915a0971
--- /dev/null
+++ b/conf/plugins/error-notify.conf
@@ -0,0 +1,11 @@
+error-notify {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the error-notify plugin.
+ # socket = unix://${piddir}/charon.enfy
+
+}
+
diff --git a/conf/plugins/error-notify.opt b/conf/plugins/error-notify.opt
new file mode 100644
index 000000000..44ea0551e
--- /dev/null
+++ b/conf/plugins/error-notify.opt
@@ -0,0 +1,2 @@
+charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy
+ Socket provided by the error-notify plugin.
diff --git a/conf/plugins/gcrypt.conf b/conf/plugins/gcrypt.conf
new file mode 100644
index 000000000..fce2c7a6e
--- /dev/null
+++ b/conf/plugins/gcrypt.conf
@@ -0,0 +1,11 @@
+gcrypt {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Use faster random numbers in gcrypt; for testing only, produces weak keys!
+ # quick_random = no
+
+}
+
diff --git a/conf/plugins/gcrypt.opt b/conf/plugins/gcrypt.opt
new file mode 100644
index 000000000..c6b0505d7
--- /dev/null
+++ b/conf/plugins/gcrypt.opt
@@ -0,0 +1,2 @@
+charon.plugins.gcrypt.quick_random = no
+ Use faster random numbers in gcrypt; for testing only, produces weak keys!
diff --git a/conf/plugins/ha.conf b/conf/plugins/ha.conf
new file mode 100644
index 000000000..e8b2fa48d
--- /dev/null
+++ b/conf/plugins/ha.conf
@@ -0,0 +1,32 @@
+ha {
+
+ # Interval in seconds to automatically balance handled segments between
+ # nodes. Set to 0 to disable.
+ # autobalance = 0
+
+ # fifo_interface = yes
+
+ # heartbeat_delay = 1000
+
+ # heartbeat_timeout = 2100
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # local =
+
+ # monitor = yes
+
+ # pools =
+
+ # remote =
+
+ # resync = yes
+
+ # secret =
+
+ # segment_count = 1
+
+}
+
diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt
new file mode 100644
index 000000000..77d5b7888
--- /dev/null
+++ b/conf/plugins/ha.opt
@@ -0,0 +1,23 @@
+charon.plugins.ha.autobalance = 0
+ Interval in seconds to automatically balance handled segments between nodes.
+ Set to 0 to disable.
+
+charon.plugins.ha.fifo_interface = yes
+
+charon.plugins.ha.heartbeat_delay = 1000
+
+charon.plugins.ha.heartbeat_timeout = 2100
+
+charon.plugins.ha.local =
+
+charon.plugins.ha.monitor = yes
+
+charon.plugins.ha.pools =
+
+charon.plugins.ha.remote =
+
+charon.plugins.ha.resync = yes
+
+charon.plugins.ha.secret =
+
+charon.plugins.ha.segment_count = 1
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
new file mode 100644
index 000000000..ffb1b45a3
--- /dev/null
+++ b/conf/plugins/imc-attestation.conf
@@ -0,0 +1,26 @@
+imc-attestation {
+
+ # AIK encrypted private key blob file.
+ # aik_blob =
+
+ # AIK certificate file.
+ # aik_cert =
+
+ # AIK public key file.
+ # aik_key =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # DH nonce length.
+ # nonce_len = 20
+
+ # Whether to send pcr_before and pcr_after info.
+ # pcr_info = yes
+
+ # Use Quote2 AIK signature instead of Quote signature.
+ # use_quote2 = yes
+
+}
+
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
new file mode 100644
index 000000000..9c108053b
--- /dev/null
+++ b/conf/plugins/imc-attestation.opt
@@ -0,0 +1,17 @@
+charon.plugins.imc-attestation.aik_blob =
+ AIK encrypted private key blob file.
+
+charon.plugins.imc-attestation.aik_cert =
+ AIK certificate file.
+
+charon.plugins.imc-attestation.aik_key =
+ AIK public key file.
+
+charon.plugins.imc-attestation.nonce_len = 20
+ DH nonce length.
+
+charon.plugins.imc-attestation.use_quote2 = yes
+ Use Quote2 AIK signature instead of Quote signature.
+
+charon.plugins.imc-attestation.pcr_info = yes
+ Whether to send pcr_before and pcr_after info. \ No newline at end of file
diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf
new file mode 100644
index 000000000..1d245d3f3
--- /dev/null
+++ b/conf/plugins/imc-os.conf
@@ -0,0 +1,11 @@
+imc-os {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Send operating system info without being prompted.
+ # push_info = yes
+
+}
+
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
new file mode 100644
index 000000000..2a6333f93
--- /dev/null
+++ b/conf/plugins/imc-os.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-os.push_info = yes
+ Send operating system info without being prompted.
diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf
new file mode 100644
index 000000000..7f2f53106
--- /dev/null
+++ b/conf/plugins/imc-scanner.conf
@@ -0,0 +1,11 @@
+imc-scanner {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Send open listening ports without being prompted.
+ # push_info = yes
+
+}
+
diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt
new file mode 100644
index 000000000..84e6dfa2f
--- /dev/null
+++ b/conf/plugins/imc-scanner.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-scanner.push_info = yes
+ Send open listening ports without being prompted.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
new file mode 100644
index 000000000..8b3317163
--- /dev/null
+++ b/conf/plugins/imc-swid.conf
@@ -0,0 +1,11 @@
+imc-swid {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Directory where SWID tags are located.
+ # swid_directory = ${prefix}/share
+
+}
+
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
new file mode 100644
index 000000000..67f7c79c4
--- /dev/null
+++ b/conf/plugins/imc-swid.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-swid.swid_directory = ${prefix}/share
+ Directory where SWID tags are located.
diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf
new file mode 100644
index 000000000..0d66e3d0c
--- /dev/null
+++ b/conf/plugins/imc-test.conf
@@ -0,0 +1,23 @@
+imc-test {
+
+ # Number of additional IMC IDs.
+ # additional_ids = 0
+
+ # Command to be sent to the Test IMV.
+ # command = none
+
+ # Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+ # dummy_size = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Do a handshake retry.
+ # retry = no
+
+ # Command to be sent to the Test IMV in the handshake retry.
+ # retry_command =
+
+}
+
diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt
new file mode 100644
index 000000000..c3169b5af
--- /dev/null
+++ b/conf/plugins/imc-test.opt
@@ -0,0 +1,14 @@
+charon.plugins.imc-test.additional_ids = 0
+ Number of additional IMC IDs.
+
+charon.plugins.imc-test.command = none
+ Command to be sent to the Test IMV.
+
+charon.plugins.imc-test.dummy_size = 0
+ Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+charon.plugins.imc-test.retry = no
+ Do a handshake retry.
+
+charon.plugins.imc-test.retry_command =
+ Command to be sent to the Test IMV in the handshake retry.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
new file mode 100644
index 000000000..48ffba839
--- /dev/null
+++ b/conf/plugins/imv-attestation.conf
@@ -0,0 +1,42 @@
+imc-attestation {
+
+ # Dummy data if the TBOOT log is not retrieved.
+ # pcr17_after =
+
+ # Dummy data if the TBOOT log is not retrieved.
+ # pcr17_before =
+
+ # Dummy data if the TBOOT log is not retrieved.
+ # pcr17_meas =
+
+ # Dummy data if the TBOOT log is not retrieved.
+ # pcr18_after =
+
+ # Dummy data if the TBOOT log is not retrieved.
+ # pcr18_before =
+
+ # Dummy data if the TBOOT log is not retrieved.
+ # pcr18_meas =
+
+}
+
+imv-attestation {
+
+ # Path to directory with AIK cacerts.
+ # cadir =
+
+ # Preferred Diffie-Hellman group.
+ # dh_group = ecp256
+
+ # Preferred measurement hash algorithm.
+ # hash_algorithm = sha256
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # DH minimum nonce length.
+ # min_nonce_len = 0
+
+}
+
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
new file mode 100644
index 000000000..c0ae20488
--- /dev/null
+++ b/conf/plugins/imv-attestation.opt
@@ -0,0 +1,29 @@
+charon.plugins.imv-attestation.cadir =
+ Path to directory with AIK cacerts.
+
+charon.plugins.imv-attestation.dh_group = ecp256
+ Preferred Diffie-Hellman group.
+
+charon.plugins.imv-attestation.hash_algorithm = sha256
+ Preferred measurement hash algorithm.
+
+charon.plugins.imv-attestation.min_nonce_len = 0
+ DH minimum nonce length.
+
+charon.plugins.imc-attestation.pcr17_after
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr17_before
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr17_meas
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr18_after
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr18_before
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr18_meas
+ Dummy data if the TBOOT log is not retrieved.
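Review bot: The six `pcr17_*`/`pcr18_*` keys are declared under `charon.plugins.imc-attestation` although this file is imv-attestation.opt, and they are written without ` =`, unlike the other empty-default keys in this diff such as `cadir =`. As a result imv-attestation.conf opens a second `imc-attestation { }` block next to the one in imc-attestation.conf. If the IMC is what reads these keys, declaring them in imc-attestation.opt as `charon.plugins.imc-attestation.pcr17_after =` (and so on) keeps one section per file. The shared text `Dummy data if the TBOOT log is not retrieved.` should state that these are placeholder values rather than measurements, so they are not left set where the attestation result is relied on. `min_nonce_len = 0` should say whether 0 means that no minimum is enforced, given that the IMC default `nonce_len` is 20.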
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf
new file mode 100644
index 000000000..8f0da3760
--- /dev/null
+++ b/conf/plugins/imv-os.conf
@@ -0,0 +1,11 @@
+imv-os {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # URI pointing to operating system remediation instructions.
+ # remediation_uri =
+
+}
+
diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt
new file mode 100644
index 000000000..eab926201
--- /dev/null
+++ b/conf/plugins/imv-os.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-os.remediation_uri =
+ URI pointing to operating system remediation instructions.
diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf
new file mode 100644
index 000000000..25719d0ef
--- /dev/null
+++ b/conf/plugins/imv-scanner.conf
@@ -0,0 +1,11 @@
+imv-scanner {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # URI pointing to scanner remediation instructions.
+ # remediation_uri =
+
+}
+
diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt
new file mode 100644
index 000000000..7af87493b
--- /dev/null
+++ b/conf/plugins/imv-scanner.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-scanner.remediation_uri =
+ URI pointing to scanner remediation instructions.
diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf
new file mode 100644
index 000000000..9bd248792
--- /dev/null
+++ b/conf/plugins/imv-test.conf
@@ -0,0 +1,11 @@
+imv-test {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Number of IMC-IMV retry rounds.
+ # rounds = 0
+
+}
+
diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt
new file mode 100644
index 000000000..2cbddc8f6
--- /dev/null
+++ b/conf/plugins/imv-test.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-test.rounds = 0
+ Number of IMC-IMV retry rounds.
diff --git a/conf/plugins/ipseckey.conf b/conf/plugins/ipseckey.conf
new file mode 100644
index 000000000..f2e5e5877
--- /dev/null
+++ b/conf/plugins/ipseckey.conf
@@ -0,0 +1,11 @@
+ipseckey {
+
+ # Enable fetching of IPSECKEY RRs via DNS.
+ # enable = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/ipseckey.opt b/conf/plugins/ipseckey.opt
new file mode 100644
index 000000000..d4cff26dd
--- /dev/null
+++ b/conf/plugins/ipseckey.opt
@@ -0,0 +1,2 @@
+charon.plugins.ipseckey.enable = no
+ Enable fetching of IPSECKEY RRs via DNS.
diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf
new file mode 100644
index 000000000..10ca30839
--- /dev/null
+++ b/conf/plugins/kernel-klips.conf
@@ -0,0 +1,14 @@
+kernel-klips {
+
+ # Number of ipsecN devices.
+ # ipsec_dev_count = 4
+
+ # Set MTU of ipsecN device.
+ # ipsec_dev_mtu = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt
new file mode 100644
index 000000000..ad9806e71
--- /dev/null
+++ b/conf/plugins/kernel-klips.opt
@@ -0,0 +1,5 @@
+charon.plugins.kernel-klips.ipsec_dev_count = 4
+ Number of ipsecN devices.
+
+charon.plugins.kernel-klips.ipsec_dev_mtu = 0
+ Set MTU of ipsecN device.
diff --git a/conf/plugins/kernel-libipsec.conf b/conf/plugins/kernel-libipsec.conf
new file mode 100644
index 000000000..3411be2ff
--- /dev/null
+++ b/conf/plugins/kernel-libipsec.conf
@@ -0,0 +1,11 @@
+kernel-libipsec {
+
+ # Allow that the remote traffic selector equals the IKE peer.
+ # allow_peer_ts = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/kernel-libipsec.opt b/conf/plugins/kernel-libipsec.opt
new file mode 100644
index 000000000..e76db63d9
--- /dev/null
+++ b/conf/plugins/kernel-libipsec.opt
@@ -0,0 +1,7 @@
+charon.plugins.kernel-libipsec.allow_peer_ts = no
+ Allow that the remote traffic selector equals the IKE peer.
+
+ Allow that the remote traffic selector equals the IKE peer. The route
+ installed for such traffic (via TUN device) usually prevents further IKE
+ traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
+ plugins can be used to circumvent that problem.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
new file mode 100644
index 000000000..670746963
--- /dev/null
+++ b/conf/plugins/kernel-netlink.conf
@@ -0,0 +1,19 @@
+kernel-netlink {
+
+ # Firewall mark to set on the routing rule that directs traffic to our
+ # routing table.
+ # fwmark =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether to trigger roam events when interfaces, addresses or routes
+ # change.
+ # roam_events = yes
+
+ # Lifetime of XFRM acquire state in kernel.
+ # xfrm_acq_expires = 165
+
+}
+
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
new file mode 100644
index 000000000..a8e421b6e
--- /dev/null
+++ b/conf/plugins/kernel-netlink.opt
@@ -0,0 +1,18 @@
+charon.plugins.kernel-netlink.fwmark =
+ Firewall mark to set on the routing rule that directs traffic to our routing
+ table.
+
+ Firewall mark to set on the routing rule that directs traffic to our routing
+ table. The format is [!]mark[/mask], where the optional exclamation mark
+ inverts the meaning (i.e. the rule only applies to packets that don't match
+ the mark).
+
+charon.plugins.kernel-netlink.roam_events = yes
+ Whether to trigger roam events when interfaces, addresses or routes change.
+
+charon.plugins.kernel-netlink.xfrm_acq_expires = 165
+ Lifetime of XFRM acquire state in kernel.
+
+ Lifetime of XFRM acquire state in kernel. The value gets written to
+ /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+ acquire messages sent.
diff --git a/conf/plugins/kernel-pfroute.conf b/conf/plugins/kernel-pfroute.conf
new file mode 100644
index 000000000..9aa4dcac0
--- /dev/null
+++ b/conf/plugins/kernel-pfroute.conf
@@ -0,0 +1,12 @@
+kernel-pfroute {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Time in ms to wait until virtual IP addresses appear/disappear before
+ # failing.
+ # vip_wait = 1000
+
+}
+
diff --git a/conf/plugins/kernel-pfroute.opt b/conf/plugins/kernel-pfroute.opt
new file mode 100644
index 000000000..8b9bb9169
--- /dev/null
+++ b/conf/plugins/kernel-pfroute.opt
@@ -0,0 +1,3 @@
+charon.plugins.kernel-pfroute.vip_wait = 1000
+ Time in ms to wait until virtual IP addresses appear/disappear before
+ failing.
diff --git a/conf/plugins/led.conf b/conf/plugins/led.conf
new file mode 100644
index 000000000..0f34adb07
--- /dev/null
+++ b/conf/plugins/led.conf
@@ -0,0 +1,12 @@
+led {
+
+ # activity_led =
+
+ # blink_time = 50
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/led.opt b/conf/plugins/led.opt
new file mode 100644
index 000000000..9e2f1ac61
--- /dev/null
+++ b/conf/plugins/led.opt
@@ -0,0 +1,3 @@
+charon.plugins.led.activity_led =
+
+charon.plugins.led.blink_time = 50
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
new file mode 100644
index 000000000..e69c029d6
--- /dev/null
+++ b/conf/plugins/load-tester.conf
@@ -0,0 +1,138 @@
+# Section to configure the load-tester plugin, see LOAD TESTS in
+# strongswan.conf(5) for details.
+load-tester {
+
+ # Whether to keep dynamic addresses even after the associated SA got
+ # terminated.
+ # addrs_keep = no
+
+ # Network prefix length to use when installing dynamic addresses. If set to
+ # -1 the full address is used (i.e. 32 or 128).
+ # addrs_prefix = 16
+
+ # Directory to load (intermediate) CA certificates from.
+ # ca_dir =
+
+ # Seconds to start CHILD_SA rekeying after setup.
+ # child_rekey = 600
+
+ # Delay between initiatons for each thread.
+ # delay = 0
+
+ # Delete an IKE_SA as soon as it has been established.
+ # delete_after_established = no
+
+ # Digest algorithm used when issuing certificates.
+ # digest = sha1
+
+ # DPD delay to use in load test.
+ # dpd_delay = 0
+
+ # Base port to be used for requests (each client uses a different port).
+ # dynamic_port = 0
+
+ # EAP secret to use in load test.
+ # eap_password = default-pwd
+
+ # Enable the load testing plugin. WARNING: Never enable this plugin on
+ # productive systems. It provides preconfigured credentials and allows an
+ # attacker to authenticate as any user.
+ # enable = no
+
+ # CHILD_SA proposal to use for load tests.
+ # esp = aes128-sha1
+
+ # Fake the kernel interface to allow load-testing against self.
+ # fake_kernel = no
+
+ # Seconds to start IKE_SA rekeying after setup.
+ # ike_rekey = 0
+
+ # Global limit of concurrently established SAs during load test.
+ # init_limit = 0
+
+ # Address to initiate from.
+ # initiator = 0.0.0.0
+
+ # Authentication method(s) the intiator uses.
+ # initiator_auth = pubkey
+
+ # Initiator ID used in load test.
+ # initiator_id =
+
+ # Initiator ID to match against as responder.
+ # initiator_match =
+
+ # Traffic selector on initiator side, as proposed by initiator.
+ # initiator_tsi =
+
+ # Traffic selector on responder side, as proposed by initiator.
+ # initiator_tsr =
+
+ # Number of concurrent initiator threads to use in load test.
+ # initiators = 0
+
+ # Path to the issuer certificate (if not configured a hard-coded default
+ # value is used).
+ # issuer_cert =
+
+ # Path to private key that is used to issue certificates (if not configured
+ # a hard-coded default value is used).
+ # issuer_key =
+
+ # Number of IKE_SAs to initiate by each initiator in load test.
+ # iterations = 1
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # IPsec mode to use, one of tunnel, transport, or beet.
+ # mode = tunnel
+
+ # Provide INTERNAL_IPV4_ADDRs from a named pool.
+ # pool =
+
+ # Preshared key to use in load test.
+ # preshared_key = <default-psk>
+
+ # IKE proposal to use in load test.
+ # proposal = aes128-sha1-modp768
+
+ # Request an INTERNAL_IPV4_ADDR from the server.
+ # request_virtual_ip = no
+
+ # Address to initiation connections to.
+ # responder = 127.0.0.1
+
+ # Authentication method(s) the responder uses.
+ # responder_auth = pubkey
+
+ # Responder ID used in load test.
+ # responder_id =
+
+ # Traffic selector on initiator side, as narrowed by responder.
+ # responder_tsi = initiator_tsi
+
+ # Traffic selector on responder side, as narrowed by responder.
+ # responder_tsr = initiator_tsr
+
+ # Shutdown the daemon after all IKE_SAs have been established.
+ # shutdown_when_complete = no
+
+ # Socket provided by the load-tester plugin.
+ # socket = unix://${piddir}/charon.ldt
+
+ # IKE version to use (0 means use IKEv2 as initiator and accept any version
+ # as responder).
+ # version = 0
+
+ # Section that contains key/value pairs with address pools (in CIDR
+ # notation) to use for a specific network interface e.g. eth0 =
+ # 10.10.0.0/16.
+ addrs {
+
+ }
+
+}
+
diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt
new file mode 100644
index 000000000..7afe32618
--- /dev/null
+++ b/conf/plugins/load-tester.opt
@@ -0,0 +1,128 @@
+charon.plugins.load-tester {}
+ Section to configure the load-tester plugin, see LOAD TESTS in
+ **strongswan.conf**(5) for details.
+
+charon.plugins.load-tester.addrs {}
+ Section that contains key/value pairs with address pools (in CIDR notation)
+ to use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+charon.plugins.load-tester.addrs_keep = no
+ Whether to keep dynamic addresses even after the associated SA got
+ terminated.
+
+charon.plugins.load-tester.addrs_prefix = 16
+ Network prefix length to use when installing dynamic addresses.
+ If set to -1 the full address is used (i.e. 32 or 128).
+
+charon.plugins.load-tester.ca_dir =
+ Directory to load (intermediate) CA certificates from.
+
+charon.plugins.load-tester.child_rekey = 600
+ Seconds to start CHILD_SA rekeying after setup.
+
+charon.plugins.load-tester.delay = 0
+ Delay between initiatons for each thread.
+
+charon.plugins.load-tester.delete_after_established = no
+ Delete an IKE_SA as soon as it has been established.
+
+charon.plugins.load-tester.digest = sha1
+ Digest algorithm used when issuing certificates.
+
+charon.plugins.load-tester.dpd_delay = 0
+ DPD delay to use in load test.
+
+charon.plugins.load-tester.dynamic_port = 0
+ Base port to be used for requests (each client uses a different port).
+
+charon.plugins.load-tester.eap_password = default-pwd
+ EAP secret to use in load test.
+
+charon.plugins.load-tester.enable = no
+ Enable the load testing plugin. **WARNING**: Never enable this plugin on
+ productive systems. It provides preconfigured credentials and allows an
+ attacker to authenticate as any user.
+
+charon.plugins.load-tester.esp = aes128-sha1
+ CHILD_SA proposal to use for load tests.
+
+charon.plugins.load-tester.fake_kernel = no
+ Fake the kernel interface to allow load-testing against self.
+
+charon.plugins.load-tester.ike_rekey = 0
+ Seconds to start IKE_SA rekeying after setup.
+
+charon.plugins.load-tester.init_limit = 0
+ Global limit of concurrently established SAs during load test.
+
+charon.plugins.load-tester.initiator = 0.0.0.0
+ Address to initiate from.
+
+charon.plugins.load-tester.initiators = 0
+ Number of concurrent initiator threads to use in load test.
+
+charon.plugins.load-tester.initiator_auth = pubkey
+ Authentication method(s) the intiator uses.
+
+charon.plugins.load-tester.initiator_id =
+ Initiator ID used in load test.
+
+charon.plugins.load-tester.initiator_match =
+ Initiator ID to match against as responder.
+
+charon.plugins.load-tester.initiator_tsi =
+ Traffic selector on initiator side, as proposed by initiator.
+
+charon.plugins.load-tester.initiator_tsr =
+ Traffic selector on responder side, as proposed by initiator.
+
+charon.plugins.load-tester.iterations = 1
+ Number of IKE_SAs to initiate by each initiator in load test.
+
+charon.plugins.load-tester.issuer_cert =
+ Path to the issuer certificate (if not configured a hard-coded default value
+ is used).
+
+charon.plugins.load-tester.issuer_key =
+ Path to private key that is used to issue certificates (if not configured a
+ hard-coded default value is used).
+
+charon.plugins.load-tester.mode = tunnel
+ IPsec mode to use, one of _tunnel_, _transport_, or _beet_.
+
+charon.plugins.load-tester.pool =
+ Provide INTERNAL_IPV4_ADDRs from a named pool.
+
+charon.plugins.load-tester.preshared_key = <default-psk>
+ Preshared key to use in load test.
+
+charon.plugins.load-tester.proposal = aes128-sha1-modp768
+ IKE proposal to use in load test.
+
+charon.plugins.load-tester.responder = 127.0.0.1
+ Address to initiation connections to.
+
+charon.plugins.load-tester.responder_auth = pubkey
+ Authentication method(s) the responder uses.
+
+charon.plugins.load-tester.responder_id =
+ Responder ID used in load test.
+
+charon.plugins.load-tester.responder_tsi = initiator_tsi
+ Traffic selector on initiator side, as narrowed by responder.
+
+charon.plugins.load-tester.responder_tsr = initiator_tsr
+ Traffic selector on responder side, as narrowed by responder.
+
+charon.plugins.load-tester.request_virtual_ip = no
+ Request an INTERNAL_IPV4_ADDR from the server.
+
+charon.plugins.load-tester.shutdown_when_complete = no
+ Shutdown the daemon after all IKE_SAs have been established.
+
+charon.plugins.load-tester.socket = unix://${piddir}/charon.ldt
+ Socket provided by the load-tester plugin.
+
+charon.plugins.load-tester.version = 0
+ IKE version to use (0 means use IKEv2 as initiator and accept any version as
+ responder).
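Review bot: The WARNING is attached only to `enable`, while the defaults that make the plugin risky (`eap_password = default-pwd`, `preshared_key = <default-psk>` and the hard-coded issuer certificate and key) are described like ordinary settings. load-tester.conf in this commit ships `load = yes`, so `enable = no` appears to be the only switch between an installed plugin and those preconfigured credentials. The `enable` description should say that explicitly, and the credential options should note that their defaults are fixed, publicly known values. `digest = sha1` and `proposal = aes128-sha1-modp768` deserve a remark that they are load-test defaults, not recommended algorithms. Typos to fix in the same descriptions: `initiatons`, `intiator`, and `Address to initiation connections to`.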
diff --git a/conf/plugins/lookip.conf b/conf/plugins/lookip.conf
new file mode 100644
index 000000000..53958221f
--- /dev/null
+++ b/conf/plugins/lookip.conf
@@ -0,0 +1,11 @@
+lookip {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the lookip plugin.
+ # socket = unix://${piddir}/charon.lkp
+
+}
+
diff --git a/conf/plugins/lookip.opt b/conf/plugins/lookip.opt
new file mode 100644
index 000000000..443eb34bb
--- /dev/null
+++ b/conf/plugins/lookip.opt
@@ -0,0 +1,2 @@
+charon.plugins.lookip.socket = unix://${piddir}/charon.lkp
+ Socket provided by the lookip plugin.
diff --git a/conf/plugins/ntru.conf b/conf/plugins/ntru.conf
new file mode 100644
index 000000000..6487b3653
--- /dev/null
+++ b/conf/plugins/ntru.conf
@@ -0,0 +1,17 @@
+ntru {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Number of pseudo-random bit requests from the DRBG before an automatic
+ # reseeding occurs.
+ # max_drbg_requests = 4294967294
+
+ # The following parameter sets are available: x9_98_speed, x9_98_bandwidth,
+ # x9_98_balance and optimum, the last set not being part of the X9.98
+ # standard but having the best performance.
+ # parameter_set = optimum
+
+}
+
diff --git a/conf/plugins/ntru.opt b/conf/plugins/ntru.opt
new file mode 100644
index 000000000..8e1bebd87
--- /dev/null
+++ b/conf/plugins/ntru.opt
@@ -0,0 +1,8 @@
+charon.plugins.ntru.max_drbg_requests = 4294967294
+ Number of pseudo-random bit requests from the DRBG before an automatic
+ reseeding occurs.
+
+charon.plugins.ntru.parameter_set = optimum
+ The following parameter sets are available: **x9_98_speed**,
+ **x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
+ being part of the X9.98 standard but having the best performance.
diff --git a/conf/plugins/openssl.conf b/conf/plugins/openssl.conf
new file mode 100644
index 000000000..08ed7592b
--- /dev/null
+++ b/conf/plugins/openssl.conf
@@ -0,0 +1,14 @@
+openssl {
+
+ # ENGINE ID to use in the OpenSSL plugin.
+ # engine_id = pkcs11
+
+ # Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+ # fips_mode = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt
new file mode 100644
index 000000000..55d8dcaa1
--- /dev/null
+++ b/conf/plugins/openssl.opt
@@ -0,0 +1,5 @@
+charon.plugins.openssl.engine_id = pkcs11
+ ENGINE ID to use in the OpenSSL plugin.
+
+charon.plugins.openssl.fips_mode = 0
+ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf
new file mode 100644
index 000000000..35248c2ce
--- /dev/null
+++ b/conf/plugins/pkcs11.conf
@@ -0,0 +1,37 @@
+pkcs11 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether to load certificates from tokens.
+ # load_certs = yes
+
+ # Reload certificates from all tokens if charon receives a SIGHUP.
+ # reload_certs = no
+
+ # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
+ # option).
+ # use_dh = no
+
+ # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+ # operations. ECDSA private keys can be used regardless of this option.
+ # use_ecc = no
+
+ # Whether the PKCS#11 modules should be used to hash data.
+ # use_hasher = no
+
+ # Whether the PKCS#11 modules should be used for public key operations, even
+ # for keys not stored on tokens.
+ # use_pubkey = no
+
+ # Whether the PKCS#11 modules should be used as RNG.
+ # use_rng = no
+
+ # List of available PKCS#11 modules.
+ modules {
+
+ }
+
+}
+
diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt
new file mode 100644
index 000000000..f5a202844
--- /dev/null
+++ b/conf/plugins/pkcs11.opt
@@ -0,0 +1,26 @@
+charon.plugins.pkcs11.modules {}
+ List of available PKCS#11 modules.
+
+charon.plugins.pkcs11.load_certs = yes
+ Whether to load certificates from tokens.
+
+charon.plugins.pkcs11.reload_certs = no
+ Reload certificates from all tokens if charon receives a SIGHUP.
+
+charon.plugins.pkcs11.use_dh = no
+ Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_
+ option).
+
+charon.plugins.pkcs11.use_ecc = no
+ Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+ operations. ECDSA private keys can be used regardless of this option.
+
+charon.plugins.pkcs11.use_hasher = no
+ Whether the PKCS#11 modules should be used to hash data.
+
+charon.plugins.pkcs11.use_pubkey = no
+ Whether the PKCS#11 modules should be used for public key operations, even
+ for keys not stored on tokens.
+
+charon.plugins.pkcs11.use_rng = no
+ Whether the PKCS#11 modules should be used as RNG.
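Review bot: The `charon.plugins.pkcs11.modules {}` entry at the top of this file documents the section but none of the keys inside it, so a reader cannot tell from this description how a module is declared. Each module names a shared library that is loaded into the daemon's process, which makes the path a trust decision worth documenting. I would add an entry `charon.plugins.pkcs11.modules.<name>.path =` with a description along the lines of `Full path to the shared object file of this PKCS#11 module; the file should be writable by root only.`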
diff --git a/conf/plugins/radattr.conf b/conf/plugins/radattr.conf
new file mode 100644
index 000000000..6b085987d
--- /dev/null
+++ b/conf/plugins/radattr.conf
@@ -0,0 +1,15 @@
+radattr {
+
+ # Directory where RADIUS attributes are stored in client-ID specific files.
+ # dir =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Add attributes to all IKE_AUTH messages (-1) or only to the one with the
+ # given message ID.
+ # message_id = -1
+
+}
+
diff --git a/conf/plugins/radattr.opt b/conf/plugins/radattr.opt
new file mode 100644
index 000000000..dcc1bf2f7
--- /dev/null
+++ b/conf/plugins/radattr.opt
@@ -0,0 +1,9 @@
+charon.plugins.radattr.dir =
+ Directory where RADIUS attributes are stored in client-ID specific files.
+
+charon.plugins.radattr.message_id = -1
+ Add attributes to all IKE_AUTH messages (-1) or only to the one with the
+ given message ID.
+
+ Attributes are added to all IKE_AUTH messages by default (-1), or only to
+ the IKE_AUTH message with the given IKEv2 message ID.
diff --git a/conf/plugins/random.conf b/conf/plugins/random.conf
new file mode 100644
index 000000000..e0af75fd7
--- /dev/null
+++ b/conf/plugins/random.conf
@@ -0,0 +1,18 @@
+random {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read random bytes from.
+ # random = ${random_device}
+
+ # If set to yes the RNG_STRONG class reads random bytes from the same source
+ # as the RNG_TRUE class.
+ # strong_equals_true = no
+
+ # File to read pseudo random bytes from.
+ # urandom = ${urandom_device}
+
+}
+
diff --git a/conf/plugins/random.opt b/conf/plugins/random.opt
new file mode 100644
index 000000000..1cbde288b
--- /dev/null
+++ b/conf/plugins/random.opt
@@ -0,0 +1,9 @@
+charon.plugins.random.random = ${random_device}
+ File to read random bytes from.
+
+charon.plugins.random.urandom = ${urandom_device}
+ File to read pseudo random bytes from.
+
+charon.plugins.random.strong_equals_true = no
+ If set to yes the RNG_STRONG class reads random bytes from the same source
+ as the RNG_TRUE class.
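Review bot: The descriptions of `random` and `urandom` do not say which RNG quality class reads which file, so the effect of `strong_equals_true` cannot be worked out from this file alone. If I read the plugin correctly, RNG_TRUE uses the first file and RNG_STRONG the second unless the option is set; that should be confirmed against the code before it is written down. The two summaries could then read `File to read random bytes from (RNG_TRUE).` and `File to read pseudo random bytes from (RNG_STRONG unless strong_equals_true is set).`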
diff --git a/conf/plugins/resolve.conf b/conf/plugins/resolve.conf
new file mode 100644
index 000000000..5d9ca72de
--- /dev/null
+++ b/conf/plugins/resolve.conf
@@ -0,0 +1,18 @@
+resolve {
+
+ # File where to add DNS server entries.
+ # file = /etc/resolv.conf
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ resolvconf {
+
+ # Prefix used for interface names sent to resolvconf(8).
+ # iface_prefix = lo.inet.ipsec.
+
+ }
+
+}
+
diff --git a/conf/plugins/resolve.opt b/conf/plugins/resolve.opt
new file mode 100644
index 000000000..ce65eff9e
--- /dev/null
+++ b/conf/plugins/resolve.opt
@@ -0,0 +1,11 @@
+charon.plugins.resolve.file = /etc/resolv.conf
+ File where to add DNS server entries.
+
+charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec.
+ Prefix used for interface names sent to resolvconf(8).
+
+ Prefix used for interface names sent to **resolvconf**(8). The nameserver
+ address is appended to this prefix to make it unique. The result has to be
+ a valid interface name according to the rules defined by resolvconf. Also,
+ it should have a high priority according to the order defined in
+ **interface-order**(5).
diff --git a/conf/plugins/socket-default.conf b/conf/plugins/socket-default.conf
new file mode 100644
index 000000000..6d4b73dd5
--- /dev/null
+++ b/conf/plugins/socket-default.conf
@@ -0,0 +1,20 @@
+socket-default {
+
+ # Firewall mark to set on outbound packets.
+ # fwmark =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Set source address on outbound packets, if possible.
+ # set_source = yes
+
+ # Listen on IPv4, if possible.
+ # use_ipv4 = yes
+
+ # Listen on IPv6, if possible.
+ # use_ipv6 = yes
+
+}
+
diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt
new file mode 100644
index 000000000..483a0f03d
--- /dev/null
+++ b/conf/plugins/socket-default.opt
@@ -0,0 +1,11 @@
+charon.plugins.socket-default.fwmark =
+ Firewall mark to set on outbound packets.
+
+charon.plugins.socket-default.set_source = yes
+ Set source address on outbound packets, if possible.
+
+charon.plugins.socket-default.use_ipv4 = yes
+ Listen on IPv4, if possible.
+
+charon.plugins.socket-default.use_ipv6 = yes
+ Listen on IPv6, if possible.
diff --git a/conf/plugins/sql.conf b/conf/plugins/sql.conf
new file mode 100644
index 000000000..094231b9c
--- /dev/null
+++ b/conf/plugins/sql.conf
@@ -0,0 +1,15 @@
+sql {
+
+ # Database URI for charon's SQL plugin. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Loglevel for logging to SQL database.
+ # loglevel = -1
+
+}
+
diff --git a/conf/plugins/sql.opt b/conf/plugins/sql.opt
new file mode 100644
index 000000000..f573bba7e
--- /dev/null
+++ b/conf/plugins/sql.opt
@@ -0,0 +1,6 @@
+charon.plugins.sql.database =
+ Database URI for charon's SQL plugin. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+charon.plugins.sql.loglevel = -1
+ Loglevel for logging to SQL database.
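Review bot: The advice for `charon.plugins.sql.database` to "adjust the permissions of the config file accordingly" names neither the file nor the permissions, and with the modular layout added in this commit the option presumably lives in an included snippet rather than in strongswan.conf itself. The same sentence is used for `username_password` in tnc-ifmap.opt and for `radius.secret` in tnc-pdp.opt, and it is repeated in the matching .conf snippets. I would make it concrete, for example `If it contains a password, make sure the file that holds this option is not readable by other users.`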
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
new file mode 100644
index 000000000..6dd063053
--- /dev/null
+++ b/conf/plugins/stroke.conf
@@ -0,0 +1,24 @@
+stroke {
+
+ # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ # certificates even if they don't contain a CA basic constraint.
+ # ignore_missing_ca_basic_constraint = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of stroke messages handled concurrently.
+ # max_concurrent = 4
+
+ # If enabled log level changes via stroke socket are not allowed.
+ # prevent_loglevel_changes = no
+
+ # Socket provided by the stroke plugin.
+ # socket = unix://${piddir}/charon.ctl
+
+ # Timeout in ms for any stroke command. Use 0 to disable the timeout.
+ # timeout = 0
+
+}
+
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
new file mode 100644
index 000000000..2cfc2c6fa
--- /dev/null
+++ b/conf/plugins/stroke.opt
@@ -0,0 +1,15 @@
+charon.plugins.stroke.ignore_missing_ca_basic_constraint = no
+ Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ certificates even if they don't contain a CA basic constraint.
+
+charon.plugins.stroke.max_concurrent = 4
+ Maximum number of stroke messages handled concurrently.
+
+charon.plugins.stroke.prevent_loglevel_changes = no
+ If enabled log level changes via stroke socket are not allowed.
+
+charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
+ Socket provided by the stroke plugin.
+
+charon.plugins.stroke.timeout = 0
+ Timeout in ms for any stroke command. Use 0 to disable the timeout.
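Review bot: The description of `charon.plugins.stroke.ignore_missing_ca_basic_constraint` says what the option does but not what is given up when it is enabled: every certificate found in ipsec.d/cacerts or in a ca section is then accepted as an issuer, whether or not it was issued as a CA. A long description after the summary, in the style used in radattr.opt, would cover this, e.g. `Enable only for legacy CA certificates that lack the constraint, and keep ipsec.d/cacerts limited to certificates that are meant to act as CAs.`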
diff --git a/conf/plugins/systime-fix.conf b/conf/plugins/systime-fix.conf
new file mode 100644
index 000000000..f5cd4cd5d
--- /dev/null
+++ b/conf/plugins/systime-fix.conf
@@ -0,0 +1,22 @@
+systime-fix {
+
+ # Interval in seconds to check system time for validity. 0 disables the
+ # check.
+ # interval = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether to use reauth or delete if an invalid cert lifetime is detected.
+ # reauth = no
+
+ # Threshold date where system time is considered valid. Disabled if not
+ # specified.
+ # threshold =
+
+ # strptime(3) format used to parse threshold option.
+ # threshold_format = %Y
+
+}
+
diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt
new file mode 100644
index 000000000..7abd03627
--- /dev/null
+++ b/conf/plugins/systime-fix.opt
@@ -0,0 +1,12 @@
+charon.plugins.systime-fix.interval = 0
+ Interval in seconds to check system time for validity. 0 disables the check.
+
+charon.plugins.systime-fix.reauth = no
+ Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+charon.plugins.systime-fix.threshold =
+ Threshold date where system time is considered valid. Disabled if not
+ specified.
+
+charon.plugins.systime-fix.threshold_format = %Y
+ **strptime**(3) format used to parse threshold option.
diff --git a/conf/plugins/tnc-ifmap.conf b/conf/plugins/tnc-ifmap.conf
new file mode 100644
index 000000000..02f7c881f
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.conf
@@ -0,0 +1,30 @@
+tnc-ifmap {
+
+ # Path to X.509 certificate file of IF-MAP client.
+ # client_cert =
+
+ # Path to private key file of IF-MAP client.
+ # client_key =
+
+ # Unique name of strongSwan server as a PEP and/or PDP device.
+ # device_name =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Interval in seconds between periodic IF-MAP RenewSession requests.
+ # renew_session_interval = 150
+
+ # Path to X.509 certificate file of IF-MAP server.
+ # server_cert =
+
+ # URI of the form [https://]servername[:port][/path].
+ # server_uri = https://localhost:8444/imap
+
+ # Credentials of IF-MAP client of the form username:password. If set, make
+ # sure to adjust the permissions of the config file accordingly.
+ # username_password =
+
+}
+
diff --git a/conf/plugins/tnc-ifmap.opt b/conf/plugins/tnc-ifmap.opt
new file mode 100644
index 000000000..155c30697
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.opt
@@ -0,0 +1,21 @@
+charon.plugins.tnc-ifmap.client_cert =
+ Path to X.509 certificate file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.client_key =
+ Path to private key file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.device_name =
+ Unique name of strongSwan server as a PEP and/or PDP device.
+
+charon.plugins.tnc-ifmap.renew_session_interval = 150
+ Interval in seconds between periodic IF-MAP RenewSession requests.
+
+charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap
+ URI of the form [https://]servername[:port][/path].
+
+charon.plugins.tnc-ifmap.server_cert =
+ Path to X.509 certificate file of IF-MAP server.
+
+charon.plugins.tnc-ifmap.username_password =
+ Credentials of IF-MAP client of the form username:password. If set, make
+ sure to adjust the permissions of the config file accordingly.
diff --git a/conf/plugins/tnc-imc.conf b/conf/plugins/tnc-imc.conf
new file mode 100644
index 000000000..f517abcaf
--- /dev/null
+++ b/conf/plugins/tnc-imc.conf
@@ -0,0 +1,14 @@
+tnc-imc {
+
+ # Unload IMC after use.
+ # dlclose = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Preferred language for TNC recommendations.
+ # preferred_language = en
+
+}
+
diff --git a/conf/plugins/tnc-imc.opt b/conf/plugins/tnc-imc.opt
new file mode 100644
index 000000000..7c9af2a30
--- /dev/null
+++ b/conf/plugins/tnc-imc.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnc-imc.dlclose = yes
+ Unload IMC after use.
+
+charon.plugins.tnc-imc.preferred_language = en
+ Preferred language for TNC recommendations.
diff --git a/conf/plugins/tnc-imv.conf b/conf/plugins/tnc-imv.conf
new file mode 100644
index 000000000..799421983
--- /dev/null
+++ b/conf/plugins/tnc-imv.conf
@@ -0,0 +1,14 @@
+tnc-imv {
+
+ # Unload IMV after use.
+ # dlclose = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # TNC recommendation policy, one of default, any, or all.
+ # recommendation_policy = default
+
+}
+
diff --git a/conf/plugins/tnc-imv.opt b/conf/plugins/tnc-imv.opt
new file mode 100644
index 000000000..788753ce7
--- /dev/null
+++ b/conf/plugins/tnc-imv.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnc-imv.dlclose = yes
+ Unload IMV after use.
+
+charon.plugins.tnc-imv.recommendation_policy = default
+ TNC recommendation policy, one of _default_, _any_, or _all_.
diff --git a/conf/plugins/tnc-pdp.conf b/conf/plugins/tnc-pdp.conf
new file mode 100644
index 000000000..d9e926c9e
--- /dev/null
+++ b/conf/plugins/tnc-pdp.conf
@@ -0,0 +1,41 @@
+tnc-pdp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Name of the strongSwan PDP as contained in the AAA certificate.
+ # server =
+
+ # Timeout in seconds before closing incomplete connections.
+ # timeout =
+
+ pt_tls {
+
+ # Enable PT-TLS protocol on the strongSwan PDP.
+ # enable = yes
+
+ # PT-TLS server port the strongSwan PDP is listening on.
+ # port = 271
+
+ }
+
+ radius {
+
+ # Enable RADIUS protocol on the strongSwan PDP.
+ # enable = yes
+
+ # EAP tunnel method to be used.
+ # method = ttls
+
+ # RADIUS server port the strongSwan PDP is listening on.
+ # port = 1812
+
+ # Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure
+ # to adjust the permissions of the config file accordingly.
+ # secret =
+
+ }
+
+}
+
diff --git a/conf/plugins/tnc-pdp.opt b/conf/plugins/tnc-pdp.opt
new file mode 100644
index 000000000..22b00db5e
--- /dev/null
+++ b/conf/plugins/tnc-pdp.opt
@@ -0,0 +1,24 @@
+charon.plugins.tnc-pdp.pt_tls.enable = yes
+ Enable PT-TLS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.pt_tls.port = 271
+ PT-TLS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.enable = yes
+ Enable RADIUS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.radius.method = ttls
+ EAP tunnel method to be used.
+
+charon.plugins.tnc-pdp.radius.port = 1812
+ RADIUS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.secret =
+ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.plugins.tnc-pdp.server =
+ Name of the strongSwan PDP as contained in the AAA certificate.
+
+charon.plugins.tnc-pdp.timeout =
+ Timeout in seconds before closing incomplete connections.
diff --git a/conf/plugins/tnccs-11.conf b/conf/plugins/tnccs-11.conf
new file mode 100644
index 000000000..9b99786b2
--- /dev/null
+++ b/conf/plugins/tnccs-11.conf
@@ -0,0 +1,11 @@
+tnccs-11 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum size of a PA-TNC message (XML & Base64 encoding).
+ # max_message_size = 45000
+
+}
+
diff --git a/conf/plugins/tnccs-11.opt b/conf/plugins/tnccs-11.opt
new file mode 100644
index 000000000..eb313fe06
--- /dev/null
+++ b/conf/plugins/tnccs-11.opt
@@ -0,0 +1,2 @@
+charon.plugins.tnccs-11.max_message_size = 45000
+ Maximum size of a PA-TNC message (XML & Base64 encoding).
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
new file mode 100644
index 000000000..9a57ee14d
--- /dev/null
+++ b/conf/plugins/tnccs-20.conf
@@ -0,0 +1,14 @@
+tnccs-20 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
+ # max_batch_size = 65522
+
+ # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+ # max_message_size = 65490
+
+}
+
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
new file mode 100644
index 000000000..b15bc3fa1
--- /dev/null
+++ b/conf/plugins/tnccs-20.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnccs-20.max_batch_size = 65522
+ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
+
+charon.plugins.tnccs-20.max_message_size = 65490
+ Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
diff --git a/conf/plugins/unbound.conf b/conf/plugins/unbound.conf
new file mode 100644
index 000000000..8d3003118
--- /dev/null
+++ b/conf/plugins/unbound.conf
@@ -0,0 +1,17 @@
+unbound {
+
+ # File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+ # dlv_anchors =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read DNS resolver configuration from.
+ # resolv_conf = /etc/resolv.conf
+
+ # File to read DNSSEC trust anchors from (usually root zone KSK).
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+
+}
+
diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
new file mode 100644
index 000000000..f8ca9ca12
--- /dev/null
+++ b/conf/plugins/unbound.opt
@@ -0,0 +1,17 @@
+charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+ File to read DNS resolver configuration from.
+
+charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+ File to read DNSSEC trust anchors from (usually root zone KSK).
+
+ File to read DNSSEC trust anchors from (usually root zone KSK). The format
+ of the file is the standard DNS Zone file format, anchors can be stored as
+ DS or DNSKEY entries in the file.
+
+charon.plugins.unbound.dlv_anchors =
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It
+ uses the same format as _trust_anchors_. Only one DLV can be configured,
+ which is then used as a root trusted DLV, this means that it is a lookaside
+ for the root.
diff --git a/conf/plugins/updown.conf b/conf/plugins/updown.conf
new file mode 100644
index 000000000..8bcd330a8
--- /dev/null
+++ b/conf/plugins/updown.conf
@@ -0,0 +1,12 @@
+updown {
+
+ # Whether the updown script should handle assigned DNS servers (if enabled
+ # they can't be handled by other plugins, like resolve).
+ # dns_handler = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/updown.opt b/conf/plugins/updown.opt
new file mode 100644
index 000000000..d8bcc82ab
--- /dev/null
+++ b/conf/plugins/updown.opt
@@ -0,0 +1,7 @@
+charon.plugins.updown.dns_handler = no
+ Whether the updown script should handle assigned DNS servers (if enabled
+ they can't be handled by other plugins, like resolve).
+
+ Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+ plugins, like resolve)
diff --git a/conf/plugins/whitelist.conf b/conf/plugins/whitelist.conf
new file mode 100644
index 000000000..c68358bf2
--- /dev/null
+++ b/conf/plugins/whitelist.conf
@@ -0,0 +1,14 @@
+whitelist {
+
+ # Enable loaded whitelist plugin.
+ # enable = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the whitelist plugin.
+ # socket = unix://${piddir}/charon.wlst
+
+}
+
diff --git a/conf/plugins/whitelist.opt b/conf/plugins/whitelist.opt
new file mode 100644
index 000000000..023f7e235
--- /dev/null
+++ b/conf/plugins/whitelist.opt
@@ -0,0 +1,6 @@
+charon.plugins.whitelist.enable = yes
+ Enable loaded whitelist plugin.
+
+charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst
+ Socket provided by the whitelist plugin.
+
diff --git a/conf/plugins/xauth-eap.conf b/conf/plugins/xauth-eap.conf
new file mode 100644
index 000000000..25ea2aa36
--- /dev/null
+++ b/conf/plugins/xauth-eap.conf
@@ -0,0 +1,11 @@
+xauth-eap {
+
+ # EAP plugin to be used as backend for XAuth credential verification.
+ # backend = radius
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/xauth-eap.opt b/conf/plugins/xauth-eap.opt
new file mode 100644
index 000000000..1663f935c
--- /dev/null
+++ b/conf/plugins/xauth-eap.opt
@@ -0,0 +1,2 @@
+charon.plugins.xauth-eap.backend = radius
+ EAP plugin to be used as backend for XAuth credential verification.
diff --git a/conf/plugins/xauth-pam.conf b/conf/plugins/xauth-pam.conf
new file mode 100644
index 000000000..aeba19195
--- /dev/null
+++ b/conf/plugins/xauth-pam.conf
@@ -0,0 +1,18 @@
+xauth-pam {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # PAM service to be used for authentication.
+ # pam_service = login
+
+ # Open/close a PAM session for each active IKE_SA.
+ # session = no
+
+ # If an email address is received as an XAuth username, trim it to just the
+ # username part.
+ # trim_email = yes
+
+}
+
diff --git a/conf/plugins/xauth-pam.opt b/conf/plugins/xauth-pam.opt
new file mode 100644
index 000000000..637dea6a6
--- /dev/null
+++ b/conf/plugins/xauth-pam.opt
@@ -0,0 +1,9 @@
+charon.plugins.xauth-pam.pam_service = login
+ PAM service to be used for authentication.
+
+charon.plugins.xauth-pam.session = no
+ Open/close a PAM session for each active IKE_SA.
+
+charon.plugins.xauth-pam.trim_email = yes
+ If an email address is received as an XAuth username, trim it to just the
+ username part.
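Review bot: With `charon.plugins.xauth-pam.trim_email = yes` as the default, the description does not mention that XAuth usernames differing only in their domain part are handed to PAM as the same account name. An administrator should know this before relying on the received identity for anything beyond the PAM check. I would add a long description with a constructed example such as `Note that user@a.example and user@b.example are then both authenticated as the PAM user "user".`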
diff --git a/conf/strongswan.conf b/conf/strongswan.conf
new file mode 100644
index 000000000..d90672861
--- /dev/null
+++ b/conf/strongswan.conf
@@ -0,0 +1,14 @@
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+}
+
+include strongswan.d/*.conf
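Review bot: The two wildcard `include` lines mean that every file matching *.conf under strongswan.d is parsed, and the man page added in this commit says values from included files replace existing ones, yet the header comment only tells the reader to edit the included files. A stray or unexpectedly writable snippet can therefore change daemon settings, including which plugins load now that `load_modular = yes` is set. I would add a header line such as `# All *.conf files below strongswan.d/ are loaded; keep that directory writable by root only.`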
diff --git a/conf/strongswan.conf.5.head.in b/conf/strongswan.conf.5.head.in
new file mode 100644
index 000000000..23454e758
--- /dev/null
+++ b/conf/strongswan.conf.5.head.in
@@ -0,0 +1,127 @@
+.TH STRONGSWAN.CONF 5 "" "@PACKAGE_VERSION@" "strongSwan"
+.SH NAME
+strongswan.conf \- strongSwan configuration file
+.SH DESCRIPTION
+While the
+.IR ipsec.conf (5)
+configuration file is well suited to define IPsec related configuration
+parameters, it is not useful for other strongSwan applications to read options
+from this file.
+The file is hard to parse and only
+.I ipsec starter
+is capable of doing so. As the number of components of the strongSwan project
+is continually growing, a more flexible configuration file was needed, one that
+is easy to extend and can be used by all components. With strongSwan 4.2.1
+.IR strongswan.conf (5)
+was introduced which meets these requirements.
+
+.SH SYNTAX
+The format of the strongswan.conf file consists of hierarchical
+.B sections
+and a list of
+.B key/value pairs
+in each section. Each section has a name, followed by C-Style curly brackets
+defining the section body. Each section body contains a set of subsections
+and key/value pairs:
+.PP
+.EX
+ settings := (section|keyvalue)*
+ section := name { settings }
+ keyvalue := key = value\\n
+.EE
+.PP
+Values must be terminated by a newline.
+.PP
+Comments are possible using the \fB#\fP-character, but be careful: The parser
+implementation is currently limited and does not like brackets in comments.
+.PP
+Section names and keys may contain any printable character except:
+.PP
+.EX
+ . { } # \\n \\t space
+.EE
+.PP
+An example file in this format might look like this:
+.PP
+.EX
+ a = b
+ section-one {
+ somevalue = asdf
+ subsection {
+ othervalue = xxx
+ }
+ # yei, a comment
+ yetanother = zz
+ }
+ section-two {
+ x = 12
+ }
+.EE
+.PP
+Indentation is optional, you may use tabs or spaces.
+
+.SH INCLUDING FILES
+Using the
+.B include
+statement it is possible to include other files into strongswan.conf, e.g.
+.PP
+.EX
+ include /some/path/*.conf
+.EE
+.PP
+If the file name is not an absolute path, it is considered to be relative
+to the directory of the file containing the include statement. The file name
+may include shell wildcards (see
+.IR sh (1)).
+Also, such inclusions can be nested.
+.PP
+Sections loaded from included files
+.I extend
+previously loaded sections; already existing values are
+.IR replaced .
+It is important to note that settings are added relative to the section the
+include statement is in.
+.PP
+As an example, the following three files result in the same final
+config as the one given above:
+.PP
+.EX
+ a = b
+ section-one {
+ somevalue = before include
+ include include.conf
+ }
+ include other.conf
+
+include.conf:
+ # settings loaded from this file are added to section-one
+ # the following replaces the previous value
+ somevalue = asdf
+ subsection {
+ othervalue = yyy
+ }
+ yetanother = zz
+
+other.conf:
+ # this extends section-one and subsection
+ section-one {
+ subsection {
+ # this replaces the previous value
+ othervalue = xxx
+ }
+ }
+ section-two {
+ x = 12
+ }
+.EE
+
+.SH READING VALUES
+Values are accessed using a dot-separated section list and a key.
+With reference to the example above, accessing
+.B section-one.subsection.othervalue
+will return
+.BR xxx .
+
+.SH DEFINED KEYS
+The following keys are currently defined (using dot notation). The default
+value (if any) is listed in brackets after the key.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
new file mode 100644
index 000000000..282b8fa70
--- /dev/null
+++ b/conf/strongswan.conf.5.main
@@ -0,0 +1,1664 @@
+.TP
+.BR attest.database " []"
+File measurement information database URI. If it contains a password, make sure
+to adjust the permissions of the config file accordingly.
+
+.TP
+.BR attest.load " []"
+Plugins to load in ipsec attest tool.
+
+.TP
+.B charon
+.br
+Options for the charon IKE daemon.
+
+.RB "" "Note" ":"
+Many of the options in this section also apply to
+.RB "" "charon\-cmd" ""
+and
+other
+.RB "" "charon" ""
+derivatives. Just use their respective name (e.g.
+.RB "" "charon\-cmd" ""
+instead of
+.RB "" "charon" ")."
+For many options defaults can be defined
+in the
+.RB "" "libstrongswan" ""
+section.
+
+.TP
+.BR charon.block_threshold " [5]"
+Maximum number of half\-open IKE_SAs for a single peer IP.
+
+.TP
+.BR charon.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory.
+
+.TP
+.BR charon.cisco_unity " [no]"
+Send Cisco Unity vendor ID payload (IKEv1 only).
+
+.TP
+.BR charon.close_ike_on_child_failure " [no]"
+Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+.TP
+.BR charon.cookie_threshold " [10]"
+Number of half\-open IKE_SAs that activate the cookie mechanism.
+
+.TP
+.BR charon.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+strength.
+
+.TP
+.BR charon.dns1 " []"
+DNS server assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.dns2 " []"
+DNS server assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.dos_protection " [yes]"
+Enable Denial of Service protection using cookies and aggressiveness checks.
+
+.TP
+.BR charon.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753.
+
+.TP
+.BR charon.flush_auth_cfg " [no]"
+If enabled objects used during authentication (certificates, identities etc.)
+are released to free memory once an IKE_SA is established. Enabling this might
+conflict with plugins that later need access to e.g. the used certificates.
+
+.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+
+.TP
+.BR charon.group " []"
+Name of the group the daemon changes to after startup.
+
+.TP
+.BR charon.half_open_timeout " [30]"
+Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+.TP
+.BR charon.hash_and_url " [no]"
+Enable hash and URL support.
+
+.TP
+.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
+If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
+keys, which is discouraged due to security concerns (offline attacks on the
+openly transmitted hash of the PSK).
+
+.TP
+.BR charon.ignore_routing_tables " []"
+A space\-separated list of routing tables to be excluded from route lookups.
+
+.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked.
+
+.TP
+.BR charon.ikesa_table_segments " [1]"
+Number of exclusively locked segments in the hash table.
+
+.TP
+.BR charon.ikesa_table_size " [1]"
+Size of the IKE_SA hash table.
+
+.TP
+.BR charon.inactivity_close_ike " [no]"
+Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+.TP
+.BR charon.init_limit_half_open " [0]"
+Limit new connections based on the current number of half open IKE_SAs, see
+IKE_SA_INIT DROPPING in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit new connections based on the number of jobs currently queued for
+processing (see IKE_SA_INIT DROPPING).
+
+.TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+
+.TP
+.BR charon.install_routes " [yes]"
+Install routes into a separate routing table for established IPsec tunnels.
+
+.TP
+.BR charon.install_virtual_ip " [yes]"
+Install virtual IP addresses.
+
+.TP
+.BR charon.install_virtual_ip_on " []"
+The name of the interface on which virtual IP addresses should be installed. If
+not specified the addresses will be installed on the outbound interface.
+
+.TP
+.BR charon.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup.
+
+.TP
+.BR charon.interfaces_ignore " []"
+A comma\-separated list of network interfaces that should be ignored, if
+.RB "" "interfaces_use" ""
+is specified this option has no effect.
+
+.TP
+.BR charon.interfaces_use " []"
+A comma\-separated list of network interfaces that should be used by charon. All
+other interfaces are ignored.
+
+.TP
+.BR charon.keep_alive " [20s]"
+NAT keep alive interval.
+
+.TP
+.BR charon.load " []"
+Plugins to load in the IKE daemon charon.
+
+.TP
+.BR charon.load_modular " [no]"
+If enabled, the list of plugins to load is determined via the value of the
+.RI "" "charon.plugins.<name>.load" ""
+options. In addition to a simple boolean flag that
+option may take an integer value indicating the priority of a plugin, which
+would influence the order of a plugin in the plugin list (the default is 1). If
+two plugins have the same priority their order in the default plugin list is
+preserved. Enabled plugins not found in that list are ordered alphabetically
+before other plugins with the same priority.
+
+.TP
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon.
+
+.TP
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739).
+
+.TP
+.BR charon.nbns1 " []"
+WINS servers assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.nbns2 " []"
+WINS servers assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT\-T. If set to 0 a random port will be
+allocated. Has to be different from
+.RB "" "charon.port" ","
+otherwise a random port
+will be allocated.
+
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+.TP
+.BR charon.receive_delay " [0]"
+Delay in ms for receiving packets, to simulate larger RTT.
+
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.retransmit_timeout " [4.0]"
+Timeout in seconds before sending first retransmit.
+
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up.
+
+.TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+
+.TP
+.BR charon.reuse_ikesa " [yes]"
+Initiate CHILD_SA within existing IKE_SAs.
+
+.TP
+.BR charon.routing_table " []"
+Numerical routing table to install routes to.
+
+.TP
+.BR charon.routing_table_prio " []"
+Priority of the routing table.
+
+.TP
+.BR charon.send_delay " [0]"
+Delay in ms for sending packets, to simulate larger RTT.
+
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.send_vendor_id " [no]"
+Send strongSwan vendor ID payload
+
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.RI "" "ipsec statusall" ""
+might be used as indicator on the number of reserved threads.
+
+.TP
+.BR charon.user " []"
+Name of the user the daemon changes to after startup.
+
+.TP
+.BR charon.crypto_test.bench " [no]"
+Benchmark crypto algorithms and order them by efficiency.
+
+.TP
+.BR charon.crypto_test.bench_size " [1024]"
+Buffer size used for crypto benchmark.
+
+.TP
+.BR charon.crypto_test.bench_time " [50]"
+Number of iterations to test each algorithm.
+
+.TP
+.BR charon.crypto_test.on_add " [no]"
+Test crypto algorithms during registration (requires test vectors provided by
+the
+.RI "" "test\-vectors" ""
+plugin).
+
+.TP
+.BR charon.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation.
+
+.TP
+.BR charon.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm.
+
+.TP
+.BR charon.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+.TP
+.B charon.filelog
+.br
+Section to define file loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.filelog.<filename>
+.br
+<filename> is the full path to the log file.
+
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.filelog.<filename>.time_format " []"
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.RB "" "strftime" "(3)."
+
+
+.TP
+.BR charon.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused).
+
+.TP
+.BR charon.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around.
+
+.TP
+.B charon.imcv
+.br
+Defaults for options in this section can be configured in the
+.RI "" "libimcv" ""
+section.
+
+.TP
+.BR charon.imcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute.
+
+.TP
+.BR charon.imcv.database " []"
+Global IMV policy database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.imcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies.
+
+.TP
+.BR charon.imcv.os_info.name " []"
+Manually set the name of the client OS (e.g. Ubuntu).
+
+.TP
+.BR charon.imcv.os_info.version " []"
+Manually set the version of the client OS (e.g. 12.04 i686).
+
+.TP
+.BR charon.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output.
+
+.TP
+.BR charon.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all).
+
+.TP
+.BR charon.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all).
+
+.TP
+.BR charon.plugins.android_log.loglevel " [1]"
+Loglevel for logging to Android specific logger.
+
+.TP
+.B charon.plugins.attr
+.br
+Section to specify arbitrary attributes that are assigned to a peer via
+configuration payload (CP).
+
+.TP
+.BR charon.plugins.attr.<attr> " []"
+.RB "" "<attr>" ""
+can be either
+.RI "" "address" ","
+.RI "" "netmask" ","
+.RI "" "dns" ","
+.RI "" "nbns" ","
+.RI "" "dhcp" ","
+.RI "" "subnet" ","
+.RI "" "split\-include" ","
+.RI "" "split\-exclude" ""
+or the numeric identifier of the attribute
+type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation
+or an arbitrary value depending on the attribute type. For some attribute types
+multiple values may be specified as a comma separated list.
+
+.TP
+.BR charon.plugins.attr-sql.database " []"
+Database URI for attr\-sql plugin used by charon. If it contains a password, make
+sure to adjust the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases.
+
+.TP
+.BR charon.plugins.certexpire.csv.cron " []"
+Cron style string specifying CSV export times.
+
+.TP
+.BR charon.plugins.certexpire.csv.empty_string " []"
+String to use in empty intermediate CA fields.
+
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count.
+
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for.
+
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+.RB "" "strftime" "(3)"
+format string to export expiration dates as.
+
+.TP
+.BR charon.plugins.certexpire.csv.local " []"
+.RB "" "strftime" "(3)"
+format string for the CSV file name to export local certificates
+to.
+
+.TP
+.BR charon.plugins.certexpire.csv.remote " []"
+.RB "" "strftime" "(3)"
+format string for the CSV file name to export remote
+certificates to.
+
+.TP
+.BR charon.plugins.certexpire.csv.separator " [,]"
+CSV field separator.
+
+.TP
+.BR charon.plugins.coupling.file " []"
+File to store coupling list to.
+
+.TP
+.BR charon.plugins.coupling.hash " [sha1]"
+Hashing algorithm to fingerprint coupled certificates.
+
+.TP
+.BR charon.plugins.coupling.max " [1]"
+Maximum number of coupling entries to create.
+
+.TP
+.BR charon.plugins.dhcp.force_server_address " [no]"
+Always use the configured server address. This might be helpful if the DHCP
+server runs on the same host as strongSwan, and the DHCP daemon does not listen
+on the loopback interface. In that case the server cannot be reached via
+unicast (or even 255.255.255.255) as that would be routed via loopback. Setting
+this option to yes and configuring the local broadcast address (e.g.
+192.168.0.255) as server address might work.
+
+.TP
+.BR charon.plugins.dhcp.identity_lease " [no]"
+Derive user\-defined MAC address from hash of IKE identity.
+
+.TP
+.BR charon.plugins.dhcp.interface " []"
+Interface name the plugin uses for address allocation. The default is to bind to
+any (0.0.0.0) and let the system decide which way to route the packets to the
+DHCP server.
+
+.TP
+.BR charon.plugins.dhcp.server " [255.255.255.255]"
+DHCP server unicast or broadcast IP address.
+
+.TP
+.BR charon.plugins.dnscert.enable " [no]"
+Enable fetching of CERT RRs via DNS.
+
+.TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+Enable duplicheck plugin (if loaded).
+
+.TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin.
+
+.TP
+.BR charon.plugins.eap-aka.request_identity " [yes]"
+.TP
+.BR charon.plugins.eap-aka-3ggp2.seq_check " []"
+.TP
+.BR charon.plugins.eap-dynamic.prefer_user " [no]"
+If enabled the EAP methods proposed in an EAP\-Nak message sent by the peer are
+preferred over the methods registered locally.
+
+.TP
+.BR charon.plugins.eap-dynamic.preferred " []"
+The preferred EAP method(s) to be used. If it is not given the first registered
+method will be used initially. If a comma separated list is given the methods
+are tried in the given order before trying the rest of the registered methods.
+
+.TP
+.BR charon.plugins.eap-gtc.backend " [pam]"
+XAuth backend to be used for credential verification.
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP\-PEAP packet.
+
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non\-fragmented EAP\-PEAP packets.
+
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP\-PEAP packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method.
+
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication.
+
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate.
+
+.TP
+.BR charon.plugins.eap-radius.accounting " [no]"
+Send RADIUS accounting information to RADIUS servers.
+
+.TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
+
+.TP
+.BR charon.plugins.eap-radius.class_group " [no]"
+Use the
+.RI "" "class" ""
+attribute sent in the RADIUS\-Accept message as group membership
+information that is compared to the groups specified in the
+.RB "" "rightgroups" ""
+option in
+.RB "" "ipsec.conf" "(5)."
+
+
+.TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+
+.TP
+.BR charon.plugins.eap-radius.eap_start " [no]"
+Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
+
+.TP
+.BR charon.plugins.eap-radius.filter_id " [no]"
+If the RADIUS
+.RI "" "tunnel_type" ""
+attribute with value
+.RB "" "ESP" ""
+is received, use the
+.RI "" "filter_id" ""
+attribute sent in the RADIUS\-Accept message as group membership
+information that is compared to the groups specified in the
+.RB "" "rightgroups" ""
+option in
+.RB "" "ipsec.conf" "(5)."
+
+
+.TP
+.BR charon.plugins.eap-radius.id_prefix " []"
+Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP
+method.
+
+.TP
+.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
+NAS\-Identifier to include in RADIUS messages.
+
+.TP
+.BR charon.plugins.eap-radius.port " [1812]"
+Port of RADIUS server (authentication).
+
+.TP
+.BR charon.plugins.eap-radius.secret " []"
+Shared secret between RADIUS and NAS. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.eap-radius.server " []"
+IP/Hostname of RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load.
+
+.TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests.
+
+.TP
+.BR charon.plugins.eap-radius.dae.secret " []"
+Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
+or attribute number, a colon can be used to specify vendor\-specific attributes,
+e.g. Reply\-Message, or 11, or 36906:12).
+
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
+Same as
+.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+
+.TP
+.B charon.plugins.eap-radius.servers
+.br
+Section to specify multiple RADIUS servers. The
+.RB "" "nas_identifier" ","
+.RB "" "secret" ","
+.RB "" "sockets" ""
+and
+.RB "" "port" ""
+(or
+.RB "" "auth_port" ")"
+options can be specified for each
+server. A server's IP/Hostname can be configured using the
+.RB "" "address" ""
+option.
+The
+.RB "" "acct_port" ""
+[1813] option can be used to specify the port used for RADIUS
+accounting. For each RADIUS server a priority can be specified using the
+.RB "" "preference" ""
+[0] option.
+
+.TP
+.B charon.plugins.eap-radius.xauth
+.br
+Section to configure multiple XAuth authentication rounds via RADIUS. The
+subsections define so called authentication profiles with arbitrary names. In
+each profile section one or more XAuth types can be configured, with an assigned
+message. For each type a separate XAuth exchange will be initiated and all
+replies get concatenated into the User\-Password attribute, which then gets
+verified over RADIUS.
+
+Available XAuth types are
+.RB "" "password" ","
+.RB "" "passcode" ","
+.RB "" "nextpin" ","
+and
+.RB "" "answer" "."
+This type is not relevant to strongSwan or the AAA server, but the
+client may show a different dialog (along with the configured message).
+
+To use the configured profiles, they have to be configured in the respective
+connection in
+.RB "" "ipsec.conf" "(5)"
+by appending the profile name, separated by a
+colon, to the
+.RB "" "xauth\-radius" ""
+XAauth backend configuration in
+.RI "" "rightauth" ""
+or
+.RI "" "rightauth2" ","
+for instance,
+.RI "" "rightauth2=xauth\-radius:profile" "."
+
+
+.TP
+.BR charon.plugins.eap-sim.request_identity " [yes]"
+.TP
+.BR charon.plugins.eap-simaka-sql.database " []"
+.TP
+.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
+.TP
+.BR charon.plugins.eap-tls.fragment_size " [1024]"
+Maximum size of an EAP\-TLS packet.
+
+.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non\-fragmented EAP\-TLS packets.
+
+.TP
+.BR charon.plugins.eap-tls.max_message_count " [32]"
+Maximum number of processed EAP\-TLS packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-tnc.max_message_count " [10]"
+Maximum number of processed EAP\-TNC packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+IF\-TNCCS protocol version to be used
+.RI "(" "tnccs\-1.1" ","
+.RI "" "tnccs\-2.0" ","
+.RI "" "tnccs\-dynamic" ")."
+
+
+.TP
+.BR charon.plugins.eap-ttls.fragment_size " [1024]"
+Maximum size of an EAP\-TTLS packet.
+
+.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non\-fragmented EAP\-TTLS packets.
+
+.TP
+.BR charon.plugins.eap-ttls.max_message_count " [32]"
+Maximum number of processed EAP\-TTLS packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-ttls.phase2_method " [md5]"
+Phase2 EAP client authentication method.
+
+.TP
+.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+.TP
+.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication.
+
+.TP
+.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
+Request peer authentication based on a client certificate.
+
+.TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error\-notify plugin.
+
+.TP
+.BR charon.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+
+.TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes. Set
+to 0 to disable.
+
+.TP
+.BR charon.plugins.ha.fifo_interface " [yes]"
+.TP
+.BR charon.plugins.ha.heartbeat_delay " [1000]"
+.TP
+.BR charon.plugins.ha.heartbeat_timeout " [2100]"
+.TP
+.BR charon.plugins.ha.local " []"
+.TP
+.BR charon.plugins.ha.monitor " [yes]"
+.TP
+.BR charon.plugins.ha.pools " []"
+.TP
+.BR charon.plugins.ha.remote " []"
+.TP
+.BR charon.plugins.ha.resync " [yes]"
+.TP
+.BR charon.plugins.ha.secret " []"
+.TP
+.BR charon.plugins.ha.segment_count " [1]"
+.TP
+.BR charon.plugins.imc-attestation.aik_blob " []"
+AIK encrypted private key blob file.
+
+.TP
+.BR charon.plugins.imc-attestation.aik_cert " []"
+AIK certificate file.
+
+.TP
+.BR charon.plugins.imc-attestation.aik_key " []"
+AIK public key file.
+
+.TP
+.BR charon.plugins.imc-attestation.nonce_len " [20]"
+DH nonce length.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr17_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr17_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr17_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr18_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr18_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr18_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr_info " [yes]"
+Whether to send pcr_before and pcr_after info.
+
+.TP
+.BR charon.plugins.imc-attestation.use_quote2 " [yes]"
+Use Quote2 AIK signature instead of Quote signature.
+
+.TP
+.BR charon.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted.
+
+.TP
+.BR charon.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted.
+
+.TP
+.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]"
+Directory where SWID tags are located.
+
+.TP
+.BR charon.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs.
+
+.TP
+.BR charon.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV.
+
+.TP
+.BR charon.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+.TP
+.BR charon.plugins.imc-test.retry " [no]"
+Do a handshake retry.
+
+.TP
+.BR charon.plugins.imc-test.retry_command " []"
+Command to be sent to the Test IMV in the handshake retry.
+
+.TP
+.BR charon.plugins.imv-attestation.cadir " []"
+Path to directory with AIK cacerts.
+
+.TP
+.BR charon.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie\-Hellman group.
+
+.TP
+.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm.
+
+.TP
+.BR charon.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length.
+
+.TP
+.BR charon.plugins.imv-os.remediation_uri " []"
+URI pointing to operating system remediation instructions.
+
+.TP
+.BR charon.plugins.imv-scanner.remediation_uri " []"
+URI pointing to scanner remediation instructions.
+
+.TP
+.BR charon.plugins.imv-test.rounds " [0]"
+Number of IMC\-IMV retry rounds.
+
+.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable fetching of IPSECKEY RRs via DNS.
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices.
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device.
+
+.TP
+.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
+Allow that the remote traffic selector equals the IKE peer. The route installed
+for such traffic (via TUN device) usually prevents further IKE traffic. The
+fwmark options for the
+.RI "" "kernel\-netlink" ""
+and
+.RI "" "socket\-default" ""
+plugins can be used
+to circumvent that problem.
+
+.TP
+.BR charon.plugins.kernel-netlink.fwmark " []"
+Firewall mark to set on the routing rule that directs traffic to our routing
+table. The format is [!]mark[/mask], where the optional exclamation mark inverts
+the meaning (i.e. the rule only applies to packets that don't match the mark).
+
+.TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change.
+
+.TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Lifetime of XFRM acquire state in kernel. The value gets written to
+/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+acquire messages sent.
+
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+
+.TP
+.BR charon.plugins.led.activity_led " []"
+.TP
+.BR charon.plugins.led.blink_time " [50]"
+.TP
+.B charon.plugins.load-tester
+.br
+Section to configure the load\-tester plugin, see LOAD TESTS in
+.RB "" "strongswan.conf" "(5)"
+for details.
+
+.TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated.
+
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to \-1 the
+full address is used (i.e. 32 or 128).
+
+.TP
+.BR charon.plugins.load-tester.ca_dir " []"
+Directory to load (intermediate) CA certificates from.
+
+.TP
+.BR charon.plugins.load-tester.child_rekey " [600]"
+Seconds to start CHILD_SA rekeying after setup.
+
+.TP
+.BR charon.plugins.load-tester.delay " [0]"
+Delay between initiatons for each thread.
+
+.TP
+.BR charon.plugins.load-tester.delete_after_established " [no]"
+Delete an IKE_SA as soon as it has been established.
+
+.TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates.
+
+.TP
+.BR charon.plugins.load-tester.dpd_delay " [0]"
+DPD delay to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.dynamic_port " [0]"
+Base port to be used for requests (each client uses a different port).
+
+.TP
+.BR charon.plugins.load-tester.eap_password " [default-pwd]"
+EAP secret to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.enable " [no]"
+Enable the load testing plugin.
+.RB "" "WARNING" ":"
+Never enable this plugin on
+productive systems. It provides preconfigured credentials and allows an attacker
+to authenticate as any user.
+
+.TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests.
+
+.TP
+.BR charon.plugins.load-tester.fake_kernel " [no]"
+Fake the kernel interface to allow load\-testing against self.
+
+.TP
+.BR charon.plugins.load-tester.ike_rekey " [0]"
+Seconds to start IKE_SA rekeying after setup.
+
+.TP
+.BR charon.plugins.load-tester.init_limit " [0]"
+Global limit of concurrently established SAs during load test.
+
+.TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from.
+
+.TP
+.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
+Authentication method(s) the intiator uses.
+
+.TP
+.BR charon.plugins.load-tester.initiator_id " []"
+Initiator ID used in load test.
+
+.TP
+.BR charon.plugins.load-tester.initiator_match " []"
+Initiator ID to match against as responder.
+
+.TP
+.BR charon.plugins.load-tester.initiator_tsi " []"
+Traffic selector on initiator side, as proposed by initiator.
+
+.TP
+.BR charon.plugins.load-tester.initiator_tsr " []"
+Traffic selector on responder side, as proposed by initiator.
+
+.TP
+.BR charon.plugins.load-tester.initiators " [0]"
+Number of concurrent initiator threads to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.issuer_cert " []"
+Path to the issuer certificate (if not configured a hard\-coded default value is
+used).
+
+.TP
+.BR charon.plugins.load-tester.issuer_key " []"
+Path to private key that is used to issue certificates (if not configured a
+hard\-coded default value is used).
+
+.TP
+.BR charon.plugins.load-tester.iterations " [1]"
+Number of IKE_SAs to initiate by each initiator in load test.
+
+.TP
+.BR charon.plugins.load-tester.mode " [tunnel]"
+IPsec mode to use, one of
+.RI "" "tunnel" ","
+.RI "" "transport" ","
+or
+.RI "" "beet" "."
+
+
+.TP
+.BR charon.plugins.load-tester.pool " []"
+Provide INTERNAL_IPV4_ADDRs from a named pool.
+
+.TP
+.BR charon.plugins.load-tester.preshared_key " [<default-psk>]"
+Preshared key to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
+IKE proposal to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.request_virtual_ip " [no]"
+Request an INTERNAL_IPV4_ADDR from the server.
+
+.TP
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
+Address to initiation connections to.
+
+.TP
+.BR charon.plugins.load-tester.responder_auth " [pubkey]"
+Authentication method(s) the responder uses.
+
+.TP
+.BR charon.plugins.load-tester.responder_id " []"
+Responder ID used in load test.
+
+.TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder.
+
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder.
+
+.TP
+.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
+Shutdown the daemon after all IKE_SAs have been established.
+
+.TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load\-tester plugin.
+
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder).
+
+.TP
+.B charon.plugins.load-tester.addrs
+.br
+Section that contains key/value pairs with address pools (in CIDR notation) to
+use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+.TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin.
+
+.TP
+.BR charon.plugins.ntru.max_drbg_requests " [4294967294]"
+Number of pseudo\-random bit requests from the DRBG before an automatic reseeding
+occurs.
+
+.TP
+.BR charon.plugins.ntru.parameter_set " [optimum]"
+The following parameter sets are available:
+.RB "" "x9_98_speed" ","
+.RB "" "x9_98_bandwidth" ","
+.RB "" "x9_98_balance" ""
+and
+.RB "" "optimum" ","
+the last set not being
+part of the X9.98 standard but having the best performance.
+
+.TP
+.BR charon.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin.
+
+.TP
+.BR charon.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+
+.TP
+.BR charon.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens.
+
+.TP
+.BR charon.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP.
+
+.TP
+.BR charon.plugins.pkcs11.use_dh " [no]"
+Whether the PKCS#11 modules should be used for DH and ECDH (see
+.RI "" "use_ecc" ""
+option).
+
+.TP
+.BR charon.plugins.pkcs11.use_ecc " [no]"
+Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+operations. ECDSA private keys can be used regardless of this option.
+
+.TP
+.BR charon.plugins.pkcs11.use_hasher " [no]"
+Whether the PKCS#11 modules should be used to hash data.
+
+.TP
+.BR charon.plugins.pkcs11.use_pubkey " [no]"
+Whether the PKCS#11 modules should be used for public key operations, even for
+keys not stored on tokens.
+
+.TP
+.BR charon.plugins.pkcs11.use_rng " [no]"
+Whether the PKCS#11 modules should be used as RNG.
+
+.TP
+.B charon.plugins.pkcs11.modules
+.br
+List of available PKCS#11 modules.
+
+.TP
+.BR charon.plugins.radattr.dir " []"
+Directory where RADIUS attributes are stored in client\-ID specific files.
+
+.TP
+.BR charon.plugins.radattr.message_id " [-1]"
+Attributes are added to all IKE_AUTH messages by default (\-1), or only to the
+IKE_AUTH message with the given IKEv2 message ID.
+
+.TP
+.BR charon.plugins.random.random " [${random_device}]"
+File to read random bytes from.
+
+.TP
+.BR charon.plugins.random.strong_equals_true " [no]"
+If set to yes the RNG_STRONG class reads random bytes from the same source as
+the RNG_TRUE class.
+
+.TP
+.BR charon.plugins.random.urandom " [${urandom_device}]"
+File to read pseudo random bytes from.
+
+.TP
+.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
+File where to add DNS server entries.
+
+.TP
+.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
+Prefix used for interface names sent to
+.RB "" "resolvconf" "(8)."
+The nameserver
+address is appended to this prefix to make it unique. The result has to be a
+valid interface name according to the rules defined by resolvconf. Also, it
+should have a high priority according to the order defined in
+.RB "" "interface\-order" "(5)."
+
+
+.TP
+.BR charon.plugins.socket-default.fwmark " []"
+Firewall mark to set on outbound packets.
+
+.TP
+.BR charon.plugins.socket-default.set_source " [yes]"
+Set source address on outbound packets, if possible.
+
+.TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+
+.TP
+.BR charon.plugins.sql.database " []"
+Database URI for charon's SQL plugin. If it contains a password, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.sql.loglevel " [-1]"
+Loglevel for logging to SQL database.
+
+.TP
+.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
+Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+certificates even if they don't contain a CA basic constraint.
+
+.TP
+.BR charon.plugins.stroke.max_concurrent " [4]"
+Maximum number of stroke messages handled concurrently.
+
+.TP
+.BR charon.plugins.stroke.prevent_loglevel_changes " [no]"
+If enabled log level changes via stroke socket are not allowed.
+
+.TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin.
+
+.TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout.
+
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check.
+
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+.TP
+.BR charon.plugins.systime-fix.threshold " []"
+Threshold date where system time is considered valid. Disabled if not specified.
+
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+.RB "" "strptime" "(3)"
+format used to parse threshold option.
+
+.TP
+.BR charon.plugins.tnc-ifmap.client_cert " []"
+Path to X.509 certificate file of IF\-MAP client.
+
+.TP
+.BR charon.plugins.tnc-ifmap.client_key " []"
+Path to private key file of IF\-MAP client.
+
+.TP
+.BR charon.plugins.tnc-ifmap.device_name " []"
+Unique name of strongSwan server as a PEP and/or PDP device.
+
+.TP
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF\-MAP RenewSession requests.
+
+.TP
+.BR charon.plugins.tnc-ifmap.server_cert " []"
+Path to X.509 certificate file of IF\-MAP server.
+
+.TP
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path].
+
+.TP
+.BR charon.plugins.tnc-ifmap.username_password " []"
+Credentials of IF\-MAP client of the form username:password. If set, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use.
+
+.TP
+.BR charon.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations.
+
+.TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use.
+
+.TP
+.BR charon.plugins.tnc-imv.recommendation_policy " [default]"
+TNC recommendation policy, one of
+.RI "" "default" ","
+.RI "" "any" ","
+or
+.RI "" "all" "."
+
+
+.TP
+.BR charon.plugins.tnc-pdp.server " []"
+Name of the strongSwan PDP as contained in the AAA certificate.
+
+.TP
+.BR charon.plugins.tnc-pdp.timeout " []"
+Timeout in seconds before closing incomplete connections.
+
+.TP
+.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
+Enable PT\-TLS protocol on the strongSwan PDP.
+
+.TP
+.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
+PT\-TLS server port the strongSwan PDP is listening on.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.enable " [yes]"
+Enable RADIUS protocol on the strongSwan PDP.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
+EAP tunnel method to be used.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.port " [1812]"
+RADIUS server port the strongSwan PDP is listening on.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.secret " []"
+Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA\-TNC message (XML & Base64 encoding).
+
+.TP
+.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
+
+.TP
+.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
+
+.TP
+.BR charon.plugins.unbound.dlv_anchors " []"
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as
+.RI "" "trust_anchors" "."
+Only one DLV can be configured, which is
+then used as a root trusted DLV, this means that it is a lookaside for the root.
+
+.TP
+.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from.
+
+.TP
+.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
+
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+Enable loaded whitelist plugin.
+
+.TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin.
+
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification.
+
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication.
+
+.TP
+.BR charon.plugins.xauth-pam.session " [no]"
+Open/close a PAM session for each active IKE_SA.
+
+.TP
+.BR charon.plugins.xauth-pam.trim_email " [yes]"
+If an email address is received as an XAuth username, trim it to just the
+username part.
+
+.TP
+.B charon.processor.priority_threads
+.br
+Section to configure the number of reserved threads per priority class see JOB
+PRIORITY MANAGEMENT in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.syslog
+.br
+Section to define syslog loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.syslog.identifier " []"
+Global identifier used for an
+.RB "" "openlog" "(3)"
+call, prepended to each log message
+by syslog. If not configured,
+.RB "" "openlog" "(3)"
+is not called, so the value will
+depend on system defaults (often the program name).
+
+.TP
+.B charon.syslog.<facility>
+.br
+<facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
+in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.syslog.<facility>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.syslog.<facility>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.syslog.<facility>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.tls.cipher " []"
+List of TLS encryption ciphers.
+
+.TP
+.BR charon.tls.key_exchange " []"
+List of TLS key exchange methods.
+
+.TP
+.BR charon.tls.mac " []"
+List of TLS MAC algorithms.
+
+.TP
+.BR charon.tls.suites " []"
+List of TLS cipher suites.
+
+.TP
+.BR charon.tnc.tnc_config " [/etc/tnc_config]"
+TNC IMC/IMV configuration file.
+
+.TP
+.BR charon.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions.
+
+.TP
+.BR libimcv.debug_level " [1]"
+Debug level for a stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs with stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR libimcv.stderr_quiet " [no]"
+Disable output to stderr with a stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR manager.database " []"
+Credential database URI for manager. If it contains a password, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager.
+
+.TP
+.BR manager.load " []"
+Plugins to load in manager.
+
+.TP
+.BR manager.socket " []"
+FastCGI socket of manager, to run it statically.
+
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling.
+
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager.
+
+.TP
+.BR medsrv.database " []"
+Mediation server database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application.
+
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin.
+
+.TP
+.BR medsrv.load " []"
+Plugins to load in mediation server plugin.
+
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts.
+
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin.
+
+.TP
+.BR medsrv.socket " []"
+Run Mediation server web application statically on socket.
+
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application.
+
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service.
+
+.TP
+.BR openac.load " []"
+Plugins to load in ipsec openac tool.
+
+.TP
+.BR pacman.database " []"
+Database URI for the database that stores the package information. If it
+contains a password, make sure to adjust the permissions of the config file
+accordingly.
+
+.TP
+.BR pacman.load " []"
+Plugins to load in package manager.
+
+.TP
+.BR pki.load " []"
+Plugins to load in ipsec pki tool.
+
+.TP
+.BR pool.database " []"
+Database URI for the database that stores IP pools and configuration attributes.
+If it contains a password, make sure to adjust the permissions of the
+config file accordingly.
+
+.TP
+.BR pool.load " []"
+Plugins to load in ipsec pool tool.
+
+.TP
+.BR scepclient.load " []"
+Plugins to load in ipsec scepclient tool.
+
+.TP
+.BR starter.load " []"
+Plugins to load in starter.
+
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon plugin load option warning.
+
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
new file mode 100644
index 000000000..72aa7f856
--- /dev/null
+++ b/conf/strongswan.conf.5.tail.in
@@ -0,0 +1,470 @@
+.SH LOGGER CONFIGURATION
+Options in
+.BR strongswan.conf (5)
+provide a much more flexible way to configure loggers for the IKE daemon charon
+than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.BR Note :
+If any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B asn
+Low-level encoding/decoding (ASN.1, X.509 etc.)
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B esp
+libipsec library messages
+.TP
+.B lib
+libstrongwan library messages
+.TP
+.B tnc
+Trusted Network Connect
+.TP
+.B imc
+Integrity Measurement Collector
+.TP
+.B imv
+Integrity Measurement Verifier
+.TP
+.B pts
+Platform Trust Service
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+ charon {
+ filelog {
+ /var/log/charon.log {
+ time_format = %b %e %T
+ append = no
+ default = 1
+ }
+ stderr {
+ ike = 2
+ knl = 3
+ ike_name = yes
+ }
+ }
+ syslog {
+ # enable logging to LOG_DAEMON, use defaults
+ daemon {
+ }
+ # minimalistic IKE auditing logging to LOG_AUTHPRIV
+ auth {
+ default = -1
+ ike = 0
+ }
+ }
+ }
+.EE
+
+.SH JOB PRIORITY MANAGEMENT
+Some operations in the IKEv2 daemon charon are currently implemented
+synchronously and blocking. Two examples for such operations are communication
+with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
+certificate chain verification. Under high load conditions, the thread pool may
+run out of available threads, and some more important jobs, such as liveness
+checking, may not get executed in time.
+.PP
+To prevent thread starvation in such situations job priorities were introduced.
+The job processor will reserve some threads for higher priority jobs, these
+threads are not available for lower priority, locking jobs.
+.SS Implementation
+Currently 4 priorities have been defined, and they are used in charon as
+follows:
+.TP
+.B CRITICAL
+Priority for long-running dispatcher jobs.
+.TP
+.B HIGH
+INFORMATIONAL exchanges, as used by liveness checking (DPD).
+.TP
+.B MEDIUM
+Everything not HIGH/LOW, including IKE_SA_INIT processing.
+.TP
+.B LOW
+IKE_AUTH message processing. RADIUS and CRL fetching block here
+.PP
+Although IKE_SA_INIT processing is computationally expensive, it is explicitly
+assigned to the MEDIUM class. This allows charon to do the DH exchange while
+other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
+IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
+.PP
+The thread pool processes jobs strictly by priority, meaning it will consume all
+higher priority jobs before looking for ones with lower priority. Further, it
+reserves threads for certain priorities. A priority class having reserved
+.I n
+threads will always have
+.I n
+threads available for this class (either currently processing a job, or waiting
+for one).
+.SS Configuration
+To ensure that there are always enough threads available for higher priority
+tasks, threads must be reserved for each priority class.
+.TP
+.BR charon.processor.priority_threads.critical " [0]"
+Threads reserved for CRITICAL priority class jobs
+.TP
+.BR charon.processor.priority_threads.high " [0]"
+Threads reserved for HIGH priority class jobs
+.TP
+.BR charon.processor.priority_threads.medium " [0]"
+Threads reserved for MEDIUM priority class jobs
+.TP
+.BR charon.processor.priority_threads.low " [0]"
+Threads reserved for LOW priority class jobs
+.PP
+Let's consider the following configuration:
+.PP
+.EX
+ charon {
+ processor {
+ priority_threads {
+ high = 1
+ medium = 4
+ }
+ }
+ }
+.EE
+.PP
+With this configuration, one thread is reserved for HIGH priority tasks. As
+currently only liveness checking and stroke message processing is done with
+high priority, one or two threads should be sufficient.
+.PP
+The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
+experiencing many blocks in locks while accessing shared resources, threads for
+one or two times the number of CPU cores is fine.
+.PP
+It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
+class rarely return and do not release their thread to the pool.
+.PP
+The remaining threads are available for LOW priority jobs. Reserving threads
+does not make sense (until we have an even lower priority).
+.SS Monitoring
+To see what the threads are actually doing, invoke
+.IR "ipsec statusall" .
+Under high load, something like this will show up:
+.PP
+.EX
+ worker threads: 2 or 32 idle, 5/1/2/22 working,
+ job queue: 0/0/1/149, scheduled: 198
+.EE
+.PP
+From 32 worker threads,
+.IP 2
+are currently idle.
+.IP 5
+are running CRITICAL priority jobs (dispatching from sockets, etc.).
+.IP 1
+is currently handling a HIGH priority job. This is actually the thread currently
+providing this information via stroke.
+.IP 2
+are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
+messages.
+.IP 22
+are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
+while processing IKE_AUTH messages.
+.PP
+The job queue load shows how many jobs are queued for each priority, ready for
+execution. The single MEDIUM priority job will get executed immediately, as
+we have two spare threads reserved for MEDIUM class jobs.
+
+.SH IKE_SA_INIT DROPPING
+If a responder receives more connection requests per seconds than it can handle,
+it does not make sense to accept more IKE_SA_INIT messages. And if they are
+queued but can't get processed in time, an answer might be sent after the
+client has already given up and restarted its connection setup. This
+additionally increases the load on the responder.
+.PP
+To limit the responder load resulting from new connection attempts, the daemon
+can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
+decide if this should happen, configured with the following options:
+.TP
+.BR charon.init_limit_half_open " [0]"
+Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
+connecting state, but not yet established.
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit based on the number of jobs currently queued for processing (sum over all
+job priorities).
+.PP
+The second limit includes load from other jobs, such as rekeying. Choosing a
+good value is difficult and depends on the hardware and expected load.
+.PP
+The first limit is simpler to calculate, but includes the load from new
+connections only. If your responder is capable of negotiating 100 tunnels/s, you
+might set this limit to 1000. The daemon will then drop new connection attempts
+if generating a response would require more than 10 seconds. If you are
+allowing for a maximum response time of more than 30 seconds, consider adjusting
+the timeout for connecting IKE_SAs
+.RB ( charon.half_open_timeout ).
+A responder, by default, deletes an IKE_SA if the initiator does not establish
+it within 30 seconds. Under high load, a higher value might be required.
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKE daemon charon
+provides the \fIload-tester\fR plugin. This plugin allows one to setup thousands
+of tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.PP
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication rounds are used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication rounds, concatenate multiple methods using,
+e.g.
+.EX
+ initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called \fImodpnull\fR. By setting
+.EX
+ proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows one to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fail, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+ charon {
+ # create new IKE_SAs for each CHILD_SA to simulate
+ # different clients
+ reuse_ikesa = no
+ # turn off denial of service protection
+ dos_protection = no
+
+ plugins {
+ load-tester {
+ # enable the plugin
+ enable = yes
+ # use 4 threads to initiate connections
+ # simultaneously
+ initiators = 4
+ # each thread initiates 1000 connections
+ iterations = 1000
+ # delay each initiation in each thread by 20ms
+ delay = 20
+ # enable the fake kernel interface to
+ # avoid SA conflicts
+ fake_kernel = yes
+ }
+ }
+ }
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
+.PP
+.EX
+ charon {
+ reuse_ikesa = no
+ threads = 32
+
+ plugins {
+ load-tester {
+ enable = yes
+ # 10000 connections, ten in parallel
+ initiators = 10
+ iterations = 1000
+ # use a delay of 100ms, overall time is:
+ # iterations * delay = 100s
+ delay = 100
+ # address of the gateway
+ remote = 1.2.3.4
+ # IKE-proposal to use
+ proposal = aes128-sha1-modp1024
+ # use faster PSK authentication instead
+ # of 1024bit RSA
+ initiator_auth = psk
+ responder_auth = psk
+ # request a virtual IP using configuration
+ # payloads
+ request_virtual_ip = yes
+ # enable CHILD_SA every 60s
+ child_rekey = 60
+ }
+ }
+ }
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+ relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission Relative Timeout Absolute Timeout
+1 4s 4s
+2 7s 11s
+3 13s 24s
+4 23s 47s
+5 42s 89s
+giving up 76s 165s
+.TE
+.
+.SH VARIABLES
+.
+The variables used above are configured as follows:
+
+.nf
+.na
+${piddir} @piddir@
+${prefix} @prefix@
+${random_device} @random_device@
+${urandom_device} @urandom_device@
+.ad
+.fi
+.
+.SH FILES
+.
+.nf
+.na
+/etc/strongswan.conf configuration file
+/etc/strongswan.d/ directory containing included config snippets
+/etc/strongswan.d/charon/ plugin specific config snippets
+.ad
+.fi
+.
+.SH SEE ALSO
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/config.h.in b/config.h.in
index cce6dd148..bfcb4e2ec 100644
--- a/config.h.in
+++ b/config.h.in
@@ -124,6 +124,12 @@
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
+/* Define to 1 if you have the `memrchr' function. */
+#undef HAVE_MEMRCHR
+
+/* Define to 1 if you have the `mmap' function. */
+#undef HAVE_MMAP
+
/* have mpz_mown_sec() */
#undef HAVE_MPZ_POWM_SEC
@@ -169,6 +175,15 @@
/* Define to 1 if you have the `pthread_spin_init' function. */
#undef HAVE_PTHREAD_SPIN_INIT
+/* have qsort_r() */
+#undef HAVE_QSORT_R
+
+/* have BSD-style qsort_r() */
+#undef HAVE_QSORT_R_BSD
+
+/* have GNU-style qsort_r() */
+#undef HAVE_QSORT_R_GNU
+
/* Define to 1 if you have the `rb_errinfo' function. */
#undef HAVE_RB_ERRINFO
@@ -293,7 +308,7 @@
/* support for IKEv2 protocol */
#undef USE_IKEV2
-/* use vstring library for printf hooks */
+/* use Vstr string library for printf hooks */
#undef USE_VSTR
/* Version number of package */
diff --git a/configure b/configure
index 818379bbc..652a5d06f 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.1.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.1.2.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='strongSwan'
PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.1.1'
-PACKAGE_STRING='strongSwan 5.1.1'
+PACKAGE_VERSION='5.1.2'
+PACKAGE_STRING='strongSwan 5.1.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -632,14 +632,13 @@ ac_subst_vars='am__EXEEXT_FALSE
am__EXEEXT_TRUE
LTLIBOBJS
LIBOBJS
+strongswan_options
USE_CMD_FALSE
USE_CMD_TRUE
USE_TKM_FALSE
USE_TKM_TRUE
COVERAGE_FALSE
COVERAGE_TRUE
-UNITTESTS_FALSE
-UNITTESTS_TRUE
USE_SILENT_RULES_FALSE
USE_SILENT_RULES_TRUE
MONOLITHIC_FALSE
@@ -872,6 +871,8 @@ USE_MEDSRV_FALSE
USE_MEDSRV_TRUE
USE_STROKE_FALSE
USE_STROKE_TRUE
+USE_NTRU_FALSE
+USE_NTRU_TRUE
USE_AF_ALG_FALSE
USE_AF_ALG_TRUE
USE_GCM_FALSE
@@ -982,8 +983,6 @@ COVERAGE_LDFLAGS
COVERAGE_CFLAGS
GENHTML
LCOV
-CHECK_LIBS
-CHECK_CFLAGS
GPRBUILD
dev_headers
USE_DEV_HEADERS_FALSE
@@ -1018,6 +1017,15 @@ DLLIB
ALLOCA
GPERF
PERL
+pkgpyexecdir
+pyexecdir
+pkgpythondir
+pythondir
+PYTHON_PLATFORM
+PYTHON_EXEC_PREFIX
+PYTHON_PREFIX
+PYTHON_VERSION
+PYTHON
YFLAGS
YACC
LEXLIB
@@ -1314,6 +1322,7 @@ enable_pkcs11
enable_ctr
enable_ccm
enable_gcm
+enable_ntru
enable_addrblock
enable_unity
enable_uci
@@ -1336,7 +1345,6 @@ enable_vstr
enable_monolithic
enable_bfd_backtraces
enable_unwind_backtraces
-enable_unit_tests
enable_coverage
enable_tkm
enable_cmd
@@ -1365,6 +1373,7 @@ CPPFLAGS
CPP
YACC
YFLAGS
+PYTHON
soup_CFLAGS
soup_LIBS
xml_CFLAGS
@@ -1376,9 +1385,7 @@ maemo_LIBS
pcsclite_CFLAGS
pcsclite_LIBS
nm_CFLAGS
-nm_LIBS
-CHECK_CFLAGS
-CHECK_LIBS'
+nm_LIBS'
# Initialize some variables set by options.
@@ -1919,7 +1926,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures strongSwan 5.1.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.1.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1989,7 +1996,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of strongSwan 5.1.1:";;
+ short | recursive ) echo "Configuration of strongSwan 5.1.2:";;
esac
cat <<\_ACEOF
@@ -2151,6 +2158,7 @@ Optional Features:
--enable-ctr enables the Counter Mode wrapper crypto plugin.
--enable-ccm enables the CCM AEAD wrapper crypto plugin.
--enable-gcm enables the GCM AEAD wrapper crypto plugin.
+ --enable-ntru enables the NTRU crypto plugin.
--enable-addrblock enables RFC 3779 address block constraint support.
--enable-unity enables Cisco Unity extension plugin.
--enable-uci enable OpenWRT UCI configuration plugin.
@@ -2186,7 +2194,6 @@ Optional Features:
--enable-unwind-backtraces
use libunwind to create backtraces for memory leaks
and segfaults.
- --enable-unit-tests enable unit tests using the check test framework.
--enable-coverage enable lcov coverage report generation.
--enable-tkm enable Trusted Key Manager support.
--enable-cmd enable the command line IKE client charon-cmd.
@@ -2292,6 +2299,7 @@ Some influential environment variables:
YFLAGS The list of arguments that will be passed by default to $YACC.
This script will default YFLAGS to the empty string to avoid a
default value of `-d' given by some make applications.
+ PYTHON the Python interpreter
soup_CFLAGS C compiler flags for soup, overriding pkg-config
soup_LIBS linker flags for soup, overriding pkg-config
xml_CFLAGS C compiler flags for xml, overriding pkg-config
@@ -2307,9 +2315,6 @@ Some influential environment variables:
linker flags for pcsclite, overriding pkg-config
nm_CFLAGS C compiler flags for nm, overriding pkg-config
nm_LIBS linker flags for nm, overriding pkg-config
- CHECK_CFLAGS
- C compiler flags for CHECK, overriding pkg-config
- CHECK_LIBS linker flags for CHECK, overriding pkg-config
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
@@ -2377,7 +2382,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-strongSwan configure 5.1.1
+strongSwan configure 5.1.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2899,7 +2904,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 5.1.1, which was
+It was created by strongSwan $as_me 5.1.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3762,7 +3767,7 @@ fi
# Define the identity of the package.
PACKAGE='strongswan'
- VERSION='5.1.1'
+ VERSION='5.1.2'
cat >>confdefs.h <<_ACEOF
@@ -6391,6 +6396,21 @@ else
fi
+# Check whether --enable-ntru was given.
+if test "${enable_ntru+set}" = set; then :
+ enableval=$enable_ntru; ntru_given=true
+ if test x$enableval = xyes; then
+ ntru=true
+ else
+ ntru=false
+ fi
+else
+ ntru=false
+ ntru_given=false
+
+fi
+
+
# Check whether --enable-addrblock was given.
if test "${enable_addrblock+set}" = set; then :
enableval=$enable_addrblock; addrblock_given=true
@@ -6721,21 +6741,6 @@ else
fi
-# Check whether --enable-unit-tests was given.
-if test "${enable_unit_tests+set}" = set; then :
- enableval=$enable_unit_tests; unit_tests_given=true
- if test x$enableval = xyes; then
- unit_tests=true
- else
- unit_tests=false
- fi
-else
- unit_tests=false
- unit_tests_given=false
-
-fi
-
-
# Check whether --enable-coverage was given.
if test "${enable_coverage+set}" = set; then :
enableval=$enable_coverage; coverage_given=true
@@ -6815,7 +6820,7 @@ fi
# ===========================
if test -z "$CFLAGS"; then
- CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
+ CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign"
fi
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
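Review bot: The new default on the `CFLAGS=` line adds `-Wno-format-security` next to the existing `-Wno-format`, so a build with the default flags gets no compiler diagnostics for format strings at all, including the non-literal-format case that `-Wformat-security` reports. Nothing in the hunk records why, and a later reader cannot tell a deliberate suppression from an accident. The project's printf hooks (see the `USE_VSTR` comment in config.h.in) are presumably the reason for `-Wno-format`; if so, a comment above the assignment should say it, for example `# custom printf hooks confuse -Wformat; -Wno-format-security only silences the "ignored without -Wformat" notice`. Because configure is generated, that comment belongs in the file this line comes from (presumably configure.ac), and the default applies only when `CFLAGS` is empty, so builds that pass their own flags are unaffected. A separate build that runs with `-Wformat -Wformat-security` on the code that does not use the custom conversions would keep that class of bug visible.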
@@ -16249,6 +16254,213 @@ fi
done
test -n "$YACC" || YACC="yacc"
+
+
+
+
+
+
+ # Find any Python interpreter.
+ if test -z "$PYTHON"; then
+ for ac_prog in python python2 python3 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PYTHON+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $PYTHON in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PYTHON=$ac_cv_path_PYTHON
+if test -n "$PYTHON"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5
+$as_echo "$PYTHON" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$PYTHON" && break
+done
+test -n "$PYTHON" || PYTHON=":"
+
+ fi
+ am_display_PYTHON=python
+
+
+ if test "$PYTHON" = :; then
+ :
+ else
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5
+$as_echo_n "checking for $am_display_PYTHON version... " >&6; }
+if ${am_cv_python_version+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"`
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5
+$as_echo "$am_cv_python_version" >&6; }
+ PYTHON_VERSION=$am_cv_python_version
+
+
+
+ PYTHON_PREFIX='${prefix}'
+
+ PYTHON_EXEC_PREFIX='${exec_prefix}'
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5
+$as_echo_n "checking for $am_display_PYTHON platform... " >&6; }
+if ${am_cv_python_platform+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5
+$as_echo "$am_cv_python_platform" >&6; }
+ PYTHON_PLATFORM=$am_cv_python_platform
+
+
+ # Just factor out some code duplication.
+ am_python_setup_sysconfig="\
+import sys
+# Prefer sysconfig over distutils.sysconfig, for better compatibility
+# with python 3.x. See automake bug#10227.
+try:
+ import sysconfig
+except ImportError:
+ can_use_sysconfig = 0
+else:
+ can_use_sysconfig = 1
+# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
+# <https://github.com/pypa/virtualenv/issues/118>
+try:
+ from platform import python_implementation
+ if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
+ can_use_sysconfig = 0
+except ImportError:
+ pass"
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5
+$as_echo_n "checking for $am_display_PYTHON script directory... " >&6; }
+if ${am_cv_python_pythondir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$prefix" = xNONE
+ then
+ am_py_prefix=$ac_default_prefix
+ else
+ am_py_prefix=$prefix
+ fi
+ am_cv_python_pythondir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pythondir in
+ $am_py_prefix*)
+ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'`
+ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"`
+ ;;
+ *)
+ case $am_py_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5
+$as_echo "$am_cv_python_pythondir" >&6; }
+ pythondir=$am_cv_python_pythondir
+
+
+
+ pkgpythondir=\${pythondir}/$PACKAGE
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5
+$as_echo_n "checking for $am_display_PYTHON extension module directory... " >&6; }
+if ${am_cv_python_pyexecdir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$exec_prefix" = xNONE
+ then
+ am_py_exec_prefix=$am_py_prefix
+ else
+ am_py_exec_prefix=$exec_prefix
+ fi
+ am_cv_python_pyexecdir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pyexecdir in
+ $am_py_exec_prefix*)
+ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'`
+ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"`
+ ;;
+ *)
+ case $am_py_exec_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5
+$as_echo "$am_cv_python_pyexecdir" >&6; }
+ pyexecdir=$am_cv_python_pyexecdir
+
+
+
+ pkgpyexecdir=\${pyexecdir}/$PACKAGE
+
+
+
+ fi
+
+
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -16417,10 +16629,6 @@ if test x$medcli = xtrue; then
mediation=true
fi
-if test x$coverage = xtrue; then
- unit_tests=true
-fi
-
# ===========================================
# check required libraries and header files
# ===========================================
@@ -17367,6 +17575,80 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
+ac_fn_c_check_func "$LINENO" "qsort_r" "ac_cv_func_qsort_r"
+if test "x$ac_cv_func_qsort_r" = xyes; then :
+
+
+$as_echo "#define HAVE_QSORT_R /**/" >>confdefs.h
+
+ # set -Werror so that we get an error for "argument ... has
+ # incompatible pointer type" warnings
+ save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -Werror"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU-style qsort_r" >&5
+$as_echo_n "checking for GNU-style qsort_r... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#define _GNU_SOURCE
+ #include <stdlib.h>
+ int cmp (const void *a, const void *b, void *x) { return 0; }
+int
+main ()
+{
+int arr[] = { 0, 1 };
+ qsort_r(arr, 2, sizeof(int), cmp, arr);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_QSORT_R_GNU /**/" >>confdefs.h
+
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; };
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD-style qsort_r" >&5
+$as_echo_n "checking for BSD-style qsort_r... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdlib.h>
+ int cmp (void *x, const void *a, const void *b) { return 0; }
+int
+main ()
+{
+int arr[] = { 0, 1 };
+ qsort_r(arr, 2, sizeof(int), arr, cmp);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_QSORT_R_BSD /**/" >>confdefs.h
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; };
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "qsort_r has unknown semantics
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS="$save_CFLAGS"
+
+fi
+
+
for ac_func in prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
@@ -17379,7 +17661,7 @@ _ACEOF
fi
done
-for ac_func in fmemopen funopen
+for ac_func in fmemopen funopen mmap memrchr
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -19760,102 +20042,9 @@ $as_echo "no" >&6; }
fi
-fi
-
-if test x$unit_tests = xtrue; then
-
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CHECK" >&5
-$as_echo_n "checking for CHECK... " >&6; }
-
-if test -n "$CHECK_CFLAGS"; then
- pkg_cv_CHECK_CFLAGS="$CHECK_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5
- ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_CHECK_CFLAGS=`$PKG_CONFIG --cflags "check >= 0.9.4" 2>/dev/null`
- test "x$?" != "x0" && pkg_failed=yes
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-if test -n "$CHECK_LIBS"; then
- pkg_cv_CHECK_LIBS="$CHECK_LIBS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5
- ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_CHECK_LIBS=`$PKG_CONFIG --libs "check >= 0.9.4" 2>/dev/null`
- test "x$?" != "x0" && pkg_failed=yes
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
- _pkg_short_errors_supported=yes
-else
- _pkg_short_errors_supported=no
-fi
- if test $_pkg_short_errors_supported = yes; then
- CHECK_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "check >= 0.9.4" 2>&1`
- else
- CHECK_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "check >= 0.9.4" 2>&1`
- fi
- # Put the nasty error message in config.log where it belongs
- echo "$CHECK_PKG_ERRORS" >&5
-
- as_fn_error $? "Package requirements (check >= 0.9.4) were not met:
-
-$CHECK_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables CHECK_CFLAGS
-and CHECK_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details." "$LINENO" 5
-elif test $pkg_failed = untried; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables CHECK_CFLAGS
-and CHECK_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5; }
-else
- CHECK_CFLAGS=$pkg_cv_CHECK_CFLAGS
- CHECK_LIBS=$pkg_cv_CHECK_LIBS
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-fi
-
-
+ if test x$GPRBUILD = x; then
+ as_fn_error $? "gprbuild not found" "$LINENO" 5
+ fi
fi
if test x$coverage = xtrue; then
@@ -20476,6 +20665,15 @@ if test x$gcm = xtrue; then
fi
+if test x$ntru = xtrue; then
+ s_plugins=${s_plugins}" ntru"
+ charon_plugins=${charon_plugins}" ntru"
+ scripts_plugins=${scripts_plugins}" ntru"
+ nm_plugins=${nm_plugins}" ntru"
+ cmd_plugins=${cmd_plugins}" ntru"
+
+ fi
+
if test x$attr = xtrue; then
h_plugins=${h_plugins}" attr"
charon_plugins=${charon_plugins}" attr"
@@ -21294,6 +21492,14 @@ else
USE_AF_ALG_FALSE=
fi
+ if test x$ntru = xtrue; then
+ USE_NTRU_TRUE=
+ USE_NTRU_FALSE='#'
+else
+ USE_NTRU_TRUE='#'
+ USE_NTRU_FALSE=
+fi
+
# charon plugins
# ----------------
@@ -22231,14 +22437,6 @@ else
USE_SILENT_RULES_FALSE=
fi
- if test x$unit_tests = xtrue; then
- UNITTESTS_TRUE=
- UNITTESTS_FALSE='#'
-else
- UNITTESTS_TRUE='#'
- UNITTESTS_FALSE=
-fi
-
if test x$coverage = xtrue; then
COVERAGE_TRUE=
COVERAGE_FALSE='#'
@@ -22294,18 +22492,57 @@ $as_echo "#define USE_IKEV2 /**/" >>confdefs.h
fi
+# ====================================================
+# options for enabled modules (see conf/Makefile.am)
+# ====================================================
+
+strongswan_options=
+
+if test -z "$USE_ATTR_SQL_TRUE"; then :
+ strongswan_options=${strongswan_options}" pool"
+fi
+if test -z "$USE_CHARON_TRUE"; then :
+ strongswan_options=${strongswan_options}" charon charon-logging"
+fi
+if test -z "$USE_FILE_CONFIG_TRUE"; then :
+ strongswan_options=${strongswan_options}" starter"
+fi
+if test -z "$USE_IMV_ATTESTATION_TRUE"; then :
+ strongswan_options=${strongswan_options}" attest"
+fi
+if test -z "$USE_IMCV_TRUE"; then :
+ strongswan_options=${strongswan_options}" imcv"
+fi
+if test -z "$USE_IMV_OS_TRUE"; then :
+ strongswan_options=${strongswan_options}" pacman"
+fi
+if test -z "$USE_LIBTNCCS_TRUE"; then :
+ strongswan_options=${strongswan_options}" tnc"
+fi
+if test -z "$USE_MANAGER_TRUE"; then :
+ strongswan_options=${strongswan_options}" manager"
+fi
+if test -z "$USE_MEDSRV_TRUE"; then :
+ strongswan_options=${strongswan_options}" medsrv"
+fi
+if test -z "$USE_TOOLS_TRUE"; then :
+ strongswan_options=${strongswan_options}" tools"
+fi
+
+
+
# =================
# build Makefiles
# =================
-ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile 
src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile 
src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile 
src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile 
src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile 
src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile 
src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile"
# =================
# build man pages
# =================
-ac_config_files="$ac_config_files man/ipsec.conf.5 man/ipsec.secrets.5 man/strongswan.conf.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1"
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1"
cat >confcache <<\_ACEOF
@@ -22630,6 +22867,10 @@ if test -z "${USE_AF_ALG_TRUE}" && test -z "${USE_AF_ALG_FALSE}"; then
as_fn_error $? "conditional \"USE_AF_ALG\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_NTRU_TRUE}" && test -z "${USE_NTRU_FALSE}"; then
+ as_fn_error $? "conditional \"USE_NTRU\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
as_fn_error $? "conditional \"USE_STROKE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23094,10 +23335,6 @@ if test -z "${USE_SILENT_RULES_TRUE}" && test -z "${USE_SILENT_RULES_FALSE}"; th
as_fn_error $? "conditional \"USE_SILENT_RULES\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
-if test -z "${UNITTESTS_TRUE}" && test -z "${UNITTESTS_FALSE}"; then
- as_fn_error $? "conditional \"UNITTESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
if test -z "${COVERAGE_TRUE}" && test -z "${COVERAGE_FALSE}"; then
as_fn_error $? "conditional \"COVERAGE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23507,7 +23744,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by strongSwan $as_me 5.1.1, which was
+This file was extended by strongSwan $as_me 5.1.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -23573,7 +23810,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-strongSwan config.status 5.1.1
+strongSwan config.status 5.1.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@@ -23983,6 +24220,7 @@ do
"depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
"libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+ "conf/Makefile") CONFIG_FILES="$CONFIG_FILES conf/Makefile" ;;
"man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
"init/Makefile") CONFIG_FILES="$CONFIG_FILES init/Makefile" ;;
"init/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd/Makefile" ;;
@@ -24033,6 +24271,7 @@ do
"src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;;
"src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
"src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;;
+ "src/libstrongswan/plugins/ntru/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ntru/Makefile" ;;
"src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
"src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
"src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
@@ -24150,9 +24389,10 @@ do
"src/pt-tls-client/Makefile") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/Makefile" ;;
"scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
"testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
+ "conf/strongswan.conf.5.head") CONFIG_FILES="$CONFIG_FILES conf/strongswan.conf.5.head" ;;
+ "conf/strongswan.conf.5.tail") CONFIG_FILES="$CONFIG_FILES conf/strongswan.conf.5.tail" ;;
"man/ipsec.conf.5") CONFIG_FILES="$CONFIG_FILES man/ipsec.conf.5" ;;
"man/ipsec.secrets.5") CONFIG_FILES="$CONFIG_FILES man/ipsec.secrets.5" ;;
- "man/strongswan.conf.5") CONFIG_FILES="$CONFIG_FILES man/strongswan.conf.5" ;;
"src/charon-cmd/charon-cmd.8") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/charon-cmd.8" ;;
"src/pki/man/pki.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki.1" ;;
"src/pki/man/pki---gen.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---gen.1" ;;
diff --git a/configure.ac b/configure.ac
index df1dc6847..8a925c29a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
#
-# Copyright (C) 2007-2013 Tobias Brunner
+# Copyright (C) 2007-2014 Tobias Brunner
# Copyright (C) 2006-2013 Andreas Steffen
# Copyright (C) 2006-2013 Martin Willi
# Hochschule fuer Technik Rapperswil
@@ -19,8 +19,18 @@
# initialize & set some vars
# ============================
-AC_INIT([strongSwan],[5.1.1])
-AM_INIT_AUTOMAKE([tar-ustar subdir-objects])
+AC_INIT([strongSwan],[5.1.2])
+AM_INIT_AUTOMAKE(m4_esyscmd([
+ echo tar-ustar
+ echo subdir-objects
+ case `automake --version | head -n 1` in
+ *" 1.9"*);;
+ *" 1.10"*);;
+ *" 1.11"*);;
+ # don't use parallel test harness in 1.12 and up
+ *) echo serial-tests;;
+ esac
+]))
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
AC_CONFIG_MACRO_DIR([m4/config])
AC_CONFIG_HEADERS([config.h])
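Review bot: The version probe inside `m4_esyscmd` runs whichever `automake` is first on PATH when autoconf runs, which is not necessarily the automake that later processes the Makefile.am files (for example when `AUTOMAKE` is set for autoreconf). If the two differ, or if no `automake` is on PATH at all, the `*)` arm emits `serial-tests`, which the releases listed in the other arms presumably do not accept as an option. Probing the same tool that will be used avoids this: `case \`${AUTOMAKE:-automake} --version | head -n 1\` in`. A short comment saying that this command runs at autoreconf time, not at configure time, would also help the next reader.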
@@ -229,6 +239,7 @@ ARG_ENABL_SET([pkcs11], [enables the PKCS11 token support plugin.])
ARG_ENABL_SET([ctr], [enables the Counter Mode wrapper crypto plugin.])
ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.])
ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([ntru], [enables the NTRU crypto plugin.])
ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.])
ARG_ENABL_SET([unity], [enables Cisco Unity extension plugin.])
ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.])
@@ -251,7 +262,6 @@ ARG_ENABL_SET([vstr], [enforce using the Vstr string library to replac
ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
-ARG_ENABL_SET([unit-tests], [enable unit tests using the check test framework.])
ARG_ENABL_SET([coverage], [enable lcov coverage report generation.])
ARG_ENABL_SET([tkm], [enable Trusted Key Manager support.])
ARG_ENABL_SET([cmd], [enable the command line IKE client charon-cmd.])
@@ -274,7 +284,7 @@ fi
# ===========================
if test -z "$CFLAGS"; then
- CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
+ CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign"
fi
AC_PROG_CC
AM_PROG_CC_C_O
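Review bot: The default `CFLAGS` in the `if test -z "$CFLAGS"` block now disable `-Wformat-security` on top of `-Wno-format`, and nothing in the hunk records why. With both off, a default build gives no compile-time signal when a non-literal string reaches a printf-style call as the format argument. If the reason is the custom printf hooks mentioned further down in this file (see the `USE_VSTR` description), say so above the assignment, e.g. `# format checks are off because the printf hooks use non-standard conversion specifiers`. These defaults apply only when the user passes no `CFLAGS`, so it would be worth keeping one CI or analysis build that sets `CFLAGS` with format checking enabled for the code that does not go through the hooks.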
@@ -292,6 +302,7 @@ AC_PROG_EGREP
AC_PROG_AWK
AC_PROG_LEX
AC_PROG_YACC
+AM_PATH_PYTHON(,,[:])
AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
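Review bot: `AM_PATH_PYTHON(,,[:])` makes a missing interpreter non-fatal, and in that case automake sets `PYTHON` to `:`, so any rule that runs `$(PYTHON) script` succeeds without doing anything. The consumers are not visible in this part of the diff (presumably the rules in conf/Makefile.am that use format-options.py), so it cannot be checked here whether they guard against that and whether the generated files are shipped in the tarball. A comment on this line would record the contract, e.g. `# optional: PYTHON is ":" if not found, rules using it must not produce empty output silently`. No minimum version is requested either, so the script has to run on whatever interpreter is found.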
@@ -376,10 +387,6 @@ if test x$medcli = xtrue; then
mediation=true
fi
-if test x$coverage = xtrue; then
- unit_tests=true
-fi
-
# ===========================================
# check required libraries and header files
# ===========================================
@@ -488,8 +495,45 @@ AC_CHECK_FUNC(
)]
)
+AC_CHECK_FUNC(
+ [qsort_r],
+ [
+ AC_DEFINE([HAVE_QSORT_R], [], [have qsort_r()])
+ # set -Werror so that we get an error for "argument ... has
+ # incompatible pointer type" warnings
+ save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -Werror"
+ AC_MSG_CHECKING([for GNU-style qsort_r])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#define _GNU_SOURCE
+ #include <stdlib.h>
+ int cmp (const void *a, const void *b, void *x) { return 0; }]],
+ [[int arr[] = { 0, 1 };
+ qsort_r(arr, 2, sizeof(int), cmp, arr);]])],
+ [AC_MSG_RESULT([yes]);
+ AC_DEFINE([HAVE_QSORT_R_GNU], [], [have GNU-style qsort_r()])],
+ [
+ AC_MSG_RESULT([no]);
+ AC_MSG_CHECKING([for BSD-style qsort_r])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <stdlib.h>
+ int cmp (void *x, const void *a, const void *b) { return 0; }]],
+ [[int arr[] = { 0, 1 };
+ qsort_r(arr, 2, sizeof(int), arr, cmp);]])],
+ [AC_MSG_RESULT([yes]);
+ AC_DEFINE([HAVE_QSORT_R_BSD], [], [have BSD-style qsort_r()])],
+ [AC_MSG_RESULT([no]);
+ AC_MSG_FAILURE([qsort_r has unknown semantics])])
+ ])
+ CFLAGS="$save_CFLAGS"
+ ],
+ []
+)
+
AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
-AC_CHECK_FUNCS(fmemopen funopen)
+AC_CHECK_FUNCS(fmemopen funopen mmap memrchr)
AC_CHECK_HEADERS(sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h)
AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
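Review bot: Both `qsort_r` probes are compiled with `-Werror` appended to whatever `CFLAGS` the user supplied, so any unrelated warning fails them, and the result is the fatal `qsort_r has unknown semantics` rather than a wrong-signature verdict. The two `cmp` helpers leave all their parameters unused, which is enough to trigger this when the user's flags enable unused-parameter warnings. Referencing the arguments keeps the probes independent of such flags: `int cmp (const void *a, const void *b, void *x) { (void)a; (void)b; (void)x; return 0; }`, and likewise for the BSD-style variant. The existing comment could also state that `-Werror` is there only to turn the incompatible-pointer-type warning into a failure.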
@@ -633,7 +677,7 @@ AC_CHECK_FUNC(
if test x$vstr = xtrue; then
AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
- AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
+ AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks])
builtin_printf=false
fi
@@ -933,12 +977,9 @@ CFLAGS="$CFLAGS -include `pwd`/config.h"
if test x$tkm = xtrue; then
AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-fi
-
-if test x$unit_tests = xtrue; then
- PKG_CHECK_MODULES(CHECK, [check >= 0.9.4])
- AC_SUBST(CHECK_CFLAGS)
- AC_SUBST(CHECK_LIBS)
+ if test x$GPRBUILD = x; then
+ AC_MSG_ERROR([gprbuild not found])
+ fi
fi
if test x$coverage = xtrue; then
@@ -1034,6 +1075,7 @@ ADD_PLUGIN([hmac], [s charon scripts nm cmd])
ADD_PLUGIN([ctr], [s charon scripts nm cmd])
ADD_PLUGIN([ccm], [s charon scripts nm cmd])
ADD_PLUGIN([gcm], [s charon scripts nm cmd])
+ADD_PLUGIN([ntru], [s charon scripts nm cmd])
ADD_PLUGIN([attr], [h charon])
ADD_PLUGIN([attr-sql], [h charon])
ADD_PLUGIN([load-tester], [c charon])
@@ -1171,6 +1213,7 @@ AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
+AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
# charon plugins
# ----------------
@@ -1296,7 +1339,6 @@ AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
AM_CONDITIONAL(USE_SILENT_RULES, test x$enable_silent_rules = xyes)
-AM_CONDITIONAL(UNITTESTS, test x$unit_tests = xtrue)
AM_CONDITIONAL(COVERAGE, test x$coverage = xtrue)
AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
@@ -1321,12 +1363,32 @@ if test x$ikev2 = xtrue; then
AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
fi
+# ====================================================
+# options for enabled modules (see conf/Makefile.am)
+# ====================================================
+
+strongswan_options=
+
+AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
+AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
+AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
+AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"])
+AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"])
+AM_COND_IF([USE_IMV_OS], [strongswan_options=${strongswan_options}" pacman"])
+AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"])
+AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"])
+AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"])
+AM_COND_IF([USE_TOOLS], [strongswan_options=${strongswan_options}" tools"])
+
+AC_SUBST(strongswan_options)
+
# =================
# build Makefiles
# =================
AC_CONFIG_FILES([
Makefile
+ conf/Makefile
man/Makefile
init/Makefile
init/systemd/Makefile
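Review bot: The new `strongswan_options` block relies on `AM_COND_IF`, which as far as I know only exists since automake 1.11, while the `AM_INIT_AUTOMAKE` change in this same file still carries explicit arms for 1.9 and 1.10. If those older releases are meant to stay supported, the block needs a fallback such as plain `if test x$attr_sql = xtrue` tests. Otherwise state the requirement where it is used, e.g. `# AM_COND_IF requires automake 1.11 or newer`, and drop the older arms. The list also has to be kept in step by hand with the option files under conf/options, which the header comment could mention.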
@@ -1377,6 +1439,7 @@ AC_CONFIG_FILES([
src/libstrongswan/plugins/ccm/Makefile
src/libstrongswan/plugins/gcm/Makefile
src/libstrongswan/plugins/af_alg/Makefile
+ src/libstrongswan/plugins/ntru/Makefile
src/libstrongswan/plugins/test_vectors/Makefile
src/libstrongswan/tests/Makefile
src/libhydra/Makefile
@@ -1501,9 +1564,10 @@ AC_CONFIG_FILES([
# =================
AC_CONFIG_FILES([
+ conf/strongswan.conf.5.head
+ conf/strongswan.conf.5.tail
man/ipsec.conf.5
man/ipsec.secrets.5
- man/strongswan.conf.5
src/charon-cmd/charon-cmd.8
src/pki/man/pki.1
src/pki/man/pki---gen.1
diff --git a/init/Makefile.in b/init/Makefile.in
index 3b2626218..c9ace238e 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -192,8 +192,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -261,6 +259,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -349,12 +352,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -369,6 +376,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 822aca11f..766402660 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -161,8 +161,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -230,6 +228,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -318,12 +321,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -338,6 +345,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/man/Makefile.am b/man/Makefile.am
index 266ef7d3a..fbc78b9ac 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,6 +1,5 @@
man_MANS = \
ipsec.conf.5 \
- ipsec.secrets.5 \
- strongswan.conf.5
+ ipsec.secrets.5
CLEANFILES = $(man_MANS)
diff --git a/man/Makefile.in b/man/Makefile.in
index 9c970cdcd..d4a38b10e 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -79,8 +79,7 @@ build_triplet = @build@
host_triplet = @host@
subdir = man
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in \
- $(srcdir)/strongswan.conf.5.in
+ $(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -96,7 +95,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+CONFIG_CLEAN_FILES = ipsec.conf.5 ipsec.secrets.5
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -164,8 +163,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -233,6 +230,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -321,12 +323,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -341,6 +347,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -353,8 +360,7 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
man_MANS = \
ipsec.conf.5 \
- ipsec.secrets.5 \
- strongswan.conf.5
+ ipsec.secrets.5
CLEANFILES = $(man_MANS)
all: all-am
@@ -394,8 +400,6 @@ ipsec.conf.5: $(top_builddir)/config.status $(srcdir)/ipsec.conf.5.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
ipsec.secrets.5: $(top_builddir)/config.status $(srcdir)/ipsec.secrets.5.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
-strongswan.conf.5: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.in
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
mostlyclean-libtool:
-rm -f *.lo
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 92be67000..a0be75536 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -386,7 +386,9 @@ retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
.BR inactivity " = <time>"
defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic.
+not send or receive any traffic. The inactivity counter is reset during CHILD_SA
+rekeying. This means that the inactivity timeout must be smaller than the
+rekeying interval to have any effect.
.TP
.BR eap_identity " = <id>"
defines the identity the client uses to reply to an EAP Identity request.
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
deleted file mode 100644
index db63d36f4..000000000
--- a/man/strongswan.conf.5.in
+++ /dev/null
@@ -1,1745 +0,0 @@
-.TH STRONGSWAN.CONF 5 "2013-10-29" "@PACKAGE_VERSION@" "strongSwan"
-.SH NAME
-strongswan.conf \- strongSwan configuration file
-.SH DESCRIPTION
-While the
-.IR ipsec.conf (5)
-configuration file is well suited to define IPsec related configuration
-parameters, it is not useful for other strongSwan applications to read options
-from this file.
-The file is hard to parse and only
-.I ipsec starter
-is capable of doing so. As the number of components of the strongSwan project
-is continually growing, a more flexible configuration file was needed, one that
-is easy to extend and can be used by all components. With strongSwan 4.2.1
-.IR strongswan.conf (5)
-was introduced which meets these requirements.
-
-.SH SYNTAX
-The format of the strongswan.conf file consists of hierarchical
-.B sections
-and a list of
-.B key/value pairs
-in each section. Each section has a name, followed by C-Style curly brackets
-defining the section body. Each section body contains a set of subsections
-and key/value pairs:
-.PP
-.EX
- settings := (section|keyvalue)*
- section := name { settings }
- keyvalue := key = value\\n
-.EE
-.PP
-Values must be terminated by a newline.
-.PP
-Comments are possible using the \fB#\fP-character, but be careful: The parser
-implementation is currently limited and does not like brackets in comments.
-.PP
-Section names and keys may contain any printable character except:
-.PP
-.EX
- . { } # \\n \\t space
-.EE
-.PP
-An example file in this format might look like this:
-.PP
-.EX
- a = b
- section-one {
- somevalue = asdf
- subsection {
- othervalue = xxx
- }
- # yei, a comment
- yetanother = zz
- }
- section-two {
- x = 12
- }
-.EE
-.PP
-Indentation is optional, you may use tabs or spaces.
-
-.SH INCLUDING FILES
-Using the
-.B include
-statement it is possible to include other files into strongswan.conf, e.g.
-.PP
-.EX
- include /some/path/*.conf
-.EE
-.PP
-If the file name is not an absolute path, it is considered to be relative
-to the directory of the file containing the include statement. The file name
-may include shell wildcards (see
-.IR sh (1)).
-Also, such inclusions can be nested.
-.PP
-Sections loaded from included files
-.I extend
-previously loaded sections; already existing values are
-.IR replaced .
-It is important to note that settings are added relative to the section the
-include statement is in.
-.PP
-As an example, the following three files result in the same final
-config as the one given above:
-.PP
-.EX
- a = b
- section-one {
- somevalue = before include
- include include.conf
- }
- include other.conf
-
-include.conf:
- # settings loaded from this file are added to section-one
- # the following replaces the previous value
- somevalue = asdf
- subsection {
- othervalue = yyy
- }
- yetanother = zz
-
-other.conf:
- # this extends section-one and subsection
- section-one {
- subsection {
- # this replaces the previous value
- othervalue = xxx
- }
- }
- section-two {
- x = 12
- }
-.EE
-
-.SH READING VALUES
-Values are accessed using a dot-separated section list and a key.
-With reference to the example above, accessing
-.B section-one.subsection.othervalue
-will return
-.BR xxx .
-
-.SH DEFINED KEYS
-The following keys are currently defined (using dot notation). The default
-value (if any) is listed in brackets after the key.
-
-.SS attest section
-.TP
-.BR attest.database
-Path to database with file measurement information
-.TP
-.BR attest.load
-Plugins to load in ipsec attest tool
-
-.SS charon section
-.TP
-.BR Note :
-Many of these options also apply to \fBcharon\-cmd\fR and other
-\fBcharon\fR derivatives. Just use their respective name (e.g.
-\fIcharon\-cmd\fR) instead of \fIcharon\fR.
-.TP
-.BR charon.block_threshold " [5]"
-Maximum number of half-open IKE_SAs for a single peer IP
-.TP
-.BR charon.cisco_unity " [no]
-Send Cisco Unity vendor ID payload (IKEv1 only)
-.TP
-.BR charon.close_ike_on_child_failure " [no]"
-Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
-.TP
-.BR charon.cookie_threshold " [10]"
-Number of half-open IKE_SAs that activate the cookie mechanism
-.TP
-.BR charon.dns1
-.TQ
-.BR charon.dns2
-DNS servers assigned to peer via configuration payload (CP)
-.TP
-.BR charon.dos_protection " [yes]"
-Enable Denial of Service protection using cookies and aggressiveness checks
-.TP
-.BR charon.filelog
-Section to define file loggers, see LOGGER CONFIGURATION
-.TP
-.BR charon.flush_auth_cfg " [no]"
-If enabled objects used during authentication (certificates, identities etc.)
-are released to free memory once an IKE_SA is established.
-Enabling this might conflict with plugins that later need access to e.g. the
-used certificates.
-.TP
-.BR charon.fragment_size " [512]"
-Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
-fragmentation extension.
-.TP
-.BR charon.group
-Name of the group the daemon changes to after startup
-.TP
-.BR charon.half_open_timeout " [30]"
-Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
-.TP
-.BR charon.hash_and_url " [no]"
-Enable hash and URL support
-.TP
-.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
-If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
-keys, which is discouraged due to security concerns (offline attacks on the
-openly transmitted hash of the PSK)
-.TP
-.BR charon.ignore_routing_tables
-A space-separated list of routing tables to be excluded from route lookups
-.TP
-.BR charon.ikesa_limit " [0]"
-Maximum number of IKE_SAs that can be established at the same time before new
-connection attempts are blocked
-.TP
-.BR charon.ikesa_table_segments " [1]"
-Number of exclusively locked segments in the hash table
-.TP
-.BR charon.ikesa_table_size " [1]"
-Size of the IKE_SA hash table
-.TP
-.BR charon.inactivity_close_ike " [no]"
-Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
-.TP
-.BR charon.init_limit_half_open " [0]"
-Limit new connections based on the current number of half open IKE_SAs (see
-IKE_SA_INIT DROPPING).
-.TP
-.BR charon.init_limit_job_load " [0]"
-Limit new connections based on the number of jobs currently queued for
-processing (see IKE_SA_INIT DROPPING).
-.TP
-.BR charon.initiator_only " [no]"
-Causes charon daemon to ignore IKE initiation requests.
-.TP
-.BR charon.install_routes " [yes]"
-Install routes into a separate routing table for established IPsec tunnels
-.TP
-.BR charon.install_virtual_ip " [yes]"
-Install virtual IP addresses
-.TP
-.BR charon.install_virtual_ip_on
-The name of the interface on which virtual IP addresses should be installed.
-If not specified the addresses will be installed on the outbound interface.
-.TP
-.BR charon.interfaces_ignore
-A comma-separated list of network interfaces that should be ignored, if
-.B charon.interfaces_use
-is specified this option has no effect.
-.TP
-.BR charon.interfaces_use
-A comma-separated list of network interfaces that should be used by charon.
-All other interfaces are ignored.
-.TP
-.BR charon.keep_alive " [20s]"
-NAT keep alive interval
-.TP
-.BR charon.load
-Plugins to load in the IKEv2 daemon charon
-.TP
-.BR charon.max_packet " [10000]"
-Maximum packet size accepted by charon
-.TP
-.BR charon.multiple_authentication " [yes]"
-Enable multiple authentication exchanges (RFC 4739)
-.TP
-.BR charon.nbns1
-.TQ
-.BR charon.nbns2
-WINS servers assigned to peer via configuration payload (CP)
-.TP
-.BR charon.port " [500]"
-UDP port used locally. If set to 0 a random port will be allocated.
-.TP
-.BR charon.port_nat_t " [4500]"
-UDP port used locally in case of NAT-T. If set to 0 a random port will be
-allocated. Has to be different from
-.BR charon.port ,
-otherwise a random port will be allocated.
-.TP
-.BR charon.process_route " [yes]"
-Process RTM_NEWROUTE and RTM_DELROUTE events
-.TP
-.BR charon.receive_delay " [0]"
-Delay in ms for receiving packets, to simulate larger RTT
-.TP
-.BR charon.receive_delay_response " [yes]"
-Delay response messages
-.TP
-.BR charon.receive_delay_request " [yes]"
-Delay request messages
-.TP
-.BR charon.receive_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any
-.TP
-.BR charon.replay_window " [32]"
-Size of the AH/ESP replay window, in packets.
-.TP
-.BR charon.retransmit_base " [1.8]"
-Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
-.TP
-.BR charon.retransmit_timeout " [4.0]
-Timeout in seconds before sending first retransmit
-.TP
-.BR charon.retransmit_tries " [5]"
-Number of times to retransmit a packet before giving up
-.TP
-.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
-.TP
-.BR charon.reuse_ikesa " [yes]
-Initiate CHILD_SA within existing IKE_SAs
-.TP
-.BR charon.routing_table
-Numerical routing table to install routes to
-.TP
-.BR charon.routing_table_prio
-Priority of the routing table
-.TP
-.BR charon.send_delay " [0]"
-Delay in ms for sending packets, to simulate larger RTT
-.TP
-.BR charon.send_delay_response " [yes]"
-Delay response messages
-.TP
-.BR charon.send_delay_request " [yes]"
-Delay request messages
-.TP
-.BR charon.send_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any
-.TP
-.BR charon.send_vendor_id " [no]
-Send strongSwan vendor ID payload
-.TP
-.BR charon.syslog
-Section to define syslog loggers, see LOGGER CONFIGURATION
-.TP
-.BR charon.threads " [16]"
-Number of worker threads in charon. Several of these are reserved for long
-running tasks in internal modules and plugins. Therefore, make sure you don't
-set this value too low. The number of idle worker threads listed in
-.I ipsec statusall
-might be used as indicator on the number of reserved threads.
-.TP
-.BR charon.user
-Name of the user the daemon changes to after startup
-.SS charon.plugins subsection
-.TP
-.BR charon.plugins.android_log.loglevel " [1]"
-Loglevel for logging to Android specific logger
-.TP
-.BR charon.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-configuration payload (CP)
-.TP
-.BR charon.plugins.certexpire.csv.cron
-Cron style string specifying CSV export times
-.TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
-.BR charon.plugins.certexpire.csv.force " [yes]"
-Force export of all trustchains we have a private key for
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.local
-strftime(3) format string for the CSV file name to export local certificates to
-.TP
-.BR charon.plugins.certexpire.csv.remote
-strftime(3) format string for the CSV file name to export remote certificates to
-.TP
-.BR charon.plugins.certexpire.csv.separator " [,]"
-CSV field separator
-.TP
-.BR charon.plugins.coupling.file
-File to store coupling list to
-.TP
-.BR charon.plugins.coupling.hash " [sha1]"
-Hashing algorithm to fingerprint coupled certificates
-.TP
-.BR charon.plugins.coupling.max " [1]"
-Maximum number of coupling entries to create
-.TP
-.BR charon.plugins.dhcp.force_server_address " [no]"
-Always use the configured server address. This might be helpful if the DHCP
-server runs on the same host as strongSwan, and the DHCP daemon does not listen
-on the loopback interface. In that case the server cannot be reached via
-unicast (or even 255.255.255.255) as that would be routed via loopback.
-Setting this option to yes and configuring the local broadcast address (e.g.
-192.168.0.255) as server address might work.
-.TP
-.BR charon.plugins.dhcp.identity_lease " [no]"
-Derive user-defined MAC address from hash of IKEv2 identity
-.TP
-.BR charon.plugins.dhcp.server " [255.255.255.255]"
-DHCP server unicast or broadcast IP address
-.TP
-.BR charon.plugins.dnscert.enable " [no]"
-Enable fetching of CERT RRs via DNS
-.TP
-.BR charon.plugins.duplicheck.enable " [yes]"
-Enable duplicheck plugin (if loaded)
-.TP
-.BR charon.plugins.duplicheck.socket " [unix://@piddir@/charon.dck]"
-Socket provided by the duplicheck plugin
-.TP
-.BR charon.plugins.eap-aka.request_identity " [yes]"
-
-.TP
-.BR charon.plugins.eap-aka-3ggp2.seq_check
-
-.TP
-.BR charon.plugins.eap-dynamic.preferred
-The preferred EAP method(s) to be used. If it is not given the first
-registered method will be used initially. If a comma separated list is given
-the methods are tried in the given order before trying the rest of the
-registered methods.
-.TP
-.BR charon.plugins.eap-dynamic.prefer_user " [no]"
-If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
-preferred over the methods registered locally.
-.TP
-.BR charon.plugins.eap-gtc.backend " [pam]"
-XAuth backend to be used for credential verification
-.TP
-.BR charon.plugins.eap-peap.fragment_size " [1024]"
-Maximum size of an EAP-PEAP packet
-.TP
-.BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-peap.include_length " [no]"
-Include length in non-fragmented EAP-PEAP packets
-.TP
-.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
-Phase2 EAP client authentication method
-.TP
-.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message
-.TP
-.BR charon.plugins.eap-peap.phase2_tnc " [no]"
-Start phase2 EAP TNC protocol after successful client authentication
-.TP
-.BR charon.plugins.eap-peap.request_peer_auth " [no]"
-Request peer authentication based on a client certificate
-.TP
-.BR charon.plugins.eap-radius.accounting " [no]"
-Send RADIUS accounting information to RADIUS servers.
-.TP
-.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
-If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
-.TP
-.BR charon.plugins.eap-radius.class_group " [no]"
-Use the
-.I class
-attribute sent in the RADIUS-Accept message as group membership information that
-is compared to the groups specified in the
-.B rightgroups
-option in
-.B ipsec.conf (5).
-.TP
-.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
-Closes all IKE_SAs if communication with the RADIUS server times out. If it is
-not set only the current IKE_SA is closed.
-.TP
-.BR charon.plugins.eap-radius.dae.enable " [no]"
-Enables support for the Dynamic Authorization Extension (RFC 5176)
-.TP
-.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
-Address to listen for DAE messages from the RADIUS server
-.TP
-.BR charon.plugins.eap-radius.dae.port " [3799]"
-Port to listen for DAE requests
-.TP
-.BR charon.plugins.eap-radius.dae.secret
-Shared secret used to verify/sign DAE messages
-.TP
-.BR charon.plugins.eap-radius.eap_start " [no]"
-Send EAP-Start instead of EAP-Identity to start RADIUS conversation
-.TP
-.BR charon.plugins.eap-radius.filter_id " [no]"
-If the RADIUS
-.I tunnel_type
-attribute with value
-.B ESP
-is received, use the
-.I filter_id
-attribute sent in the RADIUS-Accept message as group membership information that
-is compared to the groups specified in the
-.B rightgroups
-option in
-.B ipsec.conf (5).
-.TP
-.BR charon.plugins.eap-radius.forward.ike_to_radius
-RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
-name or attribute number, a colon can be used to specify vendor-specific
-attributes, e.g. Reply-Message, or 11, or 36906:12).
-.TP
-.BR charon.plugins.eap-radius.forward.radius_to_ike
-Same as
-.B charon.plugins.eap-radius.forward.ike_to_radius
-but from RADIUS to
-IKEv2, a strongSwan specific private notify (40969) is used to transmit the
-attributes.
-.TP
-.BR charon.plugins.eap-radius.id_prefix
-Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
-EAP method
-.TP
-.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
-NAS-Identifier to include in RADIUS messages
-.TP
-.BR charon.plugins.eap-radius.port " [1812]"
-Port of RADIUS server (authentication)
-.TP
-.BR charon.plugins.eap-radius.secret
-Shared secret between RADIUS and NAS
-.TP
-.BR charon.plugins.eap-radius.server
-IP/Hostname of RADIUS server
-.TP
-.BR charon.plugins.eap-radius.servers
-Section to specify multiple RADIUS servers. The
-.BR nas_identifier ,
-.BR secret ,
-.B sockets
-and
-.B port
-(or
-.BR auth_port )
-options can be specified for each server. A server's IP/Hostname can be
-configured using the
-.B address
-option. The
-.BR acct_port " [1813]"
-option can be used to specify the port used for RADIUS accounting.
-For each RADIUS server a priority can be specified using the
-.BR preference " [0]"
-option.
-.TP
-.BR charon.plugins.eap-radius.sockets " [1]"
-Number of sockets (ports) to use, increase for high load
-.TP
-.BR charon.plugins.eap-radius.xauth
-Section to configure multiple XAuth authentication rounds via RADIUS. The subsections define so called
-authentication profiles with arbitrary names. In each profile section one or more XAuth types can be
-configured, with an assigned message. For each type a separate XAuth exchange will be initiated and all
-replies get concatenated into the User-Password attribute, which then gets verified over RADIUS.
-
-Available XAuth types are \fBpassword\fR, \fBpasscode\fR, \fBnextpin\fR, and \fBanswer\fR. This type is
-not relevant to strongSwan or the AAA server, but the client may show a different dialog (along with the
-configured message).
-
-To use the configured profiles, they have to be configured in the respective connection in
-.IR ipsec.conf (5)
-by appending the profile name, separated by a colon, to the
-.B xauth-radius
-XAauth backend configuration in
-.I rightauth
-or
-.IR rightauth2 ,
-for instance,
-.IR rightauth2=xauth-radius:profile .
-.TP
-.BR charon.plugins.eap-sim.request_identity " [yes]"
-
-.TP
-.BR charon.plugins.eap-simaka-sql.database
-
-.TP
-.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
-
-.TP
-.BR charon.plugins.eap-tls.fragment_size " [1024]"
-Maximum size of an EAP-TLS packet
-.TP
-.BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-tls.include_length " [yes]"
-Include length in non-fragmented EAP-TLS packets
-.TP
-.BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
-IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
-.TP
-.BR charon.plugins.eap-ttls.fragment_size " [1024]"
-Maximum size of an EAP-TTLS packet
-.TP
-.BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-ttls.include_length " [yes]"
-Include length in non-fragmented EAP-TTLS packets
-.TP
-.BR charon.plugins.eap-ttls.phase2_method " [md5]"
-Phase2 EAP client authentication method
-.TP
-.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message
-.TP
-.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
-Start phase2 EAP TNC protocol after successful client authentication
-.TP
-.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
-Request peer authentication based on a client certificate
-.TP
-.BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]"
-Socket provided by the error-notify plugin
-.TP
-.BR charon.plugins.ha.autobalance " [0]"
-Interval in seconds to automatically balance handled segments between nodes.
-Set to 0 to disable.
-.TP
-.BR charon.plugins.ha.fifo_interface " [yes]"
-
-.TP
-.BR charon.plugins.ha.heartbeat_delay " [1000]"
-
-.TP
-.BR charon.plugins.ha.heartbeat_timeout " [2100]"
-
-.TP
-.BR charon.plugins.ha.local
-
-.TP
-.BR charon.plugins.ha.monitor " [yes]"
-
-.TP
-.BR charon.plugins.ha.pools
-
-.TP
-.BR charon.plugins.ha.remote
-
-.TP
-.BR charon.plugins.ha.resync " [yes]"
-
-.TP
-.BR charon.plugins.ha.secret
-
-.TP
-.BR charon.plugins.ha.segment_count " [1]"
-
-.TP
-.BR charon.plugins.ipseckey.enable " [no]"
-Enable fetching of IPSECKEY RRs via DNS
-.TP
-.BR charon.plugins.led.activity_led
-
-.TP
-.BR charon.plugins.led.blink_time " [50]"
-
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
-.TP
-.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
-Allow that the remote traffic selector equals the IKE peer. The route installed
-for such traffic (via TUN device) usually prevents further IKE traffic. The
-fwmark options for the \fIkernel-netlink\fR and \fIsocket-default\fR plugins can
-be used to circumvent that problem.
-.TP
-.BR charon.plugins.kernel-netlink.fwmark
-Firewall mark to set on the routing rule that directs traffic to our own routing
-table. The format is [!]mark[/mask], where the optional exclamation mark inverts
-the meaning (i.e. the rule only applies to packets that don't match the mark).
-.TP
-.BR charon.plugins.kernel-netlink.roam_events " [yes]"
-Whether to trigger roam events when interfaces, addresses or routes change
-.TP
-.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
-Lifetime of XFRM acquire state in kernel. The value gets written to
-/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
-acquire messages sent.
-.TP
-.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
-Time in ms to wait until virtual IP addresses appear/disappear before failing.
-.TP
-.BR charon.plugins.load-tester
-Section to configure the load-tester plugin, see LOAD TESTS
-.TP
-.BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
-Socket provided by the lookip plugin
-.TP
-.BR charon.plugins.radattr.dir
-Directory where RADIUS attributes are stored in client-ID specific files.
-.TP
-.BR charon.plugins.radattr.message_id " [-1]"
-Attributes are added to all IKE_AUTH messages by default (-1), or only to the
-IKE_AUTH message with the given IKEv2 message ID.
-.TP
-.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
-File where to add DNS server entries
-.TP
-.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
-Prefix used for interface names sent to resolvconf(8). The nameserver address
-is appended to this prefix to make it unique. The result has to be a valid
-interface name according to the rules defined by resolvconf. Also, it should
-have a high priority according to the order defined in interface-order(5).
-.TP
-.BR charon.plugins.socket-default.fwmark
-Firewall mark to set on outbound packets.
-.TP
-.BR charon.plugins.socket-default.set_source " [yes]"
-Set source address on outbound packets, if possible.
-.TP
-.BR charon.plugins.socket-default.use_ipv4 " [yes]"
-Listen on IPv4, if possible.
-.TP
-.BR charon.plugins.socket-default.use_ipv6 " [yes]"
-Listen on IPv6, if possible.
-.TP
-.BR charon.plugins.sql.database
-Database URI for charons SQL plugin
-.TP
-.BR charon.plugins.sql.loglevel " [-1]"
-Loglevel for logging to SQL database
-.TP
-.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
-Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
-certificates even if they don't contain a CA basic constraint.
-.TP
-.BR charon.plugins.stroke.max_concurrent " [4]"
-Maximum number of stroke messages handled concurrently
-.TP
-.BR charon.plugins.stroke.socket " [unix://@piddir@/charon.ctl]"
-Socket provided by the stroke plugin
-.TP
-.BR charon.plugins.stroke.timeout " [0]"
-Timeout in ms for any stroke command. Use 0 to disable the timeout
-.TP
-.BR charon.plugins.systime-fix.interval " [0]"
-Interval in seconds to check system time for validity. 0 disables the check
-.TP
-.BR charon.plugins.systime-fix.reauth " [no]"
-Whether to use reauth or delete if an invalid cert lifetime is detected
-.TP
-.BR charon.plugins.systime-fix.threshold
-Threshold date where system time is considered valid. Disabled if not specified
-.TP
-.BR charon.plugins.systime-fix.threshold_format " [%Y]"
-strptime(3) format used to parse threshold option
-.TP
-.BR charon.plugins.tnc-ifmap.client_cert
-Path to X.509 certificate file of IF-MAP client
-.TP
-.BR charon.plugins.tnc-ifmap.client_key
-Path to private key file of IF-MAP client
-.TP
-.BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan server as a PEP and/or PDP device
-.TP
-.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
-Interval in seconds between periodic IF-MAP RenewSession requests
-.TP
-.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
-URI of the form [https://]servername[:port][/path]
-.TP
-.BR charon.plugins.tnc-ifmap.server_cert
-Path to X.509 certificate file of IF-MAP server
-.TP
-.BR charon.plugins.tnc-ifmap.username_password
-Credentials of IF-MAP client of the form username:password
-.TP
-.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
-Enable PT-TLS protocol on the strongSwan PDP
-.TP
-.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
-PT-TLS server port the strongSwan PDP is listening on
-.TP
-.BR charon.plugins.tnc-pdp.radius.enable " [yes]"
-Enable RADIUS protocol on the strongSwan PDP
-.TP
-.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
-EAP tunnel method to be used
-.TP
-.BR charon.plugins.tnc-pdp.radius.port " [1812]"
-RADIUS server port the strongSwan PDP is listening on
-.TP
-.BR charon.plugins.tnc-pdp.radius.secret
-Shared RADIUS secret between strongSwan PDP and NAS
-.TP
-.BR charon.plugins.tnc-pdp.server
-Name of the strongSwan PDP as contained in the AAA certificate
-.TP
-.BR charon.plugins.tnc-pdp.timeout
-Timeout in seconds before closing incomplete connections
-.TP
-.BR charon.plugins.updown.dns_handler " [no]"
-Whether the updown script should handle DNS serves assigned via IKEv1 Mode
-Config or IKEv2 Config Payloads (if enabled they can't be handled by other
-plugins, like resolve)
-.TP
-.BR charon.plugins.whitelist.enable " [yes]"
-Enable loaded whitelist plugin
-.TP
-.BR charon.plugins.whitelist.socket " [unix://@piddir@/charon.wlst]"
-Socket provided by the whitelist plugin
-.TP
-.BR charon.plugins.xauth-eap.backend " [radius]"
-EAP plugin to be used as backend for XAuth credential verification
-.TP
-.BR charon.plugins.xauth-pam.pam_service " [login]"
-PAM service to be used for authentication
-.TP
-.BR charon.plugins.xauth-pam.trim_email " [yes]"
-If an email address is given as an XAuth username, trim it to just the
-username part.
-.SS libstrongswan section
-.TP
-.BR libstrongswan.cert_cache " [yes]"
-Whether relations in validated certificate chains should be cached in memory
-.TP
-.BR libstrongswan.crypto_test.bench " [no]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_size " [1024]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_time " [50]"
-
-.TP
-.BR libstrongswan.crypto_test.on_add " [no]"
-Test crypto algorithms during registration
-.TP
-.BR libstrongswan.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation
-.TP
-.BR libstrongswan.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm
-.TP
-.BR libstrongswan.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy
-.TP
-.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
-Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
-strength
-.TP
-.BR libstrongswan.ecp_x_coordinate_only " [yes]"
-Compliance with the errata for RFC 4753
-.TP
-.BR libstrongswan.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused)
-.TP
-.BR libstrongswan.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around
-.TP
-.BR libstrongswan.integrity_test " [no]"
-Check daemon, libstrongswan and plugin integrity at startup
-.TP
-.BR libstrongswan.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output
-.TP
-.BR libstrongswan.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.processor.priority_threads
-Subsection to configure the number of reserved threads per priority class
-see JOB PRIORITY MANAGEMENT
-.TP
-.BR libstrongswan.x509.enforce_critical " [yes]"
-Discard certificates with unsupported or unknown critical extensions
-.SS libstrongswan.plugins subsection
-.TP
-.BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon
-.TP
-.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
-Enable logging of SQL IP pool leases
-.TP
-.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
-Use faster random numbers in gcrypt; for testing only, produces weak keys!
-.TP
-.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
-ENGINE ID to use in the OpenSSL plugin
-.TP
-.BR libstrongswan.plugins.openssl.fips_mode " [0]"
-Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
-.TP
-.BR libstrongswan.plugins.pkcs11.modules
-List of available PKCS#11 modules
-.TP
-.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
-Whether to load certificates from tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
-Reload certificates from all tokens if charon receives a SIGHUP
-.TP
-.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
-Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
-.TP
-.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
-Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
-operations. ECDSA private keys can be used regardless of this option
-.TP
-.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-Whether the PKCS#11 modules should be used to hash data
-.TP
-.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
-Whether the PKCS#11 modules should be used for public key operations, even for
-keys not stored on tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
-Whether the PKCS#11 modules should be used as RNG
-.TP
-.BR libstrongswan.plugins.random.random " [@random_device@]"
-File to read random bytes from, instead of @random_device@
-.TP
-.BR libstrongswan.plugins.random.urandom " [@urandom_device@]"
-File to read pseudo random bytes from, instead of @urandom_device@
-.TP
-.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
-File to read DNS resolver configuration from
-.TP
-.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK). The format of
-the file is the standard DNS Zone file format, anchors can be stored as DS or
-DNSKEY entries in the file.
-.TP
-.BR libstrongswan.plugins.unbound.dlv_anchors
-File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
-the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
-is then used as a root trusted DLV, this means that it is a lookaside for
-the root.
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
-.SS libtnccs section
-.TP
-.BR libtnccs.tnc_config " [/etc/tnc_config]"
-TNC IMC/IMV configuration directory
-.PP
-.SS libtnccs plugins section
-.TP
-.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]"
-Maximum size of a PA-TNC message (XML & Base64 encoding)
-.TP
-.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]"
-Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
-.TP
-.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]"
-Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
-.TP
-.BR libtnccs.plugins.tnc-imc.dlclose " [yes]"
-Unload IMC after use
-.TP
-.BR libtnccs.plugins.tnc-imc.preferred_language " [en]"
-Preferred language for TNC recommendations
-.TP
-.BR libtnccs.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
-.SS libimcv section
-.TP
-.BR libimcv.assessment_result " [yes]"
-Whether IMVs send a standard IETF Assessment Result attribute
-.TP
-.BR libimcv.database
-Global IMV policy database URI
-.TP
-.BR libimcv.debug_level " [1]"
-Debug level for a stand-alone libimcv library
-.TP
-.BR libimcv.load " [random nonce gmp pubkey x509]"
-Plugins to load in IMC/IMVs
-.TP
-.BR libimcv.os_info.name
-Manually set the name of the client OS (e.g. Ubuntu)
-.TP
-.BR libimcv.os_info.version
-Manually set the version of the client OS (e.g. 12.04 i686)
-.TP
-.BR libimcv.policy_script " [ipsec _imv_policy]"
-Script called for each TNC connection to generate IMV policies
-.TP
-.BR libimcv.stderr_quiet " [no]"
-isable output to stderr with a stand-alone libimcv library
-.PP
-.SS libimcv plugins section
-.TP
-.BR libimcv.plugins.imc-attestation.aik_blob
-AIK encrypted private key blob file
-.TP
-.BR libimcv.plugins.imc-attestation.aik_cert
-AIK certificate file
-.TP
-.BR libimcv.plugins.imc-attestation.aik_key
-AIK public key file
-.TP
-.BR libimcv.plugins.imv-attestation.nonce_len " [20]"
-DH nonce length
-.TP
-.BR libimcv.plugins.imv-attestation.use_quote2 " [yes]"
-Use Quote2 AIK signature instead of Quote signature
-.TP
-.BR libimcv.plugins.imv-attestation.cadir
-Path to directory with AIK cacerts
-.TP
-.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
-Preferred Diffie-Hellman group
-.TP
-.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
-Preferred measurement hash algorithm
-.TP
-.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
-DH minimum nonce length
-.TP
-.BR libimcv.plugins.imv-attestation.remediation_uri
-URI pointing to attestation remediation instructions
-.TP
-.BR libimcv.plugins.imc-os.push_info " [yes]"
-Send operating system info without being prompted
-.TP
-.BR libimcv.plugins.imv-os.remediation_uri
-URI pointing to operating system remediation instructions
-.TP
-.BR libimcv.plugins.imc-scanner.push_info " [yes]"
-Send open listening ports without being prompted
-.TP
-.BR libimcv.plugins.imv-scanner.remediation_uri
-URI pointing to scanner remediation instructions
-.TP
-.BR libimcv.plugins.imc-swid.swid_directory " [@prefix@/share]"
-Directory where SWID tags are located
-.TP
-.BR libimcv.plugins.imc-test.additional_ids " [0]"
-Number of additional IMC IDs
-.TP
-.BR libimcv.plugins.imc-test.command " [none]"
-Command to be sent to the Test IMV
-.TP
-.BR libimcv.plugins.imc-test.dummy_size " [0]"
-Size of dummy attribute to be sent to the Test IMV (0 = disabled)
-.TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
-.BR libimcv.plugins.imc-test.retry " [no]"
-Do a handshake retry
-.TP
-.BR libimcv.plugins.imc-test.retry_command
-Command to be sent to the Test IMV in the handshake retry
-.TP
-.BR libimcv.plugins.imv-test.rounds " [0]"
-Number of IMC-IMV retry rounds
-.SS manager section
-.TP
-.BR manager.database
-Credential database URI for manager
-.TP
-.BR manager.debug " [no]"
-Enable debugging in manager
-.TP
-.BR manager.load
-Plugins to load in manager
-.TP
-.BR manager.socket
-FastCGI socket of manager, to run it statically
-.TP
-.BR manager.threads " [10]"
-Threads to use for request handling
-.TP
-.BR manager.timeout " [15m]"
-Session timeout for manager
-.SS mediation client section
-.TP
-.BR medcli.database
-Mediation client database URI
-.TP
-.BR medcli.dpd " [5m]"
-DPD timeout to use in mediation client plugin
-.TP
-.BR medcli.rekey " [20m]"
-Rekeying time on mediation connections in mediation client plugin
-.SS mediation server section
-.TP
-.BR medsrv.database
-Mediation server database URI
-.TP
-.BR medsrv.debug " [no]"
-Debugging in mediation server web application
-.TP
-.BR medsrv.dpd " [5m]"
-DPD timeout to use in mediation server plugin
-.TP
-.BR medsrv.load
-Plugins to load in mediation server plugin
-.TP
-.BR medsrv.password_length " [6]"
-Minimum password length required for mediation server user accounts
-.TP
-.BR medsrv.rekey " [20m]"
-Rekeying time on mediation connections in mediation server plugin
-.TP
-.BR medsrv.socket
-Run Mediation server web application statically on socket
-.TP
-.BR medsrv.threads " [5]"
-Number of thread for mediation service web application
-.TP
-.BR medsrv.timeout " [15m]"
-Session timeout for mediation service
-.SS openac section
-.TP
-.BR openac.load
-Plugins to load in ipsec openac tool
-.SS pacman section
-.TP
-.BR pacman.database
-Database URI for the database that stores the package information
-.SS pki section
-.TP
-.BR pki.load
-Plugins to load in ipsec pki tool
-.SS pool section
-.TP
-.BR pool.load
-Plugins to load in ipsec pool tool
-.SS pt-tls-client section
-.TP
-.BR pt-tls-client.load
-Plugins to load in ipsec pt-tls-client tool
-.SS scepclient section
-.TP
-.BR scepclient.load
-Plugins to load in ipsec scepclient tool
-.SS starter section
-.TP
-.BR starter.load
-Plugins to load in starter
-.TP
-.BR starter.load_warning " [yes]"
-Disable charon plugin load option warning
-
-.SH LOGGER CONFIGURATION
-The options described below provide a much more flexible way to configure
-loggers for the IKEv2 daemon charon than using the
-.B charondebug
-option in
-.BR ipsec.conf (5).
-.PP
-.B Please note
-that if any loggers are specified in strongswan.conf,
-.B charondebug
-does not have any effect.
-.PP
-There are currently two types of loggers defined:
-.TP
-.B File loggers
-Log directly to a file and are defined by specifying the full path to the
-file as subsection in the
-.B charon.filelog
-section. To log to the console the two special filenames
-.BR stdout " and " stderr
-can be used.
-.TP
-.B Syslog loggers
-Log into a syslog facility and are defined by specifying the facility to log to
-as the name of a subsection in the
-.B charon.syslog
-section. The following facilities are currently supported:
-.BR daemon " and " auth .
-.PP
-Multiple loggers can be defined for each type with different log verbosity for
-the different subsystems of the daemon.
-.SS Options
-.TP
-.BR charon.filelog.<filename>.default " [1]"
-.TQ
-.BR charon.syslog.<facility>.default
-Specifies the default loglevel to be used for subsystems for which no specific
-loglevel is defined.
-.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
-.TQ
-.BR charon.syslog.<facility>.<subsystem>
-Specifies the loglevel for the given subsystem.
-.TP
-.BR charon.filelog.<filename>.append " [yes]"
-If this option is enabled log entries are appended to the existing file.
-.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
-Enabling this option disables block buffering and enables line buffering.
-.TP
-.BR charon.filelog.<filename>.ike_name " [no]"
-.TQ
-.BR charon.syslog.<facility>.ike_name
-Prefix each log entry with the connection name and a unique numerical
-identifier for each IKE_SA.
-.TP
-.BR charon.filelog.<filename>.time_format
-Prefix each log entry with a timestamp. The option accepts a format string as
-passed to
-.BR strftime (3).
-.TP
-.BR charon.syslog.identifier
-Global identifier used for an
-.BR openlog (3)
-call, prepended to each log message by syslog. If not configured,
-.BR openlog (3)
-is not called, so the value will depend on system defaults (often the program
-name).
-
-.SS Subsystems
-.TP
-.B dmn
-Main daemon setup/cleanup/signal handling
-.TP
-.B mgr
-IKE_SA manager, handling synchronization for IKE_SA access
-.TP
-.B ike
-IKE_SA
-.TP
-.B chd
-CHILD_SA
-.TP
-.B job
-Jobs queueing/processing and thread pool management
-.TP
-.B cfg
-Configuration management and plugins
-.TP
-.B knl
-IPsec/Networking kernel interface
-.TP
-.B net
-IKE network communication
-.TP
-.B asn
-Low-level encoding/decoding (ASN.1, X.509 etc.)
-.TP
-.B enc
-Packet encoding/decoding encryption/decryption operations
-.TP
-.B tls
-libtls library messages
-.TP
-.B esp
-libipsec library messages
-.TP
-.B lib
-libstrongwan library messages
-.TP
-.B tnc
-Trusted Network Connect
-.TP
-.B imc
-Integrity Measurement Collector
-.TP
-.B imv
-Integrity Measurement Verifier
-.TP
-.B pts
-Platform Trust Service
-.SS Loglevels
-.TP
-.B -1
-Absolutely silent
-.TP
-.B 0
-Very basic auditing logs, (e.g. SA up/SA down)
-.TP
-.B 1
-Generic control flow with errors, a good default to see whats going on
-.TP
-.B 2
-More detailed debugging control flow
-.TP
-.B 3
-Including RAW data dumps in Hex
-.TP
-.B 4
-Also include sensitive material in dumps, e.g. keys
-.SS Example
-.PP
-.EX
- charon {
- filelog {
- /var/log/charon.log {
- time_format = %b %e %T
- append = no
- default = 1
- }
- stderr {
- ike = 2
- knl = 3
- ike_name = yes
- }
- }
- syslog {
- # enable logging to LOG_DAEMON, use defaults
- daemon {
- }
- # minimalistic IKE auditing logging to LOG_AUTHPRIV
- auth {
- default = -1
- ike = 0
- }
- }
- }
-.EE
-
-.SH JOB PRIORITY MANAGEMENT
-Some operations in the IKEv2 daemon charon are currently implemented
-synchronously and blocking. Two examples for such operations are communication
-with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
-certificate chain verification. Under high load conditions, the thread pool may
-run out of available threads, and some more important jobs, such as liveness
-checking, may not get executed in time.
-.PP
-To prevent thread starvation in such situations job priorities were introduced.
-The job processor will reserve some threads for higher priority jobs, these
-threads are not available for lower priority, locking jobs.
-.SS Implementation
-Currently 4 priorities have been defined, and they are used in charon as
-follows:
-.TP
-.B CRITICAL
-Priority for long-running dispatcher jobs.
-.TP
-.B HIGH
-INFORMATIONAL exchanges, as used by liveness checking (DPD).
-.TP
-.B MEDIUM
-Everything not HIGH/LOW, including IKE_SA_INIT processing.
-.TP
-.B LOW
-IKE_AUTH message processing. RADIUS and CRL fetching block here
-.PP
-Although IKE_SA_INIT processing is computationally expensive, it is explicitly
-assigned to the MEDIUM class. This allows charon to do the DH exchange while
-other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
-IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
-.PP
-The thread pool processes jobs strictly by priority, meaning it will consume all
-higher priority jobs before looking for ones with lower priority. Further, it
-reserves threads for certain priorities. A priority class having reserved
-.I n
-threads will always have
-.I n
-threads available for this class (either currently processing a job, or waiting
-for one).
-.SS Configuration
-To ensure that there are always enough threads available for higher priority
-tasks, threads must be reserved for each priority class.
-.TP
-.BR libstrongswan.processor.priority_threads.critical " [0]"
-Threads reserved for CRITICAL priority class jobs
-.TP
-.BR libstrongswan.processor.priority_threads.high " [0]"
-Threads reserved for HIGH priority class jobs
-.TP
-.BR libstrongswan.processor.priority_threads.medium " [0]"
-Threads reserved for MEDIUM priority class jobs
-.TP
-.BR libstrongswan.processor.priority_threads.low " [0]"
-Threads reserved for LOW priority class jobs
-.PP
-Let's consider the following configuration:
-.PP
-.EX
- libstrongswan {
- processor {
- priority_threads {
- high = 1
- medium = 4
- }
- }
- }
-.EE
-.PP
-With this configuration, one thread is reserved for HIGH priority tasks. As
-currently only liveness checking and stroke message processing is done with
-high priority, one or two threads should be sufficient.
-.PP
-The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
-experiencing many blocks in locks while accessing shared resources, threads for
-one or two times the number of CPU cores is fine.
-.PP
-It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
-class rarely return and do not release their thread to the pool.
-.PP
-The remaining threads are available for LOW priority jobs. Reserving threads
-does not make sense (until we have an even lower priority).
-.SS Monitoring
-To see what the threads are actually doing, invoke
-.IR "ipsec statusall" .
-Under high load, something like this will show up:
-.PP
-.EX
- worker threads: 2 or 32 idle, 5/1/2/22 working,
- job queue: 0/0/1/149, scheduled: 198
-.EE
-.PP
-From 32 worker threads,
-.IP 2
-are currently idle.
-.IP 5
-are running CRITICAL priority jobs (dispatching from sockets, etc.).
-.IP 1
-is currently handling a HIGH priority job. This is actually the thread currently
-providing this information via stroke.
-.IP 2
-are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
-messages.
-.IP 22
-are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
-while processing IKE_AUTH messages.
-.PP
-The job queue load shows how many jobs are queued for each priority, ready for
-execution. The single MEDIUM priority job will get executed immediately, as
-we have two spare threads reserved for MEDIUM class jobs.
-
-.SH IKE_SA_INIT DROPPING
-If a responder receives more connection requests per seconds than it can handle,
-it does not make sense to accept more IKE_SA_INIT messages. And if they are
-queued but can't get processed in time, an answer might be sent after the
-client has already given up and restarted its connection setup. This
-additionally increases the load on the responder.
-.PP
-To limit the responder load resulting from new connection attempts, the daemon
-can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
-decide if this should happen, configured with the following options:
-.TP
-.BR charon.init_limit_half_open " [0]"
-Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
-connecting state, but not yet established.
-.TP
-.BR charon.init_limit_job_load " [0]"
-Limit based on the number of jobs currently queued for processing (sum over all
-job priorities).
-.PP
-The second limit includes load from other jobs, such as rekeying. Choosing a
-good value is difficult and depends on the hardware and expected load.
-.PP
-The first limit is simpler to calculate, but includes the load from new
-connections only. If your responder is capable of negotiating 100 tunnels/s, you
-might set this limit to 1000. The daemon will then drop new connection attempts
-if generating a response would require more than 10 seconds. If you are
-allowing for a maximum response time of more than 30 seconds, consider adjusting
-the timeout for connecting IKE_SAs
-.RB ( charon.half_open_timeout ).
-A responder, by default, deletes an IKE_SA if the initiator does not establish
-it within 30 seconds. Under high load, a higher value might be required.
-
-.SH LOAD TESTS
-To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows one to setup thousands of
-tunnels concurrently against the daemon itself or a remote host.
-.PP
-.B WARNING:
-Never enable the load-testing plugin on productive systems. It provides
-preconfigured credentials and allows an attacker to authenticate as any user.
-.SS Options
-.TP
-.BR charon.plugins.load-tester.addrs
-Subsection that contains key/value pairs with address pools (in CIDR notation)
-to use for a specific network interface e.g. eth0 = 10.10.0.0/16
-.TP
-.BR charon.plugins.load-tester.addrs_keep " [no]"
-Whether to keep dynamic addresses even after the associated SA got terminated
-.TP
-.BR charon.plugins.load-tester.addrs_prefix " [16]"
-Network prefix length to use when installing dynamic addresses. If set to -1 the
-full address is used (i.e. 32 or 128)
-.TP
-.BR charon.plugins.load-tester.ca_dir
-Directory to load (intermediate) CA certificates from
-.TP
-.BR charon.plugins.load-tester.child_rekey " [600]"
-Seconds to start CHILD_SA rekeying after setup
-.TP
-.BR charon.plugins.load-tester.delay " [0]"
-Delay between initiatons for each thread
-.TP
-.BR charon.plugins.load-tester.delete_after_established " [no]"
-Delete an IKE_SA as soon as it has been established
-.TP
-.BR charon.plugins.load-tester.digest " [sha1]"
-Digest algorithm used when issuing certificates
-.TP
-.BR charon.plugins.load-tester.dpd_delay " [0]"
-DPD delay to use in load test
-.TP
-.BR charon.plugins.load-tester.dynamic_port " [0]"
-Base port to be used for requests (each client uses a different port)
-.TP
-.BR charon.plugins.load-tester.eap_password " [default-pwd]"
-EAP secret to use in load test
-.TP
-.BR charon.plugins.load-tester.enable " [no]"
-Enable the load testing plugin
-.TP
-.BR charon.plugins.load-tester.esp " [aes128-sha1]"
-CHILD_SA proposal to use for load tests
-.TP
-.BR charon.plugins.load-tester.fake_kernel " [no]"
-Fake the kernel interface to allow load-testing against self
-.TP
-.BR charon.plugins.load-tester.ike_rekey " [0]"
-Seconds to start IKE_SA rekeying after setup
-.TP
-.BR charon.plugins.load-tester.init_limit " [0]"
-Global limit of concurrently established SAs during load test
-.TP
-.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
-Address to initiate from
-.TP
-.BR charon.plugins.load-tester.initiators " [0]"
-Number of concurrent initiator threads to use in load test
-.TP
-.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
-Authentication method(s) the intiator uses
-.TP
-.BR charon.plugins.load-tester.initiator_id
-Initiator ID used in load test
-.TP
-.BR charon.plugins.load-tester.initiator_match
-Initiator ID to match against as responder
-.TP
-.BR charon.plugins.load-tester.initiator_tsi
-Traffic selector on initiator side, as proposed by initiator
-.TP
-.BR charon.plugins.load-tester.initiator_tsr
-Traffic selector on responder side, as proposed by initiator
-.TP
-.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initiate by each initiator in load test
-.TP
-.BR charon.plugins.load-tester.issuer_cert
-Path to the issuer certificate (if not configured a hard-coded value is used)
-.TP
-.BR charon.plugins.load-tester.issuer_key
-Path to private key that is used to issue certificates (if not configured a
-hard-coded value is used)
-.TP
-.BR charon.plugins.load-tester.mode " [tunnel]"
-IPsec mode to use, one of \fBtunnel\fR, \fBtransport\fR, or \fBbeet\fR.
-.TP
-.BR charon.plugins.load-tester.pool
-Provide INTERNAL_IPV4_ADDRs from a named pool
-.TP
-.BR charon.plugins.load-tester.preshared_key " [default-psk]"
-Preshared key to use in load test
-.TP
-.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
-IKE proposal to use in load test
-.TP
-.BR charon.plugins.load-tester.responder " [127.0.0.1]"
-Address to initiation connections to
-.TP
-.BR charon.plugins.load-tester.responder_auth " [pubkey]"
-Authentication method(s) the responder uses
-.TP
-.BR charon.plugins.load-tester.responder_id
-Responder ID used in load test
-.TP
-.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
-Traffic selector on initiator side, as narrowed by responder
-.TP
-.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
-Traffic selector on responder side, as narrowed by responder
-.TP
-.BR charon.plugins.load-tester.request_virtual_ip " [no]"
-Request an INTERNAL_IPV4_ADDR from the server
-.TP
-.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
-Shutdown the daemon after all IKE_SAs have been established
-.TP
-.BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]"
-Socket provided by the load-tester plugin
-.TP
-.BR charon.plugins.load-tester.version " [0]"
-IKE version to use (0 means use IKEv2 as initiator and accept any version as
-responder)
-.PP
-.SS Configuration details
-For public key authentication, the responder uses the
-.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
-identity. For the initiator, each connection attempt uses a different identity
-in the form
-.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
-where the first number inidicates the client number, the second the
-authentication round (if multiple authentication is used).
-.PP
-For PSK authentication, FQDN identities are used. The server uses
-.BR srv.strongswan.org ,
-the client uses an identity in the form
-.BR c1-r1.strongswan.org .
-.PP
-For EAP authentication, the client uses a NAI in the form
-.BR 100000000010001@strongswan.org .
-.PP
-To configure multiple authentication, concatenate multiple methods using, e.g.
-.EX
- initiator_auth = pubkey|psk|eap-md5|eap-aka
-.EE
-.PP
-The responder uses a hardcoded certificate based on a 1024-bit RSA key.
-This certificate additionally serves as CA certificate. A peer uses the same
-private key, but generates client certificates on demand signed by the CA
-certificate. Install the Responder/CA certificate on the remote host to
-authenticate all clients.
-.PP
-To speed up testing, the load tester plugin implements a special Diffie-Hellman
-implementation called modpnull. By setting
-.EX
- proposal = aes128-sha1-modpnull
-.EE
-this wicked fast DH implementation is used. It does not provide any security
-at all, but allows one to run tests without DH calculation overhead.
-.SS Examples
-.PP
-In the simplest case, the daemon initiates IKE_SAs against itself using the
-loopback interface. This will actually establish double the number of IKE_SAs,
-as the daemon is initiator and responder for each IKE_SA at the same time.
-Installation of IPsec SAs would fails, as each SA gets installed twice. To
-simulate the correct behavior, a fake kernel interface can be enabled which does
-not install the IPsec SAs at the kernel level.
-.PP
-A simple loopback configuration might look like this:
-.PP
-.EX
- charon {
- # create new IKE_SAs for each CHILD_SA to simulate
- # different clients
- reuse_ikesa = no
- # turn off denial of service protection
- dos_protection = no
-
- plugins {
- load-tester {
- # enable the plugin
- enable = yes
- # use 4 threads to initiate connections
- # simultaneously
- initiators = 4
- # each thread initiates 1000 connections
- iterations = 1000
- # delay each initiation in each thread by 20ms
- delay = 20
- # enable the fake kernel interface to
- # avoid SA conflicts
- fake_kernel = yes
- }
- }
- }
-.EE
-.PP
-This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
-value if your box can not handle that much load, or decrease it to put more
-load on it. If the daemon starts retransmitting messages your box probably can
-not handle all connection attempts.
-.PP
-The plugin also allows one to test against a remote host. This might help to
-test against a real world configuration. A connection setup to do stress
-testing of a gateway might look like this:
-.PP
-.EX
- charon {
- reuse_ikesa = no
- threads = 32
-
- plugins {
- load-tester {
- enable = yes
- # 10000 connections, ten in parallel
- initiators = 10
- iterations = 1000
- # use a delay of 100ms, overall time is:
- # iterations * delay = 100s
- delay = 100
- # address of the gateway
- remote = 1.2.3.4
- # IKE-proposal to use
- proposal = aes128-sha1-modp1024
- # use faster PSK authentication instead
- # of 1024bit RSA
- initiator_auth = psk
- responder_auth = psk
- # request a virtual IP using configuration
- # payloads
- request_virtual_ip = yes
- # enable CHILD_SA every 60s
- child_rekey = 60
- }
- }
- }
-.EE
-
-.SH IKEv2 RETRANSMISSION
-Retransmission timeouts in the IKEv2 daemon charon can be configured globally
-using the three keys listed below:
-.PP
-.RS
-.nf
-.BR charon.retransmit_base " [1.8]"
-.BR charon.retransmit_timeout " [4.0]"
-.BR charon.retransmit_tries " [5]"
-.fi
-.RE
-.PP
-The following algorithm is used to calculate the timeout:
-.PP
-.EX
- relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
-.EE
-.PP
-Where
-.I n
-is the current retransmission count.
-.PP
-Using the default values, packets are retransmitted in:
-
-.TS
-l r r
----
-lB r r.
-Retransmission Relative Timeout Absolute Timeout
-1 4s 4s
-2 7s 11s
-3 13s 24s
-4 23s 47s
-5 42s 89s
-giving up 76s 165s
-.TE
-
-.SH FILES
-/etc/strongswan.conf
-
-.SH SEE ALSO
-\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
-
-.SH HISTORY
-Written for the
-.UR http://www.strongswan.org
-strongSwan project
-.UE
-by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 08a726041..40001f848 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -264,8 +264,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -333,6 +331,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -421,12 +424,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -441,6 +448,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/scripts/aes-test.c b/scripts/aes-test.c
index ddf4a5ded..eb94180f8 100644
--- a/scripts/aes-test.c
+++ b/scripts/aes-test.c
@@ -167,7 +167,7 @@ static bool get_next_test_vector(test_vector_t *test)
while (fgets(line, sizeof(line), ctx.in))
{
enumerator_t *enumerator;
- chunk_t value;
+ chunk_t value = chunk_empty;
char *token;
int i;
@@ -556,7 +556,7 @@ int main(int argc, char *argv[])
ctx.in = stdin;
ctx.out = stdout;
- library_init(NULL);
+ library_init(NULL, "aes-test");
atexit(library_deinit);
while (true)
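Review bot: The return value of `library_init(NULL, "aes-test")` is discarded, so a failed library initialisation goes unnoticed and the tool carries on. charon-cmd.c in this same commit treats a false return as fatal (`if (!library_init(NULL, "charon-cmd"))` followed by `exit(SS_RC_LIBSTRONGSWAN_INTEGRITY)`), which suggests the call can fail on an integrity-check error. I would write `if (!library_init(NULL, "aes-test")) { exit(1); }` here, using whatever exit code the scripts prefer. The same applies to the `library_init` lines in the other scripts/*.c hunks and in src/_copyright/_copyright.c; main() starts and ends outside this hunk.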
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
index 8101f9cbd..729472e7d 100644
--- a/scripts/crypt_burn.c
+++ b/scripts/crypt_burn.c
@@ -26,7 +26,7 @@ int main(int argc, char *argv[])
int i = 0, limit = 0;
- library_init(NULL);
+ library_init(NULL, "crypt_burn");
lib->plugins->load(lib->plugins, PLUGINS);
atexit(library_deinit);
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index dc0a2870f..8a782d80b 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -118,7 +118,7 @@ int main(int argc, char *argv[])
usage();
}
- library_init(NULL);
+ library_init(NULL, "dh_speed");
lib->plugins->load(lib->plugins, argv[1]);
atexit(library_deinit);
diff --git a/scripts/dnssec.c b/scripts/dnssec.c
index 0cddfc47e..9d35c7cda 100644
--- a/scripts/dnssec.c
+++ b/scripts/dnssec.c
@@ -45,7 +45,7 @@ int main(int argc, char *argv[])
rr_set_t *rrset;
rr_t *rr;
- library_init(NULL);
+ library_init(NULL, "dnssec");
atexit(library_deinit);
dbg = dbg_dnssec;
diff --git a/scripts/fetch.c b/scripts/fetch.c
index f58b37f89..a7d98c946 100644
--- a/scripts/fetch.c
+++ b/scripts/fetch.c
@@ -35,7 +35,7 @@ int main(int argc, char *argv[])
{
chunk_t res;
- library_init(NULL);
+ library_init(NULL, "fetch");
atexit(library_deinit);
lib->plugins->load(lib->plugins, PLUGINS);
diff --git a/scripts/hash_burn.c b/scripts/hash_burn.c
index 20e5642d4..97eab0d84 100644
--- a/scripts/hash_burn.c
+++ b/scripts/hash_burn.c
@@ -25,7 +25,7 @@ int main(int argc, char *argv[])
char buffer[1024];
int limit = 0, i = 0;
- library_init(NULL);
+ library_init(NULL, "hash_burn");
lib->plugins->load(lib->plugins, PLUGINS);
atexit(library_deinit);
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 31f3bee82..e9a4ee692 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -30,7 +30,7 @@ int main(int argc, char *argv[])
char buf[8096];
int read;
- library_init(NULL);
+ library_init(NULL, "key2keyid");
lib->plugins->load(lib->plugins, PLUGINS);
atexit(library_deinit);
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index 6e9a1334e..46257891c 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -30,7 +30,7 @@ int main(int argc, char *argv[])
char buf[8096];
int read, n;
- library_init(NULL);
+ library_init(NULL, "keyid2sql");
lib->plugins->load(lib->plugins, PLUGINS);
atexit(library_deinit);
diff --git a/scripts/malloc_speed.c b/scripts/malloc_speed.c
index 85d51a281..2038098db 100644
--- a/scripts/malloc_speed.c
+++ b/scripts/malloc_speed.c
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
int sizes[16] = { 1, 13, 100, 1000, 16, 10000, 50, 17,
123, 32, 8, 64, 8096, 1024, 123, 9 };
- library_init(NULL);
+ library_init(NULL, "malloc_speed");
atexit(library_deinit);
print_mallinfo();
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index f7e75162a..66279ada3 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -71,7 +71,7 @@ int main(int argc, char *argv[])
usage();
}
- library_init(NULL);
+ library_init(NULL, "pubkey_speed");
lib->plugins->load(lib->plugins, argv[1]);
atexit(library_deinit);
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index e1e8ca82b..7ec477aae 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -251,7 +251,7 @@ static void cleanup()
*/
static void init()
{
- library_init(NULL);
+ library_init(NULL, "tls_test");
dbg = dbg_tls;
diff --git a/src/Makefile.am b/src/Makefile.am
index 218c9434c..7d11893d1 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -96,12 +96,12 @@ if USE_MEDSRV
SUBDIRS += medsrv
endif
-if USE_INTEGRITY_TEST
- SUBDIRS += checksum
-endif
-
if USE_ATTR_SQL
SUBDIRS += pool
+else
+if USE_SQL
+ SUBDIRS += pool
+endif
endif
if USE_TKM
@@ -116,8 +116,6 @@ if USE_LIBPTTLS
SUBDIRS += pt-tls-client
endif
-EXTRA_DIST = strongswan.conf
-
-install-exec-local :
- test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
- test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+if USE_INTEGRITY_TEST
+ SUBDIRS += checksum
+endif
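Review bot: The restrictive install of strongswan.conf (`-m 640`, and no overwrite of an existing file) disappears together with `install-exec-local`, and the rule that replaces it is not visible in this hunk; please confirm the new location keeps both properties. The file can carry secrets (the man page text in this commit lists `eap_password` and `preshared_key` keys), so an install with default permissions would presumably leave them readable by other local users. Separately, the reason `checksum` now has to be the last SUBDIRS entry is not stated; a comment such as `# checksum has to be built after all other SUBDIRS` above `if USE_INTEGRITY_TEST`, if that is the intent, would keep it from being moved back.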
diff --git a/src/Makefile.in b/src/Makefile.in
index 42dfba38e..1c2a427f7 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -101,11 +101,12 @@ host_triplet = @host@
@USE_FAST_TRUE@am__append_22 = libfast
@USE_MANAGER_TRUE@am__append_23 = manager
@USE_MEDSRV_TRUE@am__append_24 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_25 = checksum
-@USE_ATTR_SQL_TRUE@am__append_26 = pool
+@USE_ATTR_SQL_TRUE@am__append_25 = pool
+@USE_ATTR_SQL_FALSE@@USE_SQL_TRUE@am__append_26 = pool
@USE_TKM_TRUE@am__append_27 = charon-tkm
@USE_CMD_TRUE@am__append_28 = charon-cmd
@USE_LIBPTTLS_TRUE@am__append_29 = pt-tls-client
+@USE_INTEGRITY_TEST_TRUE@am__append_30 = checksum
subdir = src
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -183,8 +184,8 @@ DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
libtls libradius libtncif libtnccs libpttls libimcv libpts \
libcharon starter ipsec _copyright charon charon-nm stroke \
_updown _updown_espmark openac scepclient pki conftest dumm \
- libfast manager medsrv checksum pool charon-tkm charon-cmd \
- pt-tls-client
+ libfast manager medsrv pool charon-tkm charon-cmd \
+ pt-tls-client checksum
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -225,8 +226,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -294,6 +293,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -382,12 +386,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -402,6 +410,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -421,8 +430,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
$(am__append_19) $(am__append_20) $(am__append_21) \
$(am__append_22) $(am__append_23) $(am__append_24) \
$(am__append_25) $(am__append_26) $(am__append_27) \
- $(am__append_28) $(am__append_29)
-EXTRA_DIST = strongswan.conf
+ $(am__append_28) $(am__append_29) $(am__append_30)
all: all-recursive
.SUFFIXES:
@@ -678,7 +686,7 @@ install-dvi: install-dvi-recursive
install-dvi-am:
-install-exec-am: install-exec-local
+install-exec-am:
install-html: install-html-recursive
@@ -725,19 +733,14 @@ uninstall-am:
ctags-am distclean distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-exec-local \
- install-html install-html-am install-info install-info-am \
- install-man install-pdf install-pdf-am install-ps \
- install-ps-am install-strip installcheck installcheck-am \
- installdirs installdirs-am maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-generic \
- mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
- uninstall-am
-
-
-install-exec-local :
- test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
- test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ installdirs-am maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+ ps ps-am tags tags-am uninstall uninstall-am
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 8a57e13bc..0783f9e7b 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -184,8 +184,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -253,6 +251,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -341,12 +344,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -361,6 +368,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index b20b17256..806f78062 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -24,7 +24,7 @@
#include <library.h>
static const char *copyright[] = {
- "Copyright (C) 1999-2012",
+ "Copyright (C) 1999-2013",
" Henry Spencer, D. Hugh Redelmeier, Michael Richardson, Ken Bantoft,",
" Stephen J. Bevan, JuanJo Ciarlante, Thomas Egerer, Heiko Hund,",
" Mathieu Lafon, Stephane Laroche, Kai Martius, Stephan Scholz,",
@@ -36,10 +36,12 @@ static const char *copyright[] = {
" Roger Wegmann, Simon Zwahlen,",
" ZHW Zuercher Hochschule Winterthur (Switzerland).",
"",
- " Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
- " Andreas Eigenmann, Giuliano Grassi, Reto Guadagnini, Fabian Hartmann,",
- " Noah Heusser, Jan Hutter, Thomas Kallenberg, Daniel Roethlisberger,",
- " Ralf Sager, Joel Stillhart, Daniel Wydler, Andreas Steffen,",
+ " Philip Boetschi, Tobias Brunner, Christoph Buehler, Reto Buerki,",
+ " Sansar Choinyambuu, Adrian Doerig, Andreas Eigenmann, Giuliano Grassi,",
+ " Reto Guadagnini, Fabian Hartmann, Noah Heusser, Jan Hutter,",
+ " Thomas Kallenberg, Patrick Loetscher, Daniel Roethlisberger,",
+ " Adrian-Ken Rueegsegger, Ralf Sager, Joel Stillhart, Daniel Wydler,",
+ " Andreas Steffen,",
" HSR Hochschule fuer Technik Rapperswil (Switzerland).",
"",
" Martin Willi (revosec AG), Clavister (Sweden).",
@@ -74,7 +76,7 @@ main(int argc, char *argv[])
const char **notice = copyright;
const char **co;
- library_init(NULL);
+ library_init(NULL, "_copyright");
atexit(library_deinit);
while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 30f32b2b7..e77049543 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -165,8 +165,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -234,6 +232,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -322,12 +325,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -342,6 +349,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index c68c23d8a..532bd2437 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -50,6 +50,9 @@
# PLUTO_PROTO
# is the negotiated IPsec protocol, ah|esp
#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
#
@@ -411,6 +414,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
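Review bot: The new ACCEPT rule for protocol 4 is only as narrow as `$IPSEC_POLICY_IN`, which is set outside this hunk; if that variable can ever expand to nothing, the rule admits any unprotected IPIP packet from `$PLUTO_PEER` on `$PLUTO_INTERFACE`. I would state this in the comment, e.g. `# $IPSEC_POLICY_IN must be non-empty here, otherwise unprotected IPIP from the peer is accepted`, or fold it into the test as `if [ -n "$PLUTO_IPCOMP" ] && [ -n "$IPSEC_POLICY_IN" ]`. The expansions are unquoted like the surrounding rules, so the values are assumed to hold no whitespace or glob characters. The same rule is added in the up-client hunk and removed in the down-host and down-client hunks; any guard has to be identical in all four so that `-D` still matches what `-I` inserted.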
@@ -435,6 +446,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -474,6 +492,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -517,6 +544,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 42522f5e8..918bd6a89 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -165,8 +165,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -234,6 +232,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -322,12 +325,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -342,6 +349,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index d484f6463..62d6cd725 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
index 25d706995..a2d424e9a 100644
--- a/src/charon-cmd/charon-cmd.8.in
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -116,6 +116,24 @@ address will always be proposed.
.BI "\-\-remote\-ts " subnet
Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
.TP
+.BI "\-\-ike\-proposal " proposal
+IKE proposal to offer instead of default. For IKEv1, a single proposal consists
+of one encryption algorithm, an integrity/PRF algorithm and a DH group. IKEv2
+can propose multiple algorithms of the same kind. To specify multiple proposals,
+repeat the option.
+.TP
+.BI "\-\-esp\-proposal " proposal
+ESP proposal to offer instead of default. For IKEv1, a single proposal consists
+of one encryption algorithm, an integrity algorithm and an optional DH group for
+Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the
+same kind. To specify multiple proposals, repeat the option.
+.TP
+.BI "\-\-ah\-proposal " proposal
+AH proposal to offer instead of ESP. For IKEv1, a single proposal consists
+of an integrity algorithm and an optional DH group for Perfect Forward Secrecy
+rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify
+multiple proposals, repeat the option.
+.TP
.BI "\-\-profile " name
Authentication profile to use, the list of supported profiles can be found
in the
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 5f4787b58..a70d314af 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -322,7 +322,7 @@ int main(int argc, char *argv[])
dbg = dbg_stderr;
atexit(library_deinit);
- if (!library_init(NULL))
+ if (!library_init(NULL, "charon-cmd"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
@@ -334,12 +334,12 @@ int main(int argc, char *argv[])
}
}
atexit(libhydra_deinit);
- if (!libhydra_init("charon-cmd"))
+ if (!libhydra_init())
{
exit(SS_RC_INITIALIZATION_FAILED);
}
atexit(libcharon_deinit);
- if (!libcharon_init("charon-cmd"))
+ if (!libcharon_init())
{
exit(SS_RC_INITIALIZATION_FAILED);
}
@@ -389,6 +389,7 @@ int main(int argc, char *argv[])
sigaddset(&action.sa_mask, SIGINT);
sigaddset(&action.sa_mask, SIGTERM);
sigaddset(&action.sa_mask, SIGHUP);
+ sigaddset(&action.sa_mask, SIGUSR1);
sigaction(SIGSEGV, &action, NULL);
sigaction(SIGILL, &action, NULL);
sigaction(SIGBUS, &action, NULL);
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 180e8da98..ac085e131 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -87,6 +87,16 @@ struct private_cmd_connection_t {
linked_list_t *remote_ts;
/**
+ * List of IKE proposals
+ */
+ linked_list_t *ike_proposals;
+
+ /**
+ * List of CHILD proposals
+ */
+ linked_list_t *child_proposals;
+
+ /**
* Hostname to connect to
*/
char *host;
@@ -135,6 +145,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
ike_version_t version = IKE_ANY;
bool aggressive = FALSE;
+ proposal_t *proposal;
switch (this->profile)
{
@@ -165,7 +176,18 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
}
ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", local_port,
this->host, remote_port, FRAGMENTATION_NO, 0);
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ if (this->ike_proposals->get_count(this->ike_proposals))
+ {
+ while (this->ike_proposals->remove_first(this->ike_proposals,
+ (void**)&proposal) == SUCCESS)
+ {
+ ike_cfg->add_proposal(ike_cfg, proposal);
+ }
+ }
+ else
+ {
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ }
peer_cfg = peer_cfg_create("cmd", ike_cfg,
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
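Review bot: The loop empties `this->ike_proposals` with `remove_first`, so the configured proposals are consumed by the first call; a second call to create_peer_cfg on the same object would find the list empty and fall back to `proposal_create_default(PROTO_IKE)` without any message. If the function can run more than once per connection object (not visible in this hunk), a user who restricted the offer with `--ike-proposal` would then silently offer the default set. I would either document the single-use assumption above the block, `/* consumes ike_proposals, must only be called once */`, or iterate the list and hand over copies if the proposal type offers a clone method. The create_child_cfg hunk below does the same with `child_proposals`; create_peer_cfg starts and ends outside this hunk.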
@@ -173,7 +195,6 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
TRUE, aggressive, TRUE, /* mobike, aggressive, pull */
30, 0, /* DPD delay, timeout */
FALSE, NULL, NULL); /* mediation */
- peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
return peer_cfg;
}
@@ -306,10 +327,13 @@ static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
/**
* Attach child config to peer config
*/
-static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
+static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
+ peer_cfg_t *peer_cfg)
{
child_cfg_t *child_cfg;
traffic_selector_t *ts;
+ proposal_t *proposal;
+ bool has_v4 = FALSE, has_v6 = FALSE;
lifetime_cfg_t lifetime = {
.time = {
.life = 10800 /* 3h */,
@@ -322,7 +346,18 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
0, 0, NULL, NULL, 0);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ if (this->child_proposals->get_count(this->child_proposals))
+ {
+ while (this->child_proposals->remove_first(this->child_proposals,
+ (void**)&proposal) == SUCCESS)
+ {
+ child_cfg->add_proposal(child_cfg, proposal);
+ }
+ }
+ else
+ {
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ }
while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
{
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -333,12 +368,31 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
"0.0.0.0", 0, "255.255.255.255", 65535);
this->remote_ts->insert_last(this->remote_ts, ts);
+ has_v4 = TRUE;
}
while (this->remote_ts->remove_first(this->remote_ts,
(void**)&ts) == SUCCESS)
{
+ switch (ts->get_type(ts))
+ {
+ case TS_IPV4_ADDR_RANGE:
+ has_v4 = TRUE;
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ has_v6 = TRUE;
+ break;
+ }
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
}
+ if (has_v4)
+ {
+ peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+ }
+ if (has_v6)
+ {
+ peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("::", 0));
+ }
+ peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
return child_cfg;
}
@@ -374,8 +428,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
return JOB_REQUEUE_NONE;
}
- child_cfg = create_child_cfg(this);
- peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+ child_cfg = create_child_cfg(this, peer_cfg);
if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
controller_cb_empty, NULL, 0) != SUCCESS)
@@ -421,6 +474,8 @@ static void set_profile(private_cmd_connection_t *this, char *name)
METHOD(cmd_connection_t, handle, bool,
private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
{
+ proposal_t *proposal;
+
switch (opt)
{
case CMD_OPT_HOST:
@@ -447,6 +502,30 @@ METHOD(cmd_connection_t, handle, bool,
case CMD_OPT_REMOTE_TS:
add_ts(this, this->remote_ts, arg);
break;
+ case CMD_OPT_IKE_PROPOSAL:
+ proposal = proposal_create_from_string(PROTO_IKE, arg);
+ if (!proposal)
+ {
+ exit(1);
+ }
+ this->ike_proposals->insert_last(this->ike_proposals, proposal);
+ break;
+ case CMD_OPT_ESP_PROPOSAL:
+ proposal = proposal_create_from_string(PROTO_ESP, arg);
+ if (!proposal)
+ {
+ exit(1);
+ }
+ this->child_proposals->insert_last(this->child_proposals, proposal);
+ break;
+ case CMD_OPT_AH_PROPOSAL:
+ proposal = proposal_create_from_string(PROTO_AH, arg);
+ if (!proposal)
+ {
+ exit(1);
+ }
+ this->child_proposals->insert_last(this->child_proposals, proposal);
+ break;
case CMD_OPT_PROFILE:
set_profile(this, arg);
break;
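Review bot: The three new proposal cases call `exit(1)` when `proposal_create_from_string()` returns NULL without saying which option or value was rejected, so a mistyped proposal string ends the program with no message from this code. Whether the parser logs the reason itself, and whether a logger is already attached while options are being handled, cannot be seen from this hunk. I would report the failure first, e.g. `DBG1(DBG_CFG, "invalid IKE proposal '%s'", arg);`, or return FALSE if the caller treats that as a usage error. The AH and ESP cases differ only in the protocol constant and could share one helper. handle() begins and ends outside this hunk.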
@@ -459,6 +538,10 @@ METHOD(cmd_connection_t, handle, bool,
METHOD(cmd_connection_t, destroy, void,
private_cmd_connection_t *this)
{
+ this->ike_proposals->destroy_offset(this->ike_proposals,
+ offsetof(proposal_t, destroy));
+ this->child_proposals->destroy_offset(this->child_proposals,
+ offsetof(proposal_t, destroy));
this->local_ts->destroy_offset(this->local_ts,
offsetof(traffic_selector_t, destroy));
this->remote_ts->destroy_offset(this->remote_ts,
@@ -481,6 +564,8 @@ cmd_connection_t *cmd_connection_create()
.pid = getpid(),
.local_ts = linked_list_create(),
.remote_ts = linked_list_create(),
+ .ike_proposals = linked_list_create(),
+ .child_proposals = linked_list_create(),
.profile = PROF_UNDEF,
);
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
index 597ccda1f..5428941ff 100644
--- a/src/charon-cmd/cmd/cmd_options.c
+++ b/src/charon-cmd/cmd/cmd_options.c
@@ -56,6 +56,12 @@ cmd_option_t cmd_options[CMD_OPT_COUNT] = {
"additional traffic selector to propose for our side", {}},
{ CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
"traffic selector to propose for remote side", {}},
+ { CMD_OPT_IKE_PROPOSAL, "ike-proposal", required_argument, "proposal",
+ "a single IKE proposal to offer instead of the default", {}},
+ { CMD_OPT_ESP_PROPOSAL, "esp-proposal", required_argument, "proposal",
+ "a single ESP proposal to offer instead of the default", {}},
+ { CMD_OPT_AH_PROPOSAL, "ah-proposal", required_argument, "proposal",
+ "a single AH proposal to offer instead of the default", {}},
{ CMD_OPT_PROFILE, "profile", required_argument, "name",
"authentication profile to use, where name is one of:", {
" ikev2-pub, ikev2-eap, ikev2-pub-eap",
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
index 6b8b04cdf..c7441e795 100644
--- a/src/charon-cmd/cmd/cmd_options.h
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -45,6 +45,9 @@ enum cmd_option_type_t {
CMD_OPT_AGENT,
CMD_OPT_LOCAL_TS,
CMD_OPT_REMOTE_TS,
+ CMD_OPT_IKE_PROPOSAL,
+ CMD_OPT_AH_PROPOSAL,
+ CMD_OPT_ESP_PROPOSAL,
CMD_OPT_PROFILE,
CMD_OPT_COUNT
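Review bot: The enum adds the new options in the order IKE, AH, ESP, while the `cmd_options[]` table in cmd_options.c adds them as IKE, ESP, AH. That is harmless as long as every lookup goes through the entry's id field, but any code that indexes `cmd_options[]` by the enum value would pick the wrong entry for the AH and ESP options; this is not visible here and should be confirmed. Keeping both in the same order, `CMD_OPT_ESP_PROPOSAL,` before `CMD_OPT_AH_PROPOSAL,`, removes the question.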
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index c204c8c3a..955d15313 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -192,8 +192,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -261,6 +259,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -349,12 +352,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -369,6 +376,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 9ce6dbaeb..32cec36ec 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -161,7 +161,7 @@ int main(int argc, char *argv[])
dbg = dbg_syslog;
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "charon-nm"))
{
library_deinit();
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -175,7 +175,7 @@ int main(int argc, char *argv[])
exit(SS_RC_DAEMON_INTEGRITY);
}
- if (!libhydra_init("charon-nm"))
+ if (!libhydra_init())
{
dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
libhydra_deinit();
@@ -183,7 +183,7 @@ int main(int argc, char *argv[])
exit(SS_RC_INITIALIZATION_FAILED);
}
- if (!libcharon_init("charon-nm"))
+ if (!libcharon_init())
{
dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
goto deinit;
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index f474dad60..ebebde2c0 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -22,10 +22,6 @@
#include <daemon.h>
#include <processing/jobs/callback_job.h>
-#ifndef CAP_DAC_OVERRIDE
-#define CAP_DAC_OVERRIDE 1
-#endif
-
typedef struct nm_backend_t nm_backend_t;
/**
@@ -143,14 +139,6 @@ static bool nm_backend_init()
return FALSE;
}
- /* bypass file permissions to read from users ssh-agent */
- if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
- {
- DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
- nm_backend_deinit();
- return FALSE;
- }
-
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index f37367532..f0daff61e 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -412,9 +412,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
loose_gateway_id = TRUE;
}
- if (auth_class == AUTH_CLASS_EAP)
+ if (auth_class == AUTH_CLASS_EAP ||
+ auth_class == AUTH_CLASS_PSK)
{
- /* username/password authentication ... */
+ /* username/password or PSK authentication ... */
str = nm_setting_vpn_get_data_item(vpn, "user");
if (str)
{
@@ -548,7 +549,14 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
auth->add(auth, AUTH_RULE_IDENTITY, user);
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ if (auth_class == AUTH_CLASS_PSK)
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+ }
+ else
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ }
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
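Review bot: With `AUTH_CLASS_PSK` the gateway round no longer asks for a public-key signature, so authentication of the gateway rests entirely on the shared secret, and nothing in this hunk constrains the quality of that secret. The secret appears to be the NetworkManager "password" item (need_secrets now checks it for method "psk"), which users tend to fill with short passphrases, and low-entropy pre-shared keys are open to offline guessing. I would enforce a minimum length where the password item is read (outside this hunk) and fail the connection with a clear error otherwise; the threshold is a project decision. A comment at the branch, `/* PSK: the gateway is authenticated by the shared secret only */`, would also make the weaker trust model explicit. connect_() begins and ends outside this hunk.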
@@ -623,7 +631,7 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
method = nm_setting_vpn_get_data_item(settings, "method");
if (method)
{
- if (streq(method, "eap"))
+ if (streq(method, "eap") || streq(method, "psk"))
{
if (nm_setting_vpn_get_secret(settings, "password"))
{
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index 0fef1f62d..d2b81a3ea 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -1,26 +1,30 @@
-SRC = $(top_builddir)/src
+SRC = $(abs_top_srcdir)/src
+OBJ = $(abs_top_builddir)/src
-# includes relative to obj directory
AM_CPPFLAGS = \
- -include $(top_builddir)/config.h \
- -I../$(SRC)/libstrongswan \
- -I../$(SRC)/libhydra \
- -I../$(SRC)/libcharon
+ -include $(abs_top_builddir)/config.h \
+ -I$(SRC)/libstrongswan \
+ -I$(SRC)/libhydra \
+ -I$(SRC)/libcharon
LIBLD = \
- -L$(SRC)/libstrongswan/.libs \
- -L$(SRC)/libhydra/.libs \
- -L$(SRC)/libcharon/.libs
-LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+ -L$(OBJ)/libstrongswan/.libs \
+ -L$(OBJ)/libhydra/.libs \
+ -L$(OBJ)/libcharon/.libs
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
LIBFL = -lstrongswan -lhydra -lcharon
DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
BUILD_OPTS = \
- -XOBJ_DIR=$(CURDIR)/obj \
+ -XOBJ_DIR=$(abs_builddir)/obj \
-cargs $(AM_CPPFLAGS) $(DEFS) \
-largs $(LIBLD) $(LIBFL)
+TEST_OPTS = \
+ -cargs -DBUILDDIR=\"${abs_top_builddir}\" \
+ -largs -L$(OBJ)/libstrongswan/tests/.libs -ltest
+
# plugins to enable
PLUGINS = \
kernel-netlink \
@@ -35,15 +39,15 @@ build_charon: build_charon.gpr src/charon-tkm.c
@$(GPRBUILD) -p $< $(BUILD_OPTS)
build_tests: build_tests.gpr
- @$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+ @$(GPRBUILD) -p $< $(BUILD_OPTS) $(TEST_OPTS)
+
+check-tkm: build_tests
+ @LD_LIBRARY_PATH=$(LIBPT) obj/tests
-if UNITTESTS
-check: build_tests
- @LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
-else
check:
- @echo "reconfigure with --enable-unit-tests"
-endif
+ @echo "TKM tests are not run automatically because they have to be run as root" >&2
+ @echo "and require a properly configured TKM daemon to be running." >&2
+ @echo "They can be run from '$(abs_builddir)' with 'make check-tkm'" >&2
install: build_charon
$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
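Review bot: `check-tkm` is meant to be run as root and starts `obj/tests` with `LD_LIBRARY_PATH=$(LIBPT)`, so root loads whatever shared objects sit in the `.libs` directories of the build tree. The hint printed by `check` should say that the build tree must be owned by, and writable only for, a trusted user, e.g. one more line `@echo "Run them only from a build tree that other users cannot write to." >&2`. The recipe also uses the relative path `obj/tests` while OBJ_DIR is now `$(abs_builddir)/obj`; writing `$(abs_builddir)/obj/tests` would keep the two in step when make is started from another directory.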
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 5f878acf9..15e654d00 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -131,8 +131,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -200,6 +198,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -288,12 +291,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -308,6 +315,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -318,27 +326,30 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-SRC = $(top_builddir)/src
-
-# includes relative to obj directory
+SRC = $(abs_top_srcdir)/src
+OBJ = $(abs_top_builddir)/src
AM_CPPFLAGS = \
- -include $(top_builddir)/config.h \
- -I../$(SRC)/libstrongswan \
- -I../$(SRC)/libhydra \
- -I../$(SRC)/libcharon
+ -include $(abs_top_builddir)/config.h \
+ -I$(SRC)/libstrongswan \
+ -I$(SRC)/libhydra \
+ -I$(SRC)/libcharon
LIBLD = \
- -L$(SRC)/libstrongswan/.libs \
- -L$(SRC)/libhydra/.libs \
- -L$(SRC)/libcharon/.libs
+ -L$(OBJ)/libstrongswan/.libs \
+ -L$(OBJ)/libhydra/.libs \
+ -L$(OBJ)/libcharon/.libs
-LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
LIBFL = -lstrongswan -lhydra -lcharon
BUILD_OPTS = \
- -XOBJ_DIR=$(CURDIR)/obj \
+ -XOBJ_DIR=$(abs_builddir)/obj \
-cargs $(AM_CPPFLAGS) $(DEFS) \
-largs $(LIBLD) $(LIBFL)
+TEST_OPTS = \
+ -cargs -DBUILDDIR=\"${abs_top_builddir}\" \
+ -largs -L$(OBJ)/libstrongswan/tests/.libs -ltest
+
# plugins to enable
PLUGINS = \
@@ -543,12 +554,15 @@ build_charon: build_charon.gpr src/charon-tkm.c
@$(GPRBUILD) -p $< $(BUILD_OPTS)
build_tests: build_tests.gpr
- @$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+ @$(GPRBUILD) -p $< $(BUILD_OPTS) $(TEST_OPTS)
+
+check-tkm: build_tests
+ @LD_LIBRARY_PATH=$(LIBPT) obj/tests
-@UNITTESTS_TRUE@check: build_tests
-@UNITTESTS_TRUE@ @LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
-@UNITTESTS_FALSE@check:
-@UNITTESTS_FALSE@ @echo "reconfigure with --enable-unit-tests"
+check:
+ @echo "TKM tests are not run automatically because they have to be run as root" >&2
+ @echo "and require a properly configured TKM daemon to be running." >&2
+ @echo "They can be run from '$(abs_builddir)' with 'make check-tkm'" >&2
install: build_charon
$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
diff --git a/src/charon-tkm/build_common.gpr b/src/charon-tkm/build_common.gpr
index ac322d713..102f6b7a2 100644
--- a/src/charon-tkm/build_common.gpr
+++ b/src/charon-tkm/build_common.gpr
@@ -5,7 +5,7 @@ project Build_Common is
for Source_Dirs use ();
- Obj_Dir := "obj";
+ Obj_Dir := external ("OBJ_DIR", "obj");
C_Compiler_Switches := ("-W",
"-Wall",
diff --git a/src/charon-tkm/build_tests.gpr b/src/charon-tkm/build_tests.gpr
index 032c7969e..2bdc99650 100644
--- a/src/charon-tkm/build_tests.gpr
+++ b/src/charon-tkm/build_tests.gpr
@@ -4,11 +4,15 @@ project Build_Tests is
for Languages use ("Ada", "C");
for Source_Dirs use ("src/ees", "src/ehandler", "src/tkm", "tests");
- for Main use ("test_runner");
+ for Main use ("tests");
for Object_Dir use Build_Common.Obj_Dir;
package Compiler is
for Default_Switches ("c") use Build_Common.C_Compiler_Switches;
end Compiler;
+ package Binder is
+ for Default_Switches ("ada") use Build_Common.Ada_Binder_Switches;
+ end Binder;
+
end Build_Tests;
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 14a735590..9a22f9ad9 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -250,13 +250,13 @@ int main(int argc, char *argv[])
dbg = dbg_syslog;
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, dmn_name))
{
library_deinit();
exit(status);
}
- if (!libhydra_init(dmn_name))
+ if (!libhydra_init())
{
dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
libhydra_deinit();
@@ -264,7 +264,7 @@ int main(int argc, char *argv[])
exit(status);
}
- if (!libcharon_init(dmn_name))
+ if (!libcharon_init())
{
dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
goto deinit;
@@ -288,10 +288,6 @@ int main(int argc, char *argv[])
static plugin_feature_t features[] = {
PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
PLUGIN_PROVIDE(NONCE_GEN),
- PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
- PLUGIN_PROVIDE(DH, MODP_2048_BIT),
- PLUGIN_PROVIDE(DH, MODP_3072_BIT),
- PLUGIN_PROVIDE(DH, MODP_4096_BIT),
PLUGIN_REGISTER(PUBKEY, tkm_public_key_load, TRUE),
PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
@@ -302,6 +298,12 @@ int main(int argc, char *argv[])
lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
countof(features), TRUE);
+ if (!register_dh_mapping())
+ {
+ DBG1(DBG_DMN, "no DH group mapping defined - aborting %s", dmn_name);
+ goto deinit;
+ }
+
/* register TKM keymat variant */
keymat_register_constructor(IKEV2, (keymat_constructor_t)tkm_keymat_create);
@@ -380,6 +382,7 @@ int main(int argc, char *argv[])
lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
deinit:
+ destroy_dh_mapping();
libcharon_deinit();
libhydra_deinit();
library_deinit();
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c
index a39221dc2..61eb6056c 100644
--- a/src/charon-tkm/src/tkm/tkm.c
+++ b/src/charon-tkm/src/tkm/tkm.c
@@ -61,7 +61,7 @@ bool tkm_init()
ehandler_init();
ikesock = lib->settings->get_str(lib->settings, "%s.ike_socket", IKE_SOCKET,
- charon->name);
+ lib->ns);
if (ike_init(ikesock) != TKM_OK)
{
tkmlib_final();
@@ -70,7 +70,7 @@ bool tkm_init()
DBG1(DBG_DMN, "connected to TKM via socket '%s'", ikesock);
eessock = lib->settings->get_str(lib->settings, "%s.ees_socket", EES_SOCKET,
- charon->name);
+ lib->ns);
ees_server_init(eessock);
DBG1(DBG_DMN, "serving EES requests on socket '%s'", eessock);
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 19f57de01..a34d0b1d4 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -21,10 +21,13 @@
#include "tkm_utils.h"
#include "tkm_diffie_hellman.h"
-#include <utils/debug.h>
+#include <daemon.h>
+#include <collections/hashtable.h>
typedef struct private_tkm_diffie_hellman_t private_tkm_diffie_hellman_t;
+static hashtable_t *group_map = NULL;
+
/**
* Private data of a tkm_diffie_hellman_t object.
*/
@@ -102,6 +105,95 @@ METHOD(tkm_diffie_hellman_t, get_id, dh_id_type,
return this->context_id;
}
+static u_int hash(void *key)
+{
+ diffie_hellman_group_t k = *(diffie_hellman_group_t*)key;
+ return chunk_hash(chunk_from_thing(k));
+}
+
+static bool equals(void *key, void *other_key)
+{
+ return *(diffie_hellman_group_t*)key == *(diffie_hellman_group_t*)other_key;
+}
+
+/*
+ * Described in header.
+ */
+int register_dh_mapping()
+{
+ int count, i;
+ char *iana_id_str, *tkm_id_str;
+ diffie_hellman_group_t *iana_id;
+ u_int64_t *tkm_id;
+ hashtable_t *map;
+ enumerator_t *enumerator;
+
+ map = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 16);
+
+ enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+ "%s.dh_mapping",
+ lib->ns);
+
+ while (enumerator->enumerate(enumerator, &iana_id_str, &tkm_id_str))
+ {
+ iana_id = malloc_thing(diffie_hellman_group_t);
+ *iana_id = settings_value_as_int(iana_id_str, 0);
+ tkm_id = malloc_thing(u_int64_t);
+ *tkm_id = settings_value_as_int(tkm_id_str, 0);
+
+ map->put(map, iana_id, tkm_id);
+ }
+ enumerator->destroy(enumerator);
+
+ count = map->get_count(map);
+ plugin_feature_t f[count + 1];
+ f[0] = PLUGIN_REGISTER(DH, tkm_diffie_hellman_create);
+
+ i = 1;
+ enumerator = map->create_enumerator(map);
+ while (enumerator->enumerate(enumerator, &iana_id, &tkm_id))
+ {
+ f[i] = PLUGIN_PROVIDE(DH, *iana_id);
+ i++;
+ }
+ enumerator->destroy(enumerator);
+
+ lib->plugins->add_static_features(lib->plugins, "tkm-dh", f, countof(f), TRUE);
+
+ if (count > 0)
+ {
+ group_map = map;
+ }
+ else
+ {
+ map->destroy(map);
+ }
+
+ return count;
+}
+
+/*
+ * Described in header.
+ */
+void destroy_dh_mapping()
+{
+ enumerator_t *enumerator;
+ char *key, *value;
+
+ if (group_map)
+ {
+ enumerator = group_map->create_enumerator(group_map);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ free(key);
+ free(value);
+ }
+ enumerator->destroy(enumerator);
+ group_map->destroy(group_map);
+ }
+}
+
/*
* Described in header.
*/
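Review bot: `destroy_dh_mapping()` frees the table but leaves the static `group_map` pointing at it, and charon-tkm.c calls it before `libcharon_deinit()`; a later `tkm_diffie_hellman_create()` would pass the `!group_map` check and read freed memory. Add `group_map = NULL;` after `group_map->destroy(group_map);`. In `register_dh_mapping()` both ids go through `settings_value_as_int(..., 0)`, so an unparsable key or value silently becomes 0 and is registered as a mapping. If two keys parse to the same group, the value returned by `map->put()` is dropped, which looks like a leak. Skipping entries that fail to parse, with a log line, would make a configuration typo visible instead of registering DH group 0.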
@@ -109,6 +201,11 @@ tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group)
{
private_tkm_diffie_hellman_t *this;
+ if (!group_map)
+ {
+ return NULL;
+ }
+
INIT(this,
.public = {
.dh = {
@@ -130,7 +227,14 @@ tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group)
return NULL;
}
- if (ike_dh_create(this->context_id, group, &this->pubvalue) != TKM_OK)
+ u_int64_t *dha_id = group_map->get(group_map, &group);
+ if (!dha_id)
+ {
+ free(this);
+ return NULL;
+ }
+
+ if (ike_dh_create(this->context_id, *dha_id, &this->pubvalue) != TKM_OK)
{
free(this);
return NULL;
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.h b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
index a144303fa..d38a414d8 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
@@ -47,6 +47,19 @@ struct tkm_diffie_hellman_t {
};
/**
+ * Loads IANA DH group identifier to TKM id mapping from config and registers
+ * the corresponding DH features.
+ *
+ * @return number of registered mappings
+ */
+int register_dh_mapping();
+
+/**
+ * Destroy IANA DH group identifier to TKM id mapping.
+ */
+void destroy_dh_mapping();
+
+/**
* Creates a new tkm_diffie_hellman_t object.
*
* @param group Diffie Hellman group number to use
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
index 407d0a87f..0fadf1acf 100644
--- a/src/charon-tkm/src/tkm/tkm_id_manager.c
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -17,7 +17,6 @@
#include "tkm_id_manager.h"
#include <utils/debug.h>
-#include <collections/linked_list.h>
#include <threading/rwlock.h>
#define TKM_LIMIT 100
diff --git a/src/charon-tkm/tests/chunk_map_tests.c b/src/charon-tkm/tests/chunk_map_tests.c
index 6deef9a80..1283a787c 100644
--- a/src/charon-tkm/tests/chunk_map_tests.c
+++ b/src/charon-tkm/tests/chunk_map_tests.c
@@ -14,7 +14,7 @@
* for more details.
*/
-#include <check.h>
+#include <tests/test_suite.h>
#include "tkm_chunk_map.h"
@@ -48,11 +48,20 @@ START_TEST(test_chunk_map_handling)
}
END_TEST
-TCase *make_chunk_map_tests(void)
+Suite *make_chunk_map_tests()
{
- TCase *tc = tcase_create("Chunk map tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("chunk map");
+
+ tc = tcase_create("creating");
tcase_add_test(tc, test_chunk_map_creation);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("handling");
tcase_add_test(tc, test_chunk_map_handling);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c
index ffe99614d..89658a770 100644
--- a/src/charon-tkm/tests/diffie_hellman_tests.c
+++ b/src/charon-tkm/tests/diffie_hellman_tests.c
@@ -14,7 +14,8 @@
* for more details.
*/
-#include <check.h>
+#include <daemon.h>
+#include <tests/test_suite.h>
#include "tkm_diffie_hellman.h"
@@ -49,11 +50,20 @@ START_TEST(test_dh_get_my_pubvalue)
}
END_TEST
-TCase *make_diffie_hellman_tests(void)
+Suite *make_diffie_hellman_tests()
{
- TCase *tc = tcase_create("Diffie-Hellman tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("Diffie-Hellman");
+
+ tc = tcase_create("creation");
tcase_add_test(tc, test_dh_creation);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get_my_pubvalue");
tcase_add_test(tc, test_dh_get_my_pubvalue);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
diff --git a/src/charon-tkm/tests/id_manager_tests.c b/src/charon-tkm/tests/id_manager_tests.c
index 15522f118..8157496ca 100644
--- a/src/charon-tkm/tests/id_manager_tests.c
+++ b/src/charon-tkm/tests/id_manager_tests.c
@@ -14,7 +14,7 @@
* for more details.
*/
-#include <check.h>
+#include <tests/test_suite.h>
#include "tkm_id_manager.h"
@@ -135,16 +135,28 @@ START_TEST(test_release_id_nonexistent)
}
END_TEST
-TCase *make_id_manager_tests(void)
+Suite *make_id_manager_tests()
{
- TCase *tc = tcase_create("Context id manager tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("context id manager");
+
+ tc = tcase_create("creation");
tcase_add_test(tc, test_id_mgr_creation);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("acquire");
tcase_add_test(tc, test_acquire_id);
tcase_add_test(tc, test_acquire_id_invalid_kind);
tcase_add_test(tc, test_acquire_id_same);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("release");
tcase_add_test(tc, test_release_id);
tcase_add_test(tc, test_release_id_invalid_kind);
tcase_add_test(tc, test_release_id_nonexistent);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index 11785602d..6f0b396d3 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -14,7 +14,7 @@
* for more details.
*/
-#include <check.h>
+#include <tests/test_suite.h>
#include "tkm_kernel_sad.h"
@@ -107,16 +107,31 @@ START_TEST(test_remove_nonexistent)
}
END_TEST
-TCase *make_kernel_sad_tests(void)
+Suite *make_kernel_sad_tests()
{
- TCase *tc = tcase_create("Kernel SAD tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("kernel SAD tests");
+
+ tc = tcase_create("creation");
tcase_add_test(tc, test_sad_creation);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("insert");
tcase_add_test(tc, test_insert);
tcase_add_test(tc, test_insert_duplicate);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get_esa_id");
tcase_add_test(tc, test_get_esa_id);
tcase_add_test(tc, test_get_esa_id_nonexistent);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("remove");
tcase_add_test(tc, test_remove);
tcase_add_test(tc, test_remove_nonexistent);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 2a7525d4e..1982671d3 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -14,7 +14,8 @@
* for more details.
*/
-#include <check.h>
+#include <tests/test_suite.h>
+
#include <daemon.h>
#include <hydra.h>
#include <config/proposal.h>
@@ -139,11 +140,20 @@ START_TEST(test_derive_child_keys)
}
END_TEST
-TCase *make_keymat_tests(void)
+Suite *make_keymat_tests()
{
- TCase *tc = tcase_create("Keymat tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("keymat");
+
+ tc = tcase_create("derive IKE keys");
tcase_add_test(tc, test_derive_ike_keys);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("derive CHILD keys");
tcase_add_test(tc, test_derive_child_keys);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c
index 3a1effab8..6f524cb22 100644
--- a/src/charon-tkm/tests/nonceg_tests.c
+++ b/src/charon-tkm/tests/nonceg_tests.c
@@ -14,7 +14,8 @@
* for more details.
*/
-#include <check.h>
+#include <tests/test_suite.h>
+
#include <tkm/client.h>
#include "tkm.h"
@@ -82,12 +83,24 @@ START_TEST(test_nonceg_get_nonce)
}
END_TEST
-TCase *make_nonceg_tests(void)
+Suite *make_nonceg_tests()
{
- TCase *tc = tcase_create("Nonce generator tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("nonce generator");
+
+ tc = tcase_create("creation");
tcase_add_test(tc, test_nonceg_creation);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("allocate");
tcase_add_test(tc, test_nonceg_allocate_nonce);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get");
tcase_add_test(tc, test_nonceg_get_nonce);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
diff --git a/src/charon-tkm/tests/test_runner.c b/src/charon-tkm/tests/test_runner.c
deleted file mode 100644
index 5ae032935..000000000
--- a/src/charon-tkm/tests/test_runner.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2012 Reto Buerki
- * Copyright (C) 2012 Adrian-Ken Rueegsegger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <hydra.h>
-#include <daemon.h>
-
-#include "tkm.h"
-#include "tkm_nonceg.h"
-#include "tkm_diffie_hellman.h"
-#include "tkm_kernel_ipsec.h"
-#include "test_runner.h"
-
-int main(void)
-{
- library_init(NULL);
- libhydra_init("test_runner");
- libcharon_init("test_runner");
-
- lib->settings->set_int(lib->settings, "test_runner.filelog.stdout.default",
- 1);
- charon->load_loggers(charon, NULL, FALSE);
-
- /* Register TKM specific plugins */
- static plugin_feature_t features[] = {
- PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
- PLUGIN_PROVIDE(NONCE_GEN),
- PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
- PLUGIN_PROVIDE(DH, MODP_3072_BIT),
- PLUGIN_PROVIDE(DH, MODP_4096_BIT),
- PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
- PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
- };
- lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
- countof(features), TRUE);
-
- if (!charon->initialize(charon, PLUGINS))
- {
- fprintf(stderr, "Unable to init charon");
- return EXIT_FAILURE;
- }
-
- if (!tkm_init())
- {
- fprintf(stderr, "Could not connect to TKM, aborting tests\n");
- return EXIT_FAILURE;
- }
-
- int number_failed;
- Suite *s = suite_create("TKM tests");
- suite_add_tcase(s, make_id_manager_tests());
- suite_add_tcase(s, make_chunk_map_tests());
- suite_add_tcase(s, make_utility_tests());
- suite_add_tcase(s, make_nonceg_tests());
- suite_add_tcase(s, make_diffie_hellman_tests());
- suite_add_tcase(s, make_keymat_tests());
- suite_add_tcase(s, make_kernel_sad_tests());
-
- SRunner *sr = srunner_create(s);
-
- srunner_run_all(sr, CK_NORMAL);
- number_failed = srunner_ntests_failed(sr);
-
- tkm_deinit();
- libcharon_deinit();
- libhydra_deinit();
- library_deinit();
- srunner_free(sr);
-
- return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
-}
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
new file mode 100644
index 000000000..18754c717
--- /dev/null
+++ b/src/charon-tkm/tests/tests.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <tests/test_runner.h>
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_kernel_ipsec.h"
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tests.h"
+ { .suite = NULL, }
+};
+
+static bool tkm_initialized = false;
+
+static bool test_runner_init(bool init)
+{
+ bool result = TRUE;
+
+ if (init)
+ {
+ libhydra_init();
+ libcharon_init();
+ lib->settings->set_int(lib->settings,
+ "test_runner.filelog.stdout.default", 0);
+ charon->load_loggers(charon, NULL, FALSE);
+
+ /* Register TKM specific plugins */
+ static plugin_feature_t features[] = {
+ PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
+ PLUGIN_PROVIDE(NONCE_GEN),
+ PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
+ PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+ };
+ lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
+ countof(features), TRUE);
+
+ lib->settings->set_int(lib->settings, "%s.dh_mapping.%d", 1,
+ lib->ns, MODP_3072_BIT);
+ lib->settings->set_int(lib->settings, "%s.dh_mapping.%d", 2,
+ lib->ns, MODP_4096_BIT);
+ register_dh_mapping();
+
+ plugin_loader_add_plugindirs(BUILDDIR "/src/libstrongswan/plugins",
+ PLUGINS);
+ plugin_loader_add_plugindirs(BUILDDIR "/src/libhydra/plugins",
+ PLUGINS);
+ plugin_loader_add_plugindirs(BUILDDIR "/src/libcharon/plugins",
+ PLUGINS);
+ if (charon->initialize(charon, PLUGINS))
+ {
+ if (!tkm_initialized)
+ {
+ if (!tkm_init())
+ {
+ return FALSE;
+ }
+ tkm_initialized = true;
+ }
+ return TRUE;
+ }
+ result = FALSE;
+ }
+
+ destroy_dh_mapping();
+ libcharon_deinit();
+ libhydra_deinit();
+ return result;
+}
+
+int main(int argc, char *argv[])
+{
+ bool result;
+
+ /* disable leak detective because of how tkm_init/deinit is called, which
+ * does not work otherwise due to limitations of the external libraries */
+ setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
+
+ result = test_runner_run("tkm", tests, test_runner_init);
+ tkm_deinit();
+
+ return result;
+}
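Review bot: When `tkm_init()` fails inside `test_runner_init`, the `return FALSE;` leaves the function before `destroy_dh_mapping()`, `libcharon_deinit()` and `libhydra_deinit()` run, whereas a failed `charon->initialize()` sets `result = FALSE` and falls through to that teardown. Letting both failures share the fall-through keeps the two paths consistent, as sketched below. Separately, `main` stores the result of `test_runner_run()` in a `bool` and returns it as the process exit status. Its declaration is not part of this hunk, so confirm whether it returns an exit code (then `int` is the right type) or a success flag (then a passing run would exit non-zero).

```c
	if (charon->initialize(charon, PLUGINS))
	{
		/* TKM is initialized only once for the whole run */
		if (tkm_initialized || tkm_init())
		{
			tkm_initialized = true;
			return TRUE;
		}
	}
	result = FALSE;
	/* … unchanged: destroy_dh_mapping() and library teardown … */
```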
diff --git a/src/charon-tkm/tests/test_runner.h b/src/charon-tkm/tests/tests.h
index 236a7f2a6..fb5e96a9c 100644
--- a/src/charon-tkm/tests/test_runner.h
+++ b/src/charon-tkm/tests/tests.h
@@ -14,17 +14,10 @@
* for more details.
*/
-#ifndef TEST_RUNNER_H_
-#define TEST_RUNNER_H_
-
-#include <check.h>
-
-TCase *make_id_manager_tests(void);
-TCase *make_chunk_map_tests(void);
-TCase *make_utility_tests(void);
-TCase *make_nonceg_tests(void);
-TCase *make_diffie_hellman_tests(void);
-TCase *make_keymat_tests(void);
-TCase *make_kernel_sad_tests(void);
-
-#endif /** TEST_RUNNER_H_ */
+TEST_SUITE(make_id_manager_tests)
+TEST_SUITE(make_chunk_map_tests)
+TEST_SUITE(make_utility_tests)
+TEST_SUITE(make_nonceg_tests)
+TEST_SUITE(make_diffie_hellman_tests)
+TEST_SUITE(make_keymat_tests)
+TEST_SUITE(make_kernel_sad_tests)
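Review bot: `tests.h` no longer has an include guard and consists only of `TEST_SUITE(...)` invocations, but nothing in the header says this is deliberate. `tests.c` includes it twice with different definitions of `TEST_SUITE`, so a guard re-added by habit would silently empty the `tests[]` table. A one-line header comment would record that, e.g. `/* suite list, included repeatedly by tests.c with TEST_SUITE redefined; no include guard on purpose */`.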
diff --git a/src/charon-tkm/tests/utils_tests.c b/src/charon-tkm/tests/utils_tests.c
index b3ead7633..0a4d6fbd2 100644
--- a/src/charon-tkm/tests/utils_tests.c
+++ b/src/charon-tkm/tests/utils_tests.c
@@ -14,7 +14,8 @@
* for more details.
*/
-#include <check.h>
+#include <tests/test_suite.h>
+
#include <tkm/types.h>
#include "tkm_utils.h"
@@ -53,11 +54,17 @@ START_TEST(test_chunk_to_sequence)
}
END_TEST
-TCase *make_utility_tests(void)
+Suite *make_utility_tests()
{
- TCase *tc = tcase_create("Utility tests");
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("utility tests");
+
+ tc = tcase_create("chunk<->sequence");
tcase_add_test(tc, test_sequence_to_chunk);
tcase_add_test(tc, test_chunk_to_sequence);
+ suite_add_tcase(s, tc);
- return tc;
+ return s;
}
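Review bot: `Suite *make_utility_tests()` drops the `(void)` the old signature had; in C an empty parameter list leaves the arguments unspecified, so calls are no longer checked against it. `Suite *make_utility_tests(void)` keeps the check, and the declaration macro in `tests.c` (`test_suite_t* x();`) would need the same `(void)` to match. That macro declares the return type as `test_suite_t*` while this definition uses `Suite *`. Presumably `tests/test_suite.h` makes the two the same type, which is not visible here and is worth confirming.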
diff --git a/src/charon/Android.mk b/src/charon/Android.mk
index 1dd27d534..852d73c10 100644
--- a/src/charon/Android.mk
+++ b/src/charon/Android.mk
@@ -8,7 +8,6 @@ charon.c
# build charon -----------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/libhydra \
$(strongswan_PATH)/src/libcharon \
$(strongswan_PATH)/src/libstrongswan
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 0bb2e67bf..f3b7cfd56 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -188,8 +188,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -257,6 +255,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -345,12 +348,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -365,6 +372,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 340f852cd..089ac4570 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -289,7 +289,7 @@ int main(int argc, char *argv[])
dbg = dbg_stderr;
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "charon"))
{
library_deinit();
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -303,7 +303,7 @@ int main(int argc, char *argv[])
exit(SS_RC_DAEMON_INTEGRITY);
}
- if (!libhydra_init("charon"))
+ if (!libhydra_init())
{
dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
libhydra_deinit();
@@ -311,7 +311,7 @@ int main(int argc, char *argv[])
exit(SS_RC_INITIALIZATION_FAILED);
}
- if (!libcharon_init("charon"))
+ if (!libcharon_init())
{
dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
goto deinit;
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index a22e91ed1..d172b1545 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -4,15 +4,16 @@ ipseclib_LTLIBRARIES = $(LIBCHECKSUM_LIBS)
nodist_libchecksum_la_SOURCES = checksum.c
libchecksum_la_LDFLAGS = -module -avoid-version -rpath '$(ipseclibdir)'
-noinst_PROGRAMS = checksum_builder
+EXTRA_PROGRAMS = checksum_builder
checksum_builder_SOURCES = checksum_builder.c
checksum_builder_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(top_builddir)/src/libhydra/libhydra.la \
$(top_builddir)/src/libcharon/libcharon.la \
$(DLLIB)
+checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
-CLEANFILES = checksum.c
+CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
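Review bot: `checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'` bakes the staging directory into the helper's library search path, and no comment says why. Presumably the intent is that the builder loads the freshly installed libraries it is about to checksum. That is only acceptable because the program moved to `EXTRA_PROGRAMS` and is never installed, and it means whatever library sits in that directory during the build is what gets loaded. A comment on the line would record the constraint, e.g. `# build-time helper only: rpath points into the staging tree, never install this binary`.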
@@ -88,28 +89,28 @@ endif
if USE_CHARON
deps += $(top_builddir)/src/libcharon/libcharon.la
libs += $(DESTDIR)$(ipseclibdir)/libcharon.so
- exes += $(top_builddir)/src/charon/.libs/charon
+ exes += $(DESTDIR)$(ipsecdir)/charon
if !MONOLITHIC
AM_CPPFLAGS += -DC_PLUGINS=\""${c_plugins}\""
endif
endif
if USE_CMD
- exes += $(top_builddir)/src/charon-cmd/.libs/charon-cmd
+ exes += $(DESTDIR)$(sbindir)/charon-cmd
endif
if USE_TOOLS
- exes += $(top_builddir)/src/openac/.libs/openac
- exes += $(top_builddir)/src/pki/.libs/pki
- exes += $(top_builddir)/src/scepclient/.libs/scepclient
+ exes += $(DESTDIR)$(ipsecdir)/openac
+ exes += $(DESTDIR)$(ipsecdir)/scepclient
+ exes += $(DESTDIR)$(bindir)/pki
endif
if USE_ATTR_SQL
- exes += $(top_builddir)/src/pool/.libs/pool
+ exes += $(DESTDIR)$(ipsecdir)/pool
endif
if USE_IMV_ATTESTATION
- exes += $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
+ exes += $(DESTDIR)$(ipsecdir)/attest
endif
checksum.c : checksum_builder $(deps) $(exes)
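Review bot: The `exes` entries now name installed files under `$(DESTDIR)`, for which no rule is visible in this Makefile. So `checksum.c : checksum_builder $(deps) $(exes)` either stops with a missing-target error before the other directories are installed or, with an empty `DESTDIR`, accepts binaries left over from an earlier install. The hashes embedded for the integrity check are then those of whatever is on disk at that path. If the rule is only meant to run from the install hook (not visible in this hunk), say so above it: `# needs the programs installed first; only built from install-data-hook`. The list must also track each program's install directory, since `pki` is under `$(bindir)` and `charon-cmd` under `$(sbindir)`.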
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 738133643..cdfbf1016 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -14,7 +14,6 @@
@SET_MAKE@
-
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
@@ -79,7 +78,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-noinst_PROGRAMS = checksum_builder$(EXEEXT)
+EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
@MONOLITHIC_FALSE@am__append_1 = -DS_PLUGINS=\""${s_plugins}\""
@USE_LIBHYDRA_TRUE@am__append_2 = $(top_builddir)/src/libhydra/libhydra.la
@USE_LIBHYDRA_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libhydra.so
@@ -103,15 +102,14 @@ noinst_PROGRAMS = checksum_builder$(EXEEXT)
@USE_PTS_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libpts.so
@USE_CHARON_TRUE@am__append_22 = $(top_builddir)/src/libcharon/libcharon.la
@USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipseclibdir)/libcharon.so
-@USE_CHARON_TRUE@am__append_24 = $(top_builddir)/src/charon/.libs/charon
+@USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon
@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
-@USE_CMD_TRUE@am__append_26 = $(top_builddir)/src/charon-cmd/.libs/charon-cmd
-@USE_TOOLS_TRUE@am__append_27 = \
-@USE_TOOLS_TRUE@ $(top_builddir)/src/openac/.libs/openac \
-@USE_TOOLS_TRUE@ $(top_builddir)/src/pki/.libs/pki \
-@USE_TOOLS_TRUE@ $(top_builddir)/src/scepclient/.libs/scepclient
-@USE_ATTR_SQL_TRUE@am__append_28 = $(top_builddir)/src/pool/.libs/pool
-@USE_IMV_ATTESTATION_TRUE@am__append_29 = $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
+@USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
+@USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/openac \
+@USE_TOOLS_TRUE@ $(DESTDIR)$(ipsecdir)/scepclient \
+@USE_TOOLS_TRUE@ $(DESTDIR)$(bindir)/pki
+@USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
+@USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
subdir = src/checksum
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
@@ -172,7 +170,6 @@ libchecksum_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
$(AM_CFLAGS) $(CFLAGS) $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o \
$@
-PROGRAMS = $(noinst_PROGRAMS)
am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
am__DEPENDENCIES_1 =
@@ -181,6 +178,10 @@ checksum_builder_DEPENDENCIES = \
$(top_builddir)/src/libhydra/libhydra.la \
$(top_builddir)/src/libcharon/libcharon.la \
$(am__DEPENDENCIES_1)
+checksum_builder_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(checksum_builder_LDFLAGS) $(LDFLAGS) \
+ -o $@
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -256,8 +257,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -325,6 +324,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -413,12 +417,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -433,6 +441,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -456,7 +465,8 @@ checksum_builder_LDADD = \
$(top_builddir)/src/libcharon/libcharon.la \
$(DLLIB)
-CLEANFILES = checksum.c
+checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
+CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
@@ -552,18 +562,9 @@ clean-ipseclibLTLIBRARIES:
libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) $(EXTRA_libchecksum_la_DEPENDENCIES)
$(AM_V_CCLD)$(libchecksum_la_LINK) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
-clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) $(EXTRA_checksum_builder_DEPENDENCIES)
@rm -f checksum_builder$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
+ $(AM_V_CCLD)$(checksum_builder_LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -688,7 +689,7 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES)
installdirs:
for dir in "$(DESTDIR)$(ipseclibdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
@@ -727,7 +728,7 @@ maintainer-clean-generic:
clean: clean-am
clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
- clean-local clean-noinstPROGRAMS mostlyclean-am
+ clean-local mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
@@ -801,19 +802,19 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES
.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
clean-ipseclibLTLIBRARIES clean-libtool clean-local \
- clean-noinstPROGRAMS cscopelist-am ctags ctags-am distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am \
- install-data-hook install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-ipseclibLTLIBRARIES install-man \
- install-pdf install-pdf-am install-ps install-ps-am \
- install-strip installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
- pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
- uninstall-hook uninstall-ipseclibLTLIBRARIES
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-data-hook install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am \
+ install-ipseclibLTLIBRARIES install-man install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am uninstall-hook \
+ uninstall-ipseclibLTLIBRARIES
checksum.c : checksum_builder $(deps) $(exes)
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index bccd269cf..cc8185ecd 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -23,9 +23,6 @@
#include <daemon.h>
#include <collections/enumerator.h>
-/* we need to fake the pluto symbol to dlopen() the xauth plugin */
-void *pluto;
-
/**
* Integrity checker
*/
@@ -139,7 +136,7 @@ int main(int argc, char* argv[])
/* avoid confusing leak reports in build process */
setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
/* don't use a strongswan.conf, forces integrity check to disabled */
- library_init("");
+ library_init("", "checksum_builder");
atexit(library_deinit);
integrity = integrity_checker_create(NULL);
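Review bot: The return value of `library_init("", "checksum_builder")` is still discarded, although `charon.c` and `conftest.c` in this same diff treat a false return as fatal. The same applies to the updated calls in `src/dumm/ext/dumm.c` (`Init_dumm`) and `src/dumm/main.c`. For the tool that generates the integrity checksums, continuing on a partly initialized library is worth ruling out: `if (!library_init("", "checksum_builder")) { library_deinit(); return 1; }` placed before the `atexit()` registration. What makes `library_init` return false is not shown here, and `main` extends beyond the hunk.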
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 73bf7240c..ee6bf57f5 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -202,8 +202,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -271,6 +269,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -359,12 +362,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -379,6 +386,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index faf9df91f..584a2698a 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -81,7 +81,7 @@ static bool load_configs(char *suite_file, char *test_file)
}
conftest->test = settings_create(suite_file);
conftest->test->load_files(conftest->test, test_file, TRUE);
- conftest->suite_dir = strdup(dirname(suite_file));
+ conftest->suite_dir = path_dirname(suite_file);
return TRUE;
}
@@ -435,18 +435,18 @@ int main(int argc, char *argv[])
char *suite_file = "suite.conf", *test_file = NULL, *preload, *plugins;
file_logger_t *logger;
- if (!library_init(NULL))
+ if (!library_init(NULL, "conftest"))
{
library_deinit();
return SS_RC_LIBSTRONGSWAN_INTEGRITY;
}
- if (!libhydra_init("conftest"))
+ if (!libhydra_init())
{
libhydra_deinit();
library_deinit();
return SS_RC_INITIALIZATION_FAILED;
}
- if (!libcharon_init("conftest"))
+ if (!libcharon_init())
{
libcharon_deinit();
libhydra_deinit();
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index ab818f1be..f1628ef69 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -223,8 +223,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -292,6 +290,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -380,12 +383,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -400,6 +407,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h
index b9334dc96..6869e3563 100644
--- a/src/dumm/cowfs.h
+++ b/src/dumm/cowfs.h
@@ -64,7 +64,7 @@ struct cowfs_t {
* @param master read only master file system directory
* @param host copy on write host directory
* @param mount mountpoint where union is mounted
- * @return instance, or NULL if FUSE initalization failed
+ * @return instance, or NULL if FUSE initialization failed
*/
cowfs_t *cowfs_create(char *master, char *host, char *mount);
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 5acda3a9c..03ecbe40d 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -774,7 +774,7 @@ void Init_dumm()
/* there are too many to report, rubyruby... */
setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
- library_init(NULL);
+ library_init(NULL, "dumm");
dumm = dumm_create(NULL);
diff --git a/src/dumm/main.c b/src/dumm/main.c
index 4cdf4682f..a53e1f67c 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -479,7 +479,7 @@ int main(int argc, char *argv[])
enumerator_t *enumerator;
guest_t *guest;
- library_init(NULL);
+ library_init(NULL, "dumm");
gtk_init(&argc, &argv);
pages = linked_list_create();
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 1e301feb0..1987dbde5 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -131,8 +131,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -200,6 +198,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -288,12 +291,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -308,6 +315,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 091519292..69b736a7a 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -165,8 +165,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -234,6 +232,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -322,12 +325,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -342,6 +349,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 9548f9b15..b7d820e21 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.1.1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.1.2rc2" "strongSwan"
.
.SH NAME
.
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 0fe88efb4..cc5220973 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -217,7 +217,6 @@ endif
# build libcharon --------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/include \
$(strongswan_PATH)/src/libhydra \
$(strongswan_PATH)/src/libstrongswan
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 4413d69c0..5f8453616 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -715,8 +715,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -784,6 +782,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -872,12 +875,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -892,6 +899,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index cb6f6ca0e..c74daa0cc 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -14,12 +14,12 @@
* for more details.
*/
-#include "ike_cfg.h"
-
+#define _GNU_SOURCE /* for stdndup() */
#include <string.h>
-#include <daemon.h>
+#include "ike_cfg.h"
+#include <daemon.h>
ENUM(ike_version_names, IKE_ANY, IKEV2,
"IKEv1/2",
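Review bot: The comment on the new define reads `/* for stdndup() */`; the function meant is presumably `strndup()`, so the line should be `#define _GNU_SOURCE /* for strndup() */`. The macro only takes effect if it precedes the first system header, which is presumably why `ike_cfg.h` now follows `<string.h>`. Adding `must precede all #includes` to the comment would keep a later include-sort from undoing that.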
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 1f3f2ba8b..891d1be84 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -741,6 +741,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
case ECP_256_BP:
case ECP_384_BP:
case ECP_512_BP:
+ case NTRU_112_BIT:
+ case NTRU_128_BIT:
+ case NTRU_192_BIT:
+ case NTRU_256_BIT:
add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
break;
default:
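Review bot: The four `NTRU_*` cases join the default IKE proposal without a comment, although they are a different kind of key exchange from the ECP groups listed above them. `NTRU_112_BIT` is the lowest of the four strengths. If the surrounding loop (outside this hunk) walks the registered DH implementations, it will be proposed by default whenever a plugin provides it. Once that is confirmed, a comment such as `/* NTRU key exchange, only present if a plugin registers it */` would help, along with an explicit decision on whether the 112-bit set belongs in the defaults. `proposal_add_supported_ike` starts and ends outside the hunk.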
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 5e3ae72b9..0cecd1d3b 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -181,7 +181,7 @@ static void handle_syslog_identifier(private_daemon_t *this)
char *identifier;
identifier = lib->settings->get_str(lib->settings, "%s.syslog.identifier",
- NULL, charon->name);
+ NULL, lib->ns);
if (identifier)
{ /* set identifier, which is prepended to each log line */
if (!this->syslog_identifier ||
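Review bot: `lib->ns` now feeds the `%s` in `"%s.syslog.identifier"`, and in the settings keys changed in the later hunks of this file (`load_sys_logger`, `load_file_logger`, `load_loggers`, `start`, `initialize`). The fallback that kept the old value non-NULL, `strdup(name ?: "libcharon")` in `daemon_create`, is removed further down. Whether `library_init()` substitutes a default when given a NULL namespace is not visible in this part of the diff; if it does not, these lookups format a NULL string. Either confirm that guarantee or document it where `ns` is declared, e.g. `/** namespace used for settings lookups, never NULL */`. `handle_syslog_identifier` continues outside the hunk.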
@@ -292,15 +292,15 @@ static void load_sys_logger(private_daemon_t *this, char *facility,
sys_logger = add_sys_logger(this, facility, current_loggers);
sys_logger->set_options(sys_logger,
lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
- FALSE, charon->name, facility));
+ FALSE, lib->ns, facility));
def = lib->settings->get_int(lib->settings, "%s.syslog.%s.default", 1,
- charon->name, facility);
+ lib->ns, facility);
for (group = 0; group < DBG_MAX; group++)
{
sys_logger->set_level(sys_logger, group,
lib->settings->get_int(lib->settings, "%s.syslog.%s.%N", def,
- charon->name, facility, debug_lower_names, group));
+ lib->ns, facility, debug_lower_names, group));
}
charon->bus->add_logger(charon->bus, &sys_logger->logger);
}
@@ -318,25 +318,25 @@ static void load_file_logger(private_daemon_t *this, char *filename,
char *time_format;
time_format = lib->settings->get_str(lib->settings,
- "%s.filelog.%s.time_format", NULL, charon->name, filename);
+ "%s.filelog.%s.time_format", NULL, lib->ns, filename);
ike_name = lib->settings->get_bool(lib->settings,
- "%s.filelog.%s.ike_name", FALSE, charon->name, filename);
+ "%s.filelog.%s.ike_name", FALSE, lib->ns, filename);
flush_line = lib->settings->get_bool(lib->settings,
- "%s.filelog.%s.flush_line", FALSE, charon->name, filename);
+ "%s.filelog.%s.flush_line", FALSE, lib->ns, filename);
append = lib->settings->get_bool(lib->settings,
- "%s.filelog.%s.append", TRUE, charon->name, filename);
+ "%s.filelog.%s.append", TRUE, lib->ns, filename);
file_logger = add_file_logger(this, filename, current_loggers);
file_logger->set_options(file_logger, time_format, ike_name);
file_logger->open(file_logger, flush_line, append);
def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1,
- charon->name, filename);
+ lib->ns, filename);
for (group = 0; group < DBG_MAX; group++)
{
file_logger->set_level(file_logger, group,
lib->settings->get_int(lib->settings, "%s.filelog.%s.%N", def,
- charon->name, filename, debug_lower_names, group));
+ lib->ns, filename, debug_lower_names, group));
}
charon->bus->add_logger(charon->bus, &file_logger->logger);
}
@@ -353,7 +353,7 @@ METHOD(daemon_t, load_loggers, void,
current_loggers = this->loggers;
this->loggers = linked_list_create();
enumerator = lib->settings->create_section_enumerator(lib->settings,
- "%s.syslog", charon->name);
+ "%s.syslog", lib->ns);
while (enumerator->enumerate(enumerator, &target))
{
load_sys_logger(this, target, current_loggers);
@@ -361,7 +361,7 @@ METHOD(daemon_t, load_loggers, void,
enumerator->destroy(enumerator);
enumerator = lib->settings->create_section_enumerator(lib->settings,
- "%s.filelog", charon->name);
+ "%s.filelog", lib->ns);
while (enumerator->enumerate(enumerator, &target))
{
load_file_logger(this, target, current_loggers);
@@ -473,7 +473,6 @@ static void destroy(private_daemon_t *this)
DESTROY_IF(this->public.bus);
this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
this->mutex->destroy(this->mutex);
- free((void*)this->public.name);
free(this);
}
@@ -483,7 +482,7 @@ METHOD(daemon_t, start, void,
/* start the engine, go multithreaded */
lib->processor->set_threads(lib->processor,
lib->settings->get_int(lib->settings, "%s.threads",
- DEFAULT_THREADS, charon->name));
+ DEFAULT_THREADS, lib->ns));
}
@@ -525,7 +524,7 @@ METHOD(daemon_t, initialize, bool,
PLUGIN_DEPENDS(RNG, RNG_STRONG),
PLUGIN_DEPENDS(CUSTOM, "socket"),
};
- lib->plugins->add_static_features(lib->plugins, charon->name, features,
+ lib->plugins->add_static_features(lib->plugins, lib->ns, features,
countof(features), TRUE);
/* load plugins, further infrastructure may need it */
@@ -558,7 +557,7 @@ METHOD(daemon_t, initialize, bool,
/**
* Create the daemon.
*/
-private_daemon_t *daemon_create(const char *name)
+private_daemon_t *daemon_create()
{
private_daemon_t *this;
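Review bot: The new signature `daemon_create()` has an empty parameter list, which before C23 is not a prototype, so the compiler does not check the arguments at call sites. The same applies to `libcharon_init()` in the later daemon.c hunk and to the declaration `bool libcharon_init();` in daemon.h. Because this commit removes the `name` parameter, a caller that still passes a name would compile without a diagnostic. Writing `bool libcharon_init(void);` in the header and `(void)` on both definitions would turn such calls into compile errors. Other constructors visible in this diff (`receiver_create()`, `sender_create()`) use the same `()` form, so this may be a project convention; the body of `daemon_create` continues outside the hunk.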
@@ -569,7 +568,6 @@ private_daemon_t *daemon_create(const char *name)
.load_loggers = _load_loggers,
.set_level = _set_level,
.bus = bus_create(),
- .name = strdup(name ?: "libcharon"),
},
.loggers = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
@@ -607,7 +605,7 @@ void libcharon_deinit()
/**
* Described in header.
*/
-bool libcharon_init(const char *name)
+bool libcharon_init()
{
private_daemon_t *this;
@@ -618,7 +616,7 @@ bool libcharon_init(const char *name)
return !this->integrity_failed;
}
- this = daemon_create(name);
+ this = daemon_create();
/* for uncritical pseudo random numbers */
srandom(time(NULL) + getpid());
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 24e623c44..36242bb04 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -272,11 +272,6 @@ struct daemon_t {
#endif /* ME */
/**
- * Name of the binary that uses the library (used for settings etc.)
- */
- const char *name;
-
- /**
* Initialize the daemon.
*
* @param plugins list of plugins to load
@@ -324,12 +319,11 @@ extern daemon_t *charon;
* calling initialize().
*
* libcharon_init() may be called multiple times in a single process, but each
- * caller should call libcharon_deinit() for each call to libcharon_init().
+ * caller must call libcharon_deinit() for each call to libcharon_init().
*
- * @param name name of the binary that uses the library
* @return FALSE if integrity check failed
*/
-bool libcharon_init(const char *name);
+bool libcharon_init();
/**
* Deinitialize libcharon and destroy the "charon" instance of daemon_t.
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index f7a13d728..889ad6358 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
"ME_CONNECT_FAILED");
ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
"INITIAL_CONTACT",
"SET_WINDOW_SIZE",
"ADDITIONAL_TS_POSSIBLE",
@@ -109,8 +109,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
"SECURE PASSWORD_METHOD",
"PSK_PERSIST",
"PSK_CONFIRM",
- "ERX_SUPPORTED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
+ "ERX_SUPPORTED",
+ "IFOM_CAPABILITY");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, IFOM_CAPABILITY,
"INITIAL_CONTACT");
ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
"DPD_R_U_THERE",
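Review bot: The long-name table in this hunk carries the string `"SECURE PASSWORD_METHOD"` with a space, while every other entry uses underscores and the short-name table has `"SEC_PASSWD"` for the same slot. This looks like a typo for `"SECURE_PASSWORD_METHOD"`, although the enum constant is not visible here to confirm it. The commit already edits this table to append `"IFOM_CAPABILITY"`, so it is a convenient place to fix it. Anything that matches on the logged notify name would see the changed string.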
@@ -171,7 +172,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
"ME_CONN_FAIL");
ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
"INIT_CONTACT",
"SET_WINSIZE",
"ADD_TS_POSS",
@@ -215,8 +216,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STA
"SEC_PASSWD",
"PSK_PST",
"PSK_CFM",
- "ERX_SUP");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
+ "ERX_SUP",
+ "IFOM_CAP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, IFOM_CAPABILITY,
"INITIAL_CONTACT");
ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
"DPD",
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 847fddc69..c67644a01 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -145,6 +145,8 @@ enum notify_type_t {
PSK_CONFIRM = 16426,
/* EAP Re-authentication Extension, RFC 6867 */
ERX_SUPPORTED = 16427,
+ /* IFOM capability, 3GPP TS 24.303, annex B.2 */
+ IFOM_CAPABILITY = 16428,
/* IKEv1 initial contact */
INITIAL_CONTACT_IKEV1 = 24578,
/* IKEv1 DPD */
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 2209f1997..8dfb47b69 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -633,27 +633,27 @@ receiver_t *receiver_create()
);
if (lib->settings->get_bool(lib->settings,
- "%s.dos_protection", TRUE, charon->name))
+ "%s.dos_protection", TRUE, lib->ns))
{
this->cookie_threshold = lib->settings->get_int(lib->settings,
- "%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, charon->name);
+ "%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, lib->ns);
this->block_threshold = lib->settings->get_int(lib->settings,
- "%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, charon->name);
+ "%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, lib->ns);
}
this->init_limit_job_load = lib->settings->get_int(lib->settings,
- "%s.init_limit_job_load", 0, charon->name);
+ "%s.init_limit_job_load", 0, lib->ns);
this->init_limit_half_open = lib->settings->get_int(lib->settings,
- "%s.init_limit_half_open", 0, charon->name);
+ "%s.init_limit_half_open", 0, lib->ns);
this->receive_delay = lib->settings->get_int(lib->settings,
- "%s.receive_delay", 0, charon->name);
+ "%s.receive_delay", 0, lib->ns);
this->receive_delay_type = lib->settings->get_int(lib->settings,
- "%s.receive_delay_type", 0, charon->name),
+ "%s.receive_delay_type", 0, lib->ns),
this->receive_delay_request = lib->settings->get_bool(lib->settings,
- "%s.receive_delay_request", TRUE, charon->name),
+ "%s.receive_delay_request", TRUE, lib->ns),
this->receive_delay_response = lib->settings->get_bool(lib->settings,
- "%s.receive_delay_response", TRUE, charon->name),
+ "%s.receive_delay_response", TRUE, lib->ns),
this->initiator_only = lib->settings->get_bool(lib->settings,
- "%s.initiator_only", FALSE, charon->name),
+ "%s.initiator_only", FALSE, lib->ns),
this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!this->hasher)
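Review bot: The four assignments from `this->receive_delay_type` to `this->initiator_only` end in `,` instead of `;`, and the rewritten lines keep that (`"%s.initiator_only", FALSE, lib->ns),`). The comma operator therefore chains them into the following `this->hasher = ...` statement. That evaluates in the same order today, but it is fragile: a declaration or `if` inserted between these lines will not compile or will bind unexpectedly. Since each of these lines is touched by the commit anyway, end them with `lib->ns);`. The body of `receiver_create` starts and ends outside this hunk.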
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index dd8efc1ec..bed4f35ce 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -204,13 +204,13 @@ sender_t * sender_create()
.got = condvar_create(CONDVAR_TYPE_DEFAULT),
.sent = condvar_create(CONDVAR_TYPE_DEFAULT),
.send_delay = lib->settings->get_int(lib->settings,
- "%s.send_delay", 0, charon->name),
+ "%s.send_delay", 0, lib->ns),
.send_delay_type = lib->settings->get_int(lib->settings,
- "%s.send_delay_type", 0, charon->name),
+ "%s.send_delay_type", 0, lib->ns),
.send_delay_request = lib->settings->get_bool(lib->settings,
- "%s.send_delay_request", TRUE, charon->name),
+ "%s.send_delay_request", TRUE, lib->ns),
.send_delay_response = lib->settings->get_bool(lib->settings,
- "%s.send_delay_response", TRUE, charon->name),
+ "%s.send_delay_response", TRUE, lib->ns),
);
lib->processor->queue_job(lib->processor,
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 4a8150291..bc32b5ade 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index f2147f694..6278a6234 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 7d8d12d3b..ae64a8758 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/android_log/android_log_logger.c b/src/libcharon/plugins/android_log/android_log_logger.c
index 48bcaa577..99eb66bb1 100644
--- a/src/libcharon/plugins/android_log/android_log_logger.c
+++ b/src/libcharon/plugins/android_log/android_log_logger.c
@@ -100,7 +100,7 @@ android_log_logger_t *android_log_logger_create()
},
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.level = lib->settings->get_int(lib->settings,
- "%s.plugins.android_log.loglevel", 1, charon->name),
+ "%s.plugins.android_log.loglevel", 1, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 8fcd0f19f..f812770f3 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.c b/src/libcharon/plugins/certexpire/certexpire_export.c
index f1205cfd8..4aa84904b 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@@ -430,31 +430,31 @@ certexpire_export_t *certexpire_export_create()
(hashtable_equals_t)equals, 32),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.local_path = lib->settings->get_str(lib->settings,
- "%s.plugins.certexpire.csv.local",
- NULL, charon->name),
+ "%s.plugins.certexpire.csv.local",
+ NULL, lib->ns),
.remote_path = lib->settings->get_str(lib->settings,
- "%s.plugins.certexpire.csv.remote",
- NULL, charon->name),
+ "%s.plugins.certexpire.csv.remote",
+ NULL, lib->ns),
.separator = lib->settings->get_str(lib->settings,
- "%s.plugins.certexpire.csv.separator",
- ",", charon->name),
+ "%s.plugins.certexpire.csv.separator",
+ ",", lib->ns),
.format = lib->settings->get_str(lib->settings,
- "%s.plugins.certexpire.csv.format",
- "%d:%m:%Y", charon->name),
+ "%s.plugins.certexpire.csv.format",
+ "%d:%m:%Y", lib->ns),
.fixed_fields = lib->settings->get_bool(lib->settings,
- "%s.plugins.certexpire.csv.fixed_fields",
- TRUE, charon->name),
+ "%s.plugins.certexpire.csv.fixed_fields",
+ TRUE, lib->ns),
.empty_string = lib->settings->get_str(lib->settings,
- "%s.plugins.certexpire.csv.empty_string",
- "", charon->name),
+ "%s.plugins.certexpire.csv.empty_string",
+ "", lib->ns),
.force = lib->settings->get_bool(lib->settings,
- "%s.plugins.certexpire.csv.force",
- TRUE, charon->name),
+ "%s.plugins.certexpire.csv.force",
+ TRUE, lib->ns),
);
cron = lib->settings->get_str(lib->settings,
"%s.plugins.certexpire.csv.cron",
- NULL, charon->name);
+ NULL, lib->ns);
if (cron)
{
this->cron = certexpire_cron_create(cron,
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 48492595d..d8eb802b7 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/coupling/coupling_validator.c b/src/libcharon/plugins/coupling/coupling_validator.c
index 958bd2b6d..fc35462e3 100644
--- a/src/libcharon/plugins/coupling/coupling_validator.c
+++ b/src/libcharon/plugins/coupling/coupling_validator.c
@@ -214,12 +214,11 @@ coupling_validator_t *coupling_validator_create()
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.max_couplings = lib->settings->get_int(lib->settings,
"%s.plugins.coupling.max", 1,
- charon->name),
+ lib->ns),
);
hash = lib->settings->get_str(lib->settings,
- "%s.plugins.coupling.hash", "sha1",
- charon->name);
+ "%s.plugins.coupling.hash", "sha1", lib->ns);
this->hasher = lib->crypto->create_hasher(lib->crypto,
enum_from_name(hash_algorithm_short_names, hash));
if (!this->hasher)
@@ -230,8 +229,7 @@ coupling_validator_t *coupling_validator_create()
}
path = lib->settings->get_str(lib->settings,
- "%s.plugins.coupling.file", NULL,
- charon->name);
+ "%s.plugins.coupling.file", NULL, lib->ns);
if (!path)
{
DBG1(DBG_CFG, "coupling file path unspecified");
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 4a2ebe7f4..395cd76ea 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 044c8a819..b8c1b4059 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -643,6 +643,28 @@ METHOD(dhcp_socket_t, destroy, void,
}
/**
+ * Bind a socket to a particular interface name
+ */
+static bool bind_to_device(int fd, char *iface)
+{
+ struct ifreq ifreq;
+
+ if (strlen(iface) > sizeof(ifreq.ifr_name))
+ {
+ DBG1(DBG_CFG, "name for DHCP interface too long: '%s'", iface);
+ return FALSE;
+ }
+ memcpy(ifreq.ifr_name, iface, sizeof(ifreq.ifr_name));
+ if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifreq, sizeof(ifreq)))
+ {
+ DBG1(DBG_CFG, "binding DHCP socket to '%s' failed: %s",
+ iface, strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
* See header
*/
dhcp_socket_t *dhcp_socket_create()
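Review bot: The length check and copy in the new `bind_to_device()` are both off. `strlen(iface) > sizeof(ifreq.ifr_name)` accepts a name that exactly fills `ifr_name` and leaves no room for the terminator. `memcpy(ifreq.ifr_name, iface, sizeof(ifreq.ifr_name))` always reads the full buffer size from `iface`, so for any shorter name it reads past the end of the configured string and hands those bytes to `setsockopt()`. The rest of `ifreq` is also passed uninitialised. I would zero the struct first with `memset(&ifreq, 0, sizeof(ifreq));`, reject with `if (strlen(iface) >= sizeof(ifreq.ifr_name))`, and copy only the name with `memcpy(ifreq.ifr_name, iface, strlen(iface));`.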
@@ -655,6 +677,7 @@ dhcp_socket_t *dhcp_socket_create()
.s_addr = INADDR_ANY,
},
};
+ char *iface;
int on = 1;
struct sock_filter dhcp_filter_code[] = {
BPF_STMT(BPF_LD+BPF_B+BPF_ABS,
@@ -711,13 +734,15 @@ dhcp_socket_t *dhcp_socket_create()
}
this->identity_lease = lib->settings->get_bool(lib->settings,
"%s.plugins.dhcp.identity_lease", FALSE,
- charon->name);
+ lib->ns);
this->force_dst = lib->settings->get_str(lib->settings,
"%s.plugins.dhcp.force_server_address", FALSE,
- charon->name);
+ lib->ns);
this->dst = host_create_from_string(lib->settings->get_str(lib->settings,
"%s.plugins.dhcp.server", "255.255.255.255",
- charon->name), DHCP_SERVER_PORT);
+ lib->ns), DHCP_SERVER_PORT);
+ iface = lib->settings->get_str(lib->settings, "%s.plugins.dhcp.interface",
+ NULL, lib->ns);
if (!this->dst)
{
DBG1(DBG_CFG, "configured DHCP server address invalid");
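Review bot: `this->force_dst` is still read with `get_str()` and a default of `FALSE`, and the commit only swaps the namespace argument on that call. The field declaration is outside the hunk, but if `force_dst` is a boolean flag as the name and default suggest, any configured value, including `no`, yields a non-NULL pointer and turns the option on. Since `force_server_address` appears to gate which DHCP server is used, reading it with `lib->settings->get_bool(lib->settings, "%s.plugins.dhcp.force_server_address", FALSE, lib->ns);` would make the setting behave as documented. The body of `dhcp_socket_create` starts and ends outside this hunk.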
@@ -766,6 +791,15 @@ dhcp_socket_t *dhcp_socket_create()
destroy(this);
return NULL;
}
+ if (iface)
+ {
+ if (!bind_to_device(this->send, iface) ||
+ !bind_to_device(this->receive, iface))
+ {
+ destroy(this);
+ return NULL;
+ }
+ }
lib->watcher->add(lib->watcher, this->receive, WATCHER_READ,
(watcher_cb_t)receive_dhcp, this);
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index c9222c202..4be453ea8 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/dnscert/dnscert_plugin.c b/src/libcharon/plugins/dnscert/dnscert_plugin.c
index 713bc9e3b..1b93480cf 100644
--- a/src/libcharon/plugins/dnscert/dnscert_plugin.c
+++ b/src/libcharon/plugins/dnscert/dnscert_plugin.c
@@ -74,7 +74,7 @@ METHOD(plugin_t, reload, bool,
private_dnscert_plugin_t *this)
{
bool enabled = lib->settings->get_bool(lib->settings,
- "%s.plugins.dnscert.enable", FALSE, charon->name);
+ "%s.plugins.dnscert.enable", FALSE, lib->ns);
if (enabled != this->enabled)
{
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index bac7d846f..e9da68ee8 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -225,8 +225,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -294,6 +292,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -382,12 +385,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -402,6 +409,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index e3a4e17b7..f77b48b09 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -130,7 +130,7 @@ duplicheck_notify_t *duplicheck_notify_create()
uri = lib->settings->get_str(lib->settings,
"%s.plugins.duplicheck.socket", "unix://" DUPLICHECK_SOCKET,
- charon->name);
+ lib->ns);
this->service = lib->streams->create_service(lib->streams, uri, 3);
if (!this->service)
{
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index 4d018dbef..689c795d8 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -93,7 +93,7 @@ plugin_t *duplicheck_plugin_create()
private_duplicheck_plugin_t *this;
if (!lib->settings->get_bool(lib->settings,
- "%s.plugins.duplicheck.enable", TRUE, charon->name))
+ "%s.plugins.duplicheck.enable", TRUE, lib->ns))
{
return NULL;
}
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 139ce1483..67cf66720 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index b7608382d..eba7af874 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -721,7 +721,7 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
this->permanent = peer->clone(peer);
this->use_reauth = this->use_pseudonym = this->use_permanent =
lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-aka.request_identity", TRUE, charon->name);
+ "%s.plugins.eap-aka.request_identity", TRUE, lib->ns);
/* generate a non-zero identifier */
do {
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 9fb9ef709..7d6ae956c 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
index 1bfc39e5a..a71dae78a 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
@@ -177,7 +177,7 @@ eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
#else /* !SEQ_CHECK */
FALSE,
#endif /* SEQ_CHECK */
- charon->name),
+ lib->ns),
);
eap_aka_3gpp2_get_sqn(this->sqn, 0);
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 61a9da187..6ff0acb32 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
index d24cbd128..3216446af 100644
--- a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -377,14 +377,14 @@ eap_dynamic_t *eap_dynamic_create(identification_t *server,
.server = server->clone(server),
.types = linked_list_create(),
.prefer_peer = lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-dynamic.prefer_peer", FALSE, charon->name),
+ "%s.plugins.eap-dynamic.prefer_peer", FALSE, lib->ns),
);
/* get all supported EAP methods */
get_supported_eap_types(this);
/* move preferred methods to the front */
preferred = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-dynamic.preferred", NULL, charon->name);
+ "%s.plugins.eap-dynamic.preferred", NULL, lib->ns);
if (preferred)
{
handle_preferred_eap_types(this, preferred);
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index c48d95527..99ae94e37 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index 2f64f325c..e751b51b6 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -149,7 +149,7 @@ METHOD(eap_method_t, process_server, status_t,
/* get XAuth backend to use for credential verification. Default to PAM
* to support legacy EAP-GTC configurations */
backend = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-gtc.backend", "pam", charon->name);
+ "%s.plugins.eap-gtc.backend", "pam", lib->ns);
xauth = charon->xauth->create_instance(charon->xauth, backend, XAUTH_SERVER,
this->server, this->peer);
if (!xauth)
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 01fbe22a5..688879a82 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 6ae97da15..150b131f0 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index bdc6a9d1d..d52f26a9a 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 35ec4db8b..7ac4a6edf 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c
index 8aba703c5..c24dd578c 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap.c
@@ -157,18 +157,18 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
if (is_server && !lib->settings->get_bool(lib->settings,
"%s.plugins.eap-peap.request_peer_auth", FALSE,
- charon->name))
+ lib->ns))
{
peer = NULL;
}
frag_size = lib->settings->get_int(lib->settings,
"%s.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN,
- charon->name);
+ lib->ns);
max_msg_count = lib->settings->get_int(lib->settings,
"%s.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT,
- charon->name);
+ lib->ns);
include_length = lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-peap.include_length", FALSE, charon->name);
+ "%s.plugins.eap-peap.include_length", FALSE, lib->ns);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
application, NULL);
this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
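Review bot: `frag_size` and `max_msg_count` go from `get_int()` straight into `tls_eap_create()` with no range check visible in this hunk, so a zero or negative `fragment_size` in the configuration reaches the fragmentation code as-is. Unless `tls_eap_create()` validates its arguments (not visible here), I would fall back to the default before the call, e.g. `if (frag_size <= 0) frag_size = MAX_FRAGMENT_LEN;`, and treat a negative `max_message_count` the same way. It would also help to state in a comment whether a `max_message_count` of 0 is meant to disable the limit. `eap_peap_create` starts and ends outside the hunk.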
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index 5237cb62c..33b01e95e 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -92,7 +92,7 @@ static status_t start_phase2_auth(private_eap_peap_server_t *this)
eap_type_str = lib->settings->get_str(lib->settings,
"%s.plugins.eap-peap.phase2_method", "mschapv2",
- charon->name);
+ lib->ns);
type = eap_type_from_string(eap_type_str);
if (type == 0)
{
@@ -129,7 +129,7 @@ static status_t start_phase2_auth(private_eap_peap_server_t *this)
static status_t start_phase2_tnc(private_eap_peap_server_t *this)
{
if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-peap.phase2_tnc", FALSE, charon->name))
+ "%s.plugins.eap-peap.phase2_tnc", FALSE, lib->ns))
{
DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
this->ph2_method = charon->eap->create_instance(charon->eap, EAP_TNC,
@@ -274,7 +274,7 @@ METHOD(tls_application_t, process, status_t,
/* Start Phase 2 of EAP-PEAP authentication */
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-peap.request_peer_auth", FALSE, charon->name))
+ "%s.plugins.eap-peap.request_peer_auth", FALSE, lib->ns))
{
return start_phase2_tnc(this);
}
@@ -425,7 +425,7 @@ eap_peap_server_t *eap_peap_server_create(identification_t *server,
.start_phase2_tnc = TRUE,
.start_phase2_id = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-peap.phase2_piggyback",
- FALSE, charon->name),
+ FALSE, lib->ns),
.phase2_result = EAP_FAILURE,
.avp = eap_peap_avp_create(TRUE),
);
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 3064ceadb..3e2bf046d 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 6087a528f..6719497d3 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -188,7 +188,7 @@ void eap_radius_build_attributes(radius_message_t *request)
}
if (lib->settings->get_bool(lib->settings,
"%s.plugins.eap-radius.station_id_with_port",
- TRUE, charon->name))
+ TRUE, lib->ns))
{
station_id_fmt = "%#H";
}
@@ -573,12 +573,12 @@ static void process_cfg_attributes(radius_message_t *msg)
void eap_radius_process_attributes(radius_message_t *message)
{
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-radius.class_group", FALSE, charon->name))
+ "%s.plugins.eap-radius.class_group", FALSE, lib->ns))
{
process_class(message);
}
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-radius.filter_id", FALSE, charon->name))
+ "%s.plugins.eap-radius.filter_id", FALSE, lib->ns))
{
process_filter_id(message);
}
@@ -720,10 +720,10 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
.type = EAP_RADIUS,
.eap_start = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-radius.eap_start", FALSE,
- charon->name),
+ lib->ns),
.id_prefix = lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.id_prefix", "",
- charon->name),
+ lib->ns),
);
this->client = eap_radius_create_client();
if (!this->client)
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index afb661e19..8c780e78d 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -712,7 +712,7 @@ eap_radius_accounting_t *eap_radius_accounting_create()
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name))
+ "%s.plugins.eap-radius.station_id_with_port", TRUE, lib->ns))
{
this->station_id_fmt = "%#H";
}
@@ -721,14 +721,14 @@ eap_radius_accounting_t *eap_radius_accounting_create()
this->station_id_fmt = "%H";
}
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-radius.accounting", FALSE, charon->name))
+ "%s.plugins.eap-radius.accounting", FALSE, lib->ns))
{
singleton = this;
charon->bus->add_listener(charon->bus, &this->public.listener);
}
this->acct_req_vip = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-radius.accounting_requires_vip",
- FALSE, charon->name);
+ FALSE, lib->ns);
return &this->public;
}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_dae.c b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
index f22ddc56f..a0bf99efd 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_dae.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
@@ -452,11 +452,11 @@ static bool open_socket(private_eap_radius_dae_t *this)
host = host_create_from_string(
lib->settings->get_str(lib->settings,
- "%s.plugins.eap-radius.dae.listen", "0.0.0.0",
- charon->name),
+ "%s.plugins.eap-radius.dae.listen", "0.0.0.0",
+ lib->ns),
lib->settings->get_int(lib->settings,
- "%s.plugins.eap-radius.dae.port", RADIUS_DAE_PORT,
- charon->name));
+ "%s.plugins.eap-radius.dae.port", RADIUS_DAE_PORT,
+ lib->ns));
if (!host)
{
DBG1(DBG_CFG, "invalid RADIUS DAE listen address");
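Review bot: The `dae.listen` default of `"0.0.0.0"` makes the DAE socket listen on every IPv4 interface whenever the option is left unset, and nothing at this call site tells the reader that. I would add a comment above the `host_create_from_string()` call, for example `/* default binds all IPv4 interfaces; set dae.listen to the address facing the RADIUS server */`, and mirror that wording in the option's description. `open_socket` continues outside the hunk, so any later restriction of accepted peers is not visible from here.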
@@ -504,7 +504,7 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting)
.secret = {
.ptr = lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.dae.secret", NULL,
- charon->name),
+ lib->ns),
},
.hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
.signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index 3e80e8918..b873e1d69 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -438,10 +438,10 @@ eap_radius_forward_t *eap_radius_forward_create()
},
.from_attr = parse_selector(lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.forward.ike_to_radius", "",
- charon->name)),
+ lib->ns)),
.to_attr = parse_selector(lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.forward.radius_to_ike", "",
- charon->name)),
+ lib->ns)),
.from = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 8),
.to = hashtable_create((hashtable_hash_t)hash,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 90a4ef6de..1a48c07e5 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -100,23 +100,23 @@ static void load_configs(private_eap_radius_plugin_t *this)
int auth_port, acct_port, sockets, preference;
address = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-radius.server", NULL, charon->name);
+ "%s.plugins.eap-radius.server", NULL, lib->ns);
if (address)
{ /* legacy configuration */
secret = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-radius.secret", NULL, charon->name);
+ "%s.plugins.eap-radius.secret", NULL, lib->ns);
if (!secret)
{
DBG1(DBG_CFG, "no RADIUS secret defined");
return;
}
nas_identifier = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-radius.nas_identifier", "strongSwan",
- charon->name);
+ "%s.plugins.eap-radius.nas_identifier", "strongSwan",
+ lib->ns);
auth_port = lib->settings->get_int(lib->settings,
- "%s.plugins.eap-radius.port", AUTH_PORT, charon->name);
+ "%s.plugins.eap-radius.port", AUTH_PORT, lib->ns);
sockets = lib->settings->get_int(lib->settings,
- "%s.plugins.eap-radius.sockets", 1, charon->name);
+ "%s.plugins.eap-radius.sockets", 1, lib->ns);
config = radius_config_create(address, address, auth_port, ACCT_PORT,
nas_identifier, secret, sockets, 0);
if (!config)
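Review bot: `auth_port` and `sockets` are read with `get_int()` and passed to `radius_config_create()` without a range check; the only failure handling visible is the `if (!config)` that follows. A port outside 1..65535 or a socket count below 1 should be rejected where it is read, e.g. `if (auth_port < 1 || auth_port > 65535 || sockets < 1) { DBG1(DBG_CFG, "invalid RADIUS port or socket count"); return; }`, unless `radius_config_create()` already does this (not visible here). The same applies to `auth_port`, `acct_port` and `sockets` in the per-server loop of the `-150,22` hunk, where the entry would be skipped rather than returning. `load_configs` continues outside both hunks.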
@@ -129,12 +129,12 @@ static void load_configs(private_eap_radius_plugin_t *this)
}
enumerator = lib->settings->create_section_enumerator(lib->settings,
- "%s.plugins.eap-radius.servers", charon->name);
+ "%s.plugins.eap-radius.servers", lib->ns);
while (enumerator->enumerate(enumerator, &section))
{
address = lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.servers.%s.address", NULL,
- charon->name, section);
+ lib->ns, section);
if (!address)
{
DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section);
@@ -142,7 +142,7 @@ static void load_configs(private_eap_radius_plugin_t *this)
}
secret = lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.servers.%s.secret", NULL,
- charon->name, section);
+ lib->ns, section);
if (!secret)
{
DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section);
@@ -150,22 +150,22 @@ static void load_configs(private_eap_radius_plugin_t *this)
}
nas_identifier = lib->settings->get_str(lib->settings,
"%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan",
- charon->name, section);
+ lib->ns, section);
auth_port = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.auth_port",
lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.port",
- AUTH_PORT, charon->name, section),
- charon->name, section);
+ AUTH_PORT, lib->ns, section),
+ lib->ns, section);
acct_port = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT,
- charon->name, section);
+ lib->ns, section);
sockets = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.sockets", 1,
- charon->name, section);
+ lib->ns, section);
preference = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.preference", 0,
- charon->name, section);
+ lib->ns, section);
config = radius_config_create(section, address, auth_port, acct_port,
nas_identifier, secret, sockets, preference);
if (!config)
@@ -203,7 +203,7 @@ static bool plugin_cb(private_eap_radius_plugin_t *this,
load_configs(this);
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-radius.dae.enable", FALSE, charon->name))
+ "%s.plugins.eap-radius.dae.enable", FALSE, lib->ns))
{
this->dae = eap_radius_dae_create(this->accounting);
}
@@ -368,7 +368,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
if (lib->settings->get_bool(lib->settings,
"%s.plugins.eap-radius.close_all_on_timeout",
- FALSE, charon->name))
+ FALSE, lib->ns))
{
DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout");
lib->processor->queue_job(lib->processor,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
index e66bbf38f..d00f6bb2c 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
@@ -256,7 +256,7 @@ static bool parse_rounds(private_eap_radius_xauth_t *this, char *profile)
}
enumerator = lib->settings->create_key_value_enumerator(lib->settings,
- "%s.plugins.eap-radius.xauth.%s", charon->name, profile);
+ "%s.plugins.eap-radius.xauth.%s", lib->ns, profile);
while (enumerator->enumerate(enumerator, &type, &message))
{
bool invalid = TRUE;
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index c9d80681a..3707f64f3 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c
index 334e2df1d..f22266bda 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_server.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c
@@ -635,7 +635,7 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server,
this->use_reauth = this->use_pseudonym = this->use_permanent =
lib->settings->get_bool(lib->settings,
"%s.plugins.eap-sim.request_identity", TRUE,
- charon->name);
+ lib->ns);
/* generate a non-zero identifier */
do {
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 39995495e..05bbc3129 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 2723f4059..a22a5c355 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 27a9f0c09..189baacbc 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 5c136cec4..33443a1d2 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 86cf3a752..02cf1532c 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
index 6bcc58e66..176321833 100644
--- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -66,7 +66,7 @@ static bool load_db(private_eap_simaka_sql_t *this,
uri = lib->settings->get_str(lib->settings,
"%s.plugins.eap-simaka-sql.database", NULL,
- charon->name);
+ lib->ns);
if (!uri)
{
DBG1(DBG_CFG, "eap-simaka-sql database URI missing");
@@ -80,7 +80,7 @@ static bool load_db(private_eap_simaka_sql_t *this,
}
remove_used = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-simaka-sql.remove_used", FALSE,
- charon->name);
+ lib->ns);
this->provider = eap_simaka_sql_provider_create(this->db, remove_used);
this->card = eap_simaka_sql_card_create(this->db, remove_used);
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 7be65990c..ec189f895 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index 48e38755d..dffbaf266 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -145,12 +145,12 @@ static eap_tls_t *eap_tls_create(identification_t *server,
frag_size = lib->settings->get_int(lib->settings,
"%s.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN,
- charon->name);
+ lib->ns);
max_msg_count = lib->settings->get_int(lib->settings,
"%s.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT,
- charon->name);
+ lib->ns);
include_length = lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-tls.include_length", TRUE, charon->name);
+ "%s.plugins.eap-tls.include_length", TRUE, lib->ns);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
include_length);
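Review bot: `fragment_size` is read with `get_int` and passed to `tls_eap_create` a few lines later with no range check in this hunk, so a zero or negative configured value reaches the fragmentation code unless `tls_eap_create` rejects it, which is not visible here. A guard right after the read, such as `if (frag_size <= 0) { frag_size = MAX_FRAGMENT_LEN; }`, would keep a typo in the settings file from becoming an unexpected buffer size. The same pattern appears in the `eap_ttls_create` hunk of eap_ttls.c. The declaration of `frag_size` is outside the hunk, so if it is unsigned the comparison has to be made on the `get_int` result before assignment.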
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index e482a7148..6d4ff8756 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index f9ab74258..2147c0482 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -273,10 +273,10 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
);
max_msg_count = lib->settings->get_int(lib->settings,
- "%s.plugins.eap-tnc.max_message_count",
- EAP_TNC_MAX_MESSAGE_COUNT, charon->name);
+ "%s.plugins.eap-tnc.max_message_count",
+ EAP_TNC_MAX_MESSAGE_COUNT, lib->ns);
protocol = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-tnc.protocol", "tnccs-1.1", charon->name);
+ "%s.plugins.eap-tnc.protocol", "tnccs-1.1", lib->ns);
if (strcaseeq(protocol, "tnccs-2.0"))
{
type = TNCCS_2_0;
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index a774ad609..a22b1e220 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index ebd1c5479..703cd3f29 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -147,18 +147,18 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
);
if (is_server && !lib->settings->get_bool(lib->settings,
"%s.plugins.eap-ttls.request_peer_auth", FALSE,
- charon->name))
+ lib->ns))
{
peer = NULL;
}
frag_size = lib->settings->get_int(lib->settings,
"%s.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN,
- charon->name);
+ lib->ns);
max_msg_count = lib->settings->get_int(lib->settings,
"%s.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT,
- charon->name);
+ lib->ns);
include_length = lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-ttls.include_length", TRUE, charon->name);
+ "%s.plugins.eap-ttls.include_length", TRUE, lib->ns);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
application, NULL);
this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index eef8d6682..88c2b88c6 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -80,7 +80,7 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
eap_type_str = lib->settings->get_str(lib->settings,
"%s.plugins.eap-ttls.phase2_method", "md5",
- charon->name);
+ lib->ns);
type = eap_type_from_string(eap_type_str);
if (type == 0)
{
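Review bot: The fallback for `phase2_method` is `"md5"`, so a server with no explicit setting runs EAP-MD5 as the inner method, and nothing at this call site says so. EAP-MD5 gives no mutual authentication or key material of its own, so the exchange depends entirely on the TTLS tunnel and on the client validating the server certificate. A comment above the read, `/* default inner method is EAP-MD5: protected only by the outer TLS tunnel */`, would make that dependency visible to whoever changes the default. `start_phase2_auth` begins and ends outside this hunk.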
@@ -115,7 +115,7 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
eap_inner_method_t *inner_method;
if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
+ "%s.plugins.eap-ttls.phase2_tnc", FALSE, lib->ns))
{
DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
@@ -242,7 +242,7 @@ METHOD(tls_application_t, process, status_t,
/* Start Phase 2 of EAP-TTLS authentication */
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
+ "%s.plugins.eap-ttls.request_peer_auth", FALSE, lib->ns))
{
return start_phase2_tnc(this, EAP_TLS);
}
@@ -301,7 +301,7 @@ METHOD(tls_application_t, build, status_t,
if (this->method == NULL && this->start_phase2 &&
lib->settings->get_bool(lib->settings,
- "%s.plugins.eap-ttls.phase2_piggyback", FALSE, charon->name))
+ "%s.plugins.eap-ttls.phase2_piggyback", FALSE, lib->ns))
{
/* generate an EAP Identity request which will be piggybacked right
* onto the TLS Finished message thus initiating EAP-TTLS phase2
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index ad8aba11e..d8a135cc1 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -226,8 +226,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -295,6 +293,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -383,12 +386,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -403,6 +410,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index aafd0a4cd..959c4c67d 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -142,7 +142,7 @@ error_notify_socket_t *error_notify_socket_create()
uri = lib->settings->get_str(lib->settings,
"%s.plugins.error-notify.socket", "unix://" ERROR_NOTIFY_SOCKET,
- charon->name);
+ lib->ns);
this->service = lib->streams->create_service(lib->streams, uri, 10);
if (!this->service)
{
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 4d2a32e6f..60c55f01e 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 9948ab3db..2f3263064 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index d26c38325..dd55fae8b 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -309,7 +309,7 @@ static void load_pools(private_ha_attribute_t *this)
pool_t *pool;
enumerator = lib->settings->create_key_value_enumerator(lib->settings,
- "%s.plugins.ha.pools", charon->name);
+ "%s.plugins.ha.pools", lib->ns);
while (enumerator->enumerate(enumerator, &name, &net))
{
net = strdup(net);
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 5d4cc6184..493cad5ec 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -160,19 +160,19 @@ plugin_t *ha_plugin_create()
bool fifo, monitor, resync;
local = lib->settings->get_str(lib->settings,
- "%s.plugins.ha.local", NULL, charon->name);
+ "%s.plugins.ha.local", NULL, lib->ns);
remote = lib->settings->get_str(lib->settings,
- "%s.plugins.ha.remote", NULL, charon->name);
+ "%s.plugins.ha.remote", NULL, lib->ns);
secret = lib->settings->get_str(lib->settings,
- "%s.plugins.ha.secret", NULL, charon->name);
+ "%s.plugins.ha.secret", NULL, lib->ns);
fifo = lib->settings->get_bool(lib->settings,
- "%s.plugins.ha.fifo_interface", TRUE, charon->name);
+ "%s.plugins.ha.fifo_interface", TRUE, lib->ns);
monitor = lib->settings->get_bool(lib->settings,
- "%s.plugins.ha.monitor", TRUE, charon->name);
+ "%s.plugins.ha.monitor", TRUE, lib->ns);
resync = lib->settings->get_bool(lib->settings,
- "%s.plugins.ha.resync", TRUE, charon->name);
+ "%s.plugins.ha.resync", TRUE, lib->ns);
count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings,
- "%s.plugins.ha.segment_count", 1, charon->name));
+ "%s.plugins.ha.segment_count", 1, lib->ns));
if (!local || !remote)
{
DBG1(DBG_CFG, "HA config misses local/remote address");
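Review bot: `segment_count` is clamped only from above, because `min(SEGMENTS_MAX, get_int(...))` lets zero or a negative value through to `count`. Bounding it on both sides, e.g. `count = max(1, min(SEGMENTS_MAX, lib->settings->get_int(lib->settings, "%s.plugins.ha.segment_count", 1, lib->ns)));`, keeps a configuration mistake from producing an empty or negative segment range. The `heartbeat_delay` and `heartbeat_timeout` reads in ha_segments.c are likewise used without a lower bound in their hunk. `ha_plugin_create` continues past the end of this hunk, so a later check may exist that is not visible here.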
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index cab38c63d..fc7d7a8b4 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -470,12 +470,12 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
.heartbeat_delay = lib->settings->get_int(lib->settings,
"%s.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY,
- charon->name),
+ lib->ns),
.heartbeat_timeout = lib->settings->get_int(lib->settings,
"%s.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT,
- charon->name),
+ lib->ns),
.autobalance = lib->settings->get_int(lib->settings,
- "%s.plugins.ha.autobalance", 0, charon->name),
+ "%s.plugins.ha.autobalance", 0, lib->ns),
);
if (monitor)
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 5c3d01558..2ee5a49f1 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
index 9bc49ba28..9f00abe8b 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
@@ -53,7 +53,7 @@ METHOD(plugin_t, reload, bool,
private_ipseckey_plugin_t *this)
{
bool enabled = lib->settings->get_bool(lib->settings,
- "%s.plugins.ipseckey.enable", FALSE, charon->name);
+ "%s.plugins.ipseckey.enable", FALSE, lib->ns);
if (enabled != this->enabled)
{
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index fa28babe4..1726c689c 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index d0744e300..b33580700 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -695,7 +695,7 @@ kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
.policies = linked_list_create(),
.excludes = linked_list_create(),
.allow_peer_ts = lib->settings->get_bool(lib->settings,
- "%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, hydra->daemon),
+ "%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, lib->ns),
);
ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index 56f526217..e3b688dd6 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -144,6 +144,6 @@ plugin_t *kernel_libipsec_plugin_create()
/* set TUN device as default to install VIPs */
lib->settings->set_str(lib->settings, "%s.install_virtual_ip_on",
- this->tun->get_name(this->tun), charon->name);
+ this->tun->get_name(this->tun), lib->ns);
return &this->public.plugin;
}
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 9373703a2..48163aff2 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c
index be80bcde2..3351f6614 100644
--- a/src/libcharon/plugins/led/led_listener.c
+++ b/src/libcharon/plugins/led/led_listener.c
@@ -230,12 +230,12 @@ led_listener_t *led_listener_create()
},
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.blink_time = lib->settings->get_int(lib->settings,
- "%s.plugins.led.blink_time", 50, charon->name),
+ "%s.plugins.led.blink_time", 50, lib->ns),
);
this->activity = open_led(lib->settings->get_str(lib->settings,
- "%s.plugins.led.activity_led", NULL, charon->name),
- &this->activity_max);
+ "%s.plugins.led.activity_led", NULL, lib->ns),
+ &this->activity_max);
set_led(this->activity, 0);
return &this->public;
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 93dd6b486..2369044dd 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -228,8 +228,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -297,6 +295,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -385,12 +388,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -405,6 +412,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index e4e47c1ac..e133190b4 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -236,11 +236,11 @@ static void load_addrs(private_load_tester_config_t *this)
mem_pool_t *pool;
this->keep = lib->settings->get_bool(lib->settings,
- "%s.plugins.load-tester.addrs_keep", FALSE, charon->name);
+ "%s.plugins.load-tester.addrs_keep", FALSE, lib->ns);
this->prefix = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.addrs_prefix", 16, charon->name);
+ "%s.plugins.load-tester.addrs_prefix", 16, lib->ns);
enumerator = lib->settings->create_key_value_enumerator(lib->settings,
- "%s.plugins.load-tester.addrs", charon->name);
+ "%s.plugins.load-tester.addrs", lib->ns);
while (enumerator->enumerate(enumerator, &iface, &token))
{
tokens = enumerator_create_token(token, ",", " ");
@@ -917,72 +917,71 @@ load_tester_config_t *load_tester_config_create()
);
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.load-tester.request_virtual_ip", FALSE, charon->name))
+ "%s.plugins.load-tester.request_virtual_ip", FALSE, lib->ns))
{
this->vip = host_create_from_string("0.0.0.0", 0);
}
this->pool = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.pool", NULL, charon->name);
+ "%s.plugins.load-tester.pool", NULL, lib->ns);
this->initiator = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.initiator", "0.0.0.0", charon->name);
+ "%s.plugins.load-tester.initiator", "0.0.0.0", lib->ns);
this->responder = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.responder", "127.0.0.1", charon->name);
+ "%s.plugins.load-tester.responder", "127.0.0.1", lib->ns);
this->proposal = proposal_create_from_string(PROTO_IKE,
lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.proposal", "aes128-sha1-modp768",
- charon->name));
+ lib->ns));
if (!this->proposal)
{ /* fallback */
this->proposal = proposal_create_from_string(PROTO_IKE,
"aes128-sha1-modp768");
}
this->esp = proposal_create_from_string(PROTO_ESP,
- lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.esp", "aes128-sha1",
- charon->name));
+ lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.esp", "aes128-sha1", lib->ns));
if (!this->esp)
{ /* fallback */
this->esp = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
}
this->ike_rekey = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.ike_rekey", 0, charon->name);
+ "%s.plugins.load-tester.ike_rekey", 0, lib->ns);
this->child_rekey = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.child_rekey", 600, charon->name);
+ "%s.plugins.load-tester.child_rekey", 600, lib->ns);
this->dpd_delay = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.dpd_delay", 0, charon->name);
+ "%s.plugins.load-tester.dpd_delay", 0, lib->ns);
this->dpd_timeout = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.dpd_timeout", 0, charon->name);
+ "%s.plugins.load-tester.dpd_timeout", 0, lib->ns);
this->initiator_auth = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.initiator_auth", "pubkey", charon->name);
+ "%s.plugins.load-tester.initiator_auth", "pubkey", lib->ns);
this->responder_auth = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.responder_auth", "pubkey", charon->name);
+ "%s.plugins.load-tester.responder_auth", "pubkey", lib->ns);
this->initiator_id = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.initiator_id", NULL, charon->name);
+ "%s.plugins.load-tester.initiator_id", NULL, lib->ns);
this->initiator_match = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.initiator_match", NULL, charon->name);
+ "%s.plugins.load-tester.initiator_match", NULL, lib->ns);
this->responder_id = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.responder_id", NULL, charon->name);
+ "%s.plugins.load-tester.responder_id", NULL, lib->ns);
this->mode = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.mode", NULL, charon->name);
+ "%s.plugins.load-tester.mode", NULL, lib->ns);
this->initiator_tsi = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.initiator_tsi", NULL, charon->name);
+ "%s.plugins.load-tester.initiator_tsi", NULL, lib->ns);
this->responder_tsi =lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.responder_tsi",
- this->initiator_tsi, charon->name);
+ "%s.plugins.load-tester.responder_tsi",
+ this->initiator_tsi, lib->ns);
this->initiator_tsr = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.initiator_tsr", NULL, charon->name);
+ "%s.plugins.load-tester.initiator_tsr", NULL, lib->ns);
this->responder_tsr =lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.responder_tsr",
- this->initiator_tsr, charon->name);
+ "%s.plugins.load-tester.responder_tsr",
+ this->initiator_tsr, lib->ns);
this->port = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.dynamic_port", 0, charon->name);
+ "%s.plugins.load-tester.dynamic_port", 0, lib->ns);
this->version = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.version", IKE_ANY, charon->name);
+ "%s.plugins.load-tester.version", IKE_ANY, lib->ns);
load_addrs(this);
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index f9ec9142f..5f089f5db 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -302,7 +302,7 @@ load_tester_control_t *load_tester_control_create()
uri = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.socket", "unix://" LOAD_TESTER_SOCKET,
- charon->name);
+ lib->ns);
this->service = lib->streams->create_service(lib->streams, uri, 10);
if (this->service)
{
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
index 028205bd2..f17d41f46 100644
--- a/src/libcharon/plugins/load_tester/load_tester_creds.c
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -202,7 +202,7 @@ static private_key_t *load_issuer_key()
char *path;
path = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.issuer_key", NULL, charon->name);
+ "%s.plugins.load-tester.issuer_key", NULL, lib->ns);
if (!path)
{
return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
@@ -222,7 +222,7 @@ static certificate_t *load_issuer_cert()
char *path;
path = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.issuer_cert", NULL, charon->name);
+ "%s.plugins.load-tester.issuer_cert", NULL, lib->ns);
if (!path)
{
return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -246,7 +246,7 @@ static void load_ca_certs(private_load_tester_creds_t *this)
char *path;
path = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.ca_dir", NULL, charon->name);
+ "%s.plugins.load-tester.ca_dir", NULL, lib->ns);
if (path)
{
enumerator = enumerator_create_directory(path);
@@ -445,11 +445,11 @@ load_tester_creds_t *load_tester_creds_create()
char *pwd, *psk, *digest;
psk = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.preshared_key", default_psk, charon->name);
+ "%s.plugins.load-tester.preshared_key", default_psk, lib->ns);
pwd = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.eap_password", default_pwd, charon->name);
+ "%s.plugins.load-tester.eap_password", default_pwd, lib->ns);
digest = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.digest", "sha1", charon->name);
+ "%s.plugins.load-tester.digest", "sha1", lib->ns);
INIT(this,
.public = {
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 7e832ddc0..068020ef7 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -126,7 +126,7 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
},
.delete_after_established = lib->settings->get_bool(lib->settings,
"%s.plugins.load-tester.delete_after_established", FALSE,
- charon->name),
+ lib->ns),
.shutdown_on = shutdown_on,
.config = config,
);
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 03557a269..e684f22ce 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -193,7 +193,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.load-tester.shutdown_when_complete", 0, charon->name))
+ "%s.plugins.load-tester.shutdown_when_complete", 0, lib->ns))
{
shutdown_on = this->iterations * this->initiators;
}
@@ -262,8 +262,8 @@ plugin_t *load_tester_plugin_create()
{
private_load_tester_plugin_t *this;
- if (!lib->settings->get_bool(lib->settings,
- "%s.plugins.load-tester.enable", FALSE, charon->name))
+ if (!lib->settings->get_bool(lib->settings, "%s.plugins.load-tester.enable",
+ FALSE, lib->ns))
{
DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
return NULL;
@@ -279,19 +279,19 @@ plugin_t *load_tester_plugin_create()
},
},
.delay = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.delay", 0, charon->name),
+ "%s.plugins.load-tester.delay", 0, lib->ns),
.iterations = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.iterations", 1, charon->name),
+ "%s.plugins.load-tester.iterations", 1, lib->ns),
.initiators = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.initiators", 0, charon->name),
+ "%s.plugins.load-tester.initiators", 0, lib->ns),
.init_limit = lib->settings->get_int(lib->settings,
- "%s.plugins.load-tester.init_limit", 0, charon->name),
+ "%s.plugins.load-tester.init_limit", 0, lib->ns),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
);
if (lib->settings->get_bool(lib->settings,
- "%s.plugins.load-tester.fake_kernel", FALSE, charon->name))
+ "%s.plugins.load-tester.fake_kernel", FALSE, lib->ns))
{
hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
(kernel_ipsec_constructor_t)load_tester_ipsec_create);
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index d74ce4668..4b6d214de 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -224,8 +224,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -293,6 +291,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -381,12 +384,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -401,6 +408,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
index d25573bf4..4b33e3e31 100644
--- a/src/libcharon/plugins/lookip/lookip_socket.c
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -87,10 +87,21 @@ static void entry_destroy(entry_t *entry)
}
/**
- * Disconnect a stream, remove connection entry
+ * Data for async disconnect job
*/
-static void disconnect(private_lookip_socket_t *this, stream_t *stream)
+typedef struct {
+ /** socket ref */
+ private_lookip_socket_t *this;
+ /** stream to disconnect */
+ stream_t *stream;
+} disconnect_data_t;
+
+/**
+ * Disconnect a stream asynchronously, remove connection entry
+ */
+static job_requeue_t disconnect_async(disconnect_data_t *data)
{
+ private_lookip_socket_t *this = data->this;
enumerator_t *enumerator;
entry_t *entry;
@@ -98,7 +109,7 @@ static void disconnect(private_lookip_socket_t *this, stream_t *stream)
enumerator = this->connected->create_enumerator(this->connected);
while (enumerator->enumerate(enumerator, &entry))
{
- if (entry->stream == stream)
+ if (entry->stream == data->stream)
{
this->connected->remove_at(this->connected, enumerator);
if (entry->up || entry->down)
@@ -111,6 +122,24 @@ static void disconnect(private_lookip_socket_t *this, stream_t *stream)
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Queue async disconnect job
+ */
+static void disconnect(private_lookip_socket_t *this, stream_t *stream)
+{
+ disconnect_data_t *data;
+
+ INIT(data,
+ .this = this,
+ .stream = stream,
+ );
+
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create((void*)disconnect_async, data,
+ free, NULL));
}
/**
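Review bot: The job queued by `disconnect()` carries a raw `this` pointer in `disconnect_data_t`, and nothing visible here ties the job's lifetime to the socket's. The destroy path is outside these hunks, so this is inferred: if teardown frees the socket while a job is still queued, `disconnect_async()` would read `data->this` and unlock `this->mutex` on freed memory. The destructor should make sure no disconnect job is pending before it releases `this->connected` and `this->mutex`, or the job should hold something that keeps the socket alive. The comment above `disconnect()` should also say why the work is deferred and who owns the data, for example `/* queued as a job rather than run inline; the job owns data and frees it via the cleanup callback */`. The body of `disconnect_async()` spans the two preceding hunks.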
@@ -393,8 +422,8 @@ lookip_socket_t *lookip_socket_create(lookip_listener_t *listener)
);
uri = lib->settings->get_str(lib->settings,
- "%s.plugins.lookip.socket", "unix://" LOOKIP_SOCKET,
- charon->name);
+ "%s.plugins.lookip.socket", "unix://" LOOKIP_SOCKET,
+ lib->ns);
this->service = lib->streams->create_service(lib->streams, uri, 10);
if (!this->service)
{
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index a8b793f6f..314088a25 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 76b05c634..8d7ca04e6 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 20e3553e7..7abc23e50 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 9e794cec3..b891f55f1 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index c8d8fae1c..bf85d5713 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/radattr/radattr_listener.c b/src/libcharon/plugins/radattr/radattr_listener.c
index 5443800e5..aca83aafc 100644
--- a/src/libcharon/plugins/radattr/radattr_listener.c
+++ b/src/libcharon/plugins/radattr/radattr_listener.c
@@ -19,7 +19,6 @@
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
-#include <sys/mman.h>
#include <errno.h>
#include <daemon.h>
@@ -110,10 +109,7 @@ static void add_radius_attribute(private_radattr_listener_t *this,
identification_t *id;
auth_cfg_t *auth;
char path[PATH_MAX];
- chunk_t data;
- struct stat sb;
- void *addr;
- int fd;
+ chunk_t *data;
auth = ike_sa->get_auth_cfg(ike_sa, TRUE);
id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
@@ -123,44 +119,16 @@ static void add_radius_attribute(private_radattr_listener_t *this,
}
snprintf(path, sizeof(path), "%s/%Y", this->dir, id);
- fd = open(path, O_RDONLY);
- if (fd != -1)
+ data = chunk_map(path, FALSE);
+ if (data)
{
- if (fstat(fd, &sb) != -1)
+ if (data->len >= 2)
{
- if (sb.st_size <= MAX_ATTR_SIZE)
- {
- addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (addr != MAP_FAILED)
- {
- data = chunk_create(addr, sb.st_size);
- if (data.len >= 2)
- {
- DBG1(DBG_CFG, "adding RADIUS %N attribute",
- radius_attribute_type_names, data.ptr[0]);
- message->add_notify(message, FALSE,
- RADIUS_ATTRIBUTE, data);
- }
- munmap(addr, sb.st_size);
- }
- else
- {
- DBG1(DBG_CFG, "mapping RADIUS attribute '%s' failed: %s",
- path, strerror(errno));
- }
- }
- else
- {
- DBG1(DBG_CFG, "RADIUS attribute '%s' exceeds size limit",
- path);
- }
- }
- else
- {
- DBG1(DBG_CFG, "fstat RADIUS attribute '%s' failed: %s",
- path, strerror(errno));
+ DBG1(DBG_CFG, "adding RADIUS %N attribute",
+ radius_attribute_type_names, data->ptr[0]);
+ message->add_notify(message, FALSE, RADIUS_ATTRIBUTE, *data);
}
- close(fd);
+ chunk_unmap(data);
}
else
{
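Review bot: The switch to `chunk_map()` drops the `sb.st_size <= MAX_ATTR_SIZE` bound that the removed code enforced, so `add_radius_attribute()` now maps a file of any size under `this->dir` and hands it whole to `message->add_notify()`. Unless `chunk_map()` or the message encoder caps the length (neither is visible here), keep the limit in the new guard: `if (data->len >= 2 && data->len <= MAX_ATTR_SIZE)`, with an `else` that logs the former "exceeds size limit" message. Whether `MAX_ATTR_SIZE` is still defined after this commit cannot be seen from the hunk. The function starts before this hunk and its final `else` branch continues past it.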
@@ -212,9 +180,9 @@ radattr_listener_t *radattr_listener_create()
.destroy = _destroy,
},
.dir = lib->settings->get_str(lib->settings,
- "%s.plugins.radattr.dir", NULL, charon->name),
+ "%s.plugins.radattr.dir", NULL, lib->ns),
.mid = lib->settings->get_int(lib->settings,
- "%s.plugins.radattr.message_id", -1, charon->name),
+ "%s.plugins.radattr.message_id", -1, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index f56840410..43f3c6fbf 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index cfcee2f79..155113e48 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index ea976dfe9..081d3efc7 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -617,7 +617,7 @@ static int open_socket(private_socket_default_socket_t *this,
mark_t mark;
fwmark = lib->settings->get_str(lib->settings,
- "%s.plugins.socket-default.fwmark", NULL, charon->name);
+ "%s.plugins.socket-default.fwmark", NULL, lib->ns);
if (fwmark && mark_from_string(fwmark, &mark))
{
if (setsockopt(skt, SOL_SOCKET, SO_MARK, &mark.value,
@@ -657,10 +657,10 @@ static bool use_family(int family)
{
case AF_INET:
return lib->settings->get_bool(lib->settings,
- "%s.plugins.socket-default.use_ipv4", TRUE, charon->name);
+ "%s.plugins.socket-default.use_ipv4", TRUE, lib->ns);
case AF_INET6:
return lib->settings->get_bool(lib->settings,
- "%s.plugins.socket-default.use_ipv6", TRUE, charon->name);
+ "%s.plugins.socket-default.use_ipv6", TRUE, lib->ns);
default:
return FALSE;
}
@@ -735,14 +735,14 @@ socket_default_socket_t *socket_default_socket_create()
},
},
.port = lib->settings->get_int(lib->settings,
- "%s.port", CHARON_UDP_PORT, charon->name),
+ "%s.port", CHARON_UDP_PORT, lib->ns),
.natt = lib->settings->get_int(lib->settings,
- "%s.port_nat_t", CHARON_NATT_PORT, charon->name),
+ "%s.port_nat_t", CHARON_NATT_PORT, lib->ns),
.max_packet = lib->settings->get_int(lib->settings,
- "%s.max_packet", MAX_PACKET, charon->name),
+ "%s.max_packet", MAX_PACKET, lib->ns),
.set_source = lib->settings->get_bool(lib->settings,
"%s.plugins.socket-default.set_source", TRUE,
- charon->name),
+ lib->ns),
);
if (this->port && this->port == this->natt)
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 1efbdabbc..da40a433b 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index 012f18e31..3161a709f 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -668,7 +668,7 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
},
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.max_packet = lib->settings->get_int(lib->settings,
- "%s.max_packet", MAX_PACKET, charon->name),
+ "%s.max_packet", MAX_PACKET, lib->ns),
);
if (pipe(this->notify) != 0)
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 18461fa04..963804932 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c
index 547e7691e..9a7a6e0ff 100644
--- a/src/libcharon/plugins/sql/sql_logger.c
+++ b/src/libcharon/plugins/sql/sql_logger.c
@@ -141,7 +141,7 @@ sql_logger_t *sql_logger_create(database_t *db)
.db = db,
.recursive = thread_value_create(NULL),
.level = lib->settings->get_int(lib->settings,
- "%s.plugins.sql.loglevel", -1, charon->name),
+ "%s.plugins.sql.loglevel", -1, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index c1b4461d2..c5dd6e8b3 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -73,7 +73,7 @@ static bool open_database(private_sql_plugin_t *this,
char *uri;
uri = lib->settings->get_str(lib->settings, "%s.plugins.sql.database",
- NULL, charon->name);
+ NULL, lib->ns);
if (!uri)
{
DBG1(DBG_CFG, "sql plugin: database URI not set");
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index a913e063e..11a8771cc 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 2e10f324b..e5e6d9246 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -880,7 +880,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
else
{
vip = host_create_from_string(token, 0);
- if (vip)
+ if (!vip)
{
DBG1(DBG_CFG, "ignored invalid subnet token: %s", token);
}
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index b583bfc53..f770d7c9e 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -778,7 +778,7 @@ stroke_control_t *stroke_control_create()
.destroy = _destroy,
},
.timeout = lib->settings->get_int(lib->settings,
- "%s.plugins.stroke.timeout", 0, charon->name),
+ "%s.plugins.stroke.timeout", 0, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 8d0001271..f908219ed 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -17,8 +17,6 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <limits.h>
-#include <libgen.h>
-#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
@@ -521,7 +519,16 @@ METHOD(stroke_cred_t, cache_cert, void,
if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
{
- chunk_write(chunk, buf, "crl", 022, TRUE);
+ if (chunk_write(chunk, buf, 022, TRUE))
+ {
+ DBG1(DBG_CFG, " written crl file '%s' (%d bytes)",
+ buf, chunk.len);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " writing crl file '%s' failed: %s",
+ buf, strerror(errno));
+ }
free(chunk.ptr);
}
}
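Review bot: The success message in cache_cert formats `chunk.len` with `%d`; if `len` is a `size_t`, as the removed `chunk_create(addr, sb.st_size)` call further down suggests, that is a width mismatch in a varargs call on LP64 targets. Casting at the call site, `buf, (int)chunk.len);`, keeps the format string and the argument in agreement. The failure branch reports `strerror(errno)`, which is only accurate if `chunk_write()` leaves errno untouched after the failing call; that helper is not part of this diff section. cache_cert starts above the hunk.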
@@ -1092,46 +1099,24 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
char *file, int level, FILE *prompt)
{
- int line_nr = 0, fd;
- chunk_t src, line;
- struct stat sb;
- void *addr;
+ int line_nr = 0;
+ chunk_t *src, line;
DBG1(DBG_CFG, "loading secrets from '%s'", file);
- fd = open(file, O_RDONLY);
- if (fd == -1)
+ src = chunk_map(file, FALSE);
+ if (!src)
{
DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file,
strerror(errno));
return;
}
- if (fstat(fd, &sb) == -1)
- {
- DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file,
- strerror(errno));
- close(fd);
- return;
- }
- if (sb.st_size == 0)
- { /* skip empty files, as mmap() complains */
- close(fd);
- return;
- }
- addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
- if (addr == MAP_FAILED)
- {
- DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno));
- close(fd);
- return;
- }
- src = chunk_create(addr, sb.st_size);
if (!secrets)
{
secrets = mem_cred_create();
}
- while (fetchline(&src, &line))
+ while (fetchline(src, &line))
{
chunk_t ids, token;
shared_key_type_t type;
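Review bot: Every failure of `chunk_map()` is now logged as "opening secrets file ... failed", whereas the removed code distinguished open, fstat and mmap errors, and the helper presumably still performs all three steps. A neutral wording such as `"reading secrets file '%s' failed: %s"` keeps the log accurate when mapping fails on a file that opened fine. The explicit early return for an empty file is gone as well, so whether an empty secrets file now reaches the `level == 0` replacement further down depends on what chunk_map returns for it; a one-line comment stating the intended behaviour would help. load_secrets continues past the end of this hunk.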
@@ -1172,8 +1157,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
}
else
{ /* use directory of current file if relative */
- dir = strdup(file);
- dir = dirname(dir);
+ dir = path_dirname(file);
if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
{
@@ -1272,8 +1256,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
break;
}
}
- munmap(addr, sb.st_size);
- close(fd);
+ chunk_unmap(src);
if (level == 0)
{ /* replace secrets in active credential set */
@@ -1394,7 +1377,7 @@ stroke_cred_t *stroke_cred_create()
this->force_ca_cert = lib->settings->get_bool(lib->settings,
"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
- FALSE, charon->name);
+ FALSE, lib->ns);
load_certs(this);
load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 3adebb523..169ff2bf6 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2012 Tobias Brunner
+ * Copyright (C) 2011-2013 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -99,6 +99,11 @@ struct private_stroke_socket_t {
* Counter values for IKE events
*/
stroke_counter_t *counter;
+
+ /**
+ * TRUE if log level changes are not allowed
+ */
+ bool prevent_loglevel_changes;
};
/**
@@ -490,6 +495,25 @@ static void stroke_leases(private_stroke_socket_t *this,
}
/**
+ * Callback function for usage report
+ */
+static void report_usage(FILE *out, int count, size_t bytes,
+ backtrace_t *bt, bool detailed)
+{
+ fprintf(out, "%zu bytes total, %d allocations, %zu bytes average:\n",
+ bytes, count, bytes / count);
+ bt->log(bt, out, detailed);
+}
+
+/**
+ * Callback function for memusage summary
+ */
+static void sum_usage(FILE *out, int count, size_t bytes, int whitelisted)
+{
+ fprintf(out, "Total memory usage: %zu\n", bytes);
+}
+
+/**
* Show memory usage
*/
static void stroke_memusage(private_stroke_socket_t *this,
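Review bot: `report_usage()` computes `bytes / count` without checking `count`, so a report entry with zero allocations would fault inside the daemon while it answers a memusage request. The leak detective probably never reports such an entry, but that contract is not visible here; `count ? bytes / count : 0` makes the callback safe on its own. `sum_usage()` ignores `count` and `whitelisted`, and a short comment saying that only the byte total is printed would explain the unused parameters.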
@@ -497,7 +521,9 @@ static void stroke_memusage(private_stroke_socket_t *this,
{
if (lib->leak_detective)
{
- lib->leak_detective->usage(lib->leak_detective, out);
+ lib->leak_detective->usage(lib->leak_detective,
+ (leak_detective_report_cb_t)report_usage,
+ (leak_detective_summary_cb_t)sum_usage, out);
}
}
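Review bot: Both callbacks reach `usage()` through explicit casts to `leak_detective_report_cb_t` and `leak_detective_summary_cb_t`, which silences the compiler if their signatures ever drift from the typedefs. The typedefs are not visible in this diff; declaring `report_usage` and `sum_usage` with the typedefs' exact parameter types and converting the user pointer to `FILE*` inside each body would let both casts be dropped. Calling a function through a pointer of an incompatible type is undefined behaviour in C even when it happens to work on common ABIs.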
@@ -546,6 +572,12 @@ static void stroke_loglevel(private_stroke_socket_t *this,
DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
msg->loglevel.level, msg->loglevel.type);
+ if (this->prevent_loglevel_changes)
+ {
+ DBG1(DBG_CFG, "prevented log level change");
+ fprintf(out, "command not allowed!\n");
+ return;
+ }
if (strcaseeq(msg->loglevel.type, "any"))
{
group = DBG_ANY;
@@ -555,7 +587,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
group = enum_from_name(debug_names, msg->loglevel.type);
if ((int)group < 0)
{
- fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+ fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
return;
}
}
@@ -591,8 +623,8 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
return FALSE;
}
- /* read message */
- msg = malloc(len);
+ /* read message (we need an additional byte to terminate the buffer) */
+ msg = malloc(len + 1);
msg->length = len;
if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
{
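Review bot: `len` comes from the peer on the stroke socket and feeds `malloc(len + 1)`, `msg->length = len` and `len - sizeof(len)`, yet no lower bound on it is visible in this hunk. If the check ending in the `return FALSE;` above only covers a failed read, a length smaller than the fixed message header lets `msg->length = len` write past a one- or two-byte allocation and makes `len - sizeof(len)` wrap. A guard such as `if (len < sizeof(len)) return FALSE;`, or better one against the size of the fixed header, belongs before the allocation. on_accept starts above the hunk and continues below it.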
@@ -603,6 +635,9 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
free(msg);
return FALSE;
}
+ /* make sure even incorrectly unterminated strings don't extend over the
+ * message boundaries */
+ ((char*)msg)[len] = '\0';
DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);
@@ -727,6 +762,8 @@ stroke_socket_t *stroke_socket_create()
.public = {
.destroy = _destroy,
},
+ .prevent_loglevel_changes = lib->settings->get_bool(lib->settings,
+ "%s.plugins.stroke.prevent_loglevel_changes", FALSE, lib->ns),
);
this->cred = stroke_cred_create();
@@ -746,10 +783,10 @@ stroke_socket_t *stroke_socket_create()
charon->bus->add_listener(charon->bus, &this->counter->listener);
max_concurrent = lib->settings->get_int(lib->settings,
- "%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
- charon->name);
+ "%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
+ lib->ns);
uri = lib->settings->get_str(lib->settings,
- "%s.plugins.stroke.socket", "unix://" STROKE_SOCKET, charon->name);
+ "%s.plugins.stroke.socket", "unix://" STROKE_SOCKET, lib->ns);
this->service = lib->streams->create_service(lib->streams, uri, 10);
if (!this->service)
{
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 8ad5c88ba..63724728a 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
index c8596114c..c1594b0b2 100644
--- a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
@@ -178,9 +178,9 @@ static bool load_validator(private_systime_fix_plugin_t *this)
char *str, *fmt;
fmt = lib->settings->get_str(lib->settings,
- "%s.plugins.%s.threshold_format", "%Y", charon->name, get_name(this));
+ "%s.plugins.%s.threshold_format", "%Y", lib->ns, get_name(this));
str = lib->settings->get_str(lib->settings,
- "%s.plugins.%s.threshold", NULL, charon->name, get_name(this));
+ "%s.plugins.%s.threshold", NULL, lib->ns, get_name(this));
if (!str)
{
DBG1(DBG_CFG, "no threshold configured for %s, disabled",
@@ -274,9 +274,9 @@ plugin_t *systime_fix_plugin_create()
},
},
.interval = lib->settings->get_int(lib->settings,
- "%s.plugins.%s.interval", 0, charon->name, get_name(this)),
+ "%s.plugins.%s.interval", 0, lib->ns, get_name(this)),
.reauth = lib->settings->get_bool(lib->settings,
- "%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)),
+ "%s.plugins.%s.reauth", FALSE, lib->ns, get_name(this)),
);
return &this->public.plugin;
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index ca995b01f..ace18e77c 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index 4ad19c530..d2ba2e345 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -191,8 +191,8 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
/* schedule periodic transmission of IF-MAP renewSession request */
reschedule = lib->settings->get_int(lib->settings,
- "%s.plugins.tnc-ifmap.renew_session_interval",
- IFMAP_RENEW_SESSION_INTERVAL, charon->name);
+ "%s.plugins.tnc-ifmap.renew_session_interval",
+ IFMAP_RENEW_SESSION_INTERVAL, lib->ns);
job = (job_t*)tnc_ifmap_renew_session_job_create(
this->ifmap->get_ref(this->ifmap), reschedule);
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index df7d2e2a1..8f24daea3 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -134,8 +134,8 @@ METHOD(tnc_ifmap_soap_t, newSession, bool,
/* set PEP and PDP device name (defaults to IF-MAP Publisher ID) */
this->device_name = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-ifmap.device_name",
- this->ifmap_publisher_id, charon->name);
+ "%s.plugins.tnc-ifmap.device_name",
+ this->ifmap_publisher_id, lib->ns);
this->device_name = strdup(this->device_name);
return this->session_id && this->ifmap_publisher_id;
@@ -731,15 +731,15 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
/* getting configuration parameters from strongswan.conf */
server_uri = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-ifmap.server_uri", IFMAP_URI, charon->name);
+ "%s.plugins.tnc-ifmap.server_uri", IFMAP_URI, lib->ns);
server_cert = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-ifmap.server_cert", NULL, charon->name);
+ "%s.plugins.tnc-ifmap.server_cert", NULL, lib->ns);
client_cert = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-ifmap.client_cert", NULL, charon->name);
+ "%s.plugins.tnc-ifmap.client_cert", NULL, lib->ns);
client_key = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-ifmap.client_key", NULL, charon->name);
+ "%s.plugins.tnc-ifmap.client_key", NULL, lib->ns);
user_pass = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-ifmap.username_password", NULL, charon->name);
+ "%s.plugins.tnc-ifmap.username_password", NULL, lib->ns);
/* load [self-signed] MAP server certificate */
if (!server_cert)
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index d263bdec4..b2958efdb 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -222,8 +222,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -291,6 +289,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -379,12 +382,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -399,6 +406,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 31cee9e2b..89237f564 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -758,19 +758,19 @@ tnc_pdp_t *tnc_pdp_create(void)
bool radius_enable, pt_tls_enable;
server = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-pdp.server", NULL, charon->name);
+ "%s.plugins.tnc-pdp.server", NULL, lib->ns);
pt_tls_enable = lib->settings->get_bool(lib->settings,
- "%s.plugins.tnc-pdp.pt_tls.enable", TRUE, charon->name);
+ "%s.plugins.tnc-pdp.pt_tls.enable", TRUE, lib->ns);
pt_tls_port = lib->settings->get_int(lib->settings,
- "%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, charon->name);
+ "%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, lib->ns);
radius_enable = lib->settings->get_bool(lib->settings,
- "%s.plugins.tnc-pdp.radius.enable", TRUE, charon->name);
+ "%s.plugins.tnc-pdp.radius.enable", TRUE, lib->ns);
radius_port = lib->settings->get_int(lib->settings,
- "%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, charon->name);
+ "%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, lib->ns);
secret = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-pdp.radius.secret", NULL, charon->name);
+ "%s.plugins.tnc-pdp.radius.secret", NULL, lib->ns);
eap_type_str = lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-pdp.radius.method", "ttls", charon->name);
+ "%s.plugins.tnc-pdp.radius.method", "ttls", lib->ns);
if (!pt_tls_enable && !radius_enable)
{
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index f789c31d2..6c7659bb1 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -298,7 +298,7 @@ tnc_pdp_connections_t *tnc_pdp_connections_create(void)
.list = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.timeout = lib->settings->get_int(lib->settings,
- "%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, charon->name),
+ "%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index b36a53394..b2b473c32 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 2f8a65c07..2d9f59678 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 11d6091db..65fe14e1d 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index edff51a08..9f72a80da 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -97,9 +97,9 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
}
/**
- * As initiator, bump up TS to 0.0.0.0/0 for on-the-wire bits
+ * As initiator and responder, bump up TS to 0.0.0.0/0 for on-the-wire bits
*/
-static void narrow_initiator_pre(linked_list_t *list)
+static void narrow_pre(linked_list_t *list, char *side)
{
traffic_selector_t *ts;
@@ -112,7 +112,7 @@ static void narrow_initiator_pre(linked_list_t *list)
"255.255.255.255", 65535);
if (ts)
{
- DBG2(DBG_CFG, "changing proposed traffic selectors for other:");
+ DBG2(DBG_CFG, "changing proposed traffic selectors for %s:", side);
DBG2(DBG_CFG, " %R", ts);
list->insert_last(list, ts);
}
@@ -149,12 +149,15 @@ METHOD(listener_t, narrow, bool,
switch (type)
{
case NARROW_INITIATOR_PRE_AUTH:
- narrow_initiator_pre(remote);
+ narrow_pre(remote, "other");
break;
case NARROW_INITIATOR_POST_AUTH:
narrow_initiator(this, ike_sa,
child_sa->get_config(child_sa), remote);
break;
+ case NARROW_RESPONDER:
+ narrow_pre(local, "us");
+ break;
case NARROW_RESPONDER_POST:
narrow_responder_post(child_sa->get_config(child_sa), local);
break;
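Review bot: Nothing at the new `NARROW_RESPONDER` case says which peers get their local selector list widened to 0.0.0.0/0 by `narrow_pre(local, "us")`, or where the list is narrowed again. The condition guarding this `switch` is outside the hunk; if it does not limit the branch to peers that negotiated the Unity extension, every responder-side negotiation would accept a full-range selector on the wire. A comment on the case, for example `/* responder: accept 0.0.0.0/0 on the wire, narrow_responder_post() restores the configured selectors */`, would record the pairing, assuming that is what `narrow_responder_post()` does. `narrow_pre()` only reads `side`, so `const char *side` fits the string literals passed here.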
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index ac6f93d69..86f81fcfb 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
*
@@ -16,6 +19,7 @@
#include "unity_provider.h"
#include <daemon.h>
+#include <bio/bio_writer.h>
typedef struct private_unity_provider_t private_unity_provider_t;
@@ -31,58 +35,70 @@ struct private_unity_provider_t {
};
/**
- * Attribute enumerator for traffic selector list
+ * Attribute enumerator for UNITY_SPLIT_INCLUDE attribute
*/
typedef struct {
/** Implements enumerator_t */
enumerator_t public;
/** list of traffic selectors to enumerate */
linked_list_t *list;
- /** currently enumerating subnet */
- u_char subnet[4];
- /** currently enumerating subnet mask */
- u_char mask[4];
+ /** attribute value */
+ chunk_t attr;
} attribute_enumerator_t;
+/**
+ * Append data from the given traffic selector to the attribute data
+ */
+static void append_ts(bio_writer_t *writer, traffic_selector_t *ts)
+{
+ host_t *net, *mask;
+ chunk_t padding;
+ u_int8_t bits;
+
+ if (!ts->to_subnet(ts, &net, &bits))
+ {
+ return;
+ }
+ mask = host_create_netmask(AF_INET, bits);
+ if (!mask)
+ {
+ net->destroy(net);
+ return;
+ }
+ writer->write_data(writer, net->get_address(net));
+ writer->write_data(writer, mask->get_address(mask));
+ /* the Cisco client parses the "padding" as protocol, src and dst port, the
+ * first two in network order the last in host order - no other clients seem
+ * to support these fields so we don't use them either */
+ padding = writer->skip(writer, 6);
+ memset(padding.ptr, 0, padding.len);
+ mask->destroy(mask);
+ net->destroy(net);
+}
+
METHOD(enumerator_t, attribute_enumerate, bool,
attribute_enumerator_t *this, configuration_attribute_type_t *type,
chunk_t *attr)
{
traffic_selector_t *ts;
- u_int8_t i, mask;
- host_t *net;
+ bio_writer_t *writer;
- while (TRUE)
+ if (this->list->get_count(this->list) == 0)
{
- if (this->list->remove_first(this->list, (void**)&ts) != SUCCESS)
- {
- return FALSE;
- }
- if (ts->to_subnet(ts, &net, &mask))
- {
- ts->destroy(ts);
- break;
- }
- ts->destroy(ts);
+ return FALSE;
}
- memset(this->mask, 0, sizeof(this->mask));
- for (i = 0; i < sizeof(this->mask); i++)
+ writer = bio_writer_create(14);
+ while (this->list->remove_first(this->list, (void**)&ts) == SUCCESS)
{
- if (mask < 8)
- {
- this->mask[i] = 0xFF << (8 - mask);
- break;
- }
- this->mask[i] = 0xFF;
- mask -= 8;
+ append_ts(writer, ts);
+ ts->destroy(ts);
}
- memcpy(this->subnet, net->get_address(net).ptr, sizeof(this->subnet));
- net->destroy(net);
*type = UNITY_SPLIT_INCLUDE;
- *attr = chunk_create(this->subnet, sizeof(this->subnet) + sizeof(this->mask));
+ *attr = this->attr = writer->extract_buf(writer);
+ writer->destroy(writer);
return TRUE;
}
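Review bot: `append_ts()` builds the mask with `host_create_netmask(AF_INET, bits)` but writes `net->get_address(net)` without checking the family of `net`. If an IPv6 selector with a prefix of 32 bits or less reaches this list, the attribute would get a 16-byte address followed by a 4-byte mask, which breaks the fixed 14-byte record layout for everything after it. Adding `net->get_family(net) != AF_INET` to the rejection path, with `net->destroy(net)` before the return, keeps every record at 4 + 4 + 6 bytes. `attribute_enumerate()` also returns TRUE with an empty `UNITY_SPLIT_INCLUDE` when no selector converts; checking that something was written before setting `*type` would avoid sending that.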
@@ -90,6 +106,7 @@ METHOD(enumerator_t, attribute_destroy, void,
attribute_enumerator_t *this)
{
this->list->destroy_offset(this->list, offsetof(traffic_selector_t, destroy));
+ chunk_free(&this->attr);
free(this);
}
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 697c95917..e2d6d32fb 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index 3a644380a..0894d2d07 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -188,7 +188,7 @@ METHOD(updown_handler_t, create_dns_enumerator, enumerator_t*,
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa)
{
- return FALSE;
+ return enumerator_create_empty();
}
this->lock->read_lock(this->lock);
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 81adfdb13..2c3f93298 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2013 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -218,12 +219,12 @@ METHOD(listener_t, child_updown, bool,
enumerator = child_sa->create_policy_enumerator(child_sa);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
- char command[1024];
+ char command[2048];
host_t *my_client, *other_client;
u_int8_t my_client_mask, other_client_mask;
char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
mark_t mark;
- bool is_host, is_ipv6;
+ bool is_host, is_ipv6, use_ipcomp;
FILE *shell;
my_ts->to_subnet(my_ts, &my_client, &my_client_mask);
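Review bot: Doubling `command` to 2048 bytes makes truncation less likely but does not rule it out, and this buffer holds a command line that is run through the shell (`FILE *shell`). The `snprintf` that fills it is outside this hunk, so whether its return value is checked cannot be seen here; if it is not, a cut-off command string would still be executed. I would keep the result in a local and test `if (len < 0 || len >= sizeof(command))`, then log and skip the script for this policy after releasing the strings built above. `child_updown` starts and ends outside the hunk.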
@@ -322,6 +323,9 @@ METHOD(listener_t, child_updown, bool,
dns = make_dns_vars(this, ike_sa);
+ /* check for IPComp */
+ use_ipcomp = child_sa->get_ipcomp(child_sa) != IPCOMP_NONE;
+
/* determine IPv4/IPv6 and client/host situation */
is_host = my_ts->is_host(my_ts, me);
is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
@@ -355,6 +359,7 @@ METHOD(listener_t, child_updown, bool,
"%s"
"%s"
"%s"
+ "%s"
"%s",
up ? "up" : "down",
is_host ? "-host" : "-client",
@@ -377,6 +382,7 @@ METHOD(listener_t, child_updown, bool,
mark_in,
mark_out,
udp_enc,
+ use_ipcomp ? "PLUTO_IPCOMP='1' " : "",
config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
dns,
script);
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index 3c1aba5cc..d30267dee 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -58,7 +58,7 @@ static bool plugin_cb(private_updown_plugin_t *this,
if (reg)
{
if (lib->settings->get_bool(lib->settings,
- "charon.plugins.updown.dns_handler", FALSE))
+ "%s.plugins.updown.dns_handler", FALSE, lib->ns))
{
this->handler = updown_handler_create();
hydra->attributes->add_handler(hydra->attributes,
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 218ecaaf7..aa8ad2e10 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -225,8 +225,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -294,6 +292,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -382,12 +385,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -402,6 +409,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index 996f263c9..c1b619c3c 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -157,7 +157,7 @@ whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
uri = lib->settings->get_str(lib->settings,
"%s.plugins.whitelist.socket", "unix://" WHITELIST_SOCKET,
- charon->name);
+ lib->ns);
this->service = lib->streams->create_service(lib->streams, uri, 10);
if (!this->service)
{
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c
index 382ee3b8b..d0357b410 100644
--- a/src/libcharon/plugins/whitelist/whitelist_listener.c
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.c
@@ -206,7 +206,7 @@ whitelist_listener_t *whitelist_listener_create()
.ids = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 32),
.enabled = lib->settings->get_bool(lib->settings,
- "%s.plugins.whitelist.enable", FALSE, charon->name),
+ "%s.plugins.whitelist.enable", FALSE, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index c5eba1467..cf0c326e3 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.c b/src/libcharon/plugins/xauth_eap/xauth_eap.c
index 5ac4f10d2..f597bb7ae 100644
--- a/src/libcharon/plugins/xauth_eap/xauth_eap.c
+++ b/src/libcharon/plugins/xauth_eap/xauth_eap.c
@@ -224,7 +224,7 @@ METHOD(xauth_method_t, process, status_t,
name = lib->settings->get_str(lib->settings,
"%s.plugins.xauth-eap.backend", "radius",
- charon->name);
+ lib->ns);
type = eap_type_from_string(name);
if (!type)
{
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 47c216177..2d18f60df 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 22244930d..8173631ae 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
index a7d4f6436..1875f81d3 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -14,6 +14,7 @@ endif
libstrongswan_xauth_pam_la_SOURCES = \
xauth_pam_plugin.h xauth_pam_plugin.c \
+ xauth_pam_listener.h xauth_pam_listener.c \
xauth_pam.h xauth_pam.c
libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index dbcc4f405..1ee269e04 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -129,7 +129,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_xauth_pam_la_LIBADD =
am_libstrongswan_xauth_pam_la_OBJECTS = xauth_pam_plugin.lo \
- xauth_pam.lo
+ xauth_pam_listener.lo xauth_pam.lo
libstrongswan_xauth_pam_la_OBJECTS = \
$(am_libstrongswan_xauth_pam_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -417,6 +425,7 @@ AM_CFLAGS = \
@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-pam.la
libstrongswan_xauth_pam_la_SOURCES = \
xauth_pam_plugin.h xauth_pam_plugin.c \
+ xauth_pam_listener.h xauth_pam_listener.c \
xauth_pam.h xauth_pam.c
libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
@@ -511,6 +520,7 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_listener.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_plugin.Plo@am__quote@
.c.o:
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.c b/src/libcharon/plugins/xauth_pam/xauth_pam.c
index 8ba2c764d..71c79ecc0 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam.c
@@ -116,7 +116,11 @@ static void attr2string(char *buf, size_t len, chunk_t chunk)
{
if (chunk.len && chunk.len < len)
{
- snprintf(buf, len, "%.*s", (int)chunk.len, chunk.ptr);
+ chunk_t sane;
+
+ chunk_printable(chunk, &sane, '?');
+ snprintf(buf, len, "%.*s", (int)sane.len, sane.ptr);
+ chunk_clear(&sane);
}
}
@@ -138,7 +142,7 @@ METHOD(xauth_method_t, process, status_t,
/* trim to username part if email address given */
if (lib->settings->get_bool(lib->settings,
"%s.plugins.xauth-pam.trim_email",
- TRUE, charon->name))
+ TRUE, lib->ns))
{
pos = memchr(chunk.ptr, '@', chunk.len);
if (pos)
@@ -171,9 +175,8 @@ METHOD(xauth_method_t, process, status_t,
service = lib->settings->get_str(lib->settings,
"%s.plugins.xauth-pam.pam_service",
lib->settings->get_str(lib->settings,
- "%s.plugins.eap-gtc.pam_service",
- "login", charon->name),
- charon->name);
+ "%s.plugins.eap-gtc.pam_service", "login", lib->ns),
+ lib->ns);
if (authenticate(service, user, pass))
{
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
new file mode 100644
index 000000000..eb06f54bb
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi@endian.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "xauth_pam_listener.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <security/pam_appl.h>
+
+typedef struct private_xauth_pam_listener_t private_xauth_pam_listener_t;
+
+/**
+ * Private data of an xauth_pam_listener_t object.
+ */
+struct private_xauth_pam_listener_t {
+
+ /**
+ * Public xauth_pam_listener_t interface.
+ */
+ xauth_pam_listener_t public;
+
+ /**
+ * PAM service
+ */
+ char *service;
+};
+
+/**
+ * PAM conv callback function
+ */
+static int conv(int num_msg, const struct pam_message **msg,
+ struct pam_response **resp, void *data)
+{
+ int i;
+
+ for (i = 0; i < num_msg; i++)
+ {
+ /* ignore any text info, but fail on any interaction request */
+ if (msg[i]->msg_style != PAM_TEXT_INFO)
+ {
+ return PAM_CONV_ERR;
+ }
+ }
+ return PAM_SUCCESS;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_xauth_pam_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+ struct pam_conv null_conv = {
+ .conv = conv,
+ };
+ pam_handle_t *pamh = NULL;
+ char *user;
+ int ret;
+
+ if (asprintf(&user, "%Y", ike_sa->get_other_eap_id(ike_sa)) != -1)
+ {
+ ret = pam_start(this->service, user, &null_conv, &pamh);
+ if (ret == PAM_SUCCESS)
+ {
+ if (up)
+ {
+ ret = pam_open_session(pamh, 0);
+ if (ret != PAM_SUCCESS)
+ {
+ DBG1(DBG_IKE, "XAuth pam_open_session for '%s' failed: %s",
+ user, pam_strerror(pamh, ret));
+ }
+ }
+ else
+ {
+ ret = pam_close_session(pamh, 0);
+ if (ret != PAM_SUCCESS)
+ {
+ DBG1(DBG_IKE, "XAuth pam_close_session for '%s' failed: %s",
+ user, pam_strerror(pamh, ret));
+ }
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "XAuth pam_start for '%s' failed: %s",
+ user, pam_strerror(pamh, ret));
+ }
+ pam_end(pamh, ret);
+ free(user);
+ }
+ return TRUE;
+}
+
+METHOD(xauth_pam_listener_t, listener_destroy, void,
+ private_xauth_pam_listener_t *this)
+{
+ free(this);
+}
+
+xauth_pam_listener_t *xauth_pam_listener_create()
+{
+ private_xauth_pam_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .ike_updown = _ike_updown,
+ },
+ .destroy = _listener_destroy,
+ },
+ /* Look for PAM service, with a legacy fallback for the eap-gtc plugin.
+ * Default to "login". */
+ .service = lib->settings->get_str(lib->settings,
+ "%s.plugins.xauth-pam.pam_service",
+ lib->settings->get_str(lib->settings,
+ "%s.plugins.eap-gtc.pam_service",
+ "login", lib->ns),
+ lib->ns),
+ );
+
+ return &this->public;
+}
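Review bot: In `ike_updown`, `pam_end(pamh, ret)` and the `pam_strerror(pamh, ret)` in the failure branch both run after `pam_start` has failed, i.e. with a handle that was never set up (`pamh` is initialised to NULL). Moving `pam_end(pamh, ret);` into the `ret == PAM_SUCCESS` branch keeps the cleanup tied to a valid handle. Separately, nothing in the visible code limits the listener to IKE_SAs that authenticated through this plugin. A PAM session therefore appears to be opened under `get_other_eap_id()` for every IKE_SA that comes up while the listener is registered; a comment stating whether that is intended would help.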
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
new file mode 100644
index 000000000..5b15410f4
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi@endian.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup xauth_pam_i xauth_pam
+ * @{ @ingroup xauth_pam
+ */
+
+#ifndef XAUTH_PAM_LISENER_H_
+#define XAUTH_PAM_LISTENER_H_
+
+typedef struct xauth_pam_listener_t xauth_pam_listener_t;
+
+#include <bus/listeners/listener.h>
+
+/**
+ * Listener
+ */
+struct xauth_pam_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a xauth_pam_listener_t.
+ */
+ void (*destroy)(xauth_pam_listener_t *this);
+};
+
+/**
+ * Create a xauth_pam_listener instance.
+ */
+xauth_pam_listener_t *xauth_pam_listener_create();
+
+
+#endif /** XAUTH_PAM_LISTENER_H_ @}*/
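Review bot: The include guard does not guard anything: `#ifndef XAUTH_PAM_LISENER_H_` tests a misspelled macro while `#define XAUTH_PAM_LISTENER_H_` defines the correctly spelled one, so a second inclusion would redeclare `struct xauth_pam_listener_t`. The first line should read `#ifndef XAUTH_PAM_LISTENER_H_`. The Doxygen header `@defgroup xauth_pam_i xauth_pam` also looks copied from another header; `@defgroup xauth_pam_listener xauth_pam_listener` would avoid a duplicate group name.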
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index 2ef9a6c8f..497ad3dd9 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -15,6 +15,7 @@
#include "xauth_pam_plugin.h"
#include "xauth_pam.h"
+#include "xauth_pam_listener.h"
#include <daemon.h>
@@ -22,26 +23,73 @@
#define CAP_AUDIT_WRITE 29
#endif
+typedef struct private_xauth_pam_plugin_t private_xauth_pam_plugin_t;
+
+/**
+ * private data of xauth_pam plugin
+ */
+struct private_xauth_pam_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ xauth_pam_plugin_t public;
+
+ /**
+ * Listener
+ */
+ xauth_pam_listener_t *listener;
+
+ /**
+ * Do PAM session management?
+ */
+ bool session;
+};
+
+/**
+ * Register XAuth method and listener
+ */
+static bool register_listener(private_xauth_pam_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *data)
+{
+ if (reg)
+ {
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+ }
+ else
+ {
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ }
+ return TRUE;
+}
+
METHOD(plugin_t, get_name, char*,
- xauth_pam_plugin_t *this)
+ private_xauth_pam_plugin_t *this)
{
return "xauth-pam";
}
METHOD(plugin_t, get_features, int,
- xauth_pam_plugin_t *this, plugin_feature_t *features[])
+ private_xauth_pam_plugin_t *this, plugin_feature_t *features[])
{
static plugin_feature_t f[] = {
PLUGIN_CALLBACK(xauth_method_register, xauth_pam_create_server),
PLUGIN_PROVIDE(XAUTH_SERVER, "pam"),
+ PLUGIN_CALLBACK((plugin_feature_callback_t)register_listener, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "pam-session"),
};
*features = f;
+ if (!this->session)
+ {
+ return 2;
+ }
return countof(f);
}
METHOD(plugin_t, destroy, void,
- xauth_pam_plugin_t *this)
+ private_xauth_pam_plugin_t *this)
{
+ this->listener->destroy(this->listener),
free(this);
}
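Review bot: `destroy` ends its first statement with a comma, `this->listener->destroy(this->listener),`, which the comma operator silently joins with `free(this)`; it works, but it should read `this->listener->destroy(this->listener);`. In `get_features`, `return 2;` hard-codes the number of leading entries of `f[]`, so adding a feature ahead of the listener callback would expose the wrong set. `return countof(f) - 2;` with a comment such as `/* omit the pam-session callback and its feature */` keeps the count tied to the array. The comment on `register_listener` says "Register XAuth method and listener" although the function only adds or removes the listener.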
@@ -50,7 +98,7 @@ METHOD(plugin_t, destroy, void,
*/
plugin_t *xauth_pam_plugin_create()
{
- xauth_pam_plugin_t *this;
+ private_xauth_pam_plugin_t *this;
/* required for PAM authentication */
if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
@@ -60,12 +108,17 @@ plugin_t *xauth_pam_plugin_create()
}
INIT(this,
- .plugin = {
- .get_name = _get_name,
- .get_features = _get_features,
- .destroy = _destroy,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
},
+ .session = lib->settings->get_str(lib->settings,
+ "%s.plugins.xauth-pam.session", FALSE, lib->ns),
+ .listener = xauth_pam_listener_create(),
);
- return &this->plugin;
+ return &this->public.plugin;
}
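Review bot: `.session` is a `bool` but is initialised from `get_str(..., FALSE, lib->ns)`, which returns a string pointer, so any configured value, including `no` or `0`, yields a non-NULL pointer and enables PAM session management. The initialiser should be `.session = lib->settings->get_bool(lib->settings, "%s.plugins.xauth-pam.session", FALSE, lib->ns),`. As written, the only way for an administrator to keep the session listener off is to leave the key unset.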
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 9ab69b417..197733979 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -73,12 +73,13 @@ METHOD(job_t, execute, job_requeue_t,
{
if (child_sa->get_reqid(child_sa) == this->reqid)
{
- time_t in, out, diff;
+ time_t in, out, install, diff;
child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
+ install = child_sa->get_installtime(child_sa);
- diff = time_monotonic(NULL) - max(in, out);
+ diff = time_monotonic(NULL) - max(max(in, out), install);
if (diff >= this->timeout)
{
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 9c3876a94..720a58553 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -120,6 +120,11 @@ struct private_child_sa_t {
time_t expire_time;
/**
+ * absolute time when SA has been installed
+ */
+ time_t install_time;
+
+ /**
* state of the CHILD_SA
*/
child_sa_state_t state;
@@ -586,6 +591,12 @@ METHOD(child_sa_t, get_lifetime, time_t,
return hard ? this->expire_time : this->rekey_time;
}
+METHOD(child_sa_t, get_installtime, time_t,
+ private_child_sa_t *this)
+{
+ return this->install_time;
+}
+
METHOD(child_sa_t, alloc_spi, u_int32_t,
private_child_sa_t *this, protocol_id_t protocol)
{
@@ -1140,6 +1151,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
.get_proposal = _get_proposal,
.set_proposal = _set_proposal,
.get_lifetime = _get_lifetime,
+ .get_installtime = _get_installtime,
.get_usestats = _get_usestats,
.get_mark = _get_mark,
.has_encap = _has_encap,
@@ -1170,6 +1182,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
.reqid = config->get_reqid(config),
.mark_in = config->get_mark(config, TRUE),
.mark_out = config->get_mark(config, FALSE),
+ .install_time = time_monotonic(NULL),
);
this->config = config;
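Review bot: `install_time` is filled with `time_monotonic(NULL)` in `child_sa_create`, which is when the object is allocated rather than when the SA is installed, yet the field and `get_installtime` are documented as the install time. If nothing updates it on the install path (no such hunk is visible here), either the assignment should move there or the comment should say what is stored, e.g. `/* time the CHILD_SA object was created, lower bound for inactivity checks */`. `child_sa_create` continues outside the hunk.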
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index ed52d60b1..a0c6c357f 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -265,6 +265,13 @@ struct child_sa_t {
time_t (*get_lifetime)(child_sa_t *this, bool hard);
/**
+ * Get the absolute time when this SA has been installed.
+ *
+ * @return monotonic absolute install time
+ */
+ time_t (*get_installtime)(child_sa_t *this);
+
+ /**
* Get last use time and the number of bytes processed.
*
* @param inbound TRUE for inbound traffic, FALSE for outbound
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 028208782..2c15dc5eb 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -687,6 +687,14 @@ METHOD(ike_sa_t, set_state, void,
DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
}
trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
+ if (trigger_dpd)
+ {
+ /* Some peers delay the DELETE after rekeying an IKE_SA.
+ * If this delay is longer than our DPD delay, we would
+ * send a DPD request here. The IKE_SA is not ready to do
+ * so yet, so prevent that. */
+ this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
+ }
}
break;
}
@@ -1162,26 +1170,13 @@ METHOD(ike_sa_t, initiate, status_t,
#endif /* ME */
)
{
- bool is_anyaddr;
- host_t *host;
char *addr;
- addr = this->ike_cfg->get_my_addr(this->ike_cfg);
- host = this->ike_cfg->resolve_other(this->ike_cfg, AF_UNSPEC);
- is_anyaddr = host && host->is_anyaddr(host);
- DESTROY_IF(host);
-
- if (is_anyaddr || !this->retry_initiate_interval)
+ addr = this->ike_cfg->get_other_addr(this->ike_cfg);
+ if (!this->retry_initiate_interval)
{
- if (is_anyaddr)
- {
- DBG1(DBG_IKE, "unable to initiate to %s", addr);
- }
- else
- {
- DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
- addr);
- }
+ DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
+ addr);
DESTROY_IF(child_cfg);
charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
return DESTROY_ME;
@@ -2130,7 +2125,10 @@ METHOD(ike_sa_t, destroy, void,
charon->bus->set_sa(charon->bus, &this->public);
set_state(this, IKE_DESTROYING);
- DESTROY_IF(this->task_manager);
+ if (this->task_manager)
+ {
+ this->task_manager->flush(this->task_manager);
+ }
/* remove attributes first, as we pass the IKE_SA to the handler */
while (array_remove(this->attributes, ARRAY_TAIL, &entry))
@@ -2174,6 +2172,7 @@ METHOD(ike_sa_t, destroy, void,
charon->bus->set_sa(charon->bus, NULL);
array_destroy(this->child_sas);
+ DESTROY_IF(this->task_manager);
DESTROY_IF(this->keymat);
array_destroy(this->attributes);
array_destroy(this->my_vips);
@@ -2330,11 +2329,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
.attributes = array_create(sizeof(attribute_entry_t), 0),
.unique_id = ref_get(&unique_id),
.keepalive_interval = lib->settings->get_time(lib->settings,
- "%s.keep_alive", KEEPALIVE_INTERVAL, charon->name),
+ "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
.retry_initiate_interval = lib->settings->get_time(lib->settings,
- "%s.retry_initiate_interval", 0, charon->name),
+ "%s.retry_initiate_interval", 0, lib->ns),
.flush_auth_cfg = lib->settings->get_bool(lib->settings,
- "%s.flush_auth_cfg", FALSE, charon->name),
+ "%s.flush_auth_cfg", FALSE, lib->ns),
);
if (version == IKEV2)
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 5768803aa..f2f81cf33 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -2150,17 +2150,17 @@ ike_sa_manager_t *ike_sa_manager_create()
}
this->ikesa_limit = lib->settings->get_int(lib->settings,
- "%s.ikesa_limit", 0, charon->name);
+ "%s.ikesa_limit", 0, lib->ns);
this->table_size = get_nearest_powerof2(lib->settings->get_int(
lib->settings, "%s.ikesa_table_size",
- DEFAULT_HASHTABLE_SIZE, charon->name));
+ DEFAULT_HASHTABLE_SIZE, lib->ns));
this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
this->table_mask = this->table_size - 1;
this->segment_count = get_nearest_powerof2(lib->settings->get_int(
lib->settings, "%s.ikesa_table_segments",
- DEFAULT_SEGMENT_COUNT, charon->name));
+ DEFAULT_SEGMENT_COUNT, lib->ns));
this->segment_count = max(1, min(this->segment_count, this->table_size));
this->segment_mask = this->segment_count - 1;
@@ -2200,6 +2200,6 @@ ike_sa_manager_t *ike_sa_manager_create()
}
this->reuse_ikesa = lib->settings->get_bool(lib->settings,
- "%s.reuse_ikesa", TRUE, charon->name);
+ "%s.reuse_ikesa", TRUE, lib->ns);
return &this->public;
}
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 597416e36..8fc158bba 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -339,10 +339,8 @@ METHOD(task_manager_t, flush_queue, void,
}
}
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
+METHOD(task_manager_t, flush, void,
+ private_task_manager_t *this)
{
flush_queue(this, TASK_QUEUE_QUEUED);
flush_queue(this, TASK_QUEUE_PASSIVE);
@@ -1581,7 +1579,7 @@ METHOD(task_manager_t, process_message, status_t,
lib->scheduler->schedule_job(lib->scheduler, job,
lib->settings->get_int(lib->settings,
"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
- charon->name));
+ lib->ns));
}
this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
charon->bus->message(charon->bus, msg, TRUE, TRUE);
@@ -2070,6 +2068,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
.adopt_child_tasks = _adopt_child_tasks,
.busy = _busy,
.create_task_enumerator = _create_task_enumerator,
+ .flush = _flush,
.flush_queue = _flush_queue,
.destroy = _destroy,
},
@@ -2083,9 +2082,9 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
.frag = {
.exchange = ID_PROT,
.max_packet = lib->settings->get_int(lib->settings,
- "%s.max_packet", MAX_PACKET, charon->name),
+ "%s.max_packet", MAX_PACKET, lib->ns),
.size = lib->settings->get_int(lib->settings,
- "%s.fragment_size", MAX_FRAGMENT_SIZE, charon->name),
+ "%s.fragment_size", MAX_FRAGMENT_SIZE, lib->ns),
},
.ike_sa = ike_sa,
.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
@@ -2093,11 +2092,11 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
.active_tasks = linked_list_create(),
.passive_tasks = linked_list_create(),
.retransmit_tries = lib->settings->get_int(lib->settings,
- "%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+ "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
.retransmit_timeout = lib->settings->get_double(lib->settings,
- "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+ "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
.retransmit_base = lib->settings->get_double(lib->settings,
- "%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+ "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
);
if (!this->rng)
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 46cbb879b..6cc3e04b3 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -421,7 +421,7 @@ METHOD(task_t, process_r, status_t,
case AUTH_PSK:
if (!lib->settings->get_bool(lib->settings, "%s.i_dont_care"
"_about_security_and_use_aggressive_mode_psk",
- FALSE, charon->name))
+ FALSE, lib->ns))
{
DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
"security reasons");
@@ -478,7 +478,7 @@ METHOD(task_t, process_r, status_t,
while (TRUE)
{
if (this->ph1->verify_auth(this->ph1, this->method, message,
- this->id_data))
+ chunk_clone(this->id_data)))
{
break;
}
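Review bot: Passing `chunk_clone(this->id_data)` implies that `verify_auth()` takes ownership of its last argument, so every pass through this `while (TRUE)` loop now allocates a fresh copy of the peer's identity data and hands it over unchecked. The other half of the change matters more: the following hunk removes both `this->id_data = chunk_empty;` resets, so the task now keeps `id_data` for its whole lifetime, and neither hunk shows it being released. Please confirm that destroy() (and migrate(), if the task can be reused) frees it, e.g. `chunk_free(&this->id_data);`. process_r starts and ends outside the hunk.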
@@ -487,12 +487,10 @@ METHOD(task_t, process_r, status_t,
this->method, TRUE, NULL);
if (!this->peer_cfg)
{
- this->id_data = chunk_empty;
return send_delete(this);
}
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
}
- this->id_data = chunk_empty;
if (!charon->bus->authorize(charon->bus, FALSE))
{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 11155b287..e07ac0ab4 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -191,9 +191,9 @@ static void build(private_isakmp_vendor_t *this, message_t *message)
int i;
strongswan = lib->settings->get_bool(lib->settings,
- "%s.send_vendor_id", FALSE, charon->name);
+ "%s.send_vendor_id", FALSE, lib->ns);
cisco_unity = lib->settings->get_bool(lib->settings,
- "%s.cisco_unity", FALSE, charon->name);
+ "%s.cisco_unity", FALSE, lib->ns);
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO;
if (!this->initiator && fragmentation)
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 12ee594b9..6e7da9852 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -194,7 +194,7 @@ static void schedule_inactivity_timeout(private_quick_mode_t *this)
if (timeout)
{
close_ike = lib->settings->get_bool(lib->settings,
- "%s.inactivity_close_ike", FALSE, charon->name);
+ "%s.inactivity_close_ike", FALSE, lib->ns);
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
timeout, close_ike), timeout);
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 4d0683f0a..8c7ba8d55 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -278,6 +278,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
{
DBG1(DBG_IKE, "no %N selected",
transform_type_names, PSEUDO_RANDOM_FUNCTION);
+ chunk_clear(&secret);
return FALSE;
}
this->prf_alg = alg;
@@ -287,6 +288,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
DBG1(DBG_IKE, "%N %N not supported!",
transform_type_names, PSEUDO_RANDOM_FUNCTION,
pseudo_random_function_names, alg);
+ chunk_clear(&secret);
return FALSE;
}
DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
@@ -339,6 +341,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
{
DBG1(DBG_IKE, "PRF of old SA %N not supported!",
pseudo_random_function_names, rekey_function);
+ chunk_clear(&secret);
chunk_free(&full_nonce);
chunk_free(&fixed_nonce);
chunk_clear(&prf_plus_seed);
@@ -450,17 +453,6 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
chunk_t seed, secret = chunk_empty;
prf_plus_t *prf_plus;
- if (dh)
- {
- if (dh->get_shared_secret(dh, &secret) != SUCCESS)
- {
- return FALSE;
- }
- DBG4(DBG_CHD, "DH secret %B", &secret);
- }
- seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
- DBG4(DBG_CHD, "seed %B", &seed);
-
if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
&enc_alg, &enc_size))
{
@@ -527,7 +519,21 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
{
return FALSE;
}
+
+ if (dh)
+ {
+ if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+ {
+ return FALSE;
+ }
+ DBG4(DBG_CHD, "DH secret %B", &secret);
+ }
+ seed = chunk_cata("scc", secret, nonce_i, nonce_r);
+ DBG4(DBG_CHD, "seed %B", &seed);
+
prf_plus = prf_plus_create(this->prf, TRUE, seed);
+ memwipe(seed.ptr, seed.len);
+
if (!prf_plus)
{
return FALSE;
@@ -590,7 +596,7 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
idx = chunk_cata("cc", chunk, id->get_encoding(id));
DBG3(DBG_IKE, "IDx' %B", &idx);
- DBG3(DBG_IKE, "SK_p %B", &skp);
+ DBG4(DBG_IKE, "SK_p %B", &skp);
if (!this->prf->set_key(this->prf, skp) ||
!this->prf->allocate_bytes(this->prf, idx, &chunk))
{
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 8e6da1609..ac3be900f 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -184,10 +184,8 @@ METHOD(task_manager_t, flush_queue, void,
}
}
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
+METHOD(task_manager_t, flush, void,
+ private_task_manager_t *this)
{
flush_queue(this, TASK_QUEUE_QUEUED);
flush_queue(this, TASK_QUEUE_PASSIVE);
@@ -1231,7 +1229,7 @@ METHOD(task_manager_t, process_message, status_t,
lib->scheduler->schedule_job(lib->scheduler, job,
lib->settings->get_int(lib->settings,
"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
- charon->name));
+ lib->ns));
}
return SUCCESS;
}
@@ -1569,6 +1567,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
.adopt_child_tasks = _adopt_child_tasks,
.busy = _busy,
.create_task_enumerator = _create_task_enumerator,
+ .flush = _flush,
.flush_queue = _flush_queue,
.destroy = _destroy,
},
@@ -1579,11 +1578,11 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
.active_tasks = array_create(0, 0),
.passive_tasks = array_create(0, 0),
.retransmit_tries = lib->settings->get_int(lib->settings,
- "%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+ "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
.retransmit_timeout = lib->settings->get_double(lib->settings,
- "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+ "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
.retransmit_base = lib->settings->get_double(lib->settings,
- "%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+ "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 7cfa537a9..df7bc96d6 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -293,7 +293,7 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
if (timeout)
{
close_ike = lib->settings->get_bool(lib->settings,
- "%s.inactivity_close_ike", FALSE, charon->name);
+ "%s.inactivity_close_ike", FALSE, lib->ns);
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
timeout, close_ike), timeout);
@@ -1072,7 +1072,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
{
if (message->get_exchange_type(message) == IKE_AUTH &&
lib->settings->get_bool(lib->settings,
- "%s.close_ike_on_child_failure", FALSE, charon->name))
+ "%s.close_ike_on_child_failure", FALSE, lib->ns))
{
/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
* first */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 8f83c4884..800dab07e 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -120,7 +120,7 @@ struct private_ike_auth_t {
static bool multiple_auth_enabled()
{
return lib->settings->get_bool(lib->settings,
- "%s.multiple_authentication", TRUE, charon->name);
+ "%s.multiple_authentication", TRUE, lib->ns);
}
/**
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 2cbe8f8c5..bd28b29d7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -428,7 +428,7 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
message->add_payload(message, (payload_t*)req);
if (lib->settings->get_bool(lib->settings,
- "%s.hash_and_url", FALSE, charon->name))
+ "%s.hash_and_url", FALSE, lib->ns))
{
message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
chunk_empty);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index 2730f5876..16ac16673 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -42,24 +42,60 @@ struct private_ike_vendor_t {
};
/**
- * strongSwan specific vendor ID without version, MD5("strongSwan")
+ * Vendor ID database entry
*/
-static chunk_t strongswan_vid = chunk_from_chars(
- 0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
- 0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
-);
+typedef struct {
+ /* Description */
+ char *desc;
+ /* extension flag negotiated with vendor ID, if any */
+ ike_extension_t extension;
+ /* length of vendor ID string, 0 for NULL terminated */
+ int len;
+ /* vendor ID string */
+ char *id;
+} vid_data_t;
+
+/**
+ * Get the data of a vendor ID as a chunk
+ */
+static chunk_t get_vid_data(vid_data_t *data)
+{
+ return chunk_create(data->id, data->len ?: strlen(data->id));
+}
+
+/**
+ * IKEv2 Vendor ID database entry
+ */
+static vid_data_t vids[] = {
+ /* strongSwan MD5("strongSwan") */
+ { "strongSwan", EXT_STRONGSWAN, 16,
+ "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
+ { "Cisco Delete Reason", 0, 0,
+ "CISCO-DELETE-REASON" },
+ { "Cisco Copyright (c) 2009", 0, 0,
+ "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
+ { "FRAGMENTATION", 0, 16,
+ "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3"},
+};
METHOD(task_t, build, status_t,
private_ike_vendor_t *this, message_t *message)
{
- if (lib->settings->get_bool(lib->settings,
- "%s.send_vendor_id", FALSE, charon->name))
- {
- vendor_id_payload_t *vid;
+ vendor_id_payload_t *vid;
+ bool strongswan;
+ int i;
- vid = vendor_id_payload_create_data(VENDOR_ID,
- chunk_clone(strongswan_vid));
- message->add_payload(message, &vid->payload_interface);
+ strongswan = lib->settings->get_bool(lib->settings,
+ "%s.send_vendor_id", FALSE, lib->ns);
+ for (i = 0; i < countof(vids); i++)
+ {
+ if (vids[i].extension == EXT_STRONGSWAN && strongswan)
+ {
+ DBG2(DBG_IKE, "sending %s vendor ID", vids[i].desc);
+ vid = vendor_id_payload_create_data(VENDOR_ID,
+ chunk_clone(get_vid_data(&vids[i])));
+ message->add_payload(message, &vid->payload_interface);
+ }
}
return this->initiator ? NEED_MORE : SUCCESS;
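Review bot: Nothing in `vid_data_t` tells a future editor that `len = 0` is only valid for printable IDs. `get_vid_data()` falls back to `strlen()`, which stops at the first NUL, and the FRAGMENTATION entry already contains a `\x00` byte that is handled correctly only because its length is spelled out as 16. I would extend the field comment to `/* length of vendor ID string, 0 for NULL terminated; binary IDs must always set it */`. The doc comment above `vids[]` also repeats the struct's wording ("database entry") although it describes the table itself.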
@@ -70,6 +106,7 @@ METHOD(task_t, process, status_t,
{
enumerator_t *enumerator;
payload_t *payload;
+ int i;
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
@@ -78,16 +115,26 @@ METHOD(task_t, process, status_t,
{
vendor_id_payload_t *vid;
chunk_t data;
+ bool found = FALSE;
vid = (vendor_id_payload_t*)payload;
data = vid->get_data(vid);
- if (chunk_equals(data, strongswan_vid))
+ for (i = 0; i < countof(vids); i++)
{
- DBG1(DBG_IKE, "received strongSwan vendor ID");
- this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
+ if (chunk_equals(get_vid_data(&vids[i]), data))
+ {
+ DBG1(DBG_IKE, "received %s vendor ID", vids[i].desc);
+ if (vids[i].extension)
+ {
+ this->ike_sa->enable_extension(this->ike_sa,
+ vids[i].extension);
+ }
+ found = TRUE;
+ break;
+ }
}
- else
+ if (!found)
{
DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
}
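Review bot: With the table lookup, every entry that carries a non-zero `extension` is enabled on the IKE_SA as soon as the peer sends the matching bytes, and as far as I can tell this task runs on messages that are not yet authenticated. That was already the case for EXT_STRONGSWAN, but the table makes it easy to add further flags without noticing. A comment at `if (vids[i].extension)` would record the constraint: `/* set on the peer's claim alone, must not be used to relax any check */`. process() starts and ends outside the hunk.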
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index a1ebb4117..e7a6bf463 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -261,6 +261,11 @@ struct task_manager_t {
task_queue_t queue);
/**
+ * Flush all tasks, regardless of the queue.
+ */
+ void (*flush)(task_manager_t *this);
+
+ /**
* Flush a queue, cancelling all tasks.
*
* @param queue queue to flush
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 1f66d6ceb..7e55d6b0f 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -19,7 +19,6 @@
#include <hydra.h>
#include <daemon.h>
#include <threading/rwlock.h>
-#include <threading/thread_value.h>
#include <collections/linked_list.h>
@@ -63,11 +62,6 @@ struct private_trap_manager_t {
rwlock_t *lock;
/**
- * track if the current thread is installing a trap policy
- */
- thread_value_t *installing;
-
- /**
* listener to track acquiring IKE_SAs
*/
trap_listener_t listener;
@@ -77,6 +71,8 @@ struct private_trap_manager_t {
* A installed trap entry
*/
typedef struct {
+ /** name of the trapped CHILD_SA */
+ char *name;
/** ref to peer_cfg to initiate */
peer_cfg_t *peer_cfg;
/** ref to instanciated CHILD_SA */
@@ -94,6 +90,7 @@ static void destroy_entry(entry_t *entry)
{
entry->child_sa->destroy(entry->child_sa);
entry->peer_cfg->destroy(entry->peer_cfg);
+ free(entry->name);
free(entry);
}
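Review bot: `destroy_entry()` still calls `entry->child_sa->destroy(entry->child_sa)` unconditionally, while install() in this same commit starts inserting entries whose `child_sa` is NULL until the policies are installed. The failure path in install() works around that by assigning `child_sa` before calling `destroy_entry()`, but destroy() passes every list entry to `destroy_entry` through `destroy_function`. A teardown that overlaps an in-flight install would therefore dereference NULL; whether that overlap can occur is not visible here. A guard makes the helper safe on its own: `if (entry->child_sa) { entry->child_sa->destroy(entry->child_sa); }`. Any list walk outside these hunks that touches `entry->child_sa` needs the same check that uninstall, trap_filter, find_reqid and acquire received.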
@@ -137,27 +134,42 @@ METHOD(trap_manager_t, install, u_int32_t,
}
this->lock->write_lock(this->lock);
- this->installing->set(this->installing, this);
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, &entry))
{
- if (streq(entry->child_sa->get_name(entry->child_sa),
- child->get_name(child)))
+ if (streq(entry->name, child->get_name(child)))
{
- this->traps->remove_at(this->traps, enumerator);
found = entry;
+ if (entry->child_sa)
+ { /* replace it with an updated version, if already installed */
+ this->traps->remove_at(this->traps, enumerator);
+ }
break;
}
}
enumerator->destroy(enumerator);
if (found)
- { /* config might have changed so update everything */
- DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'",
- child->get_name(child));
+ {
+ if (!found->child_sa)
+ {
+ DBG1(DBG_CFG, "CHILD_SA '%s' is already being routed", found->name);
+ this->lock->unlock(this->lock);
+ return 0;
+ }
+ /* config might have changed so update everything */
+ DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'", found->name);
reqid = found->child_sa->get_reqid(found->child_sa);
}
+ INIT(entry,
+ .name = strdup(child->get_name(child)),
+ .peer_cfg = peer->get_ref(peer),
+ );
+ this->traps->insert_first(this->traps, entry);
+ /* don't hold lock while creating CHILD_SA and installing policies */
+ this->lock->unlock(this->lock);
+
/* create and route CHILD_SA */
child_sa = child_sa_create(me, other, child, reqid, FALSE);
@@ -185,24 +197,19 @@ METHOD(trap_manager_t, install, u_int32_t,
if (status != SUCCESS)
{
DBG1(DBG_CFG, "installing trap failed");
+ this->lock->write_lock(this->lock);
+ this->traps->remove(this->traps, entry, NULL);
+ this->lock->unlock(this->lock);
+ entry->child_sa = child_sa;
+ destroy_entry(entry);
reqid = 0;
- /* hold off destroying the CHILD_SA until we released the lock */
}
else
{
- INIT(entry,
- .child_sa = child_sa,
- .peer_cfg = peer->get_ref(peer),
- );
- this->traps->insert_last(this->traps, entry);
reqid = child_sa->get_reqid(child_sa);
- }
- this->installing->set(this->installing, NULL);
- this->lock->unlock(this->lock);
-
- if (status != SUCCESS)
- {
- child_sa->destroy(child_sa);
+ this->lock->write_lock(this->lock);
+ entry->child_sa = child_sa;
+ this->lock->unlock(this->lock);
}
if (found)
{
@@ -221,7 +228,8 @@ METHOD(trap_manager_t, uninstall, bool,
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, &entry))
{
- if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+ if (entry->child_sa &&
+ entry->child_sa->get_reqid(entry->child_sa) == reqid)
{
this->traps->remove_at(this->traps, enumerator);
found = entry;
@@ -236,7 +244,6 @@ METHOD(trap_manager_t, uninstall, bool,
DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
return FALSE;
}
-
destroy_entry(found);
return TRUE;
}
@@ -247,6 +254,10 @@ METHOD(trap_manager_t, uninstall, bool,
static bool trap_filter(rwlock_t *lock, entry_t **entry, peer_cfg_t **peer_cfg,
void *none, child_sa_t **child_sa)
{
+ if (!(*entry)->child_sa)
+ { /* skip entries that are currently being installed */
+ return FALSE;
+ }
if (peer_cfg)
{
*peer_cfg = (*entry)->peer_cfg;
@@ -271,28 +282,24 @@ METHOD(trap_manager_t, find_reqid, u_int32_t,
private_trap_manager_t *this, child_cfg_t *child)
{
enumerator_t *enumerator;
- child_cfg_t *current;
entry_t *entry;
u_int32_t reqid = 0;
- if (this->installing->get(this->installing))
- { /* current thread holds the lock */
- return reqid;
- }
this->lock->read_lock(this->lock);
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, &entry))
{
- current = entry->child_sa->get_config(entry->child_sa);
- if (streq(current->get_name(current), child->get_name(child)))
+ if (streq(entry->name, child->get_name(child)))
{
- reqid = entry->child_sa->get_reqid(entry->child_sa);
+ if (entry->child_sa)
+ {
+ reqid = entry->child_sa->get_reqid(entry->child_sa);
+ }
break;
}
}
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
-
return reqid;
}
@@ -310,7 +317,8 @@ METHOD(trap_manager_t, acquire, void,
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, &entry))
{
- if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+ if (entry->child_sa &&
+ entry->child_sa->get_reqid(entry->child_sa) == reqid)
{
found = entry;
break;
@@ -365,6 +373,7 @@ METHOD(trap_manager_t, acquire, void,
else
{
ike_sa->destroy(ike_sa);
+ charon->bus->set_sa(charon->bus, NULL);
}
}
peer->destroy(peer);
@@ -445,7 +454,6 @@ METHOD(trap_manager_t, destroy, void,
{
charon->bus->remove_listener(charon->bus, &this->listener.listener);
this->traps->destroy_function(this->traps, (void*)destroy_entry);
- this->installing->destroy(this->installing);
this->lock->destroy(this->lock);
free(this);
}
@@ -476,7 +484,6 @@ trap_manager_t *trap_manager_create(void)
},
.traps = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
- .installing = thread_value_create(NULL),
);
charon->bus->add_listener(charon->bus, &this->listener.listener);
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
index 17eecc2c9..3aabe7eae 100644
--- a/src/libcharon/sa/xauth/xauth_manager.c
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -13,6 +13,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "xauth_manager.h"
#include <collections/linked_list.h>
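Review bot: The comment on the new define names `stdndup()`, which is not a libc function. The feature-test macro is presumably there for `strndup()`, so the line should read `#define _GNU_SOURCE /* for strndup() */`. Placing it before the first include is right, since the macro has no effect once a system header has been pulled in.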
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 032385431..dbfb9889b 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libfast/fast_request.c b/src/libfast/fast_request.c
index 0673750b7..a56a59167 100644
--- a/src/libfast/fast_request.c
+++ b/src/libfast/fast_request.c
@@ -23,7 +23,6 @@
#include <pthread.h>
#include <string.h>
#include <unistd.h>
-#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
@@ -294,31 +293,17 @@ METHOD(fast_request_t, serve, void,
METHOD(fast_request_t, sendfile, bool,
private_fast_request_t *this, char *path, char *mime)
{
- struct stat sb;
- chunk_t data;
- void *addr;
- int fd, written;
+ chunk_t *data;
+ int written;
char buf[24];
- fd = open(path, O_RDONLY);
- if (fd == -1)
+ data = chunk_map(path, FALSE);
+ if (!data)
{
return FALSE;
}
- if (fstat(fd, &sb) == -1)
- {
- close(fd);
- return FALSE;
- }
- addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (addr == MAP_FAILED)
- {
- close(fd);
- return FALSE;
- }
-
/* FCGX does not like large integers, print to a buffer using libc */
- snprintf(buf, sizeof(buf), "%lld", (int64_t)sb.st_size);
+ snprintf(buf, sizeof(buf), "%lld", (int64_t)data->len);
FCGX_FPrintF(this->req.out, "Content-Length: %s\n", buf);
if (mime)
{
@@ -326,22 +311,18 @@ METHOD(fast_request_t, sendfile, bool,
}
FCGX_FPrintF(this->req.out, "\n");
- data = chunk_create(addr, sb.st_size);
-
- while (data.len)
+ while (data->len)
{
- written = FCGX_PutStr(data.ptr, data.len, this->req.out);
+ written = FCGX_PutStr(data->ptr, data->len, this->req.out);
if (written == -1)
{
- munmap(addr, sb.st_size);
- close(fd);
+ chunk_unmap(data);
return FALSE;
}
- data = chunk_skip(data, written);
+ *data = chunk_skip(*data, written);
}
- munmap(addr, sb.st_size);
- close(fd);
+ chunk_unmap(data);
return TRUE;
}
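Review bot: The send loop advances the mapped chunk in place with `*data = chunk_skip(*data, written);`, so when `chunk_unmap(data)` runs, `data->ptr` no longer points at the start of the mapping and `data->len` is zero on the success path. That is only correct if `chunk_unmap()` keeps the original address and length somewhere other than these public fields, which the hunk does not show. If it does not, the mapping and its descriptor would leak on every file served. Iterating over a copy avoids the question: take `chunk_t rest = *data;`, loop on `rest`, and leave `*data` untouched. sendfile begins in the previous hunk.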
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index 429feed55..ff134da7b 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -26,7 +26,6 @@ LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
# build libhydra ---------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/include \
$(strongswan_PATH)/src/libstrongswan
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index d3c3ed459..5e0bf3f17 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -275,8 +275,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -344,6 +342,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -432,12 +435,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -452,6 +459,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 77567ce48..cc45e5629 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -573,7 +573,7 @@ static private_mem_pool_t *create_generic(char *name)
(hashtable_equals_t)id_equals, 16),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.reassign_online = lib->settings->get_bool(lib->settings,
- "%s.mem-pool.reassign_online", FALSE, hydra->daemon),
+ "%s.mem-pool.reassign_online", FALSE, lib->ns),
);
return this;
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index f531bd5f4..1b5065081 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -59,7 +59,6 @@ void libhydra_deinit()
this->public.attributes->destroy(this->public.attributes);
this->public.kernel_interface->destroy(this->public.kernel_interface);
- free((void*)this->public.daemon);
free(this);
hydra = NULL;
}
@@ -67,7 +66,7 @@ void libhydra_deinit()
/**
* Described in header.
*/
-bool libhydra_init(const char *daemon)
+bool libhydra_init()
{
private_hydra_t *this;
@@ -81,7 +80,6 @@ bool libhydra_init(const char *daemon)
INIT(this,
.public = {
.attributes = attribute_manager_create(),
- .daemon = strdup(daemon ?: "libhydra"),
},
.ref = 1,
);
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index 2a8709d72..94209ff59 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -53,11 +53,6 @@ struct hydra_t {
* kernel interface to communicate with kernel
*/
kernel_interface_t *kernel_interface;
-
- /**
- * name of the daemon that initialized the library
- */
- const char *daemon;
};
/**
@@ -70,15 +65,12 @@ extern hydra_t *hydra;
/**
* Initialize libhydra.
*
- * The daemon's name is used to load daemon-specific settings.
- *
* libhydra_init() may be called multiple times in a single process, but each
- * caller should call libhydra_deinit() for each call to libhydra_init().
+ * caller must call libhydra_deinit() for each call to libhydra_init().
*
- * @param daemon name of the daemon that initializes the library
* @return FALSE if integrity check failed
*/
-bool libhydra_init(const char *daemon);
+bool libhydra_init();
/**
* Deinitialize libhydra.
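Review bot: `bool libhydra_init();` declares a function with unspecified parameters rather than one taking none, so a caller that still passes the daemon name, as the old signature required, keeps compiling without a diagnostic. Since this commit removes that parameter, a real prototype would turn every stale call site into a compile error: `bool libhydra_init(void);`, with the definition in hydra.c changed to match. `trap_manager_create(void)` in trap_manager.c already uses that form.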
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index cbfddd03b..3e34d20a6 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -796,12 +796,12 @@ kernel_interface_t *kernel_interface_create()
);
ifaces = lib->settings->get_str(lib->settings,
- "%s.interfaces_use", NULL, hydra->daemon);
+ "%s.interfaces_use", NULL, lib->ns);
if (!ifaces)
{
this->ifaces_exclude = TRUE;
ifaces = lib->settings->get_str(lib->settings,
- "%s.interfaces_ignore", NULL, hydra->daemon);
+ "%s.interfaces_ignore", NULL, lib->ns);
}
if (ifaces)
{
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index af0a77fe3..e762b7757 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 1a2fa7f28..a27fd57b1 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -109,7 +109,7 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
host_t *host;
char *str;
- str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, hydra->daemon,
+ str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, lib->ns,
key, nr);
if (str)
{
@@ -179,7 +179,7 @@ static void load_entries(private_attr_provider_t *this)
}
enumerator = lib->settings->create_key_value_enumerator(lib->settings,
- "%s.plugins.attr", hydra->daemon);
+ "%s.plugins.attr", lib->ns);
while (enumerator->enumerate(enumerator, &key, &value))
{
configuration_attribute_type_t type;
@@ -190,6 +190,10 @@ static void load_entries(private_attr_provider_t *this)
char *pos;
int i, mask = -1, family;
+ if (streq(key, "load"))
+ {
+ continue;
+ }
type = atoi(key);
if (!type)
{
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 7b7b5de05..1d258f2fb 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index 702872c57..dde90051a 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -61,7 +61,7 @@ static bool open_database(private_attr_sql_plugin_t *this,
char *uri;
uri = lib->settings->get_str(lib->settings,
- "libhydra.plugins.attr-sql.database", NULL);
+ "%s.plugins.attr-sql.database", NULL, lib->ns);
if (!uri)
{
DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
@@ -122,6 +122,8 @@ plugin_t *attr_sql_plugin_create()
},
},
);
+ lib->settings->add_fallback(lib->settings, "%s.plugins.attr-sql",
+ "libhydra.plugins.attr-sql", lib->ns);
return &this->public.plugin;
}
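Review bot: The `add_fallback()` call added at the end of attr_sql_plugin_create() has no comment explaining why the old `libhydra.plugins.attr-sql` section is still consulted, and nothing in the hunk shows that it runs before the settings are read. The lookups switched to `%s.plugins.attr-sql.*` in open_database() and sql_attribute_create() (separate hunks) only find legacy configuration once this fallback is registered, so a later reorder would silently lose an existing `database` URI or `lease_history` setting. I would add `/* legacy section: keep libhydra.plugins.attr-sql.* working for existing configs */` above the call. The body of attr_sql_plugin_create() starts outside the hunk.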
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index 0a06c419f..d527c3fba 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -457,7 +457,7 @@ sql_attribute_t *sql_attribute_create(database_t *db)
},
.db = db,
.history = lib->settings->get_bool(lib->settings,
- "libhydra.plugins.attr-sql.lease_history", TRUE),
+ "%s.plugins.attr-sql.lease_history", TRUE, lib->ns),
);
/* close any "online" leases in the case we crashed */
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index a639ef6c3..c804c8e81 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index a226162c3..a75ccf3b6 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -311,8 +311,8 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
}
mtu = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-klips.ipsec_dev_mtu", 0,
- hydra->daemon);
+ "%s.plugins.kernel-klips.ipsec_dev_mtu", 0,
+ lib->ns);
if (mtu <= 0)
{
/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
@@ -2505,8 +2505,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
{
int i, count = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-klips.ipsec_dev_count",
- DEFAULT_IPSEC_DEV_COUNT, hydra->daemon);
+ "%s.plugins.kernel-klips.ipsec_dev_count",
+ DEFAULT_IPSEC_DEV_COUNT, lib->ns);
for (i = 0; i < count; ++i)
{
@@ -2611,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE,
- hydra->daemon),
+ lib->ns),
);
/* initialize ipsec devices */
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 5f85da653..5910cfd92 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8352b9311..c864a92f4 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1203,6 +1203,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
struct nlmsghdr *hdr;
struct xfrm_usersa_info *sa;
u_int16_t icv_size = 64;
+ ipsec_mode_t original_mode = mode;
status_t status = FAILED;
/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1213,7 +1214,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
- NULL, NULL);
+ src_ts, dst_ts);
ipcomp = IPCOMP_NONE;
/* use transport mode ESP SA, IPComp uses tunnel mode */
mode = MODE_TRANSPORT;
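Review bot: The nested `add_sa()` call that installs the IPComp SA still discards its `status_t` result, so a failed IPComp install goes unnoticed and the function carries on to install the ESP SA in transport mode. The outer SA can then be reported as installed while the compression SA it depends on is missing. I would test the result and bail out, along the lines of `if (add_sa(...) != SUCCESS) { return FAILED; }`; whether any cleanup is needed at that point cannot be judged from here, because the body of add_sa() starts and ends outside the hunk.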
@@ -1243,7 +1244,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
break;
case MODE_BEET:
case MODE_TRANSPORT:
- if(src_ts && dst_ts)
+ if (original_mode == MODE_TUNNEL)
+ { /* don't install selectors for switched SAs. because only one
+ * selector can be installed other traffic would get dropped */
+ break;
+ }
+ if (src_ts && dst_ts)
{
sa->sel = ts2selector(src_ts, dst_ts);
/* don't install proto/port on SA. This would break
@@ -1459,8 +1465,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
goto failed;
}
- if (tfc)
- {
+ if (tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL)
+ { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
u_int32_t *tfcpad;
tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
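Review bot: With the new condition, a configured `tfc` value is dropped without any message whenever the SA is not a tunnel-mode ESP SA. That includes tunnels with IPComp, because an earlier hunk in add_sa() sets `mode = MODE_TRANSPORT` for the ESP SA in that case, so an operator who enabled TFC padding gets none and has no indication of it. I would log the skip just before this block, e.g. `if (tfc && (protocol != IPPROTO_ESP || mode != MODE_TUNNEL)) { DBG2(DBG_KNL, "TFC padding not supported for this SA, ignored"); }`. The block's closing brace is outside the hunk.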
@@ -2679,15 +2685,15 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.policy_history = TRUE,
.install_routes = lib->settings->get_bool(lib->settings,
- "%s.install_routes", TRUE, hydra->daemon),
+ "%s.install_routes", TRUE, lib->ns),
.replay_window = lib->settings->get_int(lib->settings,
- "%s.replay_window", DEFAULT_REPLAY_WINDOW, hydra->daemon),
+ "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
);
this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
(sizeof(u_int32_t) * 8);
- if (streq(hydra->daemon, "starter"))
+ if (streq(lib->ns, "starter"))
{ /* starter has no threads, so we do not register for kernel events */
register_for_events = FALSE;
}
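Review bot: `replay_window` is taken from settings with `get_int()` and used unvalidated in the `replay_bmp` computation on the following lines. Because `sizeof` makes that arithmetic unsigned, a negative configured value turns into a very large bitmap length instead of being rejected; the field's declared type is outside the hunk. The anti-replay window is a security parameter, so I would range-check it right after the initializer and fall back to `DEFAULT_REPLAY_WINDOW` with a log line when the value is negative. kernel_netlink_ipsec_create() starts and ends outside the hunk.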
@@ -2697,7 +2703,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
{
fprintf(f, "%u", lib->settings->get_int(lib->settings,
"%s.plugins.kernel-netlink.xfrm_acq_expires",
- DEFAULT_ACQUIRE_LIFETIME, hydra->daemon));
+ DEFAULT_ACQUIRE_LIFETIME, lib->ns));
fclose(f);
}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index d27075082..3cf317634 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1962,10 +1962,13 @@ METHOD(kernel_net_t, add_route, status_t,
this->routes_lock->unlock(this->routes_lock);
return ALREADY_DONE;
}
- found = route_entry_clone(&route);
- this->routes->put(this->routes, found, found);
status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
dst_net, prefixlen, gateway, src_ip, if_name);
+ if (status == SUCCESS)
+ {
+ found = route_entry_clone(&route);
+ this->routes->put(this->routes, found, found);
+ }
this->routes_lock->unlock(this->routes_lock);
return status;
}
@@ -2122,7 +2125,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
fwmark = lib->settings->get_str(lib->settings,
- "%s.plugins.kernel-netlink.fwmark", NULL, hydra->daemon);
+ "%s.plugins.kernel-netlink.fwmark", NULL, lib->ns);
if (fwmark)
{
#ifdef HAVE_LINUX_FIB_RULES_H
@@ -2282,30 +2285,30 @@ kernel_netlink_net_t *kernel_netlink_net_create()
.condvar = rwlock_condvar_create(),
.roam_lock = spinlock_create(),
.routing_table = lib->settings->get_int(lib->settings,
- "%s.routing_table", ROUTING_TABLE, hydra->daemon),
+ "%s.routing_table", ROUTING_TABLE, lib->ns),
.routing_table_prio = lib->settings->get_int(lib->settings,
- "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon),
+ "%s.routing_table_prio", ROUTING_TABLE_PRIO, lib->ns),
.process_route = lib->settings->get_bool(lib->settings,
- "%s.process_route", TRUE, hydra->daemon),
+ "%s.process_route", TRUE, lib->ns),
.install_virtual_ip = lib->settings->get_bool(lib->settings,
- "%s.install_virtual_ip", TRUE, hydra->daemon),
+ "%s.install_virtual_ip", TRUE, lib->ns),
.install_virtual_ip_on = lib->settings->get_str(lib->settings,
- "%s.install_virtual_ip_on", NULL, hydra->daemon),
+ "%s.install_virtual_ip_on", NULL, lib->ns),
.roam_events = lib->settings->get_bool(lib->settings,
- "%s.plugins.kernel-netlink.roam_events", TRUE, hydra->daemon),
+ "%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns),
);
timerclear(&this->last_route_reinstall);
timerclear(&this->next_roam);
check_kernel_features(this);
- if (streq(hydra->daemon, "starter"))
+ if (streq(lib->ns, "starter"))
{ /* starter has no threads, so we do not register for kernel events */
register_for_events = FALSE;
}
exclude = lib->settings->get_str(lib->settings,
- "%s.ignore_routing_tables", NULL, hydra->daemon);
+ "%s.ignore_routing_tables", NULL, lib->ns);
if (exclude)
{
char *token;
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 8903a460e..5d0e927de 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 98a6f81d5..4704d419f 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2861,10 +2861,10 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE,
- hydra->daemon),
+ lib->ns),
);
- if (streq(hydra->daemon, "starter"))
+ if (streq(lib->ns, "starter"))
{ /* starter has no threads, so we do not register for kernel events */
register_for_events = FALSE;
}
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 29a70799f..8e01d2992 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index bc10610cd..a8a57a5a2 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1420,9 +1420,12 @@ METHOD(kernel_net_t, add_route, status_t,
this->routes_lock->unlock(this->routes_lock);
return ALREADY_DONE;
}
- found = route_entry_clone(&route);
- this->routes->put(this->routes, found, found);
status = manage_route(this, RTM_ADD, dst_net, prefixlen, gateway, if_name);
+ if (status == SUCCESS)
+ {
+ found = route_entry_clone(&route);
+ this->routes->put(this->routes, found, found);
+ }
this->routes_lock->unlock(this->routes_lock);
return status;
}
@@ -1782,7 +1785,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
.net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
.roam_lock = spinlock_create(),
.vip_wait = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-pfroute.vip_wait", 1000, hydra->daemon),
+ "%s.plugins.kernel-pfroute.vip_wait", 1000, lib->ns),
);
timerclear(&this->last_route_reinstall);
timerclear(&this->next_roam);
@@ -1796,7 +1799,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
return NULL;
}
- if (streq(hydra->daemon, "starter"))
+ if (streq(lib->ns, "starter"))
{
/* starter has no threads, so we do not register for kernel events */
if (shutdown(this->socket, SHUT_RD) != 0)
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 28b4b8fcf..0e520f126 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index 2eee854a9..069466ab5 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -361,7 +361,7 @@ resolve_handler_t *resolve_handler_create()
},
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.file = lib->settings->get_str(lib->settings, "%s.plugins.resolve.file",
- RESOLV_CONF, hydra->daemon),
+ RESOLV_CONF, lib->ns),
);
if (stat(RESOLVCONF_EXEC, &st) == 0)
@@ -369,7 +369,7 @@ resolve_handler_t *resolve_handler_create()
this->use_resolvconf = TRUE;
this->iface_prefix = lib->settings->get_str(lib->settings,
"%s.plugins.resolve.resolvconf.iface_prefix",
- RESOLVCONF_PREFIX, hydra->daemon);
+ RESOLVCONF_PREFIX, lib->ns);
}
return &this->public;
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index 86f172dd8..96e759724 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -24,7 +24,6 @@ libimcv_la_SOURCES = \
imv/imv_remediation_string.h imv/imv_remediation_string.c \
imv/imv_session.h imv/imv_session.c \
imv/imv_workitem.h imv/imv_workitem.c \
- imv/tables.sql imv/data.sql \
ietf/ietf_attr.h ietf/ietf_attr.c \
ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
@@ -53,6 +52,9 @@ libimcv_la_SOURCES = \
ipsec_SCRIPTS = imv/_imv_policy
EXTRA_DIST = imv/_imv_policy
+templatesdir = $(pkgdatadir)/templates/database/imv
+dist_templates_DATA = imv/tables.sql imv/data.sql
+
ipsec_PROGRAMS = imv_policy_manager
imv_policy_manager_SOURCES = \
imv/imv_policy_manager.c \
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 2d488eabb..4c8287b70 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -16,6 +16,7 @@
+
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
@@ -89,7 +90,7 @@ ipsec_PROGRAMS = imv_policy_manager$(EXEEXT)
@USE_IMV_OS_TRUE@am__append_6 = plugins/imv_os
subdir = src/libimcv
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp
+ $(top_srcdir)/depcomp $(dist_templates_DATA)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -135,7 +136,7 @@ am__uninstall_files_from_dir = { \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" \
- "$(DESTDIR)$(ipsecdir)"
+ "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libimcv_la_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -224,6 +225,7 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
+DATA = $(dist_templates_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
@@ -293,8 +295,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -362,6 +362,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -450,12 +455,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -470,6 +479,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -505,7 +515,6 @@ libimcv_la_SOURCES = \
imv/imv_remediation_string.h imv/imv_remediation_string.c \
imv/imv_session.h imv/imv_session.c \
imv/imv_workitem.h imv/imv_workitem.c \
- imv/tables.sql imv/data.sql \
ietf/ietf_attr.h ietf/ietf_attr.c \
ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
@@ -533,6 +542,8 @@ libimcv_la_SOURCES = \
ipsec_SCRIPTS = imv/_imv_policy
EXTRA_DIST = imv/_imv_policy
+templatesdir = $(pkgdatadir)/templates/database/imv
+dist_templates_DATA = imv/tables.sql imv/data.sql
imv_policy_manager_SOURCES = \
imv/imv_policy_manager.c \
imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
@@ -891,6 +902,27 @@ clean-libtool:
-rm -rf ita/.libs ita/_libs
-rm -rf os_info/.libs os_info/_libs
-rm -rf pa_tnc/.libs pa_tnc/_libs
+install-dist_templatesDATA: $(dist_templates_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \
+ done
+
+uninstall-dist_templatesDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
@@ -1048,10 +1080,10 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-recursive
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(DATA)
installdirs: installdirs-recursive
installdirs-am:
- for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(ipsecdir)"; do \
+ for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
@@ -1119,8 +1151,8 @@ info: info-recursive
info-am:
-install-data-am: install-ipsecPROGRAMS install-ipsecSCRIPTS \
- install-ipseclibLTLIBRARIES
+install-data-am: install-dist_templatesDATA install-ipsecPROGRAMS \
+ install-ipsecSCRIPTS install-ipseclibLTLIBRARIES
install-dvi: install-dvi-recursive
@@ -1166,8 +1198,8 @@ ps: ps-recursive
ps-am:
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
- uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS \
+ uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
.MAKE: $(am__recursive_targets) install-am install-strip
@@ -1177,17 +1209,18 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-ipsecPROGRAMS install-ipsecSCRIPTS \
+ install-data-am install-dist_templatesDATA install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am \
+ install-ipsecPROGRAMS install-ipsecSCRIPTS \
install-ipseclibLTLIBRARIES install-man install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
- uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
- uninstall-ipseclibLTLIBRARIES
+ uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS \
+ uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index b5862daee..2a4fd33df 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -109,7 +109,7 @@ bool libimcv_init(bool is_imv)
else
{
/* we are the first to initialize libstrongswan */
- if (!library_init(NULL))
+ if (!library_init(NULL, "libimcv"))
{
return FALSE;
}
@@ -134,6 +134,10 @@ bool libimcv_init(bool is_imv)
}
ref_get(&libstrongswan_ref);
+ lib->settings->add_fallback(lib->settings, "%s.imcv", "libimcv", lib->ns);
+ lib->settings->add_fallback(lib->settings, "%s.plugins", "libimcv.plugins",
+ lib->ns);
+
if (libimcv_ref == 0)
{
char *uri, *script;
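Review bot: The two `add_fallback()` calls sit outside the `if (libimcv_ref == 0)` block, so they run on every libimcv_init() call rather than once per process. Whether add_fallback() ignores a repeated registration is not visible here; if it does not, each additional IMC/IMV that initialises the library appends the same fallback again. Moving both calls to the top of the `libimcv_ref == 0` block would keep them ahead of the `%s.imcv.database` and `%s.imcv.policy_script` lookups while registering them once. A short comment such as `/* legacy libimcv.* settings remain valid */` would also explain the mapping.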
@@ -149,9 +153,10 @@ bool libimcv_init(bool is_imv)
if (is_imv)
{
uri = lib->settings->get_str(lib->settings,
- "libimcv.database", NULL);
+ "%s.imcv.database", NULL, lib->ns);
script = lib->settings->get_str(lib->settings,
- "libimcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT);
+ "%s.imcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT,
+ lib->ns);
if (uri)
{
imcv_db = imv_database_create(uri, script);
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 241a99645..9d938b9b8 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -168,6 +168,42 @@ INSERT INTO products ( /* 28 */
'Debian 7.2 x86_64'
);
+INSERT INTO products ( /* 29 */
+ name
+) VALUES (
+ 'Android 4.1.2'
+);
+
+INSERT INTO products ( /* 30 */
+ name
+) VALUES (
+ 'Android 4.2.2'
+);
+
+INSERT INTO products ( /* 31 */
+ name
+) VALUES (
+ 'Android 4.3.1'
+);
+
+INSERT INTO products ( /* 32 */
+ name
+) VALUES (
+ 'Android 4.4'
+);
+
+INSERT INTO products ( /* 33 */
+ name
+) VALUES (
+ 'Android 4.4.1'
+);
+
+INSERT INTO products ( /* 34 */
+ name
+) VALUES (
+ 'Android 4.4.2'
+);
+
/* Directories */
INSERT INTO directories ( /* 1 */
@@ -568,6 +604,24 @@ INSERT INTO groups ( /* 10 */
'Ref. Linux', 8
);
+INSERT INTO groups ( /* 11 */
+ name
+) VALUES (
+ 'TPM BIOS'
+);
+
+INSERT INTO groups ( /* 12 */
+ name
+) VALUES (
+ 'TPM IMA'
+);
+
+INSERT INTO groups ( /* 13 */
+ name
+) VALUES (
+ 'TPM BIOS/IMA'
+);
+
/* Default Product Groups */
INSERT INTO groups_product_defaults (
@@ -732,6 +786,42 @@ INSERT INTO groups_product_defaults (
3, 22
);
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 29
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 30
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 31
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 32
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 33
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 34
+);
+
/* Policies */
INSERT INTO policies ( /* 1 */
@@ -842,6 +932,24 @@ INSERT INTO policies ( /* 18 */
15, 'SWID Tags', '', 2, 2
);
+INSERT INTO policies ( /* 19 */
+ type, name, argument, rec_fail, rec_noresult
+) VALUES (
+ 16, 'TPM BIOS Measurements', 'B', 2, 2
+);
+
+INSERT INTO policies ( /* 20 */
+ type, name, argument, rec_fail, rec_noresult
+) VALUES (
+ 16, 'TPM IMA Measurements', 'I', 2, 2
+);
+
+INSERT INTO policies ( /* 21 */
+ type, name, argument, rec_fail, rec_noresult
+) VALUES (
+ 16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2
+);
+
/* Enforcements */
INSERT INTO enforcements ( /* 1 */
@@ -928,6 +1036,24 @@ INSERT INTO enforcements ( /* 14 */
15, 9, 0
);
+INSERT INTO enforcements ( /* 15 */
+ policy, group_id, max_age
+) VALUES (
+ 19, 11, 60
+);
+
+INSERT INTO enforcements ( /* 16 */
+ policy, group_id, max_age
+) VALUES (
+ 20, 12, 60
+);
+
+INSERT INTO enforcements ( /* 17 */
+ policy, group_id, max_age
+) VALUES (
+ 21, 13, 60
+);
+
/* regids */
INSERT INTO regids ( /* 1 */
@@ -1058,3 +1184,9 @@ INSERT INTO tags (
10, 'strongSwan-5-1-1'
);
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 10, 'strongSwan-5-1-2'
+);
+
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
index 642b47935..e7181750c 100644
--- a/src/libimcv/imv/imv_msg.c
+++ b/src/libimcv/imv/imv_msg.c
@@ -208,8 +208,8 @@ METHOD(imv_msg_t, send_assessment, TNC_Result,
}
/* Send an IETF Assessment Result attribute if enabled */
- if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result",
- TRUE))
+ if (lib->settings->get_bool(lib->settings, "%s.imcv.assessment_result",
+ TRUE, lib->ns))
{
this->state->get_recommendation(this->state, &rec, &eval);
attr = ietf_attr_assess_result_create(eval);
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index 61e0cd05b..028721af3 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -188,7 +188,7 @@ static bool policy_start(database_t *db, int session_id)
e->destroy(e);
/* if a device ID with a creation date exists, get all group memberships */
- if (device_id & created)
+ if (device_id && created)
{
e = db->query(db,
"SELECT group_id FROM groups_members WHERE device_id = ?",
@@ -288,7 +288,7 @@ int main(int argc, char *argv[])
atexit(library_deinit);
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "imv_policy_manager"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
@@ -328,7 +328,12 @@ int main(int argc, char *argv[])
session_id = atoi(tnc_session_id);
/* attach IMV database */
- uri = lib->settings->get_str(lib->settings, "libimcv.database", NULL);
+ uri = lib->settings->get_str(lib->settings,
+ "imv_policy_manager.database",
+ lib->settings->get_str(lib->settings,
+ "charon.imcv.database",
+ lib->settings->get_str(lib->settings,
+ "libimcv.database", NULL)));
if (!uri)
{
fprintf(stderr, "database uri not defined.\n");
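Review bot: The nested `get_str()` chain for the database URI hard-codes the `charon` namespace, so a URI configured under any other daemon's `<ns>.imcv.database` is not found and the tool stops with "database uri not defined". imcv.c in this same commit resolves the key as `%s.imcv.database` with `lib->ns`, so the IMV and the policy manager can disagree about which database is in use. I would add a comment stating the precedence (`imv_policy_manager.database`, then `charon.imcv.database`, then legacy `libimcv.database`) and that `charon` is assumed to be the calling daemon. Splitting the three lookups into separate statements would also make the order readable. main() continues outside the hunk.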
diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c
index d1447ec35..c09b7bdba 100644
--- a/src/libimcv/imv/imv_reason_string.c
+++ b/src/libimcv/imv/imv_reason_string.c
@@ -35,6 +35,11 @@ struct private_imv_reason_string_t {
char *lang;
/**
+ * Separator concatenating multiple reasons
+ */
+ char *separator;
+
+ /**
* Contains the concatenated reasons
*/
chunk_t reasons;
@@ -51,7 +56,8 @@ METHOD(imv_reason_string_t, add_reason, void,
if (this->reasons.len)
{
/* append any further reasons */
- this->reasons = chunk_cat("mcc", this->reasons, chunk_from_chars('\n'),
+ this->reasons = chunk_cat("mcc", this->reasons,
+ chunk_from_str(this->separator),
chunk_create(s_reason, strlen(s_reason)));
}
else
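Review bot: `chunk_from_str(this->separator)` is handed whatever pointer the constructor received, and the constructor hunk below stores `separator` without a NULL check or a copy, so a NULL argument would presumably be dereferenced when the second reason is added, and a non-literal string must outlive the object. All callers in this diff pass the literal `"\n"`, so this is a contract gap rather than a live bug. Either default it in the constructor, `.separator = separator ? separator : "\n",`, or extend the header comment to `@param separator String separating multiple reasons, not cloned, must not be NULL`. add_reason's body starts and ends outside the hunk.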
@@ -77,7 +83,7 @@ METHOD(imv_reason_string_t, destroy, void,
/**
* Described in header.
*/
-imv_reason_string_t *imv_reason_string_create(char *lang)
+imv_reason_string_t *imv_reason_string_create(char *lang, char *separator)
{
private_imv_reason_string_t *this;
@@ -88,6 +94,7 @@ imv_reason_string_t *imv_reason_string_create(char *lang)
.destroy = _destroy,
},
.lang = lang,
+ .separator = separator,
);
return &this->public;
diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h
index cb4c27f93..c35ec36cc 100644
--- a/src/libimcv/imv/imv_reason_string.h
+++ b/src/libimcv/imv/imv_reason_string.h
@@ -58,7 +58,8 @@ struct imv_reason_string_t {
* Creates an Reason String object
*
* @param lang Preferred language
+ * @param separator String separating multiple reasons
*/
- imv_reason_string_t* imv_reason_string_create(char *lang);
+ imv_reason_string_t* imv_reason_string_create(char *lang, char *separator);
#endif /** IMV_REASON_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_workitem.c b/src/libimcv/imv/imv_workitem.c
index 2141f73e6..8784a0ccf 100644
--- a/src/libimcv/imv/imv_workitem.c
+++ b/src/libimcv/imv/imv_workitem.c
@@ -20,7 +20,7 @@
typedef struct private_imv_workitem_t private_imv_workitem_t;
-ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_SWID_TAGS,
+ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_TPM_ATTEST,
"PCKGS",
"UNSRC",
"FWDEN",
@@ -35,7 +35,8 @@ ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_SWID_TAGS,
"TCPBL",
"UDPOP",
"UDPBL",
- "SWIDT"
+ "SWIDT",
+ "TPMRA"
);
/**
diff --git a/src/libimcv/imv/imv_workitem.h b/src/libimcv/imv/imv_workitem.h
index 868997797..93a4b5874 100644
--- a/src/libimcv/imv/imv_workitem.h
+++ b/src/libimcv/imv/imv_workitem.h
@@ -44,7 +44,8 @@ enum imv_workitem_type_t {
IMV_WORKITEM_TCP_PORT_BLOCK = 12,
IMV_WORKITEM_UDP_PORT_OPEN = 13,
IMV_WORKITEM_UDP_PORT_BLOCK = 14,
- IMV_WORKITEM_SWID_TAGS = 15
+ IMV_WORKITEM_SWID_TAGS = 15,
+ IMV_WORKITEM_TPM_ATTEST = 16
};
extern enum_name_t *imv_workitem_type_names;
diff --git a/src/libimcv/ita/ita_attr_command.c b/src/libimcv/ita/ita_attr_command.c
index f32ab2bfe..9692e1ffd 100644
--- a/src/libimcv/ita/ita_attr_command.c
+++ b/src/libimcv/ita/ita_attr_command.c
@@ -13,14 +13,15 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "ita_attr.h"
#include "ita_attr_command.h"
#include <pen/pen.h>
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_ita_attr_command_t private_ita_attr_command_t;
/**
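Review bot: The comment on the added `#define _GNU_SOURCE` names `stdndup()`, which does not exist; it presumably means `strndup()`, so the line should read `#define _GNU_SOURCE /* for strndup() */`. The same typo is added in ita_attr_get_settings.c, ita_attr_settings.c and imv_os_database.c. Since a feature-test macro only takes effect before the first system header is pulled in, a few words saying it must stay above all includes would keep a later reordering from undoing it.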
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
index 196613153..d0bc31d32 100644
--- a/src/libimcv/ita/ita_attr_get_settings.c
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -13,6 +13,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "ita_attr.h"
#include "ita_attr_get_settings.h"
@@ -22,8 +25,6 @@
#include <pen/pen.h>
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_ita_attr_get_settings_t private_ita_attr_get_settings_t;
/**
@@ -166,7 +167,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
status = SUCCESS;
end:
- reader->destroy(reader);
+ reader->destroy(reader);
return status;
}
@@ -182,7 +183,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- this->list->destroy_function(this->list, free);
+ this->list->destroy_function(this->list, free);
free(this->value.ptr);
free(this);
}
diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c
index 9ce253d28..0d2967e66 100644
--- a/src/libimcv/ita/ita_attr_settings.c
+++ b/src/libimcv/ita/ita_attr_settings.c
@@ -13,6 +13,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "ita_attr.h"
#include "ita_attr_settings.h"
@@ -22,8 +25,6 @@
#include <pen/pen.h>
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_ita_attr_settings_t private_ita_attr_settings_t;
typedef struct entry_t entry_t;
@@ -211,7 +212,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
status = SUCCESS;
end:
- reader->destroy(reader);
+ reader->destroy(reader);
return status;
}
@@ -227,7 +228,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- this->list->destroy_function(this->list, (void*)free_entry);
+ this->list->destroy_function(this->list, (void*)free_entry);
free(this->value.ptr);
free(this);
}
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
index 17000cd27..06427575c 100644
--- a/src/libimcv/os_info/os_info.c
+++ b/src/libimcv/os_info/os_info.c
@@ -560,9 +560,9 @@ os_info_t *os_info_create(void)
/* As an option OS name and OS version can be configured manually */
name.ptr = lib->settings->get_str(lib->settings,
- "libimcv.os_info.name", NULL);
+ "%s.imcv.os_info.name", NULL, lib->ns);
version.ptr = lib->settings->get_str(lib->settings,
- "libimcv.os_info.version", NULL);
+ "%s.imcv.os_info.version", NULL, lib->ns);
if (name.ptr && version.ptr)
{
name.len = strlen(name.ptr);
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index a44721b04..bfb3f0022 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -213,8 +213,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -282,6 +280,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -370,12 +373,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -390,6 +397,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index 2558be9f8..647a44957 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -387,7 +387,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
return TNC_RESULT_FATAL;
}
if (lib->settings->get_bool(lib->settings,
- "libimcv.plugins.imc-os.push_info", TRUE))
+ "%s.plugins.imc-os.push_info", TRUE, lib->ns))
{
out_msg = imc_msg_create(imc_os, state, connection_id, imc_id,
TNC_IMVID_ANY, msg_types[0]);
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 44b50e69b..3db0f2ba2 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index c87e827cd..2be6a87df 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -274,7 +274,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
return TNC_RESULT_FATAL;
}
if (lib->settings->get_bool(lib->settings,
- "libimcv.plugins.imc-scanner.push_info", TRUE))
+ "%s.plugins.imc-scanner.push_info", TRUE, lib->ns))
{
out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
TNC_IMVID_ANY, msg_types[0]);
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index afbd244c9..64e1c271c 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -213,8 +213,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -282,6 +280,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -370,12 +373,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -390,6 +397,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c
index c97d41628..ee982d93b 100644
--- a/src/libimcv/plugins/imc_test/imc_test.c
+++ b/src/libimcv/plugins/imc_test/imc_test.c
@@ -91,11 +91,11 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
{
case TNC_CONNECTION_STATE_CREATE:
command = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-test.command", "none");
+ "%s.plugins.imc-test.command", "none", lib->ns);
dummy_size = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imc-test.dummy_size", 0);
+ "%s.plugins.imc-test.dummy_size", 0, lib->ns);
retry = lib->settings->get_bool(lib->settings,
- "libimcv.plugins.imc-test.retry", FALSE);
+ "%s.plugins.imc-test.retry", FALSE, lib->ns);
state = imc_test_state_create(connection_id, command, dummy_size,
retry);
@@ -107,7 +107,7 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
/* Optionally reserve additional IMC IDs */
additional_ids = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imc-test.additional_ids", 0);
+ "%s.plugins.imc-test.additional_ids", 0, lib->ns);
imc_test->reserve_additional_ids(imc_test, additional_ids -
imc_test->count_additional_ids(imc_test));
@@ -127,8 +127,8 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
if (!test_state->is_first_handshake(test_state))
{
command = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-test.retry_command",
- test_state->get_command(test_state));
+ "%s.plugins.imc-test.retry_command",
+ test_state->get_command(test_state), lib->ns);
test_state->set_command(test_state, command);
}
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index ed3fbb285..856ced897 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index d2a08b0fa..12cf207d8 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -13,12 +13,13 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "imv_os_database.h"
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_imv_os_database_t private_imv_os_database_t;
/**
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
index f6d904c3c..4f5a4b039 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.c
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -421,7 +421,7 @@ METHOD(imv_state_t, get_reason_string, bool,
/* Instantiate a TNC Reason String object */
DESTROY_IF(this->reason_string);
- this->reason_string = imv_reason_string_create(*reason_language);
+ this->reason_string = imv_reason_string_create(*reason_language, "\n");
if (this->count_update || this->count_blacklist)
{
@@ -494,7 +494,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
*string = this->remediation_string->get_encoding(this->remediation_string);
*uri = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-os.remediation_uri", NULL);
+ "%s.plugins.imv-os.remediation_uri", NULL, lib->ns);
return TRUE;
}
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
index 57cc62a08..019e2adb8 100644
--- a/src/libimcv/plugins/imv_os/pacman.c
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -466,12 +466,12 @@ int main(int argc, char *argv[])
atexit(cleanup);
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "pacman"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
if (!lib->plugins->load(lib->plugins,
- lib->settings->get_str(lib->settings, "attest.load", "sqlite")))
+ lib->settings->get_str(lib->settings, "pacman.load", "sqlite")))
{
exit(SS_RC_INITIALIZATION_FAILED);
}
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
index 621905edf..3dfea3905 100755
--- a/src/libimcv/plugins/imv_os/pacman.sh
+++ b/src/libimcv/plugins/imv_os/pacman.sh
@@ -13,6 +13,7 @@ DEBIAN_ARCH="binary-amd64 binary-i386"
PACMAN=/usr/libexec/ipsec/pacman
PACMAN_LOG="$DIR/$DATE-pacman.log"
+mkdir -p $DIR/dists
cd $DIR/dists
for v in $UBUNTU_VERSIONS
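Review bot: The added `mkdir -p $DIR/dists` leaves `$DIR` unquoted and its result unchecked, and the `cd` on the next line is unchecked as well, so if either fails the `for` loop that follows runs in whatever directory the script was started from (unless the script sets `-e` outside the hunk). Quoting and chaining the two closes that: `mkdir -p "$DIR/dists" && cd "$DIR/dists" || exit 1`. The loop body is outside the hunk.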
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 52ac0144f..748b9a72d 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 4c570c46a..90475d34d 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -281,7 +281,7 @@ METHOD(imv_state_t, get_reason_string, bool,
/* Instantiate a TNC Reason String object */
DESTROY_IF(this->reason_string);
- this->reason_string = imv_reason_string_create(*reason_language);
+ this->reason_string = imv_reason_string_create(*reason_language, "\n");
if (this->rec != TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
{
this->reason_string->add_reason(this->reason_string, reasons);
@@ -314,7 +314,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
this->violating_ports);
*string = this->remediation_string->get_encoding(this->remediation_string);
*uri = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-scanner.remediation_uri", NULL);
+ "%s.plugins.imv-scanner.remediation_uri", NULL, lib->ns);
return TRUE;
}
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index ec5bb8332..3c73e8f95 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libimcv/plugins/imv_test/imv_test_agent.c b/src/libimcv/plugins/imv_test/imv_test_agent.c
index cdf0e18cd..42630003b 100644
--- a/src/libimcv/plugins/imv_test/imv_test_agent.c
+++ b/src/libimcv/plugins/imv_test/imv_test_agent.c
@@ -103,7 +103,7 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
/* add any new IMC and set its number of rounds */
rounds = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imv-test.rounds", 0);
+ "%s.plugins.imv-test.rounds", 0, lib->ns);
test_state = (imv_test_state_t*)state;
test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
@@ -178,7 +178,7 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
if (result != TNC_RESULT_SUCCESS)
{
return result;
- }
+ }
return this->agent->provide_recommendation(this->agent, state);
}
@@ -200,7 +200,7 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
out_msg->add_attribute(out_msg, attr);
/* send PA-TNC message with excl flag set */
- result = out_msg->send(out_msg, TRUE);
+ result = out_msg->send(out_msg, TRUE);
out_msg->destroy(out_msg);
return result;
@@ -214,11 +214,11 @@ static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state
if (result != TNC_RESULT_SUCCESS)
{
return result;
- }
+ }
return this->agent->provide_recommendation(this->agent, state);
}
else
- {
+ {
return TNC_RESULT_SUCCESS;
}
}
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 0da09df67..f05db8027 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -228,7 +228,7 @@ METHOD(imv_state_t, get_reason_string, bool,
/* Instantiate a TNC Reason String object */
DESTROY_IF(this->reason_string);
- this->reason_string = imv_reason_string_create(*reason_language);
+ this->reason_string = imv_reason_string_create(*reason_language, "\n");
this->reason_string->add_reason(this->reason_string, reasons);
*reason_string = this->reason_string->get_encoding(this->reason_string);
diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk
index 37f400fc3..c5d987977 100644
--- a/src/libipsec/Android.mk
+++ b/src/libipsec/Android.mk
@@ -20,7 +20,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES))
# build libipsec ---------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/include \
$(strongswan_PATH)/src/libstrongswan
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index cf44fc6f8..737edad3f 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -255,8 +255,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -324,6 +322,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -412,12 +415,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -432,6 +439,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index a9b3f19ef..05c27d9cb 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -293,8 +293,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -362,6 +360,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -450,12 +453,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -470,6 +477,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 2d9279119..7a539ef22 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
index 92e2e3abe..fbe81ee48 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
@@ -109,8 +109,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
int nonce_len, min_nonce_len;
nonce_len = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imc-attestation.nonce_len",
- DEFAULT_NONCE_LEN);
+ "%s.plugins.imc-attestation.nonce_len",
+ DEFAULT_NONCE_LEN, lib->ns);
attr_cast = (tcg_pts_attr_dh_nonce_params_req_t*)attr;
min_nonce_len = attr_cast->get_min_nonce_len(attr_cast);
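Review bot: The `nonce_len` lookup is written out twice in imc_attestation_process(), here and in the hunk at line 165, with the key string, default and `lib->ns` argument repeated, so a later rename can leave the two call sites reading different settings. A small static helper would keep them in step; it is also the natural place to document that the value comes from configuration as a plain `int`, and any range check on it is outside the visible lines. imc_attestation_process()'s body starts and ends outside both hunks.

```c
/**
 * Configured DH nonce length, DEFAULT_NONCE_LEN if the option is unset
 */
static int get_nonce_len(void)
{
	return lib->settings->get_int(lib->settings,
				"%s.plugins.imc-attestation.nonce_len",
				DEFAULT_NONCE_LEN, lib->ns);
}

nonce_len = get_nonce_len();
/* … unchanged: attr_cast assignment and min_nonce_len lookup … */
```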
@@ -165,8 +165,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
initiator_nonce = attr_cast->get_initiator_nonce(attr_cast);
nonce_len = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imc-attestation.nonce_len",
- DEFAULT_NONCE_LEN);
+ "%s.plugins.imc-attestation.nonce_len",
+ DEFAULT_NONCE_LEN, lib->ns);
if (nonce_len != initiator_nonce.len)
{
DBG1(DBG_IMC, "initiator and responder DH nonces "
@@ -428,7 +428,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
}
use_quote2 = lib->settings->get_bool(lib->settings,
- "libimcv.plugins.imc-attestation.use_quote2", TRUE);
+ "%s.plugins.imc-attestation.use_quote2", TRUE,
+ lib->ns);
if (!pts->quote_tpm(pts, use_quote2, &pcr_composite, &quote_sig))
{
DBG1(DBG_IMC, "error occurred during TPM quote operation");
diff --git a/src/libpts/plugins/imc_swid/Makefile.in b/src/libpts/plugins/imc_swid/Makefile.in
index f62c05a3e..e1c932e45 100644
--- a/src/libpts/plugins/imc_swid/Makefile.in
+++ b/src/libpts/plugins/imc_swid/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imc_swid/imc_swid.c b/src/libpts/plugins/imc_swid/imc_swid.c
index e1305805a..d4aaeff4d 100644
--- a/src/libpts/plugins/imc_swid/imc_swid.c
+++ b/src/libpts/plugins/imc_swid/imc_swid.c
@@ -181,8 +181,8 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
full_tags = (flags & TCG_SWID_ATTR_REQ_FLAG_R) == 0;
swid_directory = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-swid.swid_directory",
- SWID_DIRECTORY);
+ "%s.plugins.imc-swid.swid_directory",
+ SWID_DIRECTORY, lib->ns);
swid_inventory = swid_inventory_create(full_tags);
if (!swid_inventory->collect(swid_inventory, swid_directory, targets))
{
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index 032d07a38..c1c14d476 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -227,8 +227,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -296,6 +294,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -384,12 +387,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -404,6 +411,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 4d25df3f4..b8a6854cb 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -266,19 +266,20 @@ static void do_args(int argc, char *argv[])
continue;
case 'F':
{
- char *path = strdup(optarg);
- char *dir = dirname(path);
- char *file = basename(optarg);
+ char *dir = path_dirname(optarg);
+ char *file = path_basename(optarg);
if (*dir != '.')
{
if (!attest->set_directory(attest, dir, op == OP_ADD))
{
- free(path);
+ free(file);
+ free(dir);
exit(EXIT_FAILURE);
}
}
- free(path);
+ free(file);
+ free(dir);
if (!attest->set_file(attest, file, op == OP_ADD))
{
exit(EXIT_FAILURE);
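Review bot: In the `case 'F':` block the added `free(file);` runs just before `attest->set_file(attest, file, op == OP_ADD)` reads `file`, which is a use-after-free if `path_basename()` returns a heap copy, as the added frees imply. Keep `free(dir);` where it is, but move `free(file);` to after the `set_file()` call, and into its failure branch before `exit(EXIT_FAILURE);`. Whether `set_file()` copies the string or keeps the pointer is not visible here, so confirm that before freeing it at all. `do_args` starts and ends outside this hunk.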
@@ -439,7 +440,7 @@ int main(int argc, char *argv[])
atexit(library_deinit);
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "attest"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index d7654ab43..7a8a1135a 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -1555,7 +1555,7 @@ METHOD(attest_db_t, list_sessions, void,
device_len = min(strlen(device), DEVICE_MAX_LEN);
identity = identity.len ? identity : chunk_from_str("-");
printf("%4d: %T %2d %-20s %.*s%*s%.*s - %N\n", session_id, &created,
- FALSE, conn_id, product, device_len, device,
+ this->utc, conn_id, product, device_len, device,
DEVICE_MAX_LEN - device_len + 1, " ", (int)identity.len,
identity.ptr, TNC_IMV_Action_Recommendation_names, rec);
}
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index 324fcafc3..8f4afdbad 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@ void usage(void)
{
printf("\
Usage:\n\
- ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\
+ ipsec attest --components|--devices|--sessions|--files|--hashes|--keys [options]\n\
\n\
ipsec attest --measurements|--packages|--products|--add|--del [options]\n\
\n\
@@ -35,6 +35,9 @@ Usage:\n\
ipsec attest --devices [--utc]\n\
Show a list of registered devices and associated collected information\n\
\n\
+ ipsec attest --sessions [--utc]\n\
+ Show a chronologically sorted list of all TNC sessions\n\
+ \n\
ipsec attest --files [--product <name>|--pid <id>]\n\
Show a list of files with a software product name or\n\
its primary key as an optional selector.\n\
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index 978c74001..e8c3c5e40 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -14,6 +14,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "imv_attestation_agent.h"
#include "imv_attestation_state.h"
#include "imv_attestation_process.h"
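Review bot: The comment on the added `#define _GNU_SOURCE` names `stdndup()`, but the function the new code calls is `strndup()`; it should read `#define _GNU_SOURCE /* for strndup() */`. The same typo is in the matching hunk of imv_attestation_process.c. The macro only takes effect when it precedes the first system header, so the comment could also say that it must stay above every `#include`.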
@@ -33,8 +36,11 @@
#include <pts/pts.h>
#include <pts/pts_database.h>
#include <pts/pts_creds.h>
+#include <pts/components/ita/ita_comp_func_name.h>
#include <tcg/tcg_attr.h>
+#include <tcg/pts/tcg_pts_attr_meas_algo.h>
+#include <tcg/pts/tcg_pts_attr_proto_caps.h>
#include <tcg/pts/tcg_pts_attr_req_file_meas.h>
#include <tcg/pts/tcg_pts_attr_req_file_meta.h>
@@ -289,10 +295,15 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
imv_state_t *state;
imv_session_t *session;
imv_attestation_state_t *attestation_state;
+ imv_attestation_handshake_state_t handshake_state;
+ imv_workitem_t *workitem;
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
TNC_IMVID imv_id;
TNC_Result result = TNC_RESULT_SUCCESS;
pts_t *pts;
char *platform_info;
+ enumerator_t *enumerator;
if (!this->agent->get_state(this->agent, id, &state))
{
@@ -300,6 +311,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
}
attestation_state = (imv_attestation_state_t*)state;
pts = attestation_state->get_pts(attestation_state);
+ handshake_state = attestation_state->get_handshake_state(attestation_state);
platform_info = pts->get_platform_info(pts);
session = state->get_session(state);
imv_id = this->agent->get_id(this->agent);
@@ -336,21 +348,57 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
state->set_action_flags(state, IMV_ATTESTATION_FLAG_ATTR_REQ);
}
+ if (handshake_state == IMV_ATTESTATION_STATE_INIT)
+ {
+ pa_tnc_attr_t *attr;
+ pts_proto_caps_flag_t flags;
+
+ out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+ msg_types[0]);
+
+ /* Send Request Protocol Capabilities attribute */
+ flags = pts->get_proto_caps(pts);
+ attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
+ attr->set_noskip_flag(attr, TRUE);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* Send Measurement Algorithms attribute */
+ attr = tcg_pts_attr_meas_algo_create(this->supported_algorithms, FALSE);
+ attr->set_noskip_flag(attr, TRUE);
+ out_msg->add_attribute(out_msg, attr);
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_DISCOVERY);
+
+ /* send these initial PTS attributes and exit */
+ result = out_msg->send(out_msg, FALSE);
+ out_msg->destroy(out_msg);
+
+ return result;
+ }
+
+ /* exit if we are not ready yet for PTS measurements */
+ if (!platform_info || !session ||
+ !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO))
+ {
+ return TNC_RESULT_SUCCESS;
+ }
+
/* create an empty out message - we might need it */
out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
msg_types[0]);
- if (platform_info && session &&
- (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
- !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
+ /* establish the PTS measurements to be taken */
+ if (!(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
{
- imv_workitem_t *workitem;
bool is_dir, no_workitems = TRUE;
u_int32_t delimiter = SOLIDUS_UTF;
u_int16_t request_id;
pa_tnc_attr_t *attr;
char *pathname;
- enumerator_t *enumerator;
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_END);
enumerator = session->create_workitem_enumerator(session);
if (enumerator)
@@ -374,10 +422,75 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
case IMV_WORKITEM_DIR_META:
is_dir = TRUE;
break;
+ case IMV_WORKITEM_TPM_ATTEST:
+ {
+ pts_component_t *comp;
+ pts_comp_func_name_t *comp_name;
+ bool no_d_flag, no_t_flag;
+ char result_str[BUF_LEN];
+
+ workitem->set_imv_id(workitem, imv_id);
+ no_workitems = FALSE;
+ no_d_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D);
+ no_t_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T);
+ if (no_d_flag || no_t_flag)
+ {
+ snprintf(result_str, BUF_LEN, "%s%s%s",
+ (no_t_flag) ? "no TPM available" : "",
+ (no_t_flag && no_d_flag) ? ", " : "",
+ (no_d_flag) ? "no DH nonce negotiation" : "");
+ eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+ session->remove_workitem(session, enumerator);
+ rec = workitem->set_result(workitem, result_str, eval);
+ state->update_recommendation(state, rec, eval);
+ imcv_db->finalize_workitem(imcv_db, workitem);
+ workitem->destroy(workitem);
+ continue;
+ }
+
+ /* do TPM BIOS measurements */
+ if (strchr(workitem->get_arg_str(workitem), 'B'))
+ {
+ comp_name = pts_comp_func_name_create(PEN_ITA,
+ PTS_ITA_COMP_FUNC_NAME_IMA,
+ PTS_ITA_QUALIFIER_FLAG_KERNEL |
+ PTS_ITA_QUALIFIER_TYPE_TRUSTED);
+ comp = attestation_state->create_component(
+ attestation_state, comp_name,
+ 0, this->pts_db);
+ if (!comp)
+ {
+ comp_name->log(comp_name, "unregistered ");
+ comp_name->destroy(comp_name);
+ }
+ }
+
+ /* do TPM IMA measurements */
+ if (strchr(workitem->get_arg_str(workitem), 'I'))
+ {
+ comp_name = pts_comp_func_name_create(PEN_ITA,
+ PTS_ITA_COMP_FUNC_NAME_IMA,
+ PTS_ITA_QUALIFIER_FLAG_KERNEL |
+ PTS_ITA_QUALIFIER_TYPE_OS);
+ comp = attestation_state->create_component(
+ attestation_state, comp_name,
+ 0, this->pts_db);
+ if (!comp)
+ {
+ comp_name->log(comp_name, "unregistered ");
+ comp_name->destroy(comp_name);
+ }
+ }
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_NONCE_REQ);
+ continue;
+ }
default:
continue;
}
+ /* initiate file and directory measurements */
pathname = this->pts_db->get_pathname(this->pts_db, is_dir,
workitem->get_arg_int(workitem));
if (!pathname)
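Review bot: In the new `case IMV_WORKITEM_TPM_ATTEST:` the checks `strchr(workitem->get_arg_str(workitem), 'B')` and the `'I'` variant pass the workitem argument straight to `strchr()`, which dereferences NULL if no argument string is set. Whether a TPM attestation workitem can be stored without one is not visible here. If it can, fetch the string once with `char *arg = workitem->get_arg_str(workitem);` and test `arg && strchr(arg, 'B')`. Separately, `comp_name` is destroyed only when `create_component()` returns NULL, so confirm that the success path takes ownership of it. The enclosing `switch` and loop start outside this hunk.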
@@ -440,22 +553,35 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
}
/* check the IMV state for the next PA-TNC attributes to send */
- if (!imv_attestation_build(out_msg, state, this->supported_algorithms,
- this->supported_dh_groups, this->pts_db))
+ enumerator = session->create_workitem_enumerator(session);
+ while (enumerator->enumerate(enumerator, &workitem))
{
- state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
- result = out_msg->send_assessment(out_msg);
- out_msg->destroy(out_msg);
- state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
-
- if (result != TNC_RESULT_SUCCESS)
+ if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
{
- return result;
+ if (!imv_attestation_build(out_msg, state,
+ this->supported_dh_groups, this->pts_db))
+ {
+ imv_reason_string_t *reason_string;
+ chunk_t result;
+ char *result_str;
+
+ reason_string = imv_reason_string_create("en", ", ");
+ attestation_state->add_comp_evid_reasons(attestation_state,
+ reason_string);
+ result = reason_string->get_encoding(reason_string);
+ result_str = strndup(result.ptr, result.len);
+ reason_string->destroy(reason_string);
+
+ eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+ session->remove_workitem(session, enumerator);
+ rec = workitem->set_result(workitem, result_str, eval);
+ state->update_recommendation(state, rec, eval);
+ imcv_db->finalize_workitem(imcv_db, workitem);
+ }
+ break;
}
- return this->agent->provide_recommendation(this->agent, state);
}
+ enumerator->destroy(enumerator);
/* finalized all workitems? */
if (session && session->get_policy_started(session) &&
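Review bot: In the failure branch of the new workitem loop, `result_str` from `strndup()` and the workitem taken out with `session->remove_workitem()` are never released. The equivalent sequence in imv_attestation_process.c ends with `workitem->destroy(workitem);` and `free(result_str);`, and those two lines are missing here after `imcv_db->finalize_workitem(imcv_db, workitem);`. The loop also calls `enumerator->enumerate()` without the `if (enumerator)` guard that `batch_ending` applies to the same kind of enumerator earlier. The local `chunk_t result` shadows the function's `TNC_Result result` and is better renamed. `batch_ending` starts and ends outside this hunk.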
@@ -524,18 +650,22 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
case IMV_WORKITEM_FILE_MEAS:
case IMV_WORKITEM_DIR_REF_MEAS:
case IMV_WORKITEM_DIR_MEAS:
- session->remove_workitem(session, enumerator);
- result_str = "pending file measurements";
- eval = TNC_IMV_EVALUATION_RESULT_ERROR;
- rec = workitem->set_result(workitem, result_str, eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, workitem);
- workitem->destroy(workitem);
+ result_str = "Pending file measurements";
pending_file_meas++;
break;
- default:
+ case IMV_WORKITEM_TPM_ATTEST:
+ attestation_state->finalize_components(attestation_state);
+ result_str = "Pending component evidence";
break;
+ default:
+ continue;
}
+ session->remove_workitem(session, enumerator);
+ eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+ rec = workitem->set_result(workitem, result_str, eval);
+ state->update_recommendation(state, rec, eval);
+ imcv_db->finalize_workitem(imcv_db, workitem);
+ workitem->destroy(workitem);
}
enumerator->destroy(enumerator);
@@ -585,11 +715,11 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
}
hash_alg = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
+ "%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
dh_group = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.dh_group", "ecp256");
+ "%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
cadir = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.cadir", NULL);
+ "%s.plugins.imv-attestation.cadir", NULL, lib->ns);
INIT(this,
.public = {
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index 1fbde2c6d..84023c6c6 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -16,8 +17,6 @@
#include "imv_attestation_build.h"
#include "imv_attestation_state.h"
-#include <tcg/pts/tcg_pts_attr_proto_caps.h>
-#include <tcg/pts/tcg_pts_attr_meas_algo.h>
#include <tcg/pts/tcg_pts_attr_dh_nonce_params_req.h>
#include <tcg/pts/tcg_pts_attr_dh_nonce_finish.h>
#include <tcg/pts/tcg_pts_attr_get_tpm_version_info.h>
@@ -27,9 +26,7 @@
#include <utils/debug.h>
-bool imv_attestation_build(imv_msg_t *out_msg,
- imv_state_t *state,
- pts_meas_algorithms_t supported_algorithms,
+bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
pts_dh_group_t supported_dh_groups,
pts_database_t *pts_db)
{
@@ -42,67 +39,15 @@ bool imv_attestation_build(imv_msg_t *out_msg,
handshake_state = attestation_state->get_handshake_state(attestation_state);
pts = attestation_state->get_pts(attestation_state);
- /**
- * Received a response form the Attestation IMC so we can proceeed
- */
- if (handshake_state == IMV_ATTESTATION_STATE_DISCOVERY &&
- (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO))
- {
- handshake_state = IMV_ATTESTATION_STATE_NONCE_REQ;
- }
-
- /**
- * Skip DH Nonce Parameters Request attribute when
- * DH Nonce Exchange is not selected by PTS-IMC side
- */
- if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
- !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
- {
- DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation");
- handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
- }
-
- /**
- * Skip TPM Version Info and AIK attributes when
- * no TPM is available on the PTS-IMC side
- */
- if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
- !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
- {
- DBG2(DBG_IMV, "PTS-IMC made no TPM available");
- handshake_state = IMV_ATTESTATION_STATE_END;
- }
-
switch (handshake_state)
{
- case IMV_ATTESTATION_STATE_INIT:
- {
- pts_proto_caps_flag_t flags;
-
- /* Send Request Protocol Capabilities attribute */
- flags = pts->get_proto_caps(pts);
- attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- /* Send Measurement Algorithms attribute */
- attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_DISCOVERY);
- break;
- }
- case IMV_ATTESTATION_STATE_DISCOVERY:
- break;
case IMV_ATTESTATION_STATE_NONCE_REQ:
{
int min_nonce_len;
/* Send DH nonce parameters request attribute */
min_nonce_len = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imv-attestation.min_nonce_len", 0);
+ "%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
supported_dh_groups);
attr->set_noskip_flag(attr, TRUE);
@@ -117,16 +62,13 @@ bool imv_attestation_build(imv_msg_t *out_msg,
pts_meas_algorithms_t selected_algorithm;
chunk_t initiator_value, initiator_nonce;
- if ((pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
- {
- /* Send DH nonce finish attribute */
- selected_algorithm = pts->get_meas_algorithm(pts);
- pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
- attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
+ /* Send DH nonce finish attribute */
+ selected_algorithm = pts->get_meas_algorithm(pts);
+ pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
+ attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
initiator_value, initiator_nonce);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
- }
+ attr->set_noskip_flag(attr, TRUE);
+ out_msg->add_attribute(out_msg, attr);
/* Send Get TPM Version attribute */
attr = tcg_pts_attr_get_tpm_version_info_create();
@@ -146,73 +88,40 @@ bool imv_attestation_build(imv_msg_t *out_msg,
{
tcg_pts_attr_req_func_comp_evid_t *attr_cast;
enumerator_t *enumerator;
- pts_component_t *comp;
- pts_comp_func_name_t *comp_name;
+ pts_comp_func_name_t *name;
chunk_t keyid;
- int kid, vid, name, qualifier;
+ int kid;
u_int8_t flags;
u_int32_t depth;
- bool first = TRUE, first_component = TRUE;
+ bool first_component = TRUE;
attestation_state->set_handshake_state(attestation_state,
IMV_ATTESTATION_STATE_END);
- if (!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T) ||
- !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
- {
- DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
- "skipping Component Measurements");
- break;
- }
- if (!pts->get_aik_keyid(pts, &keyid))
- {
- DBG1(DBG_IMV, "retrieval of AIK keyid failed");
- return FALSE;
- }
- if (!pts_db)
- {
- DBG1(DBG_IMV, "pts database not available");
- break;
- }
- if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
+ if (!pts->get_aik_keyid(pts, &keyid) ||
+ pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
{
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
return FALSE;
}
- enumerator = pts_db->create_comp_evid_enumerator(pts_db, kid);
- if (!enumerator)
- {
- break;
- }
- while (enumerator->enumerate(enumerator, &vid, &name,
- &qualifier, &depth))
- {
- if (first)
- {
- DBG2(DBG_IMV, "evidence request by");
- first = FALSE;
- }
- comp_name = pts_comp_func_name_create(vid, name, qualifier);
- comp_name->log(comp_name, " ");
- comp = attestation_state->create_component(attestation_state,
- comp_name, depth, pts_db);
- if (!comp)
- {
- DBG2(DBG_IMV, " not registered or duplicate"
- " - removed from request");
- comp_name->destroy(comp_name);
- continue;
- }
+ enumerator = attestation_state->create_component_enumerator(
+ attestation_state);
+ while (enumerator->enumerate(enumerator, &flags, &depth, &name))
+ {
if (first_component)
{
attr = tcg_pts_attr_req_func_comp_evid_create();
attr->set_noskip_flag(attr, TRUE);
first_component = FALSE;
+ DBG2(DBG_IMV, "evidence request by");
}
- flags = comp->get_evidence_flags(comp);
+ name->log(name, " ");
+
/* TODO check flags against negotiated_caps */
attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
- attr_cast->add_component(attr_cast, flags, depth, comp_name);
+ attr_cast->add_component(attr_cast, flags, depth, name);
}
enumerator->destroy(enumerator);
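Review bot: `pts_db->check_aik_keyid(pts_db, keyid, &kid)` now dereferences `pts_db` unconditionally, whereas the removed lines handled a missing database with `if (!pts_db)` and a debug message. Unless every caller now guarantees a non-NULL database, which this hunk does not show, put `!pts_db ||` at the front of the combined condition so the request fails closed with `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK` instead of crashing. Also, `add_component(attr_cast, flags, depth, name)` now receives a `name` owned by the state's component list rather than a freshly created object. If the attribute destroys its names, pass `name->clone(name)` instead. The `case` block starts outside this hunk.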
@@ -231,17 +140,9 @@ bool imv_attestation_build(imv_msg_t *out_msg,
}
break;
}
- case IMV_ATTESTATION_STATE_EVID_FINAL:
- if (attestation_state->components_finalized(attestation_state))
- {
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_END);
- }
- break;
- case IMV_ATTESTATION_STATE_END:
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_END);
+ default:
break;
}
+
return TRUE;
}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
index 0cee49b34..88538b198 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
@@ -35,14 +35,11 @@
*
* @param out_msg outbound PA-TNC message to be built
* @param state state of a given connection
- * @param supported_algorithms supported PTS measurement algorithms
* @param supported_dh_groups supported DH groups
* @param pts_db PTS configuration database
* @return TRUE if successful
*/
-bool imv_attestation_build(imv_msg_t *out_msg,
- imv_state_t *state,
- pts_meas_algorithms_t supported_algorithms,
+bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
pts_dh_group_t supported_dh_groups,
pts_database_t *pts_db);
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 5137d64fe..e40c92a24 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2011-2013 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -13,6 +14,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "imv_attestation_process.h"
#include <imcv.h>
@@ -92,7 +96,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
/* check compliance of responder nonce length */
min_nonce_len = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imv-attestation.min_nonce_len", 0);
+ "%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
nonce_len = responder_nonce.len;
if (nonce_len < PTS_MIN_NONCE_LEN ||
(min_nonce_len > 0 && nonce_len < min_nonce_len))
@@ -162,7 +166,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
if (!aik)
{
DBG1(DBG_IMV, "AIK unavailable");
- return FALSE;
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+ break;
}
if (aik->get_type(aik) == CERT_X509)
{
@@ -186,7 +192,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
trusted ? "" : "not ");
if (!trusted)
{
- return FALSE;
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+ break;
}
}
pts->set_aik(pts, aik);
@@ -242,7 +250,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
}
type = found->get_type(found);
arg_int = found->get_arg_int(found);
-
+
switch (type)
{
default:
@@ -295,7 +303,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
e = measurements->create_enumerator(measurements);
while (e->enumerate(e, &filename, &measurement))
{
- if (pts_db->add_file_measurement(pts_db,
+ if (pts_db->add_file_measurement(pts_db,
platform_info, algo, measurement, filename,
is_dir, arg_int) != SUCCESS)
{
@@ -366,6 +374,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
pts_comp_evidence_t *evidence;
pts_component_t *comp;
u_int32_t depth;
+ status_t status;
attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
evidence = attr_cast->get_comp_evidence(attr_cast);
@@ -377,12 +386,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
DBG1(DBG_IMV, " no entry found for component evidence request");
break;
}
- if (comp->verify(comp, name->get_qualifier(name), pts,
- evidence) != SUCCESS)
+ status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
+ if (status == VERIFY_ERROR || status == FAILED)
{
- state->update_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
- TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
attestation_state->set_measurement_error(attestation_state,
IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
name->log(name, " measurement mismatch for ");
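Review bot: The new test `status == VERIFY_ERROR || status == FAILED` flags a mismatch only for two listed status codes, whereas the removed `!= SUCCESS` comparison treated every other return value as a failure. For an evidence verification step an allow-list is safer, so any status `comp->verify()` may return later fails closed. If the intent is to tolerate one "more evidence expected" status (presumably `NEED_MORE`, to be confirmed against `verify()`), write `if (status != SUCCESS && status != NEED_MORE)` and add a comment naming why that status is not an error. The enclosing `case` continues outside this hunk.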
@@ -396,6 +402,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
pts_meas_algorithms_t comp_hash_algorithm;
chunk_t pcr_comp, tpm_quote_sig, evid_sig;
chunk_t pcr_composite, quote_info;
+ imv_session_t *session;
+ imv_workitem_t *workitem;
+ enumerator_t *enumerator;
bool use_quote2, use_ver_info;
attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
@@ -420,9 +429,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
{
DBG1(DBG_IMV, "received PCR Composite does not match "
"constructed one");
- state->update_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
- TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
attestation_state->set_measurement_error(attestation_state,
IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
goto quote_error;
@@ -431,9 +437,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
{
- state->update_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
- TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
attestation_state->set_measurement_error(attestation_state,
IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
goto quote_error;
@@ -449,6 +452,52 @@ quote_error:
* if all expected component measurements were received
*/
attestation_state->finalize_components(attestation_state);
+
+ session = state->get_session(state);
+ enumerator = session->create_workitem_enumerator(session);
+ while (enumerator->enumerate(enumerator, &workitem))
+ {
+ if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
+ {
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ char *result_str;
+ u_int32_t error;
+
+ error = attestation_state->get_measurement_error(
+ attestation_state);
+ if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
+ IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
+ {
+ imv_reason_string_t *reason_string;
+ chunk_t result;
+
+ reason_string = imv_reason_string_create("en", ", ");
+ attestation_state->add_comp_evid_reasons(
+ attestation_state, reason_string);
+ result = reason_string->get_encoding(reason_string);
+ result_str = strndup(result.ptr, result.len);
+ reason_string->destroy(reason_string);
+ eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+ }
+ else
+ {
+ result_str = strdup("attestation successful");
+ eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+ }
+ session->remove_workitem(session, enumerator);
+ rec = workitem->set_result(workitem, result_str, eval);
+ state->update_recommendation(state, rec, eval);
+ imcv_db->finalize_workitem(imcv_db, workitem);
+ workitem->destroy(workitem);
+ free(result_str);
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_END);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
}
if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
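Review bot: The error mask that decides between `TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR` and `"attestation successful"` omits `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK`. Earlier hunks of this file now record that flag and `break` instead of returning FALSE. Other checks, such as the quote signature verification, probably still fail without a trusted AIK. The compliant branch should not depend on that, so add `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK |` to the mask; `add_comp_evid_reasons()` already reports it. In addition, `session` and `enumerator` are used here without the NULL checks that `batch_ending` applies to the same objects, and the results of `strndup()` and `strdup()` are passed on unchecked.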
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index 47011751d..9304b9a13 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2012 Sansar Choinyambuu
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -127,7 +127,7 @@ struct private_imv_attestation_state_t {
*/
struct func_comp_t {
pts_component_t *comp;
- u_int8_t qualifier;
+ pts_comp_func_name_t* name;
};
/**
@@ -136,6 +136,7 @@ struct func_comp_t {
static void free_func_comp(func_comp_t *this)
{
this->comp->destroy(this->comp);
+ this->name->destroy(this->name);
free(this);
}
@@ -161,6 +162,12 @@ static imv_lang_string_t reason_file_meas_pend[] = {
{ NULL, NULL }
};
+static imv_lang_string_t reason_no_trusted_aik[] = {
+ { "en", "No trusted AIK available" },
+ { "de", "Kein vetrauenswürdiger AIK verfügbar" },
+ { NULL, NULL }
+};
+
static imv_lang_string_t reason_comp_evid_fail[] = {
{ "en", "Incorrect component evidence" },
{ "de", "Falsche Komponenten-Evidenz" },
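Review bot: The German entry of the new `reason_no_trusted_aik` table is misspelled: `vetrauenswürdiger` should be `vertrauenswürdiger`. The string is emitted as a reason string at runtime, so the typo would be visible to users; the line should read `{ "de", "Kein vertrauenswürdiger AIK verfügbar" },`.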
@@ -290,42 +297,52 @@ METHOD(imv_state_t, update_recommendation, void,
this->eval = tncif_policy_update_evaluation(this->eval, eval);
}
-METHOD(imv_state_t, get_reason_string, bool,
- private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
- chunk_t *reason_string, char **reason_language)
+METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
+ private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
{
- *reason_language = imv_lang_string_select_lang(language_enumerator,
- languages, countof(languages));
-
- /* Instantiate a TNC Reason String object */
- DESTROY_IF(this->reason_string);
- this->reason_string = imv_reason_string_create(*reason_language);
-
if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
{
- this->reason_string->add_reason(this->reason_string,
- reason_file_meas_fail);
+ reason_string->add_reason(reason_string, reason_file_meas_fail);
}
if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
{
- this->reason_string->add_reason(this->reason_string,
- reason_file_meas_pend);
+ reason_string->add_reason(reason_string, reason_file_meas_pend);
+ }
+}
+
+METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
+ private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
+{
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
+ {
+ reason_string->add_reason(reason_string, reason_no_trusted_aik);
}
if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
{
- this->reason_string->add_reason(this->reason_string,
- reason_comp_evid_fail);
+ reason_string->add_reason(reason_string, reason_comp_evid_fail);
}
if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
{
- this->reason_string->add_reason(this->reason_string,
- reason_comp_evid_pend);
+ reason_string->add_reason(reason_string, reason_comp_evid_pend);
}
if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
{
- this->reason_string->add_reason(this->reason_string,
- reason_tpm_quote_fail);
+ reason_string->add_reason(reason_string, reason_tpm_quote_fail);
}
+}
+
+METHOD(imv_state_t, get_reason_string, bool,
+ private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *reason_string, char **reason_language)
+{
+ *reason_language = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
+
+ /* Instantiate a TNC Reason String object */
+ DESTROY_IF(this->reason_string);
+ this->reason_string = imv_reason_string_create(*reason_language, "\n");
+ add_file_meas_reasons(this, this->reason_string);
+ add_comp_evid_reasons(this, this->reason_string);
*reason_string = this->reason_string->get_encoding(this->reason_string);
return TRUE;
@@ -390,13 +407,13 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*,
if (found)
{
- if (name->get_qualifier(name) == entry->qualifier)
+ if (name->equals(name, entry->name))
{
/* duplicate entry */
return NULL;
}
new_entry = malloc_thing(func_comp_t);
- new_entry->qualifier = name->get_qualifier(name);
+ new_entry->name = name->clone(name);
new_entry->comp = entry->comp->get_ref(entry->comp);
this->components->insert_last(this->components, new_entry);
return entry->comp;
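Review bot: The duplicate check `name->equals(name, entry->name)` now carries the whole comparison, including the qualifier that the removed line compared explicitly, so it is only correct if equals() also covers the qualifier. That implementation is not visible here; if it treats some qualifiers as wildcards, two distinct components could be reported as duplicates. The same reliance appears in the get_component hunk further down. A short comment such as `/* equals() compares vendor ID, name and qualifier */` would record the assumption once it is confirmed. create_component starts and ends outside this hunk.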
@@ -410,13 +427,41 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*,
return NULL;
}
new_entry = malloc_thing(func_comp_t);
- new_entry->qualifier = name->get_qualifier(name);
+ new_entry->name = name->clone(name);
new_entry->comp = component;
this->components->insert_last(this->components, new_entry);
return component;
}
}
+/**
+ * Enumerate file measurement entries
+ */
+static bool entry_filter(void *null, func_comp_t **entry, u_int8_t *flags,
+ void *i2, u_int32_t *depth,
+ void *i3, pts_comp_func_name_t **comp_name)
+{
+ pts_component_t *comp;
+ pts_comp_func_name_t *name;
+
+ comp = (*entry)->comp;
+ name = (*entry)->name;
+
+ *flags = comp->get_evidence_flags(comp);
+ *depth = comp->get_depth(comp);
+ *comp_name = name;
+
+ return TRUE;
+}
+
+METHOD(imv_attestation_state_t, create_component_enumerator, enumerator_t*,
+ private_imv_attestation_state_t *this)
+{
+ return enumerator_create_filter(
+ this->components->create_enumerator(this->components),
+ (void*)entry_filter, NULL, NULL);
+}
+
METHOD(imv_attestation_state_t, get_component, pts_component_t*,
private_imv_attestation_state_t *this, pts_comp_func_name_t *name)
{
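Review bot: The comment above entry_filter says "Enumerate file measurement entries", but the function maps a func_comp_t entry to the component's evidence flags, depth and name. Something like `* Filter a functional component entry into its evidence flags, depth and name` would match the code. The filter also stores the entry's own `name` pointer in `*comp_name` rather than a clone, so the enumerator documentation should say the caller must not destroy it and that it is only valid while the entry is in the list. finalize_components removes and frees entries, so a pointer kept past that call would presumably dangle.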
@@ -427,8 +472,7 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*,
enumerator = this->components->create_enumerator(this->components);
while (enumerator->enumerate(enumerator, &entry))
{
- if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)) &&
- name->get_qualifier(name) == entry->qualifier)
+ if (name->equals(name, entry->name))
{
found = entry->comp;
break;
@@ -458,23 +502,15 @@ METHOD(imv_attestation_state_t, finalize_components, void,
while (this->components->remove_last(this->components,
(void**)&entry) == SUCCESS)
{
- if (!entry->comp->finalize(entry->comp, entry->qualifier))
+ if (!entry->comp->finalize(entry->comp,
+ entry->name->get_qualifier(entry->name)))
{
set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
- update_recommendation(this,
- TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
- TNC_IMV_EVALUATION_RESULT_ERROR);
}
free_func_comp(entry);
}
}
-METHOD(imv_attestation_state_t, components_finalized, bool,
- private_imv_attestation_state_t *this)
-{
- return this->components->get_count(this->components) == 0;
-}
-
/**
* Described in header.
*/
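Review bot: A component whose finalize() fails now only sets IMV_ATTESTATION_ERROR_COMP_EVID_PEND, because the update_recommendation() call that forced an isolate/error result has been removed from this loop. Unless a caller outside this hunk derives the recommendation from the measurement error flags, pending evidence would no longer affect the assessment. A comment at the set_measurement_error() call, for example `/* recommendation is derived from measurement_error by the caller */`, would document where that decision now lives once it is confirmed. finalize_components begins outside this hunk.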
@@ -509,11 +545,13 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
.set_handshake_state = _set_handshake_state,
.get_pts = _get_pts,
.create_component = _create_component,
+ .create_component_enumerator = _create_component_enumerator,
.get_component = _get_component,
.finalize_components = _finalize_components,
- .components_finalized = _components_finalized,
.get_measurement_error = _get_measurement_error,
.set_measurement_error = _set_measurement_error,
+ .add_file_meas_reasons = _add_file_meas_reasons,
+ .add_comp_evid_reasons = _add_comp_evid_reasons,
},
.connection_id = connection_id,
.state = TNC_CONNECTION_STATE_CREATE,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 27d1ae8db..9369d30a2 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -25,6 +25,7 @@
#define IMV_ATTESTATION_STATE_H_
#include <imv/imv_state.h>
+#include <imv/imv_reason_string.h>
#include <pts/pts.h>
#include <pts/pts_database.h>
#include <pts/components/pts_component.h>
@@ -64,9 +65,10 @@ enum imv_attestation_handshake_state_t {
enum imv_meas_error_t {
IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
- IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4,
- IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8,
- IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+ IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 4,
+ IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 8,
+ IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
};
/**
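Review bot: Inserting IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK as 4 renumbers the three existing flags, so any place that stored or compared the old numeric values (nothing of that kind is visible in this hunk) would silently read a different error. Appending the new flag with the next free bit would keep the existing values stable. Writing the members as shifts, e.g. `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 1<<2,`, would also make it obvious that these are bit flags tested with `&`.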
@@ -116,6 +118,13 @@ struct imv_attestation_state_t {
pts_database_t *pts_db);
/**
+ * Enumerate over all Functional Components
+ *
+ * @return Functional Component enumerator
+ */
+ enumerator_t* (*create_component_enumerator)(imv_attestation_state_t *this);
+
+ /**
* Get a Functional Component with a given name
*
* @param name Name of the requested Functional Component
@@ -131,11 +140,6 @@ struct imv_attestation_state_t {
void (*finalize_components)(imv_attestation_state_t *this);
/**
- * Have the Functional Component measurements been finalized?
- */
- bool (*components_finalized)(imv_attestation_state_t *this);
-
- /**
* Indicates the types of measurement errors that occurred
*
* @return Measurement error flags
@@ -150,6 +154,21 @@ struct imv_attestation_state_t {
void (*set_measurement_error)(imv_attestation_state_t *this,
u_int32_t error);
+ /**
+ * Returns a concatenation of File Measurement reason strings
+ *
+ * @param reason_string Concatenated reason strings
+ */
+ void (*add_file_meas_reasons)(imv_attestation_state_t *this,
+ imv_reason_string_t *reason_string);
+
+ /**
+ * Returns a concatenation of Component Evidence reason strings
+ *
+ * @param reason_string Concatenated reason strings
+ */
+ void (*add_comp_evid_reasons)(imv_attestation_state_t *this,
+ imv_reason_string_t *reason_string);
};
/**
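Review bot: The doc comments for add_file_meas_reasons and add_comp_evid_reasons say "Returns a concatenation of ... reason strings", but both function pointers return void and, per the implementation in the .c file, append to the object passed in. I would reword them to `* Add the File Measurement reason strings for the recorded errors` (and the Component Evidence equivalent) with `@param reason_string  Reason string object to append to`. The current wording suggests an output parameter that the callee creates.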
diff --git a/src/libpts/plugins/imv_swid/Makefile.in b/src/libpts/plugins/imv_swid/Makefile.in
index 852cd3d04..b92f7d4d0 100644
--- a/src/libpts/plugins/imv_swid/Makefile.in
+++ b/src/libpts/plugins/imv_swid/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c
index 02470f5f5..c6b4131bf 100644
--- a/src/libpts/pts/components/ita/ita_comp_ima.c
+++ b/src/libpts/pts/components/ita/ita_comp_ima.c
@@ -683,7 +683,7 @@ METHOD(pts_component_t, verify, status_t,
status = this->pts_db->check_comp_measurement(this->pts_db,
measurement, this->bios_cid, this->kid,
++this->seq_no, pcr, algo);
- if (status != SUCCESS)
+ if (status == FAILED)
{
return status;
}
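Review bot: Narrowing the check to `status == FAILED` lets every other non-SUCCESS result of check_comp_measurement() fall through, and the two later hunks in verify (at -803 and -811) then return that `status` after the PCR has been set or extended. A measurement that the database did not confirm is therefore still folded into the PCR state, and the outcome depends on every caller treating any value other than SUCCESS as not verified. Callers are outside these hunks, so that cannot be confirmed here. A comment at this check, e.g. `/* only a database error aborts; other results are returned after the PCR update */`, would make the intent explicit. If only one specific status is meant to continue, testing for it by name would be safer than letting all of them through.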
@@ -803,7 +803,7 @@ METHOD(pts_component_t, verify, status_t,
}
if (pcrs->set(pcrs, pcr, pcr_after))
{
- return SUCCESS;
+ return status;
}
}
else
@@ -811,7 +811,7 @@ METHOD(pts_component_t, verify, status_t,
pcr_after = pcrs->extend(pcrs, pcr, measurement);
if (pcr_after.ptr)
{
- return SUCCESS;
+ return status;
}
}
return FAILED;
@@ -951,7 +951,7 @@ pts_component_t *pts_ita_comp_ima_create(u_int32_t depth,
.bios_list = linked_list_create(),
.ima_list = linked_list_create(),
.pcr_info = lib->settings->get_bool(lib->settings,
- "libimcv.plugins.imc-attestation.pcr_info", TRUE),
+ "%s.plugins.imc-attestation.pcr_info", TRUE, lib->ns),
.ref = 1,
);
diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c
index 8fb5abddf..f4859f801 100644
--- a/src/libpts/pts/components/ita/ita_comp_tboot.c
+++ b/src/libpts/pts/components/ita/ita_comp_tboot.c
@@ -130,21 +130,21 @@ METHOD(pts_component_t, measure, status_t,
/* dummy data since currently the TBOOT log is not retrieved */
time(&this->measurement_time);
meas_hex = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr17_meas", NULL);
+ "%s.plugins.imc-attestation.pcr17_meas", NULL, lib->ns);
pcr_before_hex = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr17_before", NULL);
+ "%s.plugins.imc-attestation.pcr17_before", NULL, lib->ns);
pcr_after_hex = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr17_after", NULL);
+ "%s.plugins.imc-attestation.pcr17_after", NULL, lib->ns);
extended_pcr = PCR_TBOOT_POLICY;
break;
case 1:
/* dummy data since currently the TBOOT log is not retrieved */
meas_hex = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr18_meas", NULL);
+ "%s.plugins.imc-attestation.pcr18_meas", NULL, lib->ns);
pcr_before_hex = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr18_before", NULL);
+ "%s.plugins.imc-attestation.pcr18_before", NULL, lib->ns);
pcr_after_hex = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr18_after", NULL);
+ "%s.plugins.imc-attestation.pcr18_after", NULL, lib->ns);
extended_pcr = PCR_TBOOT_MLE;
break;
default:
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index f646d67e1..8699282f0 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -377,7 +377,7 @@ static void load_aik_blob(private_pts_t *this)
u_int32_t aikBlobLen;
blob_path = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.aik_blob", NULL);
+ "%s.plugins.imc-attestation.aik_blob", NULL, lib->ns);
if (blob_path)
{
@@ -418,9 +418,9 @@ static void load_aik(private_pts_t *this)
char *cert_path, *key_path;
cert_path = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.aik_cert", NULL);
+ "%s.plugins.imc-attestation.aik_cert", NULL, lib->ns);
key_path = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.aik_key", NULL);
+ "%s.plugins.imc-attestation.aik_key", NULL, lib->ns);
if (cert_path)
{
@@ -627,7 +627,7 @@ METHOD(pts_t, get_metadata, pts_file_meta_t*,
metadata->destroy(metadata);
return NULL;
}
- entry->filename = strdup(basename(pathname));
+ entry->filename = path_basename(pathname);
metadata->add(metadata, entry);
}
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index e5a06cc8d..07e8ae1da 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -15,6 +15,7 @@
#define _GNU_SOURCE
#include <stdio.h>
+#include <libgen.h>
#include "pts_database.h"
@@ -248,13 +249,62 @@ METHOD(pts_database_t, check_file_measurement, status_t,
enumerator_t *e;
chunk_t hash;
status_t status = NOT_FOUND;
+ char *dir, *file;
+
+ if (strlen(filename) < 1)
+ {
+ return INVALID_ARG;
+ }
+
+ /* separate filename into directory and basename components */
+ dir = path_dirname(filename);
+ file = path_basename(filename);
+
+ if (*dir == '.')
+ { /* relative pathname */
+ e = this->db->query(this->db,
+ "SELECT fh.hash FROM file_hashes AS fh "
+ "JOIN files AS f ON f.id = fh.file "
+ "JOIN products AS p ON p.id = fh.product "
+ "WHERE p.name = ? AND f.name = ? AND fh.algo = ?",
+ DB_TEXT, product, DB_TEXT, file, DB_INT, algo, DB_BLOB);
+ }
+ else
+ { /* absolute pathname */
+ bool dir_found;
+ int did;
+
+ /* find directory entry first */
+ e = this->db->query(this->db,
+ "SELECT id FROM directories WHERE path = ?",
+ DB_TEXT, dir, DB_INT);
+ if (!e)
+ {
+ free(file);
+ free(dir);
+ return FAILED;
+ }
+ dir_found = e->enumerate(e, &did);
+ e->destroy(e);
+
+ if (!dir_found)
+ {
+ free(file);
+ free(dir);
+ return NOT_FOUND;
+ }
+
+ e = this->db->query(this->db,
+ "SELECT fh.hash FROM file_hashes AS fh "
+ "JOIN files AS f ON f.id = fh.file "
+ "JOIN products AS p ON p.id = fh.product "
+ "WHERE p.name = ? AND f.dir = ? AND f.name = ? AND fh.algo = ?",
+ DB_TEXT, product, DB_INT, did, DB_TEXT, file, DB_INT, algo,
+ DB_BLOB);
+ }
+ free(file);
+ free(dir);
- e = this->db->query(this->db,
- "SELECT fh.hash FROM file_hashes AS fh "
- "JOIN files AS f ON f.id = fh.file "
- "JOIN products AS p ON p.id = fh.product "
- "WHERE p.name = ? AND f.path = ? AND fh.algo = ?",
- DB_TEXT, product, DB_TEXT, filename, DB_INT, algo, DB_BLOB);
if (!e)
{
return FAILED;
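Review bot: The test `if (*dir == '.')` looks only at the first character, so a directory such as `.ssh` or `../lib` is handled as "relative" and the hash is looked up by basename alone, without the `f.dir = ?` restriction. Assuming path_dirname() returns "." for a bare file name, as dirname() does, the check should compare the whole string: `if (streq(dir, "."))`. Conversely, a relative path with a directory part such as `sub/file` takes the "absolute" branch, so the two inline comments do not describe what the branches actually select. Separately, `strlen(filename) < 1` does not guard against a NULL filename; whether callers can pass one is not visible in this hunk. check_file_measurement continues outside the hunk.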
diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c
index f684087d7..77a0957bb 100644
--- a/src/libpts/pts/pts_file_meas.c
+++ b/src/libpts/pts/pts_file_meas.c
@@ -341,9 +341,10 @@ pts_file_meas_t *pts_file_meas_create_from_path(u_int16_t request_id,
success = FALSE;
goto end;
}
- filename = use_rel_name ? basename(pathname) : pathname;
+ filename = use_rel_name ? path_basename(pathname) : strdup(pathname);
DBG2(DBG_PTS, " %#B for '%s'", &measurement, filename);
add(this, filename, measurement);
+ free(filename);
}
end:
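Review bot: Freeing `filename` right after `add(this, filename, measurement)` is only safe if add() stores its own copy of the string. add() is defined outside this hunk, so that should be confirmed and noted, e.g. `/* add() duplicates filename */`. The `strdup(pathname)` result is also used unchecked in the DBG2 `%s` and in add(); a NULL check before use would keep an allocation failure from reaching them. The enclosing function starts outside the hunk.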
diff --git a/src/libpts/swid/swid_inventory.c b/src/libpts/swid/swid_inventory.c
index a689ccdaa..a71682f43 100644
--- a/src/libpts/swid/swid_inventory.c
+++ b/src/libpts/swid/swid_inventory.c
@@ -24,7 +24,6 @@
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
-#include <sys/mman.h>
#include <libgen.h>
#include <errno.h>
@@ -178,40 +177,19 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname,
if (this->full_tags)
{
swid_tag_t *tag;
- chunk_t xml_tag;
- struct stat sb;
- void *addr;
- int fd;
+ chunk_t *xml_tag;
- fd = open(abs_name, O_RDONLY);
- if (fd == -1)
+ xml_tag = chunk_map(abs_name, FALSE);
+ if (!xml_tag)
{
DBG1(DBG_IMC, " opening '%s' failed: %s", abs_name,
strerror(errno));
goto end;
}
- if (fstat(fd, &sb) == -1)
- {
- DBG1(DBG_IMC, " getting file size of '%s' failed: %s", abs_name,
- strerror(errno));
- close(fd);
- goto end;
- }
-
- addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (addr == MAP_FAILED)
- {
- DBG1(DBG_IMC, " mapping '%s' failed: %s", abs_name,
- strerror(errno));
- close(fd);
- goto end;
- }
- xml_tag = chunk_create(addr, sb.st_size);
- tag = swid_tag_create(xml_tag, unique_seq_id);
+ tag = swid_tag_create(*xml_tag, unique_seq_id);
this->list->insert_last(this->list, tag);
- munmap(addr, sb.st_size);
- close(fd);
+ chunk_unmap(xml_tag);
}
else
{
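Review bot: The single failure branch after `chunk_map(abs_name, FALSE)` still logs "opening '%s' failed", although it now also covers what used to be separate stat and mapping errors. Changing the word `opening` to `mapping` in that DBG1 message would keep the log accurate. It also relies on chunk_map() leaving errno set on failure, which is not visible here. The return value of `chunk_unmap(xml_tag)` is ignored; a short comment that the failure is deliberately not handled would help. collect_tags starts and ends outside this hunk.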
@@ -290,5 +268,3 @@ swid_inventory_t *swid_inventory_create(bool full_tags)
return &this->public;
}
-
-
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c
index f0bc7cf60..c5a2f4b8a 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c
@@ -13,6 +13,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "tcg_pts_attr_req_file_meas.h"
#include <pa_tnc/pa_tnc_msg.h>
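Review bot: The comment on the new define names a function that does not exist: `/* for stdndup() */` should read `/* for strndup() */`. The same typo is added in tcg_pts_attr_req_file_meta.c and tcg_pts_attr_unix_file_meta.c further down. It matters slightly more than a plain typo, because the comment is the only explanation for why `_GNU_SOURCE` must be defined before `<string.h>` is included.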
@@ -20,8 +23,6 @@
#include <bio/bio_reader.h>
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_tcg_pts_attr_req_file_meas_t private_tcg_pts_attr_req_file_meas_t;
/**
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c
index e475cd35b..8d703af65 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c
@@ -13,6 +13,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "tcg_pts_attr_req_file_meta.h"
#include <pa_tnc/pa_tnc_msg.h>
@@ -20,8 +23,6 @@
#include <bio/bio_reader.h>
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_tcg_pts_attr_req_file_meta_t private_tcg_pts_attr_req_file_meta_t;
/**
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c
index 5249fa2ad..e10845bbb 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_req_func_comp_evid.c
@@ -286,7 +286,7 @@ METHOD(tcg_pts_attr_req_func_comp_evid_t, add_component, void,
entry = malloc_thing(entry_t);
entry->flags = flags;
entry->depth = depth;
- entry->name = name;
+ entry->name = name->clone(name);
this->list->insert_last(this->list, entry);
}
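Review bot: `entry->name = name->clone(name)` changes the ownership contract of add_component: the entry now owns a private copy and the caller keeps its own object. The code that frees entry_t must therefore destroy `entry->name`. Any caller that previously handed its name over now has to destroy it, or it leaks. Both are outside this hunk. The header comment for add_component should say so, e.g. `@param name  Functional Component name, cloned internally`.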
diff --git a/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c
index f96371b8b..eff64c229 100644
--- a/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c
+++ b/src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c
@@ -13,6 +13,9 @@
* for more details.
*/
+#define _GNU_SOURCE /* for stdndup() */
+#include <string.h>
+
#include "tcg_pts_attr_unix_file_meta.h"
#include <pa_tnc/pa_tnc_msg.h>
@@ -21,8 +24,6 @@
#include <collections/linked_list.h>
#include <utils/debug.h>
-#include <string.h>
-
typedef struct private_tcg_pts_attr_file_meta_t private_tcg_pts_attr_file_meta_t;
/**
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index c9d6c3935..c827cb598 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 8af48522c..d903de883 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -211,8 +211,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -280,6 +278,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,12 +371,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -388,6 +395,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 8e6050291..ee824abdb 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -211,8 +211,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -280,6 +278,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,12 +371,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -388,6 +395,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 1a13fdd71..440913071 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -36,7 +36,8 @@ selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
-utils/printf_hook/printf_hook_vstr.c utils/settings.c
+utils/printf_hook/printf_hook_builtin.c utils/settings.c utils/test.c \
+utils/utils/strerror.c
# adding the plugin source files
@@ -96,9 +97,6 @@ LOCAL_SRC_FILES += $(call add_plugin, xcbc)
# build libstrongswan ----------------------------------------------------------
-LOCAL_C_INCLUDES += \
- $(libvstr_PATH)
-
LOCAL_CFLAGS := $(strongswan_CFLAGS) \
-include $(LOCAL_PATH)/AndroidConfigLocal.h
@@ -110,6 +108,6 @@ LOCAL_ARM_MODE := arm
LOCAL_PRELINK_MODULE := false
-LOCAL_SHARED_LIBRARIES += libdl libvstr
+LOCAL_SHARED_LIBRARIES += libdl
include $(BUILD_SHARED_LIBRARY)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 3804adb03..b3a4eda99 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -34,7 +34,8 @@ selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
-utils/settings.c
+utils/settings.c utils/test.c \
+utils/utils/strerror.c
if USE_DEV_HEADERS
strongswan_includedir = ${dev_headers}
@@ -82,7 +83,8 @@ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
utils/leak_detective.h utils/printf_hook/printf_hook.h \
utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-utils/settings.h utils/integrity_checker.h
+utils/settings.h utils/test.h utils/integrity_checker.h \
+utils/utils/strerror.h
endif
library.lo : $(top_builddir)/config.status
@@ -481,6 +483,13 @@ if MONOLITHIC
endif
endif
+if USE_NTRU
+ SUBDIRS += plugins/ntru
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/ntru/libstrongswan-ntru.la
+endif
+endif
+
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
if MONOLITHIC
@@ -488,9 +497,7 @@ if MONOLITHIC
endif
endif
-if UNITTESTS
if MONOLITHIC
SUBDIRS += .
endif
- SUBDIRS += tests
-endif
+SUBDIRS += tests
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index c9718e659..64396b51f 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -178,10 +178,10 @@ host_triplet = @host@
@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_97 = plugins/ccm/libstrongswan-ccm.la
@USE_GCM_TRUE@am__append_98 = plugins/gcm
@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_99 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_100 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_101 = plugins/test_vectors/libstrongswan-test-vectors.la
-@MONOLITHIC_TRUE@@UNITTESTS_TRUE@am__append_102 = .
-@UNITTESTS_TRUE@am__append_103 = tests
+@USE_NTRU_TRUE@am__append_100 = plugins/ntru
+@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_101 = plugins/ntru/libstrongswan-ntru.la
+@USE_TEST_VECTORS_TRUE@am__append_102 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_103 = plugins/test_vectors/libstrongswan-test-vectors.la
subdir = src/libstrongswan
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp \
@@ -254,7 +254,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__append_83) $(am__append_85) $(am__append_87) \
$(am__append_89) $(am__append_91) $(am__append_93) \
$(am__append_95) $(am__append_97) $(am__append_99) \
- $(am__append_101)
+ $(am__append_101) $(am__append_103)
am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
bio/bio_writer.c collections/blocking_queue.c \
@@ -300,8 +300,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
utils/identification.c utils/lexparser.c utils/optionsfrom.c \
utils/capabilities.c utils/backtrace.c utils/settings.c \
- utils/leak_detective.c utils/integrity_checker.c \
- utils/printf_hook/printf_hook_vstr.c \
+ utils/test.c utils/utils/strerror.c utils/leak_detective.c \
+ utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \
utils/printf_hook/printf_hook_builtin.c \
utils/printf_hook/printf_hook_glibc.c
am__dirstamp = $(am__leading_dot)dirstamp
@@ -355,9 +355,9 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
threading/spinlock.lo utils/utils.lo utils/chunk.lo \
utils/debug.lo utils/enum.lo utils/identification.lo \
utils/lexparser.lo utils/optionsfrom.lo utils/capabilities.lo \
- utils/backtrace.lo utils/settings.lo $(am__objects_1) \
- $(am__objects_2) $(am__objects_3) $(am__objects_4) \
- $(am__objects_5)
+ utils/backtrace.lo utils/settings.lo utils/test.lo \
+ utils/utils/strerror.lo $(am__objects_1) $(am__objects_2) \
+ $(am__objects_3) $(am__objects_4) $(am__objects_5)
libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -468,7 +468,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
utils/printf_hook/printf_hook.h \
utils/printf_hook/printf_hook_vstr.h \
utils/printf_hook/printf_hook_builtin.h utils/settings.h \
- utils/integrity_checker.h
+ utils/test.h utils/integrity_checker.h utils/utils/strerror.h
HEADERS = $(nobase_strongswan_include_HEADERS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
@@ -508,7 +508,8 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
plugins/padlock plugins/openssl plugins/gcrypt \
plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
- plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors tests
+ plugins/ctr plugins/ccm plugins/gcm plugins/ntru \
+ plugins/test_vectors tests
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -549,8 +550,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -618,6 +617,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -706,12 +710,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -726,6 +734,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -781,8 +790,9 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
utils/identification.c utils/lexparser.c utils/optionsfrom.c \
utils/capabilities.c utils/backtrace.c utils/settings.c \
- $(am__append_2) $(am__append_5) $(am__append_6) \
- $(am__append_8) $(am__append_10)
+ utils/test.c utils/utils/strerror.c $(am__append_2) \
+ $(am__append_5) $(am__append_6) $(am__append_8) \
+ $(am__append_10)
@USE_DEV_HEADERS_TRUE@strongswan_includedir = ${dev_headers}
@USE_DEV_HEADERS_TRUE@nobase_strongswan_include_HEADERS = \
@USE_DEV_HEADERS_TRUE@library.h \
@@ -828,7 +838,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
@USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
@USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook/printf_hook.h \
@USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-@USE_DEV_HEADERS_TRUE@utils/settings.h utils/integrity_checker.h
+@USE_DEV_HEADERS_TRUE@utils/settings.h utils/test.h utils/integrity_checker.h \
+@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h
libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
$(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_7) \
@@ -847,7 +858,7 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
$(am__append_81) $(am__append_83) $(am__append_85) \
$(am__append_87) $(am__append_89) $(am__append_91) \
$(am__append_93) $(am__append_95) $(am__append_97) \
- $(am__append_99) $(am__append_101)
+ $(am__append_99) $(am__append_101) $(am__append_103)
AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
-DPLUGINDIR=\"${plugindir}\" \
@@ -894,8 +905,7 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
@MONOLITHIC_FALSE@ $(am__append_88) $(am__append_90) \
@MONOLITHIC_FALSE@ $(am__append_92) $(am__append_94) \
@MONOLITHIC_FALSE@ $(am__append_96) $(am__append_98) \
-@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_102) \
-@MONOLITHIC_FALSE@ $(am__append_103)
+@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_102) tests
# build plugins with their own Makefile
#######################################
@@ -921,8 +931,7 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
@MONOLITHIC_TRUE@ $(am__append_88) $(am__append_90) \
@MONOLITHIC_TRUE@ $(am__append_92) $(am__append_94) \
@MONOLITHIC_TRUE@ $(am__append_96) $(am__append_98) \
-@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_102) \
-@MONOLITHIC_TRUE@ $(am__append_103)
+@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_102) . tests
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -1354,6 +1363,15 @@ utils/backtrace.lo: utils/$(am__dirstamp) \
utils/$(DEPDIR)/$(am__dirstamp)
utils/settings.lo: utils/$(am__dirstamp) \
utils/$(DEPDIR)/$(am__dirstamp)
+utils/test.lo: utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp)
+utils/utils/$(am__dirstamp):
+ @$(MKDIR_P) utils/utils
+ @: > utils/utils/$(am__dirstamp)
+utils/utils/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) utils/utils/$(DEPDIR)
+ @: > utils/utils/$(DEPDIR)/$(am__dirstamp)
+utils/utils/strerror.lo: utils/utils/$(am__dirstamp) \
+ utils/utils/$(DEPDIR)/$(am__dirstamp)
utils/leak_detective.lo: utils/$(am__dirstamp) \
utils/$(DEPDIR)/$(am__dirstamp)
utils/integrity_checker.lo: utils/$(am__dirstamp) \
@@ -1443,6 +1461,8 @@ mostlyclean-compile:
-rm -f utils/*.lo
-rm -f utils/printf_hook/*.$(OBJEXT)
-rm -f utils/printf_hook/*.lo
+ -rm -f utils/utils/*.$(OBJEXT)
+ -rm -f utils/utils/*.lo
distclean-compile:
-rm -f *.tab.c
@@ -1536,10 +1556,12 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/lexparser.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/optionsfrom.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/test.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/utils.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_builtin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_glibc.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_vstr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/strerror.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -1602,6 +1624,7 @@ clean-libtool:
-rm -rf threading/.libs threading/_libs
-rm -rf utils/.libs utils/_libs
-rm -rf utils/printf_hook/.libs utils/printf_hook/_libs
+ -rm -rf utils/utils/.libs utils/utils/_libs
install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS)
@$(NORMAL_INSTALL)
@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
@@ -1881,6 +1904,8 @@ distclean-generic:
-rm -f utils/$(am__dirstamp)
-rm -f utils/printf_hook/$(DEPDIR)/$(am__dirstamp)
-rm -f utils/printf_hook/$(am__dirstamp)
+ -rm -f utils/utils/$(DEPDIR)/$(am__dirstamp)
+ -rm -f utils/utils/$(am__dirstamp)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -1893,7 +1918,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
mostlyclean-am
distclean: distclean-recursive
- -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1940,7 +1965,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
- -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d860ad9a2..38a6ad688 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -88,7 +88,7 @@ int asn1_known_oid(chunk_t object)
}
}
}
- return -1;
+ return OID_UNKNOWN;
}
/*
@@ -129,7 +129,8 @@ chunk_t asn1_build_known_oid(int n)
chunk_t asn1_oid_from_string(char *str)
{
enumerator_t *enumerator;
- u_char buf[64];
+ size_t buf_len = 64;
+ u_char buf[buf_len];
char *end;
int i = 0, pos = 0, shift;
u_int val, shifted_val, first = 0;
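Review bot: Declaring `u_char buf[buf_len]` with a non-const `size_t buf_len` turns the buffer into a variable-length array, so its size is no longer a compile-time constant that static checks can rely on. A named constant keeps a single source of truth without the VLA, for example `enum { OID_BUF_LEN = 64 };` followed by `u_char buf[OID_BUF_LEN];` (the name is only a suggestion). The same pattern appears in the asn1_oid_to_string hunk (`size_t len = 64;` with `char buf[len]`), where a fixed array plus a separate `size_t left = sizeof(buf);` would serve as the running remainder. The function body continues outside this hunk.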
@@ -138,7 +139,7 @@ chunk_t asn1_oid_from_string(char *str)
while (enumerator->enumerate(enumerator, &str))
{
val = strtoul(str, &end, 10);
- if (end == str || pos > countof(buf))
+ if (end == str || pos > buf_len-4)
{
pos = 0;
break;
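Review bot: The new guard `pos > buf_len-4` leaves room for four more octets, but a 32-bit `u_int` arc can need five octets in base-128 encoding (32 bits at 7 bits per octet). The encoding loop is outside this hunk; if it can emit all five octets for large values, the margin is one byte short and `pos > buf_len-5` would be the safe bound. Separately, `strtoul()` returns `unsigned long`, so on platforms where that is wider than `u_int` an oversized arc is silently truncated when stored in `val`; parsing into an `unsigned long` temporary and rejecting anything above `UINT_MAX` would make that explicit.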
@@ -175,8 +176,9 @@ chunk_t asn1_oid_from_string(char *str)
*/
char *asn1_oid_to_string(chunk_t oid)
{
- char buf[64], *pos = buf;
- int len;
+ size_t len = 64;
+ char buf[len], *pos = buf;
+ int written;
u_int val;
if (!oid.len)
@@ -184,13 +186,14 @@ char *asn1_oid_to_string(chunk_t oid)
return NULL;
}
val = oid.ptr[0] / 40;
- len = snprintf(buf, sizeof(buf), "%u.%u", val, oid.ptr[0] - val * 40);
+ written = snprintf(buf, len, "%u.%u", val, oid.ptr[0] - val * 40);
oid = chunk_skip(oid, 1);
- if (len < 0 || len >= sizeof(buf))
+ if (written < 0 || written >= len)
{
return NULL;
}
- pos += len;
+ pos += written;
+ len -= written;
val = 0;
while (oid.len)
@@ -199,12 +202,13 @@ char *asn1_oid_to_string(chunk_t oid)
if (oid.ptr[0] < 128)
{
- len = snprintf(pos, sizeof(buf) + buf - pos, ".%u", val);
- if (len < 0 || len >= sizeof(buf) + buf - pos)
+ written = snprintf(pos, len, ".%u", val);
+ if (written < 0 || written >= len)
{
return NULL;
}
- pos += len;
+ pos += written;
+ len -= written;
val = 0;
}
oid = chunk_skip(oid, 1);
@@ -296,7 +300,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
else
{ /* composite length, determine number of length octets */
len &= 0x7f;
- if (len == 0 || len > sizeof(res.len))
+ if (len == 0 || len > blob->len || len > sizeof(res.len))
{
return ASN1_INVALID;
}
@@ -389,8 +393,8 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
tm_year += (tm_year < 50) ? 2000 : 1900;
}
- /* prevent large 32 bit integer overflows */
- if (sizeof(time_t) == 4 && tm_year > 2038)
+ /* prevent obvious 32 bit integer overflows */
+ if (sizeof(time_t) == 4 && (tm_year > 2038 || tm_year < 1901))
{
return TIME_32_BIT_SIGNED_MAX;
}
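Review bot: With the added `tm_year < 1901` condition, a date before 1901 returns TIME_32_BIT_SIGNED_MAX, the same value used for dates after 2038. On a 32-bit time_t a far-past timestamp therefore becomes indistinguishable from a far-future one. If a caller (not visible here) uses the result as the end of a validity period, a long-past date would compare as still in the future. Consider returning a distinct lower bound for the underflow case, or splitting the condition so that `tm_year < 1901` takes the `return 0;` path used for malformed fields further down. The function starts and ends outside this hunk.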
@@ -398,13 +402,24 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
/* representation of months as 0..11*/
if (tm_mon < 1 || tm_mon > 12)
{
- return 0; /* error in month format */
+ return 0;
}
tm_mon--;
/* representation of days as 0..30 */
+ if (tm_day < 1 || tm_day > 31)
+ { /* we don't actually validate the day in relation to tm_year/tm_mon */
+ return 0;
+ }
tm_day--;
+ if (tm_hour < 0 || tm_hour > 23 ||
+ tm_min < 0 || tm_min > 59 ||
+ tm_sec < 0 || tm_sec > 60 /* allow leap seconds */)
+ {
+ return 0;
+ }
+
/* number of leap years between last year and 1970? */
tm_leap_4 = (tm_year - 1) / 4;
tm_leap_100 = tm_leap_4 / 25;
@@ -420,8 +435,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
tm_days = 365 * (tm_year - 1970) + days[tm_mon] + tm_day + tm_leap;
tm_secs = 60 * (60 * (24 * tm_days + tm_hour) + tm_min) + tm_sec - tz_offset;
- /* has a 32 bit signed integer overflow occurred? */
- return (tm_secs < 0) ? TIME_32_BIT_SIGNED_MAX : tm_secs;
+ if (sizeof(time_t) == 4)
+ { /* has a 32 bit signed integer overflow occurred? */
+ if (tm_year > 1970 && tm_secs < 0)
+ { /* depending on the time zone, the first days in 1970 may result in
+ * a negative value, but dates after 1970 never will */
+ return TIME_32_BIT_SIGNED_MAX;
+ }
+ if (tm_year < 1969 && tm_secs > 0)
+ { /* similarly, tm_secs is not positive for dates before 1970, except
+ * for the last days in 1969, depending on the time zone */
+ return TIME_32_BIT_SIGNED_MAX;
+ }
+ }
+ return tm_secs;
}
/**
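Review bot: The overflow test on `tm_secs` runs after `60 * (60 * (24 * tm_days + tm_hour) + tm_min)` has already been evaluated, so it depends on the result having wrapped around. The declarations of `tm_days` and `tm_secs` are outside this hunk, but if they are signed 32-bit types that wrap is undefined behaviour in C, and a compiler may optimise the sign checks away. Doing the arithmetic in a 64-bit type and range-checking before narrowing avoids relying on it: `int64_t secs = 60LL * (60LL * (24LL * tm_days + tm_hour) + tm_min) + tm_sec - tz_offset;` followed by `if (sizeof(time_t) == 4 && (secs > INT32_MAX || secs < INT32_MIN)) return TIME_32_BIT_SIGNED_MAX;`.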
@@ -537,7 +564,7 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
len = asn1_length(object);
- if (len == ASN1_INVALID_LENGTH || object->len < len)
+ if (len == ASN1_INVALID_LENGTH)
{
DBG2(DBG_ASN, "L%d - %s: length of ASN.1 object invalid or too large",
level, name);
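Review bot: Dropping `object->len < len` leaves `asn1_length()` as the only place that bounds the decoded length against the remaining input, and that function is not part of this hunk. If it already returns ASN1_INVALID_LENGTH when the length exceeds the blob, a short comment here keeps the dependency visible, for example `/* asn1_length() rejects lengths larger than the remaining blob */`. If it does not, the removed comparison should stay. The debug message still says "invalid or too large", which is only accurate in the first case.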
@@ -675,7 +702,9 @@ bool asn1_is_printablestring(chunk_t str)
for (i = 0; i < str.len; i++)
{
if (strchr(printablestring_charset, str.ptr[i]) == NULL)
+ {
return FALSE;
+ }
}
return TRUE;
}
@@ -781,10 +810,17 @@ chunk_t asn1_integer(const char *mode, chunk_t content)
chunk_t object;
size_t len;
u_char *pos;
+ bool move;
+
if (content.len == 0)
{ /* make sure 0 is encoded properly */
content = chunk_from_chars(0x00);
+ move = FALSE;
+ }
+ else
+ {
+ move = (*mode == 'm');
}
/* ASN.1 integers must be positive numbers in two's complement */
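Review bot: In the `content.len == 0` branch `content` is replaced and `move` is set to FALSE, so in 'm' mode the caller's original `content.ptr` is never freed. That is harmless if an empty chunk always carries a NULL pointer, but the hunk does not show that guarantee; if a zero-length chunk can hold an allocated pointer, this is a small leak. Freeing first covers both cases: `if (*mode == 'm') { free(content.ptr); }` placed ahead of `content = chunk_from_chars(0x00);`. The rest of asn1_integer lies outside this hunk.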
@@ -794,11 +830,9 @@ chunk_t asn1_integer(const char *mode, chunk_t content)
{
*pos++ = 0x00;
}
- if (len)
- {
- memcpy(pos, content.ptr, content.len);
- }
- if (*mode == 'm')
+ memcpy(pos, content.ptr, content.len);
+
+ if (move)
{
free(content.ptr);
}
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index a1d625380..7a48292af 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -191,6 +191,13 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private);
/**
* Converts an ASN.1 UTCTIME or GENERALIZEDTIME string to time_t
*
+ * On systems where sizeof(time_t) == 4 there will be an overflow
+ * for dates
+ * > Tue, 19 Jan 2038 03:14:07 UTC (0x7fffffff)
+ * and
+ * < Fri, 13 Dec 1901 20:45:52 UTC (0x80000000)
+ * in both cases TIME_32_BIT_SIGNED_MAX is returned.
+ *
* @param utctime body of an ASN.1 coded time object
* @param type ASN1_UTCTIME or ASN1_GENERALIZEDTIME
* @return time_t in UTC
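Review bot: The added paragraph documents the 32-bit overflow result but not the other sentinel this commit extends. The asn1.c hunks make asn1_to_time() return 0 when the month, day, hour, minute or second is out of range, and 0 is also the valid epoch value. Stating this on the return line lets callers treat it as an error, for example `@return time_t in UTC, 0 if a date or time field is out of range`. The doc comment ends outside this hunk.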
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index c31fb75f0..e7b7a428d 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -160,6 +160,7 @@ METHOD(asn1_parser_t, iterate, bool,
DBG1(DBG_ASN, "L%d - %s: length of ASN.1 object invalid or too large",
level, obj.name);
this->success = FALSE;
+ goto end;
}
blob1->ptr = blob->ptr;
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index a0e882b2c..6fa8f4e54 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -75,7 +75,7 @@ const oid_t oid_names[] = {
{ 0x36, 63, 0, 2, "inhibitAnyPolicy" }, /* 62 */
{ 0x37, 64, 0, 2, "targetInformation" }, /* 63 */
{ 0x38, 0, 0, 2, "noRevAvail" }, /* 64 */
- {0x2A, 188, 1, 0, "" }, /* 65 */
+ {0x2A, 189, 1, 0, "" }, /* 65 */
{ 0x83, 78, 1, 1, "" }, /* 66 */
{ 0x08, 0, 1, 2, "jp" }, /* 67 */
{ 0x8C, 0, 1, 3, "" }, /* 68 */
@@ -90,7 +90,7 @@ const oid_t oid_names[] = {
{ 0x04, 0, 0, 10, "camellia256-cbc" }, /* 77 */
{ 0x86, 0, 1, 1, "" }, /* 78 */
{ 0x48, 0, 1, 2, "us" }, /* 79 */
- { 0x86, 147, 1, 3, "" }, /* 80 */
+ { 0x86, 148, 1, 3, "" }, /* 80 */
{ 0xF6, 86, 1, 4, "" }, /* 81 */
{ 0x7D, 0, 1, 5, "NortelNetworks" }, /* 82 */
{ 0x07, 0, 1, 6, "Entrust" }, /* 83 */
@@ -98,320 +98,344 @@ const oid_t oid_names[] = {
{ 0x00, 0, 0, 8, "entrustVersInfo" }, /* 85 */
{ 0xF7, 0, 1, 4, "" }, /* 86 */
{ 0x0D, 0, 1, 5, "RSADSI" }, /* 87 */
- { 0x01, 142, 1, 6, "PKCS" }, /* 88 */
- { 0x01, 100, 1, 7, "PKCS-1" }, /* 89 */
+ { 0x01, 143, 1, 6, "PKCS" }, /* 88 */
+ { 0x01, 101, 1, 7, "PKCS-1" }, /* 89 */
{ 0x01, 91, 0, 8, "rsaEncryption" }, /* 90 */
{ 0x02, 92, 0, 8, "md2WithRSAEncryption" }, /* 91 */
{ 0x04, 93, 0, 8, "md5WithRSAEncryption" }, /* 92 */
{ 0x05, 94, 0, 8, "sha-1WithRSAEncryption" }, /* 93 */
{ 0x07, 95, 0, 8, "id-RSAES-OAEP" }, /* 94 */
- { 0x09, 96, 0, 8, "id-pSpecified" }, /* 95 */
- { 0x0B, 97, 0, 8, "sha256WithRSAEncryption" }, /* 96 */
- { 0x0C, 98, 0, 8, "sha384WithRSAEncryption" }, /* 97 */
- { 0x0D, 99, 0, 8, "sha512WithRSAEncryption" }, /* 98 */
- { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 99 */
- { 0x05, 105, 1, 7, "PKCS-5" }, /* 100 */
- { 0x03, 102, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 101 */
- { 0x0A, 103, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 102 */
- { 0x0C, 104, 0, 8, "id-PBKDF2" }, /* 103 */
- { 0x0D, 0, 0, 8, "id-PBES2" }, /* 104 */
- { 0x07, 112, 1, 7, "PKCS-7" }, /* 105 */
- { 0x01, 107, 0, 8, "data" }, /* 106 */
- { 0x02, 108, 0, 8, "signedData" }, /* 107 */
- { 0x03, 109, 0, 8, "envelopedData" }, /* 108 */
- { 0x04, 110, 0, 8, "signedAndEnvelopedData" }, /* 109 */
- { 0x05, 111, 0, 8, "digestedData" }, /* 110 */
- { 0x06, 0, 0, 8, "encryptedData" }, /* 111 */
- { 0x09, 126, 1, 7, "PKCS-9" }, /* 112 */
- { 0x01, 114, 0, 8, "E" }, /* 113 */
- { 0x02, 115, 0, 8, "unstructuredName" }, /* 114 */
- { 0x03, 116, 0, 8, "contentType" }, /* 115 */
- { 0x04, 117, 0, 8, "messageDigest" }, /* 116 */
- { 0x05, 118, 0, 8, "signingTime" }, /* 117 */
- { 0x06, 119, 0, 8, "counterSignature" }, /* 118 */
- { 0x07, 120, 0, 8, "challengePassword" }, /* 119 */
- { 0x08, 121, 0, 8, "unstructuredAddress" }, /* 120 */
- { 0x0E, 122, 0, 8, "extensionRequest" }, /* 121 */
- { 0x0F, 123, 0, 8, "S/MIME Capabilities" }, /* 122 */
- { 0x16, 0, 1, 8, "certTypes" }, /* 123 */
- { 0x01, 125, 0, 9, "X.509" }, /* 124 */
- { 0x02, 0, 0, 9, "SDSI" }, /* 125 */
- { 0x0c, 0, 1, 7, "PKCS-12" }, /* 126 */
- { 0x01, 134, 1, 8, "pbeIds" }, /* 127 */
- { 0x01, 129, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 128 */
- { 0x02, 130, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 129 */
- { 0x03, 131, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 130 */
- { 0x04, 132, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 131 */
- { 0x05, 133, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 132 */
- { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 133 */
- { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 134 */
- { 0x01, 0, 1, 9, "bagIds" }, /* 135 */
- { 0x01, 137, 0, 10, "keyBag" }, /* 136 */
- { 0x02, 138, 0, 10, "pkcs8ShroudedKeyBag" }, /* 137 */
- { 0x03, 139, 0, 10, "certBag" }, /* 138 */
- { 0x04, 140, 0, 10, "crlBag" }, /* 139 */
- { 0x05, 141, 0, 10, "secretBag" }, /* 140 */
- { 0x06, 0, 0, 10, "safeContentsBag" }, /* 141 */
- { 0x02, 145, 1, 6, "digestAlgorithm" }, /* 142 */
- { 0x02, 144, 0, 7, "md2" }, /* 143 */
- { 0x05, 0, 0, 7, "md5" }, /* 144 */
- { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 145 */
- { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 146 */
- { 0xCE, 0, 1, 3, "" }, /* 147 */
- { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 148 */
- { 0x02, 151, 1, 5, "id-publicKeyType" }, /* 149 */
- { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 150 */
- { 0x03, 181, 1, 5, "ellipticCurve" }, /* 151 */
- { 0x00, 173, 1, 6, "c-TwoCurve" }, /* 152 */
- { 0x01, 154, 0, 7, "c2pnb163v1" }, /* 153 */
- { 0x02, 155, 0, 7, "c2pnb163v2" }, /* 154 */
- { 0x03, 156, 0, 7, "c2pnb163v3" }, /* 155 */
- { 0x04, 157, 0, 7, "c2pnb176w1" }, /* 156 */
- { 0x05, 158, 0, 7, "c2tnb191v1" }, /* 157 */
- { 0x06, 159, 0, 7, "c2tnb191v2" }, /* 158 */
- { 0x07, 160, 0, 7, "c2tnb191v3" }, /* 159 */
- { 0x08, 161, 0, 7, "c2onb191v4" }, /* 160 */
- { 0x09, 162, 0, 7, "c2onb191v5" }, /* 161 */
- { 0x0A, 163, 0, 7, "c2pnb208w1" }, /* 162 */
- { 0x0B, 164, 0, 7, "c2tnb239v1" }, /* 163 */
- { 0x0C, 165, 0, 7, "c2tnb239v2" }, /* 164 */
- { 0x0D, 166, 0, 7, "c2tnb239v3" }, /* 165 */
- { 0x0E, 167, 0, 7, "c2onb239v4" }, /* 166 */
- { 0x0F, 168, 0, 7, "c2onb239v5" }, /* 167 */
- { 0x10, 169, 0, 7, "c2pnb272w1" }, /* 168 */
- { 0x11, 170, 0, 7, "c2pnb304w1" }, /* 169 */
- { 0x12, 171, 0, 7, "c2tnb359v1" }, /* 170 */
- { 0x13, 172, 0, 7, "c2pnb368w1" }, /* 171 */
- { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 172 */
- { 0x01, 0, 1, 6, "primeCurve" }, /* 173 */
- { 0x01, 175, 0, 7, "prime192v1" }, /* 174 */
- { 0x02, 176, 0, 7, "prime192v2" }, /* 175 */
- { 0x03, 177, 0, 7, "prime192v3" }, /* 176 */
- { 0x04, 178, 0, 7, "prime239v1" }, /* 177 */
- { 0x05, 179, 0, 7, "prime239v2" }, /* 178 */
- { 0x06, 180, 0, 7, "prime239v3" }, /* 179 */
- { 0x07, 0, 0, 7, "prime256v1" }, /* 180 */
- { 0x04, 0, 1, 5, "id-ecSigType" }, /* 181 */
- { 0x01, 183, 0, 6, "ecdsa-with-SHA1" }, /* 182 */
- { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 183 */
- { 0x01, 185, 0, 7, "ecdsa-with-SHA224" }, /* 184 */
- { 0x02, 186, 0, 7, "ecdsa-with-SHA256" }, /* 185 */
- { 0x03, 187, 0, 7, "ecdsa-with-SHA384" }, /* 186 */
- { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 187 */
- {0x2B, 348, 1, 0, "" }, /* 188 */
- { 0x06, 262, 1, 1, "dod" }, /* 189 */
- { 0x01, 0, 1, 2, "internet" }, /* 190 */
- { 0x04, 213, 1, 3, "private" }, /* 191 */
- { 0x01, 0, 1, 4, "enterprise" }, /* 192 */
- { 0x82, 206, 1, 5, "" }, /* 193 */
- { 0x37, 203, 1, 6, "Microsoft" }, /* 194 */
- { 0x0A, 199, 1, 7, "" }, /* 195 */
- { 0x03, 0, 1, 8, "" }, /* 196 */
- { 0x03, 198, 0, 9, "msSGC" }, /* 197 */
- { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 198 */
- { 0x14, 0, 1, 7, "msEnrollmentInfrastructure" }, /* 199 */
- { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 200 */
- { 0x02, 202, 0, 9, "msSmartcardLogon" }, /* 201 */
- { 0x03, 0, 0, 9, "msUPN" }, /* 202 */
- { 0xA0, 0, 1, 6, "" }, /* 203 */
- { 0x2A, 0, 1, 7, "ITA" }, /* 204 */
- { 0x01, 0, 0, 8, "strongSwan" }, /* 205 */
- { 0x89, 0, 1, 5, "" }, /* 206 */
- { 0x31, 0, 1, 6, "" }, /* 207 */
- { 0x01, 0, 1, 7, "" }, /* 208 */
- { 0x01, 0, 1, 8, "" }, /* 209 */
- { 0x02, 0, 1, 9, "" }, /* 210 */
- { 0x02, 0, 1, 10, "" }, /* 211 */
- { 0x4B, 0, 0, 11, "TCGID" }, /* 212 */
- { 0x05, 0, 1, 3, "security" }, /* 213 */
- { 0x05, 0, 1, 4, "mechanisms" }, /* 214 */
- { 0x07, 259, 1, 5, "id-pkix" }, /* 215 */
- { 0x01, 220, 1, 6, "id-pe" }, /* 216 */
- { 0x01, 218, 0, 7, "authorityInfoAccess" }, /* 217 */
- { 0x03, 219, 0, 7, "qcStatements" }, /* 218 */
- { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 219 */
- { 0x02, 223, 1, 6, "id-qt" }, /* 220 */
- { 0x01, 222, 0, 7, "cps" }, /* 221 */
- { 0x02, 0, 0, 7, "unotice" }, /* 222 */
- { 0x03, 233, 1, 6, "id-kp" }, /* 223 */
- { 0x01, 225, 0, 7, "serverAuth" }, /* 224 */
- { 0x02, 226, 0, 7, "clientAuth" }, /* 225 */
- { 0x03, 227, 0, 7, "codeSigning" }, /* 226 */
- { 0x04, 228, 0, 7, "emailProtection" }, /* 227 */
- { 0x05, 229, 0, 7, "ipsecEndSystem" }, /* 228 */
- { 0x06, 230, 0, 7, "ipsecTunnel" }, /* 229 */
- { 0x07, 231, 0, 7, "ipsecUser" }, /* 230 */
- { 0x08, 232, 0, 7, "timeStamping" }, /* 231 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 232 */
- { 0x08, 241, 1, 6, "id-otherNames" }, /* 233 */
- { 0x01, 235, 0, 7, "personalData" }, /* 234 */
- { 0x02, 236, 0, 7, "userGroup" }, /* 235 */
- { 0x03, 237, 0, 7, "id-on-permanentIdentifier" }, /* 236 */
- { 0x04, 238, 0, 7, "id-on-hardwareModuleName" }, /* 237 */
- { 0x05, 239, 0, 7, "xmppAddr" }, /* 238 */
- { 0x06, 240, 0, 7, "id-on-SIM" }, /* 239 */
- { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 240 */
- { 0x0A, 246, 1, 6, "id-aca" }, /* 241 */
- { 0x01, 243, 0, 7, "authenticationInfo" }, /* 242 */
- { 0x02, 244, 0, 7, "accessIdentity" }, /* 243 */
- { 0x03, 245, 0, 7, "chargingIdentity" }, /* 244 */
- { 0x04, 0, 0, 7, "group" }, /* 245 */
- { 0x0B, 247, 0, 6, "subjectInfoAccess" }, /* 246 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 247 */
- { 0x01, 256, 1, 7, "ocsp" }, /* 248 */
- { 0x01, 250, 0, 8, "basic" }, /* 249 */
- { 0x02, 251, 0, 8, "nonce" }, /* 250 */
- { 0x03, 252, 0, 8, "crl" }, /* 251 */
- { 0x04, 253, 0, 8, "response" }, /* 252 */
- { 0x05, 254, 0, 8, "noCheck" }, /* 253 */
- { 0x06, 255, 0, 8, "archiveCutoff" }, /* 254 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 255 */
- { 0x02, 257, 0, 7, "caIssuers" }, /* 256 */
- { 0x03, 258, 0, 7, "timeStamping" }, /* 257 */
- { 0x05, 0, 0, 7, "caRepository" }, /* 258 */
- { 0x08, 0, 1, 5, "ipsec" }, /* 259 */
- { 0x02, 0, 1, 6, "certificate" }, /* 260 */
- { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 261 */
- { 0x0E, 268, 1, 1, "oiw" }, /* 262 */
- { 0x03, 0, 1, 2, "secsig" }, /* 263 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 264 */
- { 0x07, 266, 0, 4, "des-cbc" }, /* 265 */
- { 0x1A, 267, 0, 4, "sha-1" }, /* 266 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 267 */
- { 0x24, 314, 1, 1, "TeleTrusT" }, /* 268 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 269 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 270 */
- { 0x01, 275, 1, 4, "rsaSignature" }, /* 271 */
- { 0x02, 273, 0, 5, "rsaSigWithripemd160" }, /* 272 */
- { 0x03, 274, 0, 5, "rsaSigWithripemd128" }, /* 273 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 274 */
- { 0x02, 0, 1, 4, "ecSign" }, /* 275 */
- { 0x01, 277, 0, 5, "ecSignWithsha1" }, /* 276 */
- { 0x02, 278, 0, 5, "ecSignWithripemd160" }, /* 277 */
- { 0x03, 279, 0, 5, "ecSignWithmd2" }, /* 278 */
- { 0x04, 280, 0, 5, "ecSignWithmd5" }, /* 279 */
- { 0x05, 297, 1, 5, "ttt-ecg" }, /* 280 */
- { 0x01, 285, 1, 6, "fieldType" }, /* 281 */
- { 0x01, 0, 1, 7, "characteristictwoField" }, /* 282 */
- { 0x01, 0, 1, 8, "basisType" }, /* 283 */
- { 0x01, 0, 0, 9, "ipBasis" }, /* 284 */
- { 0x02, 287, 1, 6, "keyType" }, /* 285 */
- { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 286 */
- { 0x03, 288, 0, 6, "curve" }, /* 287 */
- { 0x04, 295, 1, 6, "signatures" }, /* 288 */
- { 0x01, 290, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 289 */
- { 0x02, 291, 0, 7, "ecgdsa-with-SHA1" }, /* 290 */
- { 0x03, 292, 0, 7, "ecgdsa-with-SHA224" }, /* 291 */
- { 0x04, 293, 0, 7, "ecgdsa-with-SHA256" }, /* 292 */
- { 0x05, 294, 0, 7, "ecgdsa-with-SHA384" }, /* 293 */
- { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 294 */
- { 0x05, 0, 1, 6, "module" }, /* 295 */
- { 0x01, 0, 0, 7, "1" }, /* 296 */
- { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 297 */
- { 0x01, 0, 1, 6, "ellipticCurve" }, /* 298 */
- { 0x01, 0, 1, 7, "versionOne" }, /* 299 */
- { 0x01, 301, 0, 8, "brainpoolP160r1" }, /* 300 */
- { 0x02, 302, 0, 8, "brainpoolP160t1" }, /* 301 */
- { 0x03, 303, 0, 8, "brainpoolP192r1" }, /* 302 */
- { 0x04, 304, 0, 8, "brainpoolP192t1" }, /* 303 */
- { 0x05, 305, 0, 8, "brainpoolP224r1" }, /* 304 */
- { 0x06, 306, 0, 8, "brainpoolP224t1" }, /* 305 */
- { 0x07, 307, 0, 8, "brainpoolP256r1" }, /* 306 */
- { 0x08, 308, 0, 8, "brainpoolP256t1" }, /* 307 */
- { 0x09, 309, 0, 8, "brainpoolP320r1" }, /* 308 */
- { 0x0A, 310, 0, 8, "brainpoolP320t1" }, /* 309 */
- { 0x0B, 311, 0, 8, "brainpoolP384r1" }, /* 310 */
- { 0x0C, 312, 0, 8, "brainpoolP384t1" }, /* 311 */
- { 0x0D, 313, 0, 8, "brainpoolP512r1" }, /* 312 */
- { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 313 */
- { 0x81, 0, 1, 1, "" }, /* 314 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 315 */
- { 0x00, 0, 1, 3, "curve" }, /* 316 */
- { 0x01, 318, 0, 4, "sect163k1" }, /* 317 */
- { 0x02, 319, 0, 4, "sect163r1" }, /* 318 */
- { 0x03, 320, 0, 4, "sect239k1" }, /* 319 */
- { 0x04, 321, 0, 4, "sect113r1" }, /* 320 */
- { 0x05, 322, 0, 4, "sect113r2" }, /* 321 */
- { 0x06, 323, 0, 4, "secp112r1" }, /* 322 */
- { 0x07, 324, 0, 4, "secp112r2" }, /* 323 */
- { 0x08, 325, 0, 4, "secp160r1" }, /* 324 */
- { 0x09, 326, 0, 4, "secp160k1" }, /* 325 */
- { 0x0A, 327, 0, 4, "secp256k1" }, /* 326 */
- { 0x0F, 328, 0, 4, "sect163r2" }, /* 327 */
- { 0x10, 329, 0, 4, "sect283k1" }, /* 328 */
- { 0x11, 330, 0, 4, "sect283r1" }, /* 329 */
- { 0x16, 331, 0, 4, "sect131r1" }, /* 330 */
- { 0x17, 332, 0, 4, "sect131r2" }, /* 331 */
- { 0x18, 333, 0, 4, "sect193r1" }, /* 332 */
- { 0x19, 334, 0, 4, "sect193r2" }, /* 333 */
- { 0x1A, 335, 0, 4, "sect233k1" }, /* 334 */
- { 0x1B, 336, 0, 4, "sect233r1" }, /* 335 */
- { 0x1C, 337, 0, 4, "secp128r1" }, /* 336 */
- { 0x1D, 338, 0, 4, "secp128r2" }, /* 337 */
- { 0x1E, 339, 0, 4, "secp160r2" }, /* 338 */
- { 0x1F, 340, 0, 4, "secp192k1" }, /* 339 */
- { 0x20, 341, 0, 4, "secp224k1" }, /* 340 */
- { 0x21, 342, 0, 4, "secp224r1" }, /* 341 */
- { 0x22, 343, 0, 4, "secp384r1" }, /* 342 */
- { 0x23, 344, 0, 4, "secp521r1" }, /* 343 */
- { 0x24, 345, 0, 4, "sect409k1" }, /* 344 */
- { 0x25, 346, 0, 4, "sect409r1" }, /* 345 */
- { 0x26, 347, 0, 4, "sect571k1" }, /* 346 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 347 */
- {0x60, 396, 1, 0, "" }, /* 348 */
- { 0x86, 0, 1, 1, "" }, /* 349 */
- { 0x48, 0, 1, 2, "" }, /* 350 */
- { 0x01, 0, 1, 3, "organization" }, /* 351 */
- { 0x65, 372, 1, 4, "gov" }, /* 352 */
- { 0x03, 0, 1, 5, "csor" }, /* 353 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 354 */
- { 0x01, 365, 1, 7, "aes" }, /* 355 */
- { 0x02, 357, 0, 8, "id-aes128-CBC" }, /* 356 */
- { 0x06, 358, 0, 8, "id-aes128-GCM" }, /* 357 */
- { 0x07, 359, 0, 8, "id-aes128-CCM" }, /* 358 */
- { 0x16, 360, 0, 8, "id-aes192-CBC" }, /* 359 */
- { 0x1A, 361, 0, 8, "id-aes192-GCM" }, /* 360 */
- { 0x1B, 362, 0, 8, "id-aes192-CCM" }, /* 361 */
- { 0x2A, 363, 0, 8, "id-aes256-CBC" }, /* 362 */
- { 0x2E, 364, 0, 8, "id-aes256-GCM" }, /* 363 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 364 */
- { 0x02, 0, 1, 7, "hashalgs" }, /* 365 */
- { 0x01, 367, 0, 8, "id-SHA-256" }, /* 366 */
- { 0x02, 368, 0, 8, "id-SHA-384" }, /* 367 */
- { 0x03, 369, 0, 8, "id-SHA-512" }, /* 368 */
- { 0x04, 370, 0, 8, "id-SHA-224" }, /* 369 */
- { 0x05, 371, 0, 8, "id-SHA-512-224" }, /* 370 */
- { 0x06, 0, 0, 8, "id-SHA-512-256" }, /* 371 */
- { 0x86, 0, 1, 4, "" }, /* 372 */
- { 0xf8, 0, 1, 5, "" }, /* 373 */
- { 0x42, 386, 1, 6, "netscape" }, /* 374 */
- { 0x01, 381, 1, 7, "" }, /* 375 */
- { 0x01, 377, 0, 8, "nsCertType" }, /* 376 */
- { 0x03, 378, 0, 8, "nsRevocationUrl" }, /* 377 */
- { 0x04, 379, 0, 8, "nsCaRevocationUrl" }, /* 378 */
- { 0x08, 380, 0, 8, "nsCaPolicyUrl" }, /* 379 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 380 */
- { 0x03, 384, 1, 7, "directory" }, /* 381 */
- { 0x01, 0, 1, 8, "" }, /* 382 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 383 */
- { 0x04, 0, 1, 7, "policy" }, /* 384 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 385 */
- { 0x45, 0, 1, 6, "verisign" }, /* 386 */
- { 0x01, 0, 1, 7, "pki" }, /* 387 */
- { 0x09, 0, 1, 8, "attributes" }, /* 388 */
- { 0x02, 390, 0, 9, "messageType" }, /* 389 */
- { 0x03, 391, 0, 9, "pkiStatus" }, /* 390 */
- { 0x04, 392, 0, 9, "failInfo" }, /* 391 */
- { 0x05, 393, 0, 9, "senderNonce" }, /* 392 */
- { 0x06, 394, 0, 9, "recipientNonce" }, /* 393 */
- { 0x07, 395, 0, 9, "transID" }, /* 394 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 395 */
- {0x67, 0, 1, 0, "" }, /* 396 */
- { 0x81, 0, 1, 1, "" }, /* 397 */
- { 0x05, 0, 1, 2, "" }, /* 398 */
- { 0x02, 0, 1, 3, "tcg-attribute" }, /* 399 */
- { 0x01, 401, 0, 4, "tcg-at-tpmManufacturer" }, /* 400 */
- { 0x02, 402, 0, 4, "tcg-at-tpmModel" }, /* 401 */
- { 0x03, 403, 0, 4, "tcg-at-tpmVersion" }, /* 402 */
- { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 403 */
+ { 0x08, 96, 0, 8, "id-mgf1" }, /* 95 */
+ { 0x09, 97, 0, 8, "id-pSpecified" }, /* 96 */
+ { 0x0B, 98, 0, 8, "sha256WithRSAEncryption" }, /* 97 */
+ { 0x0C, 99, 0, 8, "sha384WithRSAEncryption" }, /* 98 */
+ { 0x0D, 100, 0, 8, "sha512WithRSAEncryption" }, /* 99 */
+ { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 100 */
+ { 0x05, 106, 1, 7, "PKCS-5" }, /* 101 */
+ { 0x03, 103, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 102 */
+ { 0x0A, 104, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 103 */
+ { 0x0C, 105, 0, 8, "id-PBKDF2" }, /* 104 */
+ { 0x0D, 0, 0, 8, "id-PBES2" }, /* 105 */
+ { 0x07, 113, 1, 7, "PKCS-7" }, /* 106 */
+ { 0x01, 108, 0, 8, "data" }, /* 107 */
+ { 0x02, 109, 0, 8, "signedData" }, /* 108 */
+ { 0x03, 110, 0, 8, "envelopedData" }, /* 109 */
+ { 0x04, 111, 0, 8, "signedAndEnvelopedData" }, /* 110 */
+ { 0x05, 112, 0, 8, "digestedData" }, /* 111 */
+ { 0x06, 0, 0, 8, "encryptedData" }, /* 112 */
+ { 0x09, 127, 1, 7, "PKCS-9" }, /* 113 */
+ { 0x01, 115, 0, 8, "E" }, /* 114 */
+ { 0x02, 116, 0, 8, "unstructuredName" }, /* 115 */
+ { 0x03, 117, 0, 8, "contentType" }, /* 116 */
+ { 0x04, 118, 0, 8, "messageDigest" }, /* 117 */
+ { 0x05, 119, 0, 8, "signingTime" }, /* 118 */
+ { 0x06, 120, 0, 8, "counterSignature" }, /* 119 */
+ { 0x07, 121, 0, 8, "challengePassword" }, /* 120 */
+ { 0x08, 122, 0, 8, "unstructuredAddress" }, /* 121 */
+ { 0x0E, 123, 0, 8, "extensionRequest" }, /* 122 */
+ { 0x0F, 124, 0, 8, "S/MIME Capabilities" }, /* 123 */
+ { 0x16, 0, 1, 8, "certTypes" }, /* 124 */
+ { 0x01, 126, 0, 9, "X.509" }, /* 125 */
+ { 0x02, 0, 0, 9, "SDSI" }, /* 126 */
+ { 0x0c, 0, 1, 7, "PKCS-12" }, /* 127 */
+ { 0x01, 135, 1, 8, "pbeIds" }, /* 128 */
+ { 0x01, 130, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 129 */
+ { 0x02, 131, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 130 */
+ { 0x03, 132, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 131 */
+ { 0x04, 133, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 132 */
+ { 0x05, 134, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 133 */
+ { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 134 */
+ { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 135 */
+ { 0x01, 0, 1, 9, "bagIds" }, /* 136 */
+ { 0x01, 138, 0, 10, "keyBag" }, /* 137 */
+ { 0x02, 139, 0, 10, "pkcs8ShroudedKeyBag" }, /* 138 */
+ { 0x03, 140, 0, 10, "certBag" }, /* 139 */
+ { 0x04, 141, 0, 10, "crlBag" }, /* 140 */
+ { 0x05, 142, 0, 10, "secretBag" }, /* 141 */
+ { 0x06, 0, 0, 10, "safeContentsBag" }, /* 142 */
+ { 0x02, 146, 1, 6, "digestAlgorithm" }, /* 143 */
+ { 0x02, 145, 0, 7, "md2" }, /* 144 */
+ { 0x05, 0, 0, 7, "md5" }, /* 145 */
+ { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 146 */
+ { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 147 */
+ { 0xCE, 0, 1, 3, "" }, /* 148 */
+ { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 149 */
+ { 0x02, 152, 1, 5, "id-publicKeyType" }, /* 150 */
+ { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 151 */
+ { 0x03, 182, 1, 5, "ellipticCurve" }, /* 152 */
+ { 0x00, 174, 1, 6, "c-TwoCurve" }, /* 153 */
+ { 0x01, 155, 0, 7, "c2pnb163v1" }, /* 154 */
+ { 0x02, 156, 0, 7, "c2pnb163v2" }, /* 155 */
+ { 0x03, 157, 0, 7, "c2pnb163v3" }, /* 156 */
+ { 0x04, 158, 0, 7, "c2pnb176w1" }, /* 157 */
+ { 0x05, 159, 0, 7, "c2tnb191v1" }, /* 158 */
+ { 0x06, 160, 0, 7, "c2tnb191v2" }, /* 159 */
+ { 0x07, 161, 0, 7, "c2tnb191v3" }, /* 160 */
+ { 0x08, 162, 0, 7, "c2onb191v4" }, /* 161 */
+ { 0x09, 163, 0, 7, "c2onb191v5" }, /* 162 */
+ { 0x0A, 164, 0, 7, "c2pnb208w1" }, /* 163 */
+ { 0x0B, 165, 0, 7, "c2tnb239v1" }, /* 164 */
+ { 0x0C, 166, 0, 7, "c2tnb239v2" }, /* 165 */
+ { 0x0D, 167, 0, 7, "c2tnb239v3" }, /* 166 */
+ { 0x0E, 168, 0, 7, "c2onb239v4" }, /* 167 */
+ { 0x0F, 169, 0, 7, "c2onb239v5" }, /* 168 */
+ { 0x10, 170, 0, 7, "c2pnb272w1" }, /* 169 */
+ { 0x11, 171, 0, 7, "c2pnb304w1" }, /* 170 */
+ { 0x12, 172, 0, 7, "c2tnb359v1" }, /* 171 */
+ { 0x13, 173, 0, 7, "c2pnb368w1" }, /* 172 */
+ { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 173 */
+ { 0x01, 0, 1, 6, "primeCurve" }, /* 174 */
+ { 0x01, 176, 0, 7, "prime192v1" }, /* 175 */
+ { 0x02, 177, 0, 7, "prime192v2" }, /* 176 */
+ { 0x03, 178, 0, 7, "prime192v3" }, /* 177 */
+ { 0x04, 179, 0, 7, "prime239v1" }, /* 178 */
+ { 0x05, 180, 0, 7, "prime239v2" }, /* 179 */
+ { 0x06, 181, 0, 7, "prime239v3" }, /* 180 */
+ { 0x07, 0, 0, 7, "prime256v1" }, /* 181 */
+ { 0x04, 0, 1, 5, "id-ecSigType" }, /* 182 */
+ { 0x01, 184, 0, 6, "ecdsa-with-SHA1" }, /* 183 */
+ { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 184 */
+ { 0x01, 186, 0, 7, "ecdsa-with-SHA224" }, /* 185 */
+ { 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */
+ { 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */
+ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */
+ {0x2B, 372, 1, 0, "" }, /* 189 */
+ { 0x06, 286, 1, 1, "dod" }, /* 190 */
+ { 0x01, 0, 1, 2, "internet" }, /* 191 */
+ { 0x04, 237, 1, 3, "private" }, /* 192 */
+ { 0x01, 0, 1, 4, "enterprise" }, /* 193 */
+ { 0x82, 207, 1, 5, "" }, /* 194 */
+ { 0x37, 204, 1, 6, "Microsoft" }, /* 195 */
+ { 0x0A, 200, 1, 7, "" }, /* 196 */
+ { 0x03, 0, 1, 8, "" }, /* 197 */
+ { 0x03, 199, 0, 9, "msSGC" }, /* 198 */
+ { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 199 */
+ { 0x14, 0, 1, 7, "msEnrollmentInfrastructure" }, /* 200 */
+ { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 201 */
+ { 0x02, 203, 0, 9, "msSmartcardLogon" }, /* 202 */
+ { 0x03, 0, 0, 9, "msUPN" }, /* 203 */
+ { 0xA0, 0, 1, 6, "" }, /* 204 */
+ { 0x2A, 0, 1, 7, "ITA" }, /* 205 */
+ { 0x01, 0, 0, 8, "strongSwan" }, /* 206 */
+ { 0x89, 214, 1, 5, "" }, /* 207 */
+ { 0x31, 0, 1, 6, "" }, /* 208 */
+ { 0x01, 0, 1, 7, "" }, /* 209 */
+ { 0x01, 0, 1, 8, "" }, /* 210 */
+ { 0x02, 0, 1, 9, "" }, /* 211 */
+ { 0x02, 0, 1, 10, "" }, /* 212 */
+ { 0x4B, 0, 0, 11, "TCGID" }, /* 213 */
+ { 0xc1, 0, 1, 5, "" }, /* 214 */
+ { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 215 */
+ { 0x01, 0, 1, 7, "eess" }, /* 216 */
+ { 0x01, 0, 1, 8, "eess1" }, /* 217 */
+ { 0x01, 222, 1, 9, "eess1-algs" }, /* 218 */
+ { 0x01, 220, 0, 10, "ntru-EESS1v1-SVES" }, /* 219 */
+ { 0x02, 221, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 220 */
+ { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 221 */
+ { 0x02, 236, 1, 9, "eess1-params" }, /* 222 */
+ { 0x01, 224, 0, 10, "ees251ep1" }, /* 223 */
+ { 0x02, 225, 0, 10, "ees347ep1" }, /* 224 */
+ { 0x03, 226, 0, 10, "ees503ep1" }, /* 225 */
+ { 0x07, 227, 0, 10, "ees251sp2" }, /* 226 */
+ { 0x0C, 228, 0, 10, "ees251ep4" }, /* 227 */
+ { 0x0D, 229, 0, 10, "ees251ep5" }, /* 228 */
+ { 0x0E, 230, 0, 10, "ees251sp3" }, /* 229 */
+ { 0x0F, 231, 0, 10, "ees251sp4" }, /* 230 */
+ { 0x10, 232, 0, 10, "ees251sp5" }, /* 231 */
+ { 0x11, 233, 0, 10, "ees251sp6" }, /* 232 */
+ { 0x12, 234, 0, 10, "ees251sp7" }, /* 233 */
+ { 0x13, 235, 0, 10, "ees251sp8" }, /* 234 */
+ { 0x14, 0, 0, 10, "ees251sp9" }, /* 235 */
+ { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 236 */
+ { 0x05, 0, 1, 3, "security" }, /* 237 */
+ { 0x05, 0, 1, 4, "mechanisms" }, /* 238 */
+ { 0x07, 283, 1, 5, "id-pkix" }, /* 239 */
+ { 0x01, 244, 1, 6, "id-pe" }, /* 240 */
+ { 0x01, 242, 0, 7, "authorityInfoAccess" }, /* 241 */
+ { 0x03, 243, 0, 7, "qcStatements" }, /* 242 */
+ { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 243 */
+ { 0x02, 247, 1, 6, "id-qt" }, /* 244 */
+ { 0x01, 246, 0, 7, "cps" }, /* 245 */
+ { 0x02, 0, 0, 7, "unotice" }, /* 246 */
+ { 0x03, 257, 1, 6, "id-kp" }, /* 247 */
+ { 0x01, 249, 0, 7, "serverAuth" }, /* 248 */
+ { 0x02, 250, 0, 7, "clientAuth" }, /* 249 */
+ { 0x03, 251, 0, 7, "codeSigning" }, /* 250 */
+ { 0x04, 252, 0, 7, "emailProtection" }, /* 251 */
+ { 0x05, 253, 0, 7, "ipsecEndSystem" }, /* 252 */
+ { 0x06, 254, 0, 7, "ipsecTunnel" }, /* 253 */
+ { 0x07, 255, 0, 7, "ipsecUser" }, /* 254 */
+ { 0x08, 256, 0, 7, "timeStamping" }, /* 255 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 256 */
+ { 0x08, 265, 1, 6, "id-otherNames" }, /* 257 */
+ { 0x01, 259, 0, 7, "personalData" }, /* 258 */
+ { 0x02, 260, 0, 7, "userGroup" }, /* 259 */
+ { 0x03, 261, 0, 7, "id-on-permanentIdentifier" }, /* 260 */
+ { 0x04, 262, 0, 7, "id-on-hardwareModuleName" }, /* 261 */
+ { 0x05, 263, 0, 7, "xmppAddr" }, /* 262 */
+ { 0x06, 264, 0, 7, "id-on-SIM" }, /* 263 */
+ { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 264 */
+ { 0x0A, 270, 1, 6, "id-aca" }, /* 265 */
+ { 0x01, 267, 0, 7, "authenticationInfo" }, /* 266 */
+ { 0x02, 268, 0, 7, "accessIdentity" }, /* 267 */
+ { 0x03, 269, 0, 7, "chargingIdentity" }, /* 268 */
+ { 0x04, 0, 0, 7, "group" }, /* 269 */
+ { 0x0B, 271, 0, 6, "subjectInfoAccess" }, /* 270 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 271 */
+ { 0x01, 280, 1, 7, "ocsp" }, /* 272 */
+ { 0x01, 274, 0, 8, "basic" }, /* 273 */
+ { 0x02, 275, 0, 8, "nonce" }, /* 274 */
+ { 0x03, 276, 0, 8, "crl" }, /* 275 */
+ { 0x04, 277, 0, 8, "response" }, /* 276 */
+ { 0x05, 278, 0, 8, "noCheck" }, /* 277 */
+ { 0x06, 279, 0, 8, "archiveCutoff" }, /* 278 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 279 */
+ { 0x02, 281, 0, 7, "caIssuers" }, /* 280 */
+ { 0x03, 282, 0, 7, "timeStamping" }, /* 281 */
+ { 0x05, 0, 0, 7, "caRepository" }, /* 282 */
+ { 0x08, 0, 1, 5, "ipsec" }, /* 283 */
+ { 0x02, 0, 1, 6, "certificate" }, /* 284 */
+ { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 285 */
+ { 0x0E, 292, 1, 1, "oiw" }, /* 286 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 287 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 288 */
+ { 0x07, 290, 0, 4, "des-cbc" }, /* 289 */
+ { 0x1A, 291, 0, 4, "sha-1" }, /* 290 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 291 */
+ { 0x24, 338, 1, 1, "TeleTrusT" }, /* 292 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 293 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 294 */
+ { 0x01, 299, 1, 4, "rsaSignature" }, /* 295 */
+ { 0x02, 297, 0, 5, "rsaSigWithripemd160" }, /* 296 */
+ { 0x03, 298, 0, 5, "rsaSigWithripemd128" }, /* 297 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 298 */
+ { 0x02, 0, 1, 4, "ecSign" }, /* 299 */
+ { 0x01, 301, 0, 5, "ecSignWithsha1" }, /* 300 */
+ { 0x02, 302, 0, 5, "ecSignWithripemd160" }, /* 301 */
+ { 0x03, 303, 0, 5, "ecSignWithmd2" }, /* 302 */
+ { 0x04, 304, 0, 5, "ecSignWithmd5" }, /* 303 */
+ { 0x05, 321, 1, 5, "ttt-ecg" }, /* 304 */
+ { 0x01, 309, 1, 6, "fieldType" }, /* 305 */
+ { 0x01, 0, 1, 7, "characteristictwoField" }, /* 306 */
+ { 0x01, 0, 1, 8, "basisType" }, /* 307 */
+ { 0x01, 0, 0, 9, "ipBasis" }, /* 308 */
+ { 0x02, 311, 1, 6, "keyType" }, /* 309 */
+ { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 310 */
+ { 0x03, 312, 0, 6, "curve" }, /* 311 */
+ { 0x04, 319, 1, 6, "signatures" }, /* 312 */
+ { 0x01, 314, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 313 */
+ { 0x02, 315, 0, 7, "ecgdsa-with-SHA1" }, /* 314 */
+ { 0x03, 316, 0, 7, "ecgdsa-with-SHA224" }, /* 315 */
+ { 0x04, 317, 0, 7, "ecgdsa-with-SHA256" }, /* 316 */
+ { 0x05, 318, 0, 7, "ecgdsa-with-SHA384" }, /* 317 */
+ { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 318 */
+ { 0x05, 0, 1, 6, "module" }, /* 319 */
+ { 0x01, 0, 0, 7, "1" }, /* 320 */
+ { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 321 */
+ { 0x01, 0, 1, 6, "ellipticCurve" }, /* 322 */
+ { 0x01, 0, 1, 7, "versionOne" }, /* 323 */
+ { 0x01, 325, 0, 8, "brainpoolP160r1" }, /* 324 */
+ { 0x02, 326, 0, 8, "brainpoolP160t1" }, /* 325 */
+ { 0x03, 327, 0, 8, "brainpoolP192r1" }, /* 326 */
+ { 0x04, 328, 0, 8, "brainpoolP192t1" }, /* 327 */
+ { 0x05, 329, 0, 8, "brainpoolP224r1" }, /* 328 */
+ { 0x06, 330, 0, 8, "brainpoolP224t1" }, /* 329 */
+ { 0x07, 331, 0, 8, "brainpoolP256r1" }, /* 330 */
+ { 0x08, 332, 0, 8, "brainpoolP256t1" }, /* 331 */
+ { 0x09, 333, 0, 8, "brainpoolP320r1" }, /* 332 */
+ { 0x0A, 334, 0, 8, "brainpoolP320t1" }, /* 333 */
+ { 0x0B, 335, 0, 8, "brainpoolP384r1" }, /* 334 */
+ { 0x0C, 336, 0, 8, "brainpoolP384t1" }, /* 335 */
+ { 0x0D, 337, 0, 8, "brainpoolP512r1" }, /* 336 */
+ { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 337 */
+ { 0x81, 0, 1, 1, "" }, /* 338 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 339 */
+ { 0x00, 0, 1, 3, "curve" }, /* 340 */
+ { 0x01, 342, 0, 4, "sect163k1" }, /* 341 */
+ { 0x02, 343, 0, 4, "sect163r1" }, /* 342 */
+ { 0x03, 344, 0, 4, "sect239k1" }, /* 343 */
+ { 0x04, 345, 0, 4, "sect113r1" }, /* 344 */
+ { 0x05, 346, 0, 4, "sect113r2" }, /* 345 */
+ { 0x06, 347, 0, 4, "secp112r1" }, /* 346 */
+ { 0x07, 348, 0, 4, "secp112r2" }, /* 347 */
+ { 0x08, 349, 0, 4, "secp160r1" }, /* 348 */
+ { 0x09, 350, 0, 4, "secp160k1" }, /* 349 */
+ { 0x0A, 351, 0, 4, "secp256k1" }, /* 350 */
+ { 0x0F, 352, 0, 4, "sect163r2" }, /* 351 */
+ { 0x10, 353, 0, 4, "sect283k1" }, /* 352 */
+ { 0x11, 354, 0, 4, "sect283r1" }, /* 353 */
+ { 0x16, 355, 0, 4, "sect131r1" }, /* 354 */
+ { 0x17, 356, 0, 4, "sect131r2" }, /* 355 */
+ { 0x18, 357, 0, 4, "sect193r1" }, /* 356 */
+ { 0x19, 358, 0, 4, "sect193r2" }, /* 357 */
+ { 0x1A, 359, 0, 4, "sect233k1" }, /* 358 */
+ { 0x1B, 360, 0, 4, "sect233r1" }, /* 359 */
+ { 0x1C, 361, 0, 4, "secp128r1" }, /* 360 */
+ { 0x1D, 362, 0, 4, "secp128r2" }, /* 361 */
+ { 0x1E, 363, 0, 4, "secp160r2" }, /* 362 */
+ { 0x1F, 364, 0, 4, "secp192k1" }, /* 363 */
+ { 0x20, 365, 0, 4, "secp224k1" }, /* 364 */
+ { 0x21, 366, 0, 4, "secp224r1" }, /* 365 */
+ { 0x22, 367, 0, 4, "secp384r1" }, /* 366 */
+ { 0x23, 368, 0, 4, "secp521r1" }, /* 367 */
+ { 0x24, 369, 0, 4, "sect409k1" }, /* 368 */
+ { 0x25, 370, 0, 4, "sect409r1" }, /* 369 */
+ { 0x26, 371, 0, 4, "sect571k1" }, /* 370 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 371 */
+ {0x60, 420, 1, 0, "" }, /* 372 */
+ { 0x86, 0, 1, 1, "" }, /* 373 */
+ { 0x48, 0, 1, 2, "" }, /* 374 */
+ { 0x01, 0, 1, 3, "organization" }, /* 375 */
+ { 0x65, 396, 1, 4, "gov" }, /* 376 */
+ { 0x03, 0, 1, 5, "csor" }, /* 377 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 378 */
+ { 0x01, 389, 1, 7, "aes" }, /* 379 */
+ { 0x02, 381, 0, 8, "id-aes128-CBC" }, /* 380 */
+ { 0x06, 382, 0, 8, "id-aes128-GCM" }, /* 381 */
+ { 0x07, 383, 0, 8, "id-aes128-CCM" }, /* 382 */
+ { 0x16, 384, 0, 8, "id-aes192-CBC" }, /* 383 */
+ { 0x1A, 385, 0, 8, "id-aes192-GCM" }, /* 384 */
+ { 0x1B, 386, 0, 8, "id-aes192-CCM" }, /* 385 */
+ { 0x2A, 387, 0, 8, "id-aes256-CBC" }, /* 386 */
+ { 0x2E, 388, 0, 8, "id-aes256-GCM" }, /* 387 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 388 */
+ { 0x02, 0, 1, 7, "hashalgs" }, /* 389 */
+ { 0x01, 391, 0, 8, "id-SHA-256" }, /* 390 */
+ { 0x02, 392, 0, 8, "id-SHA-384" }, /* 391 */
+ { 0x03, 393, 0, 8, "id-SHA-512" }, /* 392 */
+ { 0x04, 394, 0, 8, "id-SHA-224" }, /* 393 */
+ { 0x05, 395, 0, 8, "id-SHA-512-224" }, /* 394 */
+ { 0x06, 0, 0, 8, "id-SHA-512-256" }, /* 395 */
+ { 0x86, 0, 1, 4, "" }, /* 396 */
+ { 0xf8, 0, 1, 5, "" }, /* 397 */
+ { 0x42, 410, 1, 6, "netscape" }, /* 398 */
+ { 0x01, 405, 1, 7, "" }, /* 399 */
+ { 0x01, 401, 0, 8, "nsCertType" }, /* 400 */
+ { 0x03, 402, 0, 8, "nsRevocationUrl" }, /* 401 */
+ { 0x04, 403, 0, 8, "nsCaRevocationUrl" }, /* 402 */
+ { 0x08, 404, 0, 8, "nsCaPolicyUrl" }, /* 403 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 404 */
+ { 0x03, 408, 1, 7, "directory" }, /* 405 */
+ { 0x01, 0, 1, 8, "" }, /* 406 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 407 */
+ { 0x04, 0, 1, 7, "policy" }, /* 408 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 409 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 410 */
+ { 0x01, 0, 1, 7, "pki" }, /* 411 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 412 */
+ { 0x02, 414, 0, 9, "messageType" }, /* 413 */
+ { 0x03, 415, 0, 9, "pkiStatus" }, /* 414 */
+ { 0x04, 416, 0, 9, "failInfo" }, /* 415 */
+ { 0x05, 417, 0, 9, "senderNonce" }, /* 416 */
+ { 0x06, 418, 0, 9, "recipientNonce" }, /* 417 */
+ { 0x07, 419, 0, 9, "transID" }, /* 418 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 419 */
+ {0x67, 0, 1, 0, "" }, /* 420 */
+ { 0x81, 0, 1, 1, "" }, /* 421 */
+ { 0x05, 0, 1, 2, "" }, /* 422 */
+ { 0x02, 0, 1, 3, "tcg-attribute" }, /* 423 */
+ { 0x01, 425, 0, 4, "tcg-at-tpmManufacturer" }, /* 424 */
+ { 0x02, 426, 0, 4, "tcg-at-tpmModel" }, /* 425 */
+ { 0x03, 427, 0, 4, "tcg-at-tpmVersion" }, /* 426 */
+ { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 427 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 236c86737..14f774adb 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -69,170 +69,170 @@ extern const oid_t oid_names[];
#define OID_MD5_WITH_RSA 92
#define OID_SHA1_WITH_RSA 93
#define OID_RSAES_OAEP 94
-#define OID_SHA256_WITH_RSA 96
-#define OID_SHA384_WITH_RSA 97
-#define OID_SHA512_WITH_RSA 98
-#define OID_SHA224_WITH_RSA 99
-#define OID_PBE_MD5_DES_CBC 101
-#define OID_PBE_SHA1_DES_CBC 102
-#define OID_PBKDF2 103
-#define OID_PBES2 104
-#define OID_PKCS7_DATA 106
-#define OID_PKCS7_SIGNED_DATA 107
-#define OID_PKCS7_ENVELOPED_DATA 108
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 109
-#define OID_PKCS7_DIGESTED_DATA 110
-#define OID_PKCS7_ENCRYPTED_DATA 111
-#define OID_EMAIL_ADDRESS 113
-#define OID_UNSTRUCTURED_NAME 114
-#define OID_PKCS9_CONTENT_TYPE 115
-#define OID_PKCS9_MESSAGE_DIGEST 116
-#define OID_PKCS9_SIGNING_TIME 117
-#define OID_CHALLENGE_PASSWORD 119
-#define OID_UNSTRUCTURED_ADDRESS 120
-#define OID_EXTENSION_REQUEST 121
-#define OID_X509_CERTIFICATE 124
-#define OID_PBE_SHA1_RC4_128 128
-#define OID_PBE_SHA1_RC4_40 129
-#define OID_PBE_SHA1_3DES_CBC 130
-#define OID_PBE_SHA1_3DES_2KEY_CBC 131
-#define OID_PBE_SHA1_RC2_CBC_128 132
-#define OID_PBE_SHA1_RC2_CBC_40 133
-#define OID_P12_KEY_BAG 136
-#define OID_P12_PKCS8_KEY_BAG 137
-#define OID_P12_CERT_BAG 138
-#define OID_P12_CRL_BAG 139
-#define OID_MD2 143
-#define OID_MD5 144
-#define OID_3DES_EDE_CBC 146
-#define OID_EC_PUBLICKEY 150
-#define OID_C2PNB163V1 153
-#define OID_C2PNB163V2 154
-#define OID_C2PNB163V3 155
-#define OID_C2PNB176W1 156
-#define OID_C2PNB191V1 157
-#define OID_C2PNB191V2 158
-#define OID_C2PNB191V3 159
-#define OID_C2PNB191V4 160
-#define OID_C2PNB191V5 161
-#define OID_C2PNB208W1 162
-#define OID_C2PNB239V1 163
-#define OID_C2PNB239V2 164
-#define OID_C2PNB239V3 165
-#define OID_C2PNB239V4 166
-#define OID_C2PNB239V5 167
-#define OID_C2PNB272W1 168
-#define OID_C2PNB304W1 169
-#define OID_C2PNB359V1 170
-#define OID_C2PNB368W1 171
-#define OID_C2PNB431R1 172
-#define OID_PRIME192V1 174
-#define OID_PRIME192V2 175
-#define OID_PRIME192V3 176
-#define OID_PRIME239V1 177
-#define OID_PRIME239V2 178
-#define OID_PRIME239V3 179
-#define OID_PRIME256V1 180
-#define OID_ECDSA_WITH_SHA1 182
-#define OID_ECDSA_WITH_SHA224 184
-#define OID_ECDSA_WITH_SHA256 185
-#define OID_ECDSA_WITH_SHA384 186
-#define OID_ECDSA_WITH_SHA512 187
-#define OID_USER_PRINCIPAL_NAME 202
-#define OID_STRONGSWAN 205
-#define OID_TCGID 212
-#define OID_AUTHORITY_INFO_ACCESS 217
-#define OID_IP_ADDR_BLOCKS 219
-#define OID_POLICY_QUALIFIER_CPS 221
-#define OID_POLICY_QUALIFIER_UNOTICE 222
-#define OID_SERVER_AUTH 224
-#define OID_CLIENT_AUTH 225
-#define OID_OCSP_SIGNING 232
-#define OID_XMPP_ADDR 238
-#define OID_AUTHENTICATION_INFO 242
-#define OID_ACCESS_IDENTITY 243
-#define OID_CHARGING_IDENTITY 244
-#define OID_GROUP 245
-#define OID_OCSP 248
-#define OID_BASIC 249
-#define OID_NONCE 250
-#define OID_CRL 251
-#define OID_RESPONSE 252
-#define OID_NO_CHECK 253
-#define OID_ARCHIVE_CUTOFF 254
-#define OID_SERVICE_LOCATOR 255
-#define OID_CA_ISSUERS 256
-#define OID_IKE_INTERMEDIATE 261
-#define OID_DES_CBC 265
-#define OID_SHA1 266
-#define OID_SHA1_WITH_RSA_OIW 267
-#define OID_ECGDSA_PUBKEY 286
-#define OID_ECGDSA_SIG_WITH_RIPEMD160 289
-#define OID_ECGDSA_SIG_WITH_SHA1 290
-#define OID_ECGDSA_SIG_WITH_SHA224 291
-#define OID_ECGDSA_SIG_WITH_SHA256 292
-#define OID_ECGDSA_SIG_WITH_SHA384 293
-#define OID_ECGDSA_SIG_WITH_SHA512 294
-#define OID_SECT163K1 317
-#define OID_SECT163R1 318
-#define OID_SECT239K1 319
-#define OID_SECT113R1 320
-#define OID_SECT113R2 321
-#define OID_SECT112R1 322
-#define OID_SECT112R2 323
-#define OID_SECT160R1 324
-#define OID_SECT160K1 325
-#define OID_SECT256K1 326
-#define OID_SECT163R2 327
-#define OID_SECT283K1 328
-#define OID_SECT283R1 329
-#define OID_SECT131R1 330
-#define OID_SECT131R2 331
-#define OID_SECT193R1 332
-#define OID_SECT193R2 333
-#define OID_SECT233K1 334
-#define OID_SECT233R1 335
-#define OID_SECT128R1 336
-#define OID_SECT128R2 337
-#define OID_SECT160R2 338
-#define OID_SECT192K1 339
-#define OID_SECT224K1 340
-#define OID_SECT224R1 341
-#define OID_SECT384R1 342
-#define OID_SECT521R1 343
-#define OID_SECT409K1 344
-#define OID_SECT409R1 345
-#define OID_SECT571K1 346
-#define OID_SECT571R1 347
-#define OID_AES128_CBC 356
-#define OID_AES128_GCM 357
-#define OID_AES128_CCM 358
-#define OID_AES192_CBC 359
-#define OID_AES192_GCM 360
-#define OID_AES192_CCM 361
-#define OID_AES256_CBC 362
-#define OID_AES256_GCM 363
-#define OID_AES256_CCM 364
-#define OID_SHA256 366
-#define OID_SHA384 367
-#define OID_SHA512 368
-#define OID_SHA224 369
-#define OID_NS_REVOCATION_URL 377
-#define OID_NS_CA_REVOCATION_URL 378
-#define OID_NS_CA_POLICY_URL 379
-#define OID_NS_COMMENT 380
-#define OID_EMPLOYEE_NUMBER 383
-#define OID_PKI_MESSAGE_TYPE 389
-#define OID_PKI_STATUS 390
-#define OID_PKI_FAIL_INFO 391
-#define OID_PKI_SENDER_NONCE 392
-#define OID_PKI_RECIPIENT_NONCE 393
-#define OID_PKI_TRANS_ID 394
-#define OID_TPM_MANUFACTURER 400
-#define OID_TPM_MODEL 401
-#define OID_TPM_VERSION 402
-#define OID_TPM_ID_LABEL 403
+#define OID_SHA256_WITH_RSA 97
+#define OID_SHA384_WITH_RSA 98
+#define OID_SHA512_WITH_RSA 99
+#define OID_SHA224_WITH_RSA 100
+#define OID_PBE_MD5_DES_CBC 102
+#define OID_PBE_SHA1_DES_CBC 103
+#define OID_PBKDF2 104
+#define OID_PBES2 105
+#define OID_PKCS7_DATA 107
+#define OID_PKCS7_SIGNED_DATA 108
+#define OID_PKCS7_ENVELOPED_DATA 109
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 110
+#define OID_PKCS7_DIGESTED_DATA 111
+#define OID_PKCS7_ENCRYPTED_DATA 112
+#define OID_EMAIL_ADDRESS 114
+#define OID_UNSTRUCTURED_NAME 115
+#define OID_PKCS9_CONTENT_TYPE 116
+#define OID_PKCS9_MESSAGE_DIGEST 117
+#define OID_PKCS9_SIGNING_TIME 118
+#define OID_CHALLENGE_PASSWORD 120
+#define OID_UNSTRUCTURED_ADDRESS 121
+#define OID_EXTENSION_REQUEST 122
+#define OID_X509_CERTIFICATE 125
+#define OID_PBE_SHA1_RC4_128 129
+#define OID_PBE_SHA1_RC4_40 130
+#define OID_PBE_SHA1_3DES_CBC 131
+#define OID_PBE_SHA1_3DES_2KEY_CBC 132
+#define OID_PBE_SHA1_RC2_CBC_128 133
+#define OID_PBE_SHA1_RC2_CBC_40 134
+#define OID_P12_KEY_BAG 137
+#define OID_P12_PKCS8_KEY_BAG 138
+#define OID_P12_CERT_BAG 139
+#define OID_P12_CRL_BAG 140
+#define OID_MD2 144
+#define OID_MD5 145
+#define OID_3DES_EDE_CBC 147
+#define OID_EC_PUBLICKEY 151
+#define OID_C2PNB163V1 154
+#define OID_C2PNB163V2 155
+#define OID_C2PNB163V3 156
+#define OID_C2PNB176W1 157
+#define OID_C2PNB191V1 158
+#define OID_C2PNB191V2 159
+#define OID_C2PNB191V3 160
+#define OID_C2PNB191V4 161
+#define OID_C2PNB191V5 162
+#define OID_C2PNB208W1 163
+#define OID_C2PNB239V1 164
+#define OID_C2PNB239V2 165
+#define OID_C2PNB239V3 166
+#define OID_C2PNB239V4 167
+#define OID_C2PNB239V5 168
+#define OID_C2PNB272W1 169
+#define OID_C2PNB304W1 170
+#define OID_C2PNB359V1 171
+#define OID_C2PNB368W1 172
+#define OID_C2PNB431R1 173
+#define OID_PRIME192V1 175
+#define OID_PRIME192V2 176
+#define OID_PRIME192V3 177
+#define OID_PRIME239V1 178
+#define OID_PRIME239V2 179
+#define OID_PRIME239V3 180
+#define OID_PRIME256V1 181
+#define OID_ECDSA_WITH_SHA1 183
+#define OID_ECDSA_WITH_SHA224 185
+#define OID_ECDSA_WITH_SHA256 186
+#define OID_ECDSA_WITH_SHA384 187
+#define OID_ECDSA_WITH_SHA512 188
+#define OID_USER_PRINCIPAL_NAME 203
+#define OID_STRONGSWAN 206
+#define OID_TCGID 213
+#define OID_AUTHORITY_INFO_ACCESS 241
+#define OID_IP_ADDR_BLOCKS 243
+#define OID_POLICY_QUALIFIER_CPS 245
+#define OID_POLICY_QUALIFIER_UNOTICE 246
+#define OID_SERVER_AUTH 248
+#define OID_CLIENT_AUTH 249
+#define OID_OCSP_SIGNING 256
+#define OID_XMPP_ADDR 262
+#define OID_AUTHENTICATION_INFO 266
+#define OID_ACCESS_IDENTITY 267
+#define OID_CHARGING_IDENTITY 268
+#define OID_GROUP 269
+#define OID_OCSP 272
+#define OID_BASIC 273
+#define OID_NONCE 274
+#define OID_CRL 275
+#define OID_RESPONSE 276
+#define OID_NO_CHECK 277
+#define OID_ARCHIVE_CUTOFF 278
+#define OID_SERVICE_LOCATOR 279
+#define OID_CA_ISSUERS 280
+#define OID_IKE_INTERMEDIATE 285
+#define OID_DES_CBC 289
+#define OID_SHA1 290
+#define OID_SHA1_WITH_RSA_OIW 291
+#define OID_ECGDSA_PUBKEY 310
+#define OID_ECGDSA_SIG_WITH_RIPEMD160 313
+#define OID_ECGDSA_SIG_WITH_SHA1 314
+#define OID_ECGDSA_SIG_WITH_SHA224 315
+#define OID_ECGDSA_SIG_WITH_SHA256 316
+#define OID_ECGDSA_SIG_WITH_SHA384 317
+#define OID_ECGDSA_SIG_WITH_SHA512 318
+#define OID_SECT163K1 341
+#define OID_SECT163R1 342
+#define OID_SECT239K1 343
+#define OID_SECT113R1 344
+#define OID_SECT113R2 345
+#define OID_SECT112R1 346
+#define OID_SECT112R2 347
+#define OID_SECT160R1 348
+#define OID_SECT160K1 349
+#define OID_SECT256K1 350
+#define OID_SECT163R2 351
+#define OID_SECT283K1 352
+#define OID_SECT283R1 353
+#define OID_SECT131R1 354
+#define OID_SECT131R2 355
+#define OID_SECT193R1 356
+#define OID_SECT193R2 357
+#define OID_SECT233K1 358
+#define OID_SECT233R1 359
+#define OID_SECT128R1 360
+#define OID_SECT128R2 361
+#define OID_SECT160R2 362
+#define OID_SECT192K1 363
+#define OID_SECT224K1 364
+#define OID_SECT224R1 365
+#define OID_SECT384R1 366
+#define OID_SECT521R1 367
+#define OID_SECT409K1 368
+#define OID_SECT409R1 369
+#define OID_SECT571K1 370
+#define OID_SECT571R1 371
+#define OID_AES128_CBC 380
+#define OID_AES128_GCM 381
+#define OID_AES128_CCM 382
+#define OID_AES192_CBC 383
+#define OID_AES192_GCM 384
+#define OID_AES192_CCM 385
+#define OID_AES256_CBC 386
+#define OID_AES256_GCM 387
+#define OID_AES256_CCM 388
+#define OID_SHA256 390
+#define OID_SHA384 391
+#define OID_SHA512 392
+#define OID_SHA224 393
+#define OID_NS_REVOCATION_URL 401
+#define OID_NS_CA_REVOCATION_URL 402
+#define OID_NS_CA_POLICY_URL 403
+#define OID_NS_COMMENT 404
+#define OID_EMPLOYEE_NUMBER 407
+#define OID_PKI_MESSAGE_TYPE 413
+#define OID_PKI_STATUS 414
+#define OID_PKI_FAIL_INFO 415
+#define OID_PKI_SENDER_NONCE 416
+#define OID_PKI_RECIPIENT_NONCE 417
+#define OID_PKI_TRANS_ID 418
+#define OID_TPM_MANUFACTURER 424
+#define OID_TPM_MODEL 425
+#define OID_TPM_VERSION 426
+#define OID_TPM_ID_LABEL 427
-#define OID_MAX 404
+#define OID_MAX 428
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 740dc5073..c15a1cc2a 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -93,6 +93,7 @@
0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA
0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA
0x07 "id-RSAES-OAEP" OID_RSAES_OAEP
+ 0x08 "id-mgf1"
0x09 "id-pSpecified"
0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA
0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA
@@ -211,6 +212,29 @@
0x02 ""
0x02 ""
0x4B "TCGID" OID_TCGID
+ 0xc1 ""
+ 0x16 "ntruCryptosystems"
+ 0x01 "eess"
+ 0x01 "eess1"
+ 0x01 "eess1-algs"
+ 0x01 "ntru-EESS1v1-SVES"
+ 0x02 "ntru-EESS1v1-SVSSA"
+ 0x03 "ntru-EESS1v1-NTRUSign"
+ 0x02 "eess1-params"
+ 0x01 "ees251ep1"
+ 0x02 "ees347ep1"
+ 0x03 "ees503ep1"
+ 0x07 "ees251sp2"
+ 0x0C "ees251ep4"
+ 0x0D "ees251ep5"
+ 0x0E "ees251sp3"
+ 0x0F "ees251sp4"
+ 0x10 "ees251sp5"
+ 0x11 "ees251sp6"
+ 0x12 "ees251sp7"
+ 0x13 "ees251sp8"
+ 0x14 "ees251sp9"
+ 0x03 "eess1-encodingMethods"
0x05 "security"
0x05 "mechanisms"
0x07 "id-pkix"
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 387e2a57d..314e8e916 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2013 Martin Willi
* Copyright (C) 2013 revosec AG
*
@@ -13,8 +16,15 @@
* for more details.
*/
+#define _GNU_SOURCE /* for qsort_r() */
+#include <stdlib.h>
+
#include "array.h"
+#ifndef HAVE_QSORT_R
+#include <threading/thread_value.h>
+#endif
+
/**
* Data is an allocated block, with potentially unused head and tail:
*
@@ -43,6 +53,11 @@ struct array_t {
void *data;
};
+#ifndef HAVE_QSORT_R
+ /* store data to replicate qsort_r in thread local storage */
+ static thread_value_t *sort_data;
+#endif
+
/** maximum number of unused head/tail elements before cleanup */
#define ARRAY_MAX_UNUSED 32
@@ -314,7 +329,7 @@ void array_insert(array_t *array, int idx, void *data)
}
}
-bool array_remove(array_t *array, int idx, void *data)
+bool array_get(array_t *array, int idx, void *data)
{
if (!array)
{
@@ -337,12 +352,25 @@ bool array_remove(array_t *array, int idx, void *data)
memcpy(data, array->data + get_size(array, array->head + idx),
get_size(array, 1));
}
+ return TRUE;
+}
+
+bool array_remove(array_t *array, int idx, void *data)
+{
+ if (!array_get(array, idx, data))
+ {
+ return FALSE;
+ }
if (idx > array_count(array) / 2)
{
remove_tail(array, idx);
}
else
{
+ if (idx < 0)
+ {
+ idx = array_count(array) - 1;
+ }
remove_head(array, idx);
}
if (array->head + array->tail > ARRAY_MAX_UNUSED)
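Review bot: In the new `array_remove()` the negative index is normalised only inside the `else` branch, after `idx > array_count(array) / 2` has already been evaluated, so a negative `idx` (mapped here to the last element) always takes the `remove_head()` path. Assuming `remove_head()` shifts the elements in front of `idx`, which this hunk does not show, removing the last element through a negative index moves the whole array where `remove_tail()` would move nothing. Normalising before the comparison avoids that: `if (idx < 0) { idx = array_count(array) - 1; }` placed directly after the `array_get()` check. The body of `array_remove()` continues past the end of this hunk.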
@@ -352,6 +380,113 @@ bool array_remove(array_t *array, int idx, void *data)
return TRUE;
}
+typedef struct {
+ /** the array */
+ array_t *array;
+ /** comparison function */
+ int (*cmp)(const void*,const void*,void*);
+ /** optional user arg */
+ void *arg;
+} sort_data_t;
+
+#ifdef HAVE_QSORT_R_GNU
+static int compare_elements(const void *a, const void *b, void *arg)
+#elif defined(HAVE_QSORT_R_BSD)
+static int compare_elements(void *arg, const void *a, const void *b)
+#else /* !HAVE_QSORT_R */
+static int compare_elements(const void *a, const void *b)
+#endif
+{
+#ifdef HAVE_QSORT_R
+ sort_data_t *data = (sort_data_t*)arg;
+#else
+ sort_data_t *data = sort_data->get(sort_data);
+#endif
+
+ if (data->array->esize)
+ {
+ return data->cmp(a, b, data->arg);
+ }
+ return data->cmp(*(void**)a, *(void**)b, data->arg);
+}
+
+void array_sort(array_t *array, int (*cmp)(const void*,const void*,void*),
+ void *user)
+{
+ if (array)
+ {
+ sort_data_t data = {
+ .array = array,
+ .cmp = cmp,
+ .arg = user,
+ };
+ void *start;
+
+ start = array->data + get_size(array, array->head);
+
+#ifdef HAVE_QSORT_R_GNU
+ qsort_r(start, array->count, get_size(array, 1), compare_elements,
+ &data);
+#elif defined(HAVE_QSORT_R_BSD)
+ qsort_r(start, array->count, get_size(array, 1), &data,
+ compare_elements);
+#else /* !HAVE_QSORT_R */
+ sort_data->set(sort_data, &data);
+ qsort(start, array->count, get_size(array, 1), compare_elements);
+#endif
+ }
+}
+
+typedef struct {
+ /** the array */
+ array_t *array;
+ /** the key */
+ const void *key;
+ /** comparison function */
+ int (*cmp)(const void*,const void*);
+} bsearch_data_t;
+
+static int search_elements(const void *a, const void *b)
+{
+ bsearch_data_t *data = (bsearch_data_t*)a;
+
+ if (data->array->esize)
+ {
+ return data->cmp(data->key, b);
+ }
+ return data->cmp(data->key, *(void**)b);
+}
+
+int array_bsearch(array_t *array, const void *key,
+ int (*cmp)(const void*,const void*), void *out)
+{
+ int idx = -1;
+
+ if (array)
+ {
+ bsearch_data_t data = {
+ .array = array,
+ .key = key,
+ .cmp = cmp,
+ };
+ void *start, *item;
+
+ start = array->data + get_size(array, array->head);
+
+ item = bsearch(&data, start, array->count, get_size(array, 1),
+ search_elements);
+ if (item)
+ {
+ if (out)
+ {
+ memcpy(out, item, get_size(array, 1));
+ }
+ idx = (item - start) / get_size(array, 1);
+ }
+ }
+ return idx;
+}
+
void array_invoke(array_t *array, array_callback_t cb, void *user)
{
if (array)
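Review bot: On the `!HAVE_QSORT_R` path `array_sort()` publishes `&data`, a stack object, through the single thread value `sort_data` and never restores the slot. A comparison callback that itself calls `array_sort()` on the same thread therefore replaces the slot, and the outer `qsort()` carries on with a pointer into a frame that has already returned. Saving and restoring the slot around the call keeps the fallback equivalent to the `qsort_r` variants: `sort_data_t *prev = sort_data->get(sort_data);` before `sort_data->set(sort_data, &data);`, and `sort_data->set(sort_data, prev);` after `qsort()`.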
@@ -414,3 +549,17 @@ void array_destroy_offset(array_t *array, size_t offset)
array_invoke_offset(array, offset);
array_destroy(array);
}
+
+void arrays_init()
+{
+#ifndef HAVE_QSORT_R
+ sort_data = thread_value_create(NULL);
+#endif
+}
+
+void arrays_deinit()
+{
+#ifndef HAVE_QSORT_R
+ sort_data->destroy(sort_data);
+#endif
+}
diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h
index 0dc7b2250..ce702ebfa 100644
--- a/src/libstrongswan/collections/array.h
+++ b/src/libstrongswan/collections/array.h
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2013 Martin Willi
* Copyright (C) 2013 revosec AG
*
@@ -87,7 +90,7 @@ void array_compress(array_t *array);
* The enumerater enumerates directly over the array element (pass a pointer to
* element types), unless the array is pointer based. If zero is passed as
* element size during construction, the enumerator enumerates over the
- * deferenced pointer values.
+ * dereferenced pointer values.
*
* @param array array to create enumerator for, or NULL
* @return enumerator, over elements or pointers
@@ -140,6 +143,18 @@ void array_insert_create(array_t **array, int idx, void *ptr);
void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator);
/**
+ * Get an element from the array.
+ *
+ * If data is given, the element is copied to that position.
+ *
+ * @param array array to get element from, or NULL
+ * @param idx index of the item to get
+ * @param data data to copy element to, or NULL
+ * @return TRUE if idx valid and item returned
+ */
+bool array_get(array_t *array, int idx, void *data);
+
+/**
* Remove an element from the array.
*
* If data is given, the element is copied to that position.
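Review bot: The `array_get()` comment does not say how many bytes are written to `data`, although the implementation in array.c copies `get_size(array, 1)` bytes with `memcpy()`, so the caller's buffer must be at least one element wide. I would change the `@param data` line to something like `data to copy element to (at least one element in size), or NULL`; the `@param data` of `array_bsearch()` in the next hunk needs the same wording. The comment also leaves open what a negative `idx` means, while `array_remove()` in array.c treats it as the last element.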
@@ -152,6 +167,50 @@ void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator);
bool array_remove(array_t *array, int idx, void *data);
/**
+ * Sort the array.
+ *
+ * The comparison function must return an integer less than, equal to, or
+ * greater than zero if the first argument is considered to be respectively less
+ * than, equal to, or greater than the second. If two elements compare as
+ * equal, their order in the sorted array is undefined.
+ *
+ * The comparison function receives pointers to the array elements (esize != 0)
+ * or the actual pointers (esize = 0). The third argument is the user data
+ * supplied to this function.
+ *
+ * @param array array to sort, or NULL
+ * @param cmp comparison function
+ * @param user user data to pass to comparison function
+ */
+void array_sort(array_t *array, int (*cmp)(const void*,const void*,void*),
+ void *user);
+
+/**
+ * Binary search of a sorted array.
+ *
+ * The array should be sorted in ascending order according to the given
+ * comparison function.
+ *
+ * The comparison function must return an integer less than, equal to, or
+ * greater than zero if the first argument (the key) is considered to be
+ * respectively less than, equal to, or greater than the second.
+ *
+ * If there are multiple elements that match the key it is not specified which
+ * element is returned.
+ *
+ * The comparison function receives the key object and a pointer to an array
+ * element (esize != 0) or an actual pointer (esize = 0).
+ *
+ * @param array array to search, or NULL
+ * @param key key to search for
+ * @param cmp comparison function
+ * @param data data to copy element to, or NULL
+ * @return index of the element if found, -1 if not
+ */
+int array_bsearch(array_t *array, const void *key,
+ int (*cmp)(const void*,const void*), void *data);
+
+/**
* Invoke a callback for all array members.
*
* @param array array to traverse, or NULL
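Review bot: The `array_sort()` comment omits a precondition: on builds without `qsort_r()` the implementation in array.c goes through the thread value that only `arrays_init()` creates, so sorting before that call would dereference an unset pointer. A sentence such as `On platforms without qsort_r(), arrays_init() has to be called before the first array_sort().` would make this visible where the function is documented. Separately, the fourth parameter of `array_bsearch()` is named `data` here and `out` in array.c; one name in both places would be clearer.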
@@ -192,4 +251,16 @@ void array_destroy_function(array_t *array, array_callback_t cb, void *user);
*/
void array_destroy_offset(array_t *array, size_t offset);
+
+/**
+ * Required on some platforms to initialize thread local value to implement
+ * array_sort().
+ */
+void arrays_init();
+
+/**
+ * Destroys the thread local value if required.
+ */
+void arrays_deinit();
+
#endif /** ARRAY_H_ @}*/
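Review bot: The comments on `arrays_init()` and `arrays_deinit()` at the end of this hunk do not say when the calls are valid relative to the threading setup. library.c in this same commit calls `arrays_init()` directly after `threads_init()` and `arrays_deinit()` directly before `threads_deinit()`, so the thread-local value presumably needs the thread subsystem to be alive. I would add that to the doc comments, e.g. `Call once after threads_init() and before the first array_sort().` and `Call once before threads_deinit().`. Declaring both as `(void)` would also give real prototypes instead of unspecified parameter lists.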
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index de19c8d96..3ec0714b6 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -1349,7 +1349,7 @@ credential_manager_t *credential_manager_create()
this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
- if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE))
+ if (lib->settings->get_bool(lib->settings, "%s.cert_cache", TRUE, lib->ns))
{
this->cache = cert_cache_create();
this->sets->insert_first(this->sets, this->cache);
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index edcabfe58..dba3f6f6d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -967,11 +967,11 @@ crypto_factory_t *crypto_factory_create()
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.tester = crypto_tester_create(),
.test_on_add = lib->settings->get_bool(lib->settings,
- "libstrongswan.crypto_test.on_add", FALSE),
+ "%s.crypto_test.on_add", FALSE, lib->ns),
.test_on_create = lib->settings->get_bool(lib->settings,
- "libstrongswan.crypto_test.on_create", FALSE),
+ "%s.crypto_test.on_create", FALSE, lib->ns),
.bench = lib->settings->get_bool(lib->settings,
- "libstrongswan.crypto_test.bench", FALSE),
+ "%s.crypto_test.bench", FALSE, lib->ns),
);
return &this->public;
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 5a0dccced..30724b16d 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -1207,13 +1207,13 @@ crypto_tester_t *crypto_tester_create()
.rng = linked_list_create(),
.required = lib->settings->get_bool(lib->settings,
- "libstrongswan.crypto_test.required", FALSE),
+ "%s.crypto_test.required", FALSE, lib->ns),
.rng_true = lib->settings->get_bool(lib->settings,
- "libstrongswan.crypto_test.rng_true", FALSE),
+ "%s.crypto_test.rng_true", FALSE, lib->ns),
.bench_time = lib->settings->get_int(lib->settings,
- "libstrongswan.crypto_test.bench_time", 50),
+ "%s.crypto_test.bench_time", 50, lib->ns),
.bench_size = lib->settings->get_int(lib->settings,
- "libstrongswan.crypto_test.bench_size", 1024),
+ "%s.crypto_test.bench_size", 1024, lib->ns),
);
/* enforce a block size of 16, should be fine for all algorithms */
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 3d319d2d4..5c1d08de2 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -45,7 +45,12 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
"MODP_NULL",
"MODP_CUSTOM");
-ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
+ "NTRU_112",
+ "NTRU_128",
+ "NTRU_192",
+ "NTRU_256");
+ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
/**
@@ -439,7 +444,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
{
if (!dh_params[i].public.subgroup.len &&
lib->settings->get_int(lib->settings,
- "libstrongswan.dh_exponent_ansi_x9_42", TRUE))
+ "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
{
dh_params[i].public.exp_len = dh_params[i].public.prime.len;
}
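Review bot: The `dh_exponent_ansi_x9_42` lookup in this hunk is still read with `get_int()` while its default is the boolean `TRUE`, and the result is used only as a truth value. How `get_int()` treats a non-numeric value such as `yes` or `no` is not visible here, but if it falls back to the default or yields 0, an administrator's setting would silently select a different exponent length than intended. Since the line is being touched anyway, I would switch it to `lib->settings->get_bool(lib->settings, "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns)`. The enclosing function starts and ends outside the hunk.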
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index edf6bbd6d..00d700314 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -64,6 +64,11 @@ enum diffie_hellman_group_t {
MODP_NULL = 1024,
/** MODP group with custom generator/prime */
MODP_CUSTOM = 1025,
+ /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
+ NTRU_112_BIT = 1030,
+ NTRU_128_BIT = 1031,
+ NTRU_192_BIT = 1032,
+ NTRU_256_BIT = 1033
};
/**
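Review bot: The single doc comment `/** Parameters defined by IEEE 1363.1, in PRIVATE USE */` attaches only to `NTRU_112_BIT`, leaving the other three new enumerators undocumented, unlike the entries above them. I would give each value its own comment, for example `/** NTRU parameter set for the ntru128 keyword, private use value 1031 */`. It is also worth stating once that 1030 to 1033 are private-use numbers, so they presumably only interoperate with peers that assign the same values. The enum starts outside the hunk.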
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 4db504eb0..bbb97d088 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -56,6 +56,11 @@ struct private_proposal_keywords_t {
linked_list_t * tokens;
/**
+ * registered algname parsers, as proposal_algname_parser_t
+ */
+ linked_list_t *parsers;
+
+ /**
* rwlock to lock access to modules
*/
rwlock_t *lock;
@@ -85,11 +90,46 @@ static const proposal_token_t* find_token(private_proposal_keywords_t *this,
return found;
}
+/**
+ * Parse the given algorithm into a token with user defined parser functions.
+ */
+static const proposal_token_t* parse_token(private_proposal_keywords_t *this,
+ const char *str)
+{
+ proposal_algname_parser_t parser;
+ enumerator_t *enumerator;
+ proposal_token_t *found = NULL;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->parsers->create_enumerator(this->parsers);
+ while (enumerator->enumerate(enumerator, &parser))
+ {
+ found = parser(str);
+ if (found)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ return found;
+}
+
METHOD(proposal_keywords_t, get_token, const proposal_token_t*,
private_proposal_keywords_t *this, const char *str)
{
- const proposal_token_t *token = proposal_get_token_static(str, strlen(str));
- return token ?: find_token(this, str);
+ const proposal_token_t *token;
+
+ token = proposal_get_token_static(str, strlen(str));
+ if (!token)
+ {
+ token = find_token(this, str);
+ }
+ if (!token)
+ {
+ token = parse_token(this, str);
+ }
+ return token;
}
METHOD(proposal_keywords_t, register_token, void,
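Review bot: `parse_token()` returns whatever pointer a registered parser produces, and `get_token()` passes it on as a `const proposal_token_t*` that callers are presumably not expected to free. Nothing here or in the `register_algname_parser` comment in proposal_keywords.h says who owns that token. A parser that allocates per call would leak, and one that fills a shared static buffer could race, because parsers run under the read lock and may execute concurrently. I would document the contract on the typedef, e.g. `/* returns a token that stays valid after the call and is safe to use from several threads, or NULL if algname is not recognized */`, and declare `found` as `const proposal_token_t *` to match the return type.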
@@ -110,6 +150,14 @@ METHOD(proposal_keywords_t, register_token, void,
this->lock->unlock(this->lock);
}
+METHOD(proposal_keywords_t, register_algname_parser, void,
+ private_proposal_keywords_t *this, proposal_algname_parser_t parser)
+{
+ this->lock->write_lock(this->lock);
+ this->tokens->insert_first(this->parsers, parser);
+ this->lock->unlock(this->lock);
+}
+
METHOD(proposal_keywords_t, destroy, void,
private_proposal_keywords_t *this)
{
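Review bot: In `register_algname_parser` the insert is dispatched through the wrong list: `this->tokens->insert_first(this->parsers, parser);` takes the method pointer from `tokens` but passes `parsers` as the object. That only works while both lists share one implementation; it should read `this->parsers->insert_first(this->parsers, parser);`. A NULL `parser` is also accepted here and would presumably be called later in `parse_token()`, so either reject it with `if (!parser) return;` before taking the lock or document that the argument must be non-NULL.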
@@ -121,6 +169,7 @@ METHOD(proposal_keywords_t, destroy, void,
free(token);
}
this->tokens->destroy(this->tokens);
+ this->parsers->destroy(this->parsers);
this->lock->destroy(this->lock);
free(this);
}
@@ -136,9 +185,11 @@ proposal_keywords_t *proposal_keywords_create()
.public = {
.get_token = _get_token,
.register_token = _register_token,
+ .register_algname_parser = _register_algname_parser,
.destroy = _destroy,
},
.tokens = linked_list_create(),
+ .parsers = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
index d6107abc0..5cdbafc51 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -46,6 +46,8 @@
typedef struct proposal_token_t proposal_token_t;
typedef struct proposal_keywords_t proposal_keywords_t;
+typedef proposal_token_t*(*proposal_algname_parser_t)(const char *algname);
+
#include <library.h>
#include <crypto/transform.h>
@@ -102,6 +104,17 @@ struct proposal_keywords_t {
u_int16_t keysize);
/**
+ * Register an algorithm name parser.
+ *
+ * It is meant to parse an algorithm name into a proposal token in a
+ * generic, user defined way.
+ *
+ * @param parser a pointer to the parser function
+ */
+ void (*register_algname_parser)(proposal_keywords_t *this,
+ proposal_algname_parser_t parser);
+
+ /**
* Destroy a proposal_keywords_t instance.
*/
void (*destroy)(proposal_keywords_t *this);
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index a238f640e..1da1421f4 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -1,6 +1,6 @@
/* C code produced by gperf version 3.0.4 */
/* Command-line: /usr/bin/gperf -N proposal_get_token_static -m 10 -C -G -c -t -D */
-/* Computed positions: -k'1,5,7,10,15,$' */
+/* Computed positions: -k'1,5-7,10,15,$' */
#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
&& ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -31,8 +31,8 @@ error "gperf generated tables don't work with this execution character set. Plea
/*
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+ * Copyright (C) 2009-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil, Switzerland
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -59,12 +59,12 @@ struct proposal_token {
u_int16_t keysize;
};
-#define TOTAL_KEYWORDS 134
+#define TOTAL_KEYWORDS 138
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 4
-#define MAX_HASH_VALUE 215
-/* maximum key range = 212, duplicates = 0 */
+#define MIN_HASH_VALUE 20
+#define MAX_HASH_VALUE 295
+/* maximum key range = 276, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -78,34 +78,34 @@ hash (str, len)
register const char *str;
register unsigned int len;
{
- static const unsigned char asso_values[] =
+ static const unsigned short asso_values[] =
{
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 0, 4,
- 1, 21, 15, 13, 9, 16, 2, 0, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 76, 216, 2, 28, 16,
- 0, 39, 112, 42, 31, 0, 216, 216, 0, 9,
- 100, 0, 7, 20, 95, 12, 44, 55, 216, 216,
- 1, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
- 216, 216, 216, 216, 216, 216, 216
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 47, 6,
+ 15, 8, 64, 24, 12, 14, 7, 5, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 120, 296, 9, 5, 22,
+ 48, 114, 28, 76, 6, 5, 296, 296, 5, 20,
+ 7, 14, 82, 7, 81, 98, 10, 86, 296, 296,
+ 5, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296, 296, 296, 296,
+ 296, 296, 296, 296, 296, 296, 296
};
register int hval = len;
@@ -127,6 +127,8 @@ hash (str, len)
hval += asso_values[(unsigned char)str[6]];
/*FALLTHROUGH*/
case 6:
+ hval += asso_values[(unsigned char)str[5]];
+ /*FALLTHROUGH*/
case 5:
hval += asso_values[(unsigned char)str[4]];
/*FALLTHROUGH*/
@@ -142,166 +144,178 @@ hash (str, len)
static const struct proposal_token wordlist[] =
{
+ {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
+ {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
{"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0},
- {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
- {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192},
- {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
- {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128},
- {"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
- {"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
- {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
- {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
- {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
- {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
- {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
- {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
- {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
- {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
- {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0},
- {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
- {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256},
- {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
- {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192},
- {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+ {"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0},
+ {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0},
+ {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0},
{"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
- {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
- {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0},
- {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
- {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
- {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
- {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
- {"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0},
- {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
- {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
- {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
- {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
+ {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0},
+ {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192},
+ {"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0},
+ {"md5_128", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0},
{"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
+ {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0},
+ {"ntru128", DIFFIE_HELLMAN_GROUP, NTRU_128_BIT, 0},
+ {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0},
{"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256},
+ {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
+ {"ntru192", DIFFIE_HELLMAN_GROUP, NTRU_192_BIT, 0},
+ {"ntru112", DIFFIE_HELLMAN_GROUP, NTRU_112_BIT, 0},
+ {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
+ {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
+ {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
+ {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0},
{"aes192ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
- {"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
- {"aes192ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192},
- {"aes128ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128},
{"aes192ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192},
+ {"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
{"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128},
{"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192},
- {"aes128ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128},
- {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0},
- {"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
{"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192},
+ {"aes128ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128},
{"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128},
- {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0},
+ {"aes192ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192},
+ {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
+ {"aes128ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128},
+ {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
+ {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0},
+ {"ntru256", DIFFIE_HELLMAN_GROUP, NTRU_256_BIT, 0},
+ {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0},
{"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
- {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
- {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
- {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0},
{"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256},
- {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0},
+ {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128},
{"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
- {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
- {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
{"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256},
- {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0},
+ {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192},
+ {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
+ {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
+ {"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
+ {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+ {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
+ {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+ {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+ {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0},
+ {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+ {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
+ {"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
+ {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+ {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0},
+ {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256},
+ {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+ {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+ {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+ {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+ {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
+ {"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0},
+ {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+ {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+ {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
{"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
- {"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
- {"aes192gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192},
- {"aes128gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128},
{"aes192gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192},
+ {"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
{"aes128gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128},
{"aes192gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192},
- {"aes128gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128},
- {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"aes192gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192},
+ {"aes128gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128},
{"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128},
- {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0},
+ {"aes192gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192},
+ {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
+ {"aes128gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128},
+ {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
+ {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
+ {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
+ {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
{"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
- {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192},
- {"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
- {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
{"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
- {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0},
+ {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0},
+ {"ecp512bp", DIFFIE_HELLMAN_GROUP, ECP_512_BP, 0},
{"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
- {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
- {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
{"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
- {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0},
- {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
- {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
- {"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0},
+ {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0},
+ {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0},
+ {"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
+ {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
+ {"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
+ {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
{"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
{"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
- {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256},
- {"md5_128", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0},
- {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0},
- {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0},
- {"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
- {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
- {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
- {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
- {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
- {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
- {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
- {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0},
- {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0},
- {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0},
- {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0},
- {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
- {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
+ {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
+ {"ecp256bp", DIFFIE_HELLMAN_GROUP, ECP_256_BP, 0},
+ {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
+ {"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0},
+ {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
+ {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
+ {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0},
+ {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
{"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0},
- {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0},
+ {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
+ {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
{"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0},
+ {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
+ {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
+ {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
+ {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
{"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
- {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
- {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
- {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
- {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0},
- {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
- {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
- {"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0},
- {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
- {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
- {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
- {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
+ {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
+ {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
{"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192},
- {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
- {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
- {"ecp224bp", DIFFIE_HELLMAN_GROUP, ECP_224_BP, 0},
+ {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
+ {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
+ {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
+ {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
{"ecp384bp", DIFFIE_HELLMAN_GROUP, ECP_384_BP, 0},
- {"ecp512bp", DIFFIE_HELLMAN_GROUP, ECP_512_BP, 0},
- {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
- {"ecp256bp", DIFFIE_HELLMAN_GROUP, ECP_256_BP, 0},
+ {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256},
- {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
- {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
- {"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0},
- {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
- {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0}
+ {"ecp224bp", DIFFIE_HELLMAN_GROUP, ECP_224_BP, 0},
+ {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0},
+ {"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
+ {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
+ {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0},
+ {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
+ {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
+ {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
+ {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0},
+ {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256},
+ {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192},
+ {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0},
+ {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0}
};
static const short lookup[] =
{
- -1, -1, -1, -1, 0, -1, -1, -1, -1, -1,
- 1, -1, 2, -1, 3, 4, -1, -1, -1, 5,
- 6, 7, 8, 9, 10, 11, 12, -1, -1, 13,
- 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
- 24, 25, 26, 27, 28, -1, -1, -1, -1, 29,
- -1, -1, 30, 31, 32, 33, 34, -1, 35, 36,
- 37, 38, 39, 40, 41, 42, 43, 44, 45, 46,
- 47, 48, 49, 50, 51, 52, 53, 54, -1, 55,
- 56, 57, -1, 58, 59, 60, 61, 62, 63, 64,
- 65, 66, 67, -1, 68, 69, 70, 71, 72, 73,
- 74, 75, 76, 77, -1, 78, 79, 80, 81, 82,
- 83, 84, 85, 86, 87, 88, 89, 90, 91, 92,
- -1, 93, 94, 95, 96, 97, 98, 99, 100, -1,
- -1, -1, 101, 102, 103, 104, -1, 105, 106, 107,
- 108, 109, 110, -1, 111, 112, 113, 114, 115, 116,
- 117, 118, 119, 120, 121, 122, 123, 124, -1, 125,
- -1, 126, -1, -1, -1, -1, -1, -1, 127, -1,
- -1, -1, -1, 128, -1, -1, -1, -1, 129, 130,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, 131, -1, -1, 132, -1,
- -1, -1, -1, -1, -1, 133
+ 0, -1, 1, 2, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, 3, 4, -1, -1, -1, 5, -1,
+ 6, 7, -1, -1, -1, -1, 8, -1, 9, 10,
+ -1, -1, 11, -1, 12, -1, 13, -1, 14, 15,
+ -1, 16, 17, 18, 19, 20, -1, -1, -1, 21,
+ 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+ 32, 33, 34, 35, 36, 37, -1, 38, 39, -1,
+ 40, 41, 42, -1, 43, 44, 45, 46, 47, 48,
+ -1, 49, 50, 51, -1, 52, 53, 54, 55, 56,
+ 57, 58, 59, -1, -1, 60, 61, 62, 63, 64,
+ 65, 66, -1, -1, 67, 68, 69, 70, 71, 72,
+ 73, 74, 75, 76, 77, 78, 79, 80, -1, 81,
+ 82, 83, 84, 85, 86, 87, 88, 89, 90, 91,
+ 92, 93, -1, 94, -1, 95, -1, 96, 97, 98,
+ 99, 100, -1, 101, -1, 102, 103, 104, -1, 105,
+ 106, 107, 108, 109, -1, 110, -1, 111, -1, 112,
+ -1, 113, 114, 115, 116, -1, 117, 118, 119, 120,
+ 121, -1, -1, -1, 122, -1, -1, 123, -1, -1,
+ 124, -1, 125, 126, 127, -1, -1, -1, 128, -1,
+ -1, -1, -1, -1, 129, 130, -1, 131, -1, 132,
+ -1, -1, -1, -1, 133, -1, -1, -1, -1, 134,
+ -1, -1, -1, -1, -1, 135, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, 136, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, 137
};
#ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index c484320ca..70e79157a 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -1,7 +1,7 @@
%{
/*
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+ * Copyright (C) 2009-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil, Switzerland
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -161,5 +161,9 @@ ecp224bp, DIFFIE_HELLMAN_GROUP, ECP_224_BP, 0
ecp256bp, DIFFIE_HELLMAN_GROUP, ECP_256_BP, 0
ecp384bp, DIFFIE_HELLMAN_GROUP, ECP_384_BP, 0
ecp512bp, DIFFIE_HELLMAN_GROUP, ECP_512_BP, 0
+ntru112, DIFFIE_HELLMAN_GROUP, NTRU_112_BIT, 0
+ntru128, DIFFIE_HELLMAN_GROUP, NTRU_128_BIT, 0
+ntru192, DIFFIE_HELLMAN_GROUP, NTRU_192_BIT, 0
+ntru256, DIFFIE_HELLMAN_GROUP, NTRU_256_BIT, 0
noesn, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0
esn, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 21cd1aff4..2fad486e0 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -43,7 +43,7 @@ struct private_fetcher_manager_t {
};
typedef struct {
- /** assocaited fetcher construction function */
+ /** associated fetcher construction function */
fetcher_constructor_t create;
/** URL this fetcher support */
char *url;
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index f2fa3e0aa..8472c30a5 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -22,6 +22,7 @@
#include <threading/thread.h>
#include <utils/identification.h>
#include <networking/host.h>
+#include <collections/array.h>
#include <collections/hashtable.h>
#include <utils/backtrace.h>
#include <selectors/traffic_selector.h>
@@ -61,6 +62,39 @@ struct private_library_t {
*/
library_t *lib = NULL;
+#ifdef LEAK_DETECTIVE
+/**
+ * Default leak report callback
+ */
+static void report_leaks(void *user, int count, size_t bytes,
+ backtrace_t *bt, bool detailed)
+{
+ fprintf(stderr, "%zu bytes total, %d allocations, %zu bytes average:\n",
+ bytes, count, bytes / count);
+ bt->log(bt, stderr, detailed);
+}
+
+/**
+ * Default leak report summary callback
+ */
+static void sum_leaks(void* user, int count, size_t bytes, int whitelisted)
+{
+ switch (count)
+ {
+ case 0:
+ fprintf(stderr, "No leaks detected");
+ break;
+ case 1:
+ fprintf(stderr, "One leak detected");
+ break;
+ default:
+ fprintf(stderr, "%d leaks detected, %zu bytes", count, bytes);
+ break;
+ }
+ fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
+}
+#endif /* LEAK_DETECTIVE */
+
/**
* Deinitialize library
*/
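Review bot: `report_leaks` computes `bytes / count` without checking `count`, so a call with a zero count would divide by zero. The leak detective that invokes the callback is not visible in this hunk and may never pass zero, but the guard is cheap: `bytes, count, count ? bytes / count : 0);`. Both callbacks ignore their `user` argument, which deserves a short comment such as `/* user is unused by the default callbacks */`.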
@@ -75,7 +109,7 @@ void library_deinit()
}
detailed = lib->settings->get_bool(lib->settings,
- "libstrongswan.leak_detective.detailed", TRUE);
+ "%s.leak_detective.detailed", TRUE, lib->ns);
/* make sure the cache is clear before unloading plugins */
lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
@@ -109,9 +143,11 @@ void library_deinit()
lib->leak_detective->destroy(lib->leak_detective);
}
+ arrays_deinit();
threads_deinit();
backtrace_deinit();
+ free((void*)this->public.ns);
free(this);
lib = NULL;
}
@@ -201,7 +237,7 @@ static bool check_memwipe()
/*
* see header file
*/
-bool library_init(char *settings)
+bool library_init(char *settings, const char *namespace)
{
private_library_t *this;
printf_hook_t *pfh;
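Review bot: The new parameter is named `namespace`, which is a reserved word in C++. The prototype in library.h, changed the same way later in this commit, would therefore fail to parse if that header is ever included from C++ code. Renaming it costs nothing and matches the `ns` member it initialises: `bool library_init(char *settings, const char *ns);`. The body of library_init continues outside this hunk.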
@@ -217,6 +253,7 @@ bool library_init(char *settings)
.public = {
.get = _get,
.set = _set,
+ .ns = strdup(namespace ?: "libstrongswan"),
},
.ref = 1,
);
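Review bot: The result of `strdup()` assigned to `.ns` is not checked. `lib->ns` is later passed as the `%s` argument of settings keys in this commit (for example `"%s.integrity_test"`), where a NULL pointer is undefined behaviour. Whether the project treats allocation failure as fatal elsewhere is not visible here; if it does not, library_init should fail right after INIT when `this->public.ns` is NULL. At minimum the invariant should be recorded next to the member: `/* ns is never NULL, it is used as a %s argument for settings keys */`.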
@@ -224,9 +261,12 @@ bool library_init(char *settings)
backtrace_init();
threads_init();
+ arrays_init();
#ifdef LEAK_DETECTIVE
lib->leak_detective = leak_detective_create();
+ lib->leak_detective->set_report_cb(lib->leak_detective,
+ report_leaks, sum_leaks, NULL);
#endif /* LEAK_DETECTIVE */
pfh = printf_hook_create();
@@ -256,6 +296,9 @@ bool library_init(char *settings)
this->objects = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 4);
this->public.settings = settings_create(settings);
+ /* all namespace settings may fall back to libstrongswan */
+ lib->settings->add_fallback(lib->settings, lib->ns, "libstrongswan");
+
this->public.hosts = host_resolver_create();
this->public.proposal = proposal_keywords_create();
this->public.caps = capabilities_create();
@@ -278,7 +321,7 @@ bool library_init(char *settings)
}
if (lib->settings->get_bool(lib->settings,
- "libstrongswan.integrity_test", FALSE))
+ "%s.integrity_test", FALSE, lib->ns))
{
#ifdef INTEGRITY_TEST
this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index e53cf09e2..4125328b7 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2010-2014 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -140,6 +141,12 @@ struct library_t {
bool (*set)(library_t *this, char *name, void *object);
/**
+ * Namespace used for settings etc. (i.e. the name of the binary that uses
+ * the library)
+ */
+ const char *ns;
+
+ /**
* Printf hook registering facility
*/
printf_hook_t *printf_hook;
@@ -239,12 +246,17 @@ struct library_t {
* Initialize library, creates "lib" instance.
*
* library_init() may be called multiple times in a single process, but each
- * caller should call library_deinit() for each call to library_init().
+ * caller must call library_deinit() for each call to library_init().
+ *
+ * The settings and namespace arguments are only used on the first call.
*
* @param settings file to read settings from, may be NULL for default
+ * @param namespace name of the binary that uses the library, determines
+ * the first section name when reading config options.
+ * Defaults to libstrongswan if NULL.
* @return FALSE if integrity check failed
*/
-bool library_init(char *settings);
+bool library_init(char *settings, const char *namespace);
/**
* Deinitialize library, destroys "lib" instance.
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
index 99a17d17c..10af11a7f 100644
--- a/src/libstrongswan/networking/host_resolver.c
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -355,11 +355,11 @@ host_resolver_t *host_resolver_create()
);
this->min_threads = max(0, lib->settings->get_int(lib->settings,
- "libstrongswan.host_resolver.min_threads",
- MIN_THREADS_DEFAULT));
+ "%s.host_resolver.min_threads",
+ MIN_THREADS_DEFAULT, lib->ns));
this->max_threads = max(this->min_threads ?: 1,
lib->settings->get_int(lib->settings,
- "libstrongswan.host_resolver.max_threads",
- MAX_THREADS_DEFAULT));
+ "%s.host_resolver.max_threads",
+ MAX_THREADS_DEFAULT, lib->ns));
return &this->public;
}
diff --git a/src/libstrongswan/networking/streams/stream.c b/src/libstrongswan/networking/streams/stream.c
index 8ecb89fc9..f6fec0b4a 100644
--- a/src/libstrongswan/networking/streams/stream.c
+++ b/src/libstrongswan/networking/streams/stream.c
@@ -159,17 +159,6 @@ METHOD(stream_t, write_all, bool,
}
/**
- * Remove a registered watcher
- */
-static void remove_watcher(private_stream_t *this)
-{
- if (this->read_cb || this->write_cb)
- {
- lib->watcher->remove(lib->watcher, this->fd);
- }
-}
-
-/**
* Watcher callback
*/
static bool watch(private_stream_t *this, int fd, watcher_event_t event)
@@ -228,7 +217,7 @@ static void add_watcher(private_stream_t *this)
METHOD(stream_t, on_read, void,
private_stream_t *this, stream_cb_t cb, void *data)
{
- remove_watcher(this);
+ lib->watcher->remove(lib->watcher, this->fd);
this->read_cb = cb;
this->read_data = data;
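Review bot: `lib->watcher->remove()` is now called even when neither `read_cb` nor `write_cb` was ever registered, here and in `on_write` and `destroy` in the two following hunks. That is only correct if the watcher treats removal of an unknown fd as a no-op, which this diff does not show. The removed helper guarded exactly that case, so the assumption should be stated at the call: `/* remove() is a no-op if this fd was never registered */`. The body of on_read continues outside this hunk.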
@@ -239,7 +228,7 @@ METHOD(stream_t, on_read, void,
METHOD(stream_t, on_write, void,
private_stream_t *this, stream_cb_t cb, void *data)
{
- remove_watcher(this);
+ lib->watcher->remove(lib->watcher, this->fd);
this->write_cb = cb;
this->write_data = data;
@@ -270,7 +259,7 @@ METHOD(stream_t, get_file, FILE*,
METHOD(stream_t, destroy, void,
private_stream_t *this)
{
- remove_watcher(this);
+ lib->watcher->remove(lib->watcher, this->fd);
close(this->fd);
free(this);
}
diff --git a/src/libstrongswan/networking/streams/stream.h b/src/libstrongswan/networking/streams/stream.h
index 810514da9..3516d9186 100644
--- a/src/libstrongswan/networking/streams/stream.h
+++ b/src/libstrongswan/networking/streams/stream.h
@@ -39,9 +39,8 @@ typedef stream_t*(*stream_constructor_t)(char *uri);
/**
* Callback function prototype, called when stream is ready.
*
- * It is allowed to destroy the stream during the callback, but only if it has
- * no other active on_read()/on_write() callback and returns FALSE. It is not
- * allowed to to call on_read()/on_write/() during the callback.
+ * It is not allowed to destroy the stream nor to call on_read()/on_write/()
+ * during the callback.
*
* As select() may return even if a read()/write() would actually block, it is
* recommended to use the non-blocking calls and handle return values
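Review bot: The reworded contract keeps the stray slash in `on_write/()`; it should read `on_read()/on_write()`. The comment now forbids destroying the stream from inside the callback, which the old text allowed under conditions, but it does not say what happens when a caller written against the old contract still does so. Nothing in the visible code enforces the rule, so one sentence naming the consequence and the supported alternative (presumably destroying the stream after the callback has returned) would make the tightened contract usable. The comment block continues outside this hunk.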
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
index 65268d242..ecefdc233 100644
--- a/src/libstrongswan/networking/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -27,9 +27,11 @@
#include <unistd.h>
#include <net/if.h>
+#if !defined(__APPLE__) && !defined(__linux__) && !defined(HAVE_NET_IF_TUN_H)
+
#include "tun_device.h"
-#if !defined(__APPLE__) && !defined(__linux__) && !defined(HAVE_NET_IF_TUN_H)
+#include <utils/debug.h>
#warning TUN devices are not supported!
@@ -46,12 +48,14 @@ tun_device_t *tun_device_create(const char *name_tmpl)
#include <netinet/in_var.h>
#include <sys/kern_control.h>
#elif defined(__linux__)
+#include <linux/types.h>
#include <linux/if_tun.h>
#else
#include <net/if_tun.h>
#endif
-#include <library.h>
+#include "tun_device.h"
+
#include <utils/debug.h>
#include <threading/thread.h>
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
index 1d330f133..543125beb 100644
--- a/src/libstrongswan/networking/tun_device.h
+++ b/src/libstrongswan/networking/tun_device.h
@@ -23,7 +23,6 @@
#ifndef TUN_DEVICE_H_
#define TUN_DEVICE_H_
-#include <library.h>
#include <networking/host.h>
typedef struct tun_device_t tun_device_t;
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 5ae5537ad..9e91e8671 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index cdecc5b06..4ea1e8f36 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index b840d0e03..150e8d4d4 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 322ded48c..dc6adc457 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
{
private_agent_plugin_t *this;
+ /* required to connect to ssh-agent socket */
+ if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+ {
+ DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
+ return NULL;
+ }
+
INIT(this,
.public = {
.plugin = {
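Review bot: `CAP_DAC_OVERRIDE` bypasses file permission checks on every path, not only on the ssh-agent socket, and the one-line comment above the `keep()` call does not mention that breadth. Because the capability is requested in the plugin constructor, merely enabling the agent plugin widens what the daemon retains after dropping privileges. The comment should state the trade-off, for example `/* the agent socket is presumably owned by another user; CAP_DAC_OVERRIDE is broad, so only enable this plugin where that is acceptable */`. The hunk adds no include for the `CAP_DAC_OVERRIDE` constant; whether it is defined on every supported platform cannot be seen from here.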
@@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
return &this->public.plugin;
}
-
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 8a3fb150a..c2e82a9f1 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
}
return &this->public;
}
-
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 8b2f7431f..f13a96421 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 486af34ed..ed3f05681 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index b8fe6de06..620d8359f 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 1f791208e..060287d1c 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 3d4f71176..ff34435a2 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index f6625dd48..a756a0a7e 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index a8cca98da..644f27709 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -80,7 +80,7 @@ static size_t curl_cb(void *ptr, size_t size, size_t nmemb, cb_data_t *data)
METHOD(fetcher_t, fetch, status_t,
private_curl_fetcher_t *this, char *uri, void *userdata)
{
- char error[CURL_ERROR_SIZE];
+ char error[CURL_ERROR_SIZE], *enc_uri;
status_t status;
cb_data_t data = {
.cb = this->cb,
@@ -92,9 +92,14 @@ METHOD(fetcher_t, fetch, status_t,
*(chunk_t*)userdata = chunk_empty;
}
- if (curl_easy_setopt(this->curl, CURLOPT_URL, uri) != CURLE_OK)
+ /* the URI has to be URL-encoded, we only replace spaces as replacing other
+ * characters (e.g. '/' or ':') would render the URI invalid */
+ enc_uri = strreplace(uri, " ", "%20");
+
+ if (curl_easy_setopt(this->curl, CURLOPT_URL, enc_uri) != CURLE_OK)
{ /* URL type not supported by curl */
- return NOT_SUPPORTED;
+ status = NOT_SUPPORTED;
+ goto out;
}
curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, error);
curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
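Review bot: Only spaces are escaped before the string reaches `CURLOPT_URL`, so control characters and other bytes that are not valid in a URL still pass through unchanged. Where `uri` comes from is not visible in this hunk; if it can be derived from peer-supplied data, rejecting such bytes before the setopt would be a sensible companion to the encoding. The cleanup at `out:` in the next hunk also depends on `strreplace()` returning the original pointer when nothing was replaced, and its result is used without a NULL check. A comment at the call would make the `enc_uri != uri` test self-explanatory: `/* strreplace() returns uri itself if it contains no spaces */`.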
@@ -125,6 +130,12 @@ METHOD(fetcher_t, fetch, status_t,
status = FAILED;
break;
}
+
+out:
+ if (enc_uri != uri)
+ {
+ free(enc_uri);
+ }
return status;
}
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 81e91bca0..ca79430c9 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index a012700c0..b94b644c0 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 06d9129c7..3bb540d90 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index e499ae1a0..7bce3c983 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 766340548..4ce3cf919 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 160db042b..44f3f84b1 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -194,8 +194,8 @@ plugin_t *gcrypt_plugin_create()
/* we currently do not use secure memory */
gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
- if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.gcrypt.quick_random", FALSE))
+ if (lib->settings->get_bool(lib->settings, "%s.plugins.gcrypt.quick_random",
+ FALSE, lib->ns))
{
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
}
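Review bot: The `quick_random` branch has no comment saying what the option costs, and with this change it is read from whichever namespace `lib->ns` names instead of the fixed `libstrongswan.plugins.gcrypt` key. `GCRYCTL_ENABLE_QUICK_RANDOM` makes libgcrypt serve requests for its highest random quality level at the next lower one, so I would put a comment above the `if` such as `/* degrades GCRY_VERY_STRONG_RANDOM requests to GCRY_STRONG_RANDOM; not recommended for long-term keys */`. Whether an existing `libstrongswan.plugins.gcrypt.quick_random` entry is still honoured depends on a settings fallback that, if it exists, is set up outside this hunk; that is worth confirming, since a silently ignored option changes key-generation behaviour without warning. `gcrypt_plugin_create()` starts and ends outside the hunk.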
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index f12827fd5..73e0645b0 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index f1956a9d2..f5e38fa90 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 5f7291ca4..42093e413 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 35af7034a..7f14fbf8e 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 812d98628..bdd446cd3 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 082aebc51..32aac7bfa 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 2daf01c1d..a35f8051b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 408848366..25437bdb8 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am
new file mode 100644
index 000000000..b33cbc8c9
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/Makefile.am
@@ -0,0 +1,33 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ -rdynamic @COVERAGE_CFLAGS@
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ntru.la
+else
+plugin_LTLIBRARIES = libstrongswan-ntru.la
+endif
+
+libstrongswan_ntru_la_SOURCES = \
+ ntru_plugin.h ntru_plugin.c \
+ ntru_drbg.h ntru_drbg.c \
+ ntru_ke.h ntru_ke.c \
+ ntru_mgf1.h ntru_mgf1.c \
+ ntru_poly.h ntru_poly.c \
+ ntru_trits.h ntru_trits.c \
+ ntru_crypto/ntru_crypto.h \
+ ntru_crypto/ntru_crypto_ntru_convert.h \
+ ntru_crypto/ntru_crypto_ntru_convert.c \
+ ntru_crypto/ntru_crypto_ntru_encrypt.c \
+ ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
+ ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
+ ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
+ ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
+ ntru_crypto/ntru_crypto_ntru_poly.h \
+ ntru_crypto/ntru_crypto_ntru_poly.c
+
+libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
+
+
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
new file mode 100644
index 000000000..af192d203
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -0,0 +1,812 @@
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ntru
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ntru_la_LIBADD =
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_drbg.lo \
+ ntru_ke.lo ntru_mgf1.lo ntru_poly.lo ntru_trits.lo \
+ ntru_crypto/ntru_crypto_ntru_convert.lo \
+ ntru_crypto/ntru_crypto_ntru_encrypt.lo \
+ ntru_crypto/ntru_crypto_ntru_encrypt_key.lo \
+ ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo \
+ ntru_crypto/ntru_crypto_ntru_poly.lo
+libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libstrongswan_ntru_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ntru_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ntru_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ntru_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libstrongswan_ntru_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ntru_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ -rdynamic @COVERAGE_CFLAGS@
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ntru.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ntru.la
+libstrongswan_ntru_la_SOURCES = \
+ ntru_plugin.h ntru_plugin.c \
+ ntru_drbg.h ntru_drbg.c \
+ ntru_ke.h ntru_ke.c \
+ ntru_mgf1.h ntru_mgf1.c \
+ ntru_poly.h ntru_poly.c \
+ ntru_trits.h ntru_trits.c \
+ ntru_crypto/ntru_crypto.h \
+ ntru_crypto/ntru_crypto_ntru_convert.h \
+ ntru_crypto/ntru_crypto_ntru_convert.c \
+ ntru_crypto/ntru_crypto_ntru_encrypt.c \
+ ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
+ ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
+ ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
+ ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
+ ntru_crypto/ntru_crypto_ntru_poly.h \
+ ntru_crypto/ntru_crypto_ntru_poly.c
+
+libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ntru/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/ntru/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+ntru_crypto/$(am__dirstamp):
+ @$(MKDIR_P) ntru_crypto
+ @: > ntru_crypto/$(am__dirstamp)
+ntru_crypto/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) ntru_crypto/$(DEPDIR)
+ @: > ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_convert.lo: ntru_crypto/$(am__dirstamp) \
+ ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_encrypt.lo: ntru_crypto/$(am__dirstamp) \
+ ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_encrypt_key.lo: \
+ ntru_crypto/$(am__dirstamp) \
+ ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo: \
+ ntru_crypto/$(am__dirstamp) \
+ ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ntru_crypto/ntru_crypto_ntru_poly.lo: ntru_crypto/$(am__dirstamp) \
+ ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+
+libstrongswan-ntru.la: $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_DEPENDENCIES) $(EXTRA_libstrongswan_ntru_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_ntru_la_LINK) $(am_libstrongswan_ntru_la_rpath) $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+ -rm -f ntru_crypto/*.$(OBJEXT)
+ -rm -f ntru_crypto/*.lo
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_trits.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_convert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_param_sets.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_poly.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+ -rm -rf ntru_crypto/.libs ntru_crypto/_libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -rm -f ntru_crypto/$(DEPDIR)/$(am__dirstamp)
+ -rm -f ntru_crypto/$(am__dirstamp)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-pluginLTLIBRARIES install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
new file mode 100644
index 000000000..72f47035e
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
@@ -0,0 +1,235 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+
+/******************************************************************************
+ *
+ * File: ntru_crypto.h
+ *
+ * Contents: Public header file for NTRUEncrypt.
+ *
+ *****************************************************************************/
+
+#ifndef NTRU_CRYPTO_H
+#define NTRU_CRYPTO_H
+
+#include <library.h>
+
+#include "ntru_drbg.h"
+
+#if !defined( NTRUCALL )
+ #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
+ // Linux, or a Win32 static library
+ #define NTRUCALL extern uint32_t
+ #elif defined (NTRUCRYPTO_EXPORTS)
+ // Win32 DLL build
+ #define NTRUCALL extern __declspec(dllexport) uint32_t
+ #else
+ // Win32 DLL import
+ #define NTRUCALL extern __declspec(dllimport) uint32_t
+ #endif
+#endif /* NTRUCALL */
+
+/* parameter set ID list */
+
+typedef enum _NTRU_ENCRYPT_PARAM_SET_ID {
+ NTRU_EES401EP1,
+ NTRU_EES449EP1,
+ NTRU_EES677EP1,
+ NTRU_EES1087EP2,
+ NTRU_EES541EP1,
+ NTRU_EES613EP1,
+ NTRU_EES887EP1,
+ NTRU_EES1171EP1,
+ NTRU_EES659EP1,
+ NTRU_EES761EP1,
+ NTRU_EES1087EP1,
+ NTRU_EES1499EP1,
+ NTRU_EES401EP2,
+ NTRU_EES439EP1,
+ NTRU_EES593EP1,
+ NTRU_EES743EP1,
+} NTRU_ENCRYPT_PARAM_SET_ID;
+
+
+/* error codes */
+
+#define NTRU_OK 0
+#define NTRU_FAIL 1
+#define NTRU_BAD_PARAMETER 2
+#define NTRU_BAD_LENGTH 3
+#define NTRU_BUFFER_TOO_SMALL 4
+#define NTRU_INVALID_PARAMETER_SET 5
+#define NTRU_BAD_PUBLIC_KEY 6
+#define NTRU_BAD_PRIVATE_KEY 7
+#define NTRU_OUT_OF_MEMORY 8
+#define NTRU_BAD_ENCODING 9
+#define NTRU_OID_NOT_RECOGNIZED 10
+#define NTRU_DRBG_FAIL 11
+#define NTRU_MGF1_FAIL 12
+
+/* function declarations */
+
+/* ntru_crypto_ntru_encrypt
+ *
+ * Implements NTRU encryption (SVES) for the parameter set specified in
+ * the public key blob.
+ *
+ * Before invoking this function, a DRBG must be instantiated using
+ * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
+ * instantiation the requested security strength must be at least as large
+ * as the security strength of the NTRU parameter set being used.
+ * Failure to instantiate the DRBG with the proper security strength will
+ * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
+ *
+ * The required minimum size of the output ciphertext buffer (ct) may be
+ * queried by invoking this function with ct = NULL. In this case, no
+ * encryption is performed, NTRU_OK is returned, and the required minimum
+ * size for ct is returned in ct_len.
+ *
+ * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
+ * Upon return it is the actual size of the ciphertext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
+ * zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
+ * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
+ * (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ */
+
+NTRUCALL
+ntru_crypto_ntru_encrypt(
+ ntru_drbg_t *drbg , /* in - handle for DRBG */
+ uint16_t pubkey_blob_len, /* in - no. of octets in public key
+ blob */
+ uint8_t const *pubkey_blob, /* in - pointer to public key */
+ uint16_t pt_len, /* in - no. of octets in plaintext */
+ uint8_t const *pt, /* in - pointer to plaintext */
+ uint16_t *ct_len, /* in/out - no. of octets in ct, addr for
+ no. of octets in ciphertext */
+ uint8_t *ct); /* out - address for ciphertext */
+
+
+/* ntru_crypto_ntru_decrypt
+ *
+ * Implements NTRU decryption (SVES) for the parameter set specified in
+ * the private key blob.
+ *
+ * The maximum size of the output plaintext may be queried by invoking
+ * this function with pt = NULL. In this case, no decryption is performed,
+ * NTRU_OK is returned, and the maximum size the plaintext could be is
+ * returned in pt_len.
+ * Note that until the decryption is performed successfully, the actual size
+ * of the resulting plaintext cannot be known.
+ *
+ * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
+ * Upon return it is the actual size of the plaintext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
+ * ct_len is invalid for the parameter set.
+ * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
+ * (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if a decryption error occurs.
+ */
+
+NTRUCALL
+ntru_crypto_ntru_decrypt(
+ uint16_t privkey_blob_len, /* in - no. of octets in private key
+ blob */
+ uint8_t const *privkey_blob, /* in - pointer to private key */
+ uint16_t ct_len, /* in - no. of octets in ciphertext */
+ uint8_t const *ct, /* in - pointer to ciphertext */
+ uint16_t *pt_len, /* in/out - no. of octets in pt, addr for
+ no. of octets in plaintext */
+ uint8_t *pt); /* out - address for plaintext */
+
+
+/* ntru_crypto_ntru_encrypt_keygen
+ *
+ * Implements key generation for NTRUEncrypt for the parameter set specified.
+ *
+ * Before invoking this function, a DRBG must be instantiated using
+ * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
+ * instantiation the requested security strength must be at least as large
+ * as the security strength of the NTRU parameter set being used.
+ * Failure to instantiate the DRBG with the proper security strength will
+ * result in this function returning NTRU_DRBG_FAIL.
+ *
+ * The required minimum size of the output public-key buffer (pubkey_blob)
+ * may be queried by invoking this function with pubkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
+ *
+ * The required minimum size of the output private-key buffer (privkey_blob)
+ * may be queried by invoking this function with privkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for privkey_blob is returned in privkey_blob_len.
+ *
+ * The required minimum sizes of both pubkey_blob and privkey_blob may be
+ * queried as described above, in a single invocation of this function.
+ *
+ * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
+ * *pubkey_blob_len must be the size of the pubkey_blob buffer and
+ * *privkey_blob_len must be the size of the privkey_blob buffer.
+ * Upon return, *pubkey_blob_len is the actual size of the public-key blob
+ * and *privkey_blob_len is the actual size of the private-key blob.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob
+ * or privkey_blob) is NULL.
+ * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
+ * Returns NTRU_BAD_LENGTH if a length argument is invalid.
+ * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
+ * privkey_blob buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
+ * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
+ * Should this occur, this function should simply be invoked again.
+ */
+
+NTRUCALL
+ntru_crypto_ntru_encrypt_keygen(
+ ntru_drbg_t *drbg, /* in - handle of DRBG */
+ NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
+ uint16_t *pubkey_blob_len, /* in/out - no. of octets in
+ pubkey_blob, addr
+ for no. of octets
+ in pubkey_blob */
+ uint8_t *pubkey_blob, /* out - address for
+ public key blob */
+ uint16_t *privkey_blob_len, /* in/out - no. of octets in
+ privkey_blob, addr
+ for no. of octets
+ in privkey_blob */
+ uint8_t *privkey_blob); /* out - address for
+ private key blob */
+#endif /* NTRU_CRYPTO_H */
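Review bot: The return-value lists of `ntru_crypto_ntru_encrypt`, `ntru_crypto_ntru_decrypt` and `ntru_crypto_ntru_encrypt_keygen` all name `NTRU_NO_MEMORY`, but the error codes defined in this header only include `NTRU_OUT_OF_MEMORY` (8). A caller written from the comments would test for a constant that does not exist here, so each of those lines should read `* Returns NTRU_OUT_OF_MEMORY if memory needed cannot be allocated from the heap.` The encrypt comment also says an under-strength DRBG yields `DRBG_ERROR_BASE + DRBG_BAD_LENGTH`, while the keygen comment says `NTRU_DRBG_FAIL` for the same condition. Only `NTRU_DRBG_FAIL` is defined in this header, so the encrypt wording looks stale and should be aligned with whichever code the implementation actually returns. In the decrypt comment, the length argument named as `(privkey_blob)` is presumably `privkey_blob_len`.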
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
new file mode 100644
index 000000000..3d6dfde41
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
@@ -0,0 +1,581 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_convert.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_convert.c
+ *
+ * Contents: Conversion routines for NTRUEncrypt, including packing, unpacking,
+ * and others.
+ *
+ *****************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "ntru_crypto_ntru_convert.h"
+
+
+/* 3-bit to 2-trit conversion tables: 2 represents -1 */
+
+static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2};
+static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1};
+
+
+/* ntru_bits_2_trits
+ *
+ * Each 3 bits in an array of octets is converted to 2 trits in an array
+ * of trits.
+ *
+ * The octet array may overlap the end of the trit array.
+ */
+
+void
+ntru_bits_2_trits(
+ uint8_t const *octets, /* in - pointer to array of octets */
+ uint16_t num_trits, /* in - number of trits to produce */
+ uint8_t *trits) /* out - address for array of trits */
+{
+ uint32_t bits24;
+ uint32_t bits3;
+ uint32_t shift;
+
+ assert(octets);
+ assert(trits);
+
+ while (num_trits >= 16) {
+
+ /* get next three octets */
+
+ bits24 = ((uint32_t)(*octets++)) << 16;
+ bits24 |= ((uint32_t)(*octets++)) << 8;
+ bits24 |= (uint32_t)(*octets++);
+
+ /* for each 3 bits in the three octets, output 2 trits */
+
+ bits3 = (bits24 >> 21) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = (bits24 >> 18) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = (bits24 >> 15) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = (bits24 >> 12) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = (bits24 >> 9) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = (bits24 >> 6) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = (bits24 >> 3) & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ bits3 = bits24 & 0x7;
+ *trits++ = bits_2_trit1[bits3];
+ *trits++ = bits_2_trit2[bits3];
+
+ num_trits -= 16;
+ }
+ if (num_trits == 0)
+ return;
+
+ /* get three octets */
+
+ bits24 = ((uint32_t)(*octets++)) << 16;
+ bits24 |= ((uint32_t)(*octets++)) << 8;
+ bits24 |= (uint32_t)(*octets++);
+
+ shift = 21;
+ while (num_trits) {
+
+ /* for each 3 bits in the three octets, output up to 2 trits
+ * until all trits needed are produced
+ */
+
+ bits3 = (bits24 >> shift) & 0x7;
+ shift -= 3;
+ *trits++ = bits_2_trit1[bits3];
+ if (--num_trits) {
+ *trits++ = bits_2_trit2[bits3];
+ --num_trits;
+ }
+ }
+}
+
+
+/* ntru_trits_2_bits
+ *
+ * Each 2 trits in an array of trits is converted to 3 bits, and the bits
+ * are packed in an array of octets. A multiple of 3 octets is output.
+ * Any bits in the final octets not derived from trits are zero.
+ *
+ * Returns TRUE if all trits were valid.
+ * Returns FALSE if invalid trits were found.
+ */
+
+bool
+ntru_trits_2_bits(
+ uint8_t const *trits, /* in - pointer to array of trits */
+ uint32_t num_trits, /* in - number of trits to convert */
+ uint8_t *octets) /* out - address for array of octets */
+{
+ bool all_trits_valid = TRUE;
+ uint32_t bits24;
+ uint32_t bits3;
+ uint32_t shift;
+
+ assert(octets);
+ assert(trits);
+
+ while (num_trits >= 16) {
+
+ /* convert each 2 trits to 3 bits and pack */
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 = (bits3 << 21);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << 18);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << 15);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << 12);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << 9);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << 6);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << 3);
+
+ bits3 = *trits++ * 3;
+ bits3 += *trits++;
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= bits3;
+
+ num_trits -= 16;
+
+ /* output three octets */
+
+ *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+ *octets++ = (uint8_t)((bits24 >> 8) & 0xff);
+ *octets++ = (uint8_t)(bits24 & 0xff);
+ }
+
+ bits24 = 0;
+ shift = 21;
+ while (num_trits) {
+
+ /* convert each 2 trits to 3 bits and pack */
+
+ bits3 = *trits++ * 3;
+ if (--num_trits) {
+ bits3 += *trits++;
+ --num_trits;
+ }
+ if (bits3 > 7) {
+ bits3 = 7;
+ all_trits_valid = FALSE;
+ }
+ bits24 |= (bits3 << shift);
+ shift -= 3;
+ }
+
+ /* output three octets */
+
+ *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+ *octets++ = (uint8_t)((bits24 >> 8) & 0xff);
+ *octets++ = (uint8_t)(bits24 & 0xff);
+
+ return all_trits_valid;
+}
+
+
+/* ntru_coeffs_mod4_2_octets
+ *
+ * Takes an array of ring element coefficients mod 4 and packs the
+ * results into an octet string.
+ */
+
+void
+ntru_coeffs_mod4_2_octets(
+ uint16_t num_coeffs, /* in - number of coefficients */
+ uint16_t const *coeffs, /* in - pointer to coefficients */
+ uint8_t *octets) /* out - address for octets */
+{
+ uint8_t bits2;
+ int shift;
+ uint16_t i;
+
+ assert(coeffs);
+ assert(octets);
+
+ *octets = 0;
+ shift = 6;
+ for (i = 0; i < num_coeffs; i++) {
+ bits2 = (uint8_t)(coeffs[i] & 0x3);
+ *octets |= bits2 << shift;
+ shift -= 2;
+ if (shift < 0) {
+ ++octets;
+ *octets = 0;
+ shift = 6;
+ }
+ }
+}
+
+
+/* ntru_trits_2_octet
+ *
+ * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
+ */
+
+void
+ntru_trits_2_octet(
+ uint8_t const *trits, /* in - pointer to trits */
+ uint8_t *octet) /* out - address for octet */
+{
+ int i;
+
+ assert(trits);
+ assert(octet);
+
+ *octet = 0;
+ for (i = 4; i >= 0; i--) {
+ *octet = (*octet * 3) + trits[i];
+ }
+}
+
+
+/* ntru_octet_2_trits
+ *
+ * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
+ */
+
+void
+ntru_octet_2_trits(
+ uint8_t octet, /* in - octet to be unpacked */
+ uint8_t *trits) /* out - address for trits */
+{
+ int i;
+
+ assert(trits);
+
+ for (i = 0; i < 5; i++) {
+ trits[i] = octet % 3;
+ octet = (octet - trits[i]) / 3;
+ }
+}
+
+
+/* ntru_indices_2_trits
+ *
+ * Converts a list of the nonzero indices of a polynomial into an array of
+ * trits.
+ */
+
+void
+ntru_indices_2_trits(
+ uint16_t in_len, /* in - no. of indices */
+ uint16_t const *in, /* in - pointer to list of indices */
+ bool plus1, /* in - if list is +1 cofficients */
+ uint8_t *out) /* out - address of output polynomial */
+{
+ uint8_t trit = plus1 ? 1 : 2;
+ uint16_t i;
+
+ assert(in);
+ assert(out);
+
+ for (i = 0; i < in_len; i++) {
+ out[in[i]] = trit;
+ }
+}
+
+
+/* ntru_packed_trits_2_indices
+ *
+ * Unpacks an array of N trits and creates a list of array indices
+ * corresponding to trits = +1, and list of array indices corresponding to
+ * trits = -1.
+ */
+
+void
+ntru_packed_trits_2_indices(
+ uint8_t const *in, /* in - pointer to packed-trit octets */
+ uint16_t num_trits, /* in - no. of packed trits */
+ uint16_t *indices_plus1, /* out - address for indices of +1 trits */
+ uint16_t *indices_minus1) /* out - address for indices of -1 trits */
+{
+ uint8_t trits[5];
+ uint16_t i = 0;
+ int j;
+
+ assert(in);
+ assert(indices_plus1);
+ assert(indices_minus1);
+
+ while (num_trits >= 5) {
+ ntru_octet_2_trits(*in++, trits);
+ num_trits -= 5;
+ for (j = 0; j < 5; j++, i++) {
+ if (trits[j] == 1) {
+ *indices_plus1 = i;
+ ++indices_plus1;
+ } else if (trits[j] == 2) {
+ *indices_minus1 = i;
+ ++indices_minus1;
+ }
+ }
+ }
+ if (num_trits) {
+ ntru_octet_2_trits(*in, trits);
+ for (j = 0; num_trits && (j < 5); j++, i++) {
+ if (trits[j] == 1) {
+ *indices_plus1 = i;
+ ++indices_plus1;
+ } else if (trits[j] == 2) {
+ *indices_minus1 = i;
+ ++indices_minus1;
+ }
+ --num_trits;
+ }
+ }
+}
+
+
+/* ntru_indices_2_packed_trits
+ *
+ * Takes a list of array indices corresponding to elements whose values
+ * are +1 or -1, and packs the N-element array of trits described by these
+ * lists into octets, 5 trits per octet.
+ */
+
+void
+ntru_indices_2_packed_trits(
+ uint16_t const *indices, /* in - pointer to indices */
+ uint16_t num_plus1, /* in - no. of indices for +1 trits */
+ uint16_t num_minus1, /* in - no. of indices for -1 trits */
+ uint16_t num_trits, /* in - N, no. of trits in array */
+ uint8_t *buf, /* in - temp buf, N octets */
+ uint8_t *out) /* out - address for packed octets */
+{
+ assert(indices);
+ assert(buf);
+ assert(out);
+
+ /* convert indices to an array of trits */
+
+ memset(buf, 0, num_trits);
+ ntru_indices_2_trits(num_plus1, indices, TRUE, buf);
+ ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf);
+
+ /* pack the array of trits */
+
+ while (num_trits >= 5) {
+ ntru_trits_2_octet(buf, out);
+ num_trits -= 5;
+ buf += 5;
+ ++out;
+ }
+ if (num_trits) {
+ uint8_t trits[5];
+
+ memcpy(trits, buf, num_trits);
+ memset(trits + num_trits, 0, sizeof(trits) - num_trits);
+ ntru_trits_2_octet(trits, out);
+ }
+}
+
+
+/* ntru_elements_2_octets
+ *
+ * Packs an array of n-bit elements into an array of
+ * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
+ */
+
+void
+ntru_elements_2_octets(
+ uint16_t in_len, /* in - no. of elements to be packed */
+ uint16_t const *in, /* in - ptr to elements to be packed */
+ uint8_t n_bits, /* in - no. of bits in input element */
+ uint8_t *out) /* out - addr for output octets */
+{
+ uint16_t temp;
+ int shift;
+ uint16_t i;
+
+ assert(in_len);
+ assert(in);
+ assert((n_bits > 8) && (n_bits < 16));
+ assert(out);
+
+ /* pack */
+
+ temp = 0;
+ shift = n_bits - 8;
+ i = 0;
+ while (i < in_len) {
+
+ /* add bits to temp to fill an octet and output the octet */
+
+ temp |= in[i] >> shift;
+ *out++ = (uint8_t)(temp & 0xff);
+ shift = 8 - shift;
+ if (shift < 1) {
+
+ /* next full octet is in current input word */
+
+ shift += n_bits;
+ temp = 0;
+
+ } else {
+
+ /* put remaining bits of input word in temp as partial octet,
+ * and increment index to next input word
+ */
+ temp = in[i] << (uint16_t)shift;
+
+ ++i;
+ }
+ shift = n_bits - shift;
+ }
+
+ /* output any bits remaining in last input word */
+
+ if (shift != n_bits - 8) {
+ *out++ = (uint8_t)(temp & 0xff);
+ }
+}
+
+
+/* ntru_octets_2_elements
+ *
+ * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
+ * n-bit elements, 8 < n_bits < 16. Any extra bits are discarded.
+ */
+
+void
+ntru_octets_2_elements(
+ uint16_t in_len, /* in - no. of octets to be unpacked */
+ uint8_t const *in, /* in - ptr to octets to be unpacked */
+ uint8_t n_bits, /* in - no. of bits in output element */
+ uint16_t *out) /* out - addr for output elements */
+{
+ uint16_t temp;
+ uint16_t mask = (1 << n_bits) - 1;
+ int shift;
+ uint16_t i;
+
+ assert(in_len > 1);
+ assert(in);
+ assert((n_bits > 8) && (n_bits < 16));
+ assert(out);
+
+ /* unpack */
+
+ temp = 0;
+ shift = n_bits;
+ i = 0;
+ while (i < in_len) {
+ shift = 8 - shift;
+ if (shift < 0) {
+
+ /* the current octet will not fill the current element */
+
+ shift += n_bits;
+
+ } else {
+
+ /* add bits from the current octet to fill the current element and
+ * output the element
+ */
+
+ temp |= ((uint16_t)in[i]) >> shift;
+ *out++ = temp & mask;
+ temp = 0;
+ }
+
+ /* add the remaining bits of the current octet to start an element */
+
+ shift = n_bits - shift;
+ temp |= ((uint16_t)in[i]) << shift;
+ ++i;
+ }
+}
+
+
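Review bot: `ntru_indices_2_trits` stores through `out[in[i]] = trit` without comparing the index against the size of `out`, and `ntru_packed_trits_2_indices` appends to `indices_plus1` and `indices_minus1` with no capacity for either list. The only argument checks in this file are `assert()` calls, which vanish in an NDEBUG build and test pointers only. The callers are outside this hunk, but if these inputs are ever decoded from a key blob rather than generated locally, a malformed value becomes an out-of-bounds write. The element count should be passed in and out-of-range entries rejected, or the header comments should at least state that the caller must have validated indices and counts. Separately, `ntru_trits_2_bits` always writes three more octets after its main loop, even when `num_trits` is a multiple of 16, so its comment should state the buffer size, e.g. `* octets must have room for 3 * (num_trits / 16 + 1) octets.`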
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
new file mode 100644
index 000000000..1c4b35b24
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
@@ -0,0 +1,183 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_convert.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_convert.h
+ *
+ * Contents: Definitions and declarations for conversion routines
+ * for NTRUEncrypt, including packing, unpacking and others.
+ *
+ *****************************************************************************/
+
+#ifndef NTRU_CRYPTO_NTRU_CONVERT_H
+#define NTRU_CRYPTO_NTRU_CONVERT_H
+
+#include "ntru_crypto.h"
+
+
+/* function declarations */
+
+/* ntru_bits_2_trits
+ *
+ * Each 3 bits in an array of octets is converted to 2 trits in an array
+ * of trits.
+ */
+
+extern void
+ntru_bits_2_trits(
+ uint8_t const *octets, /* in - pointer to array of octets */
+ uint16_t num_trits, /* in - number of trits to produce */
+ uint8_t *trits); /* out - address for array of trits */
+
+
+/* ntru_trits_2_bits
+ *
+ * Each 2 trits in an array of trits is converted to 3 bits, and the bits
+ * are packed in an array of octets. A multiple of 3 octets is output.
+ * Any bits in the final octets not derived from trits are zero.
+ *
+ * Returns TRUE if all trits were valid.
+ * Returns FALSE if invalid trits were found.
+ */
+
+extern bool
+ntru_trits_2_bits(
+ uint8_t const *trits, /* in - pointer to array of trits */
+ uint32_t num_trits, /* in - number of trits to convert */
+ uint8_t *octets); /* out - address for array of octets */
+
+
+/* ntru_coeffs_mod4_2_octets
+ *
+ * Takes an array of coefficients mod 4 and packs the results into an
+ * octet string.
+ */
+
+extern void
+ntru_coeffs_mod4_2_octets(
+ uint16_t num_coeffs, /* in - number of coefficients */
+ uint16_t const *coeffs, /* in - pointer to coefficients */
+ uint8_t *octets); /* out - address for octets */
+
+
+/* ntru_trits_2_octet
+ *
+ * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
+ */
+
+extern void
+ntru_trits_2_octet(
+ uint8_t const *trits, /* in - pointer to trits */
+ uint8_t *octet); /* out - address for octet */
+
+
+/* ntru_octet_2_trits
+ *
+ * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
+ */
+
+extern void
+ntru_octet_2_trits(
+ uint8_t octet, /* in - octet to be unpacked */
+ uint8_t *trits); /* out - address for trits */
+
+
+/* ntru_indices_2_trits
+ *
+ * Converts a list of the nonzero indices of a polynomial into an array of
+ * trits.
+ */
+
+extern void
+ntru_indices_2_trits(
+ uint16_t in_len, /* in - no. of indices */
+ uint16_t const *in, /* in - pointer to list of indices */
+ bool plus1, /* in - if list is +1 coefficients */
+ uint8_t *out); /* out - address of output polynomial */
+
+
+/* ntru_packed_trits_2_indices
+ *
+ * Unpacks an array of N trits and creates a list of array indices
+ * corresponding to trits = +1, and list of array indices corresponding to
+ * trits = -1.
+ */
+
+extern void
+ntru_packed_trits_2_indices(
+ uint8_t const *in, /* in - pointer to packed-trit octets */
+ uint16_t num_trits, /* in - no. of packed trits */
+ uint16_t *indices_plus1, /* out - address for indices of +1 trits */
+ uint16_t *indices_minus1); /* out - address for indices of -1 trits */
+
+
+/* ntru_indices_2_packed_trits
+ *
+ * Takes a list of array indices corresponding to elements whose values
+ * are +1 or -1, and packs the N-element array of trits described by these
+ * lists into octets, 5 trits per octet.
+ */
+
+extern void
+ntru_indices_2_packed_trits(
+ uint16_t const *indices, /* in - pointer to indices */
+ uint16_t num_plus1, /* in - no. of indices for +1 trits */
+ uint16_t num_minus1, /* in - no. of indices for -1 trits */
+ uint16_t num_trits, /* in - N, no. of trits in array */
+ uint8_t *buf, /* in - temp buf, N octets */
+ uint8_t *out); /* out - address for packed octets */
+
+
+/* ntru_elements_2_octets
+ *
+ * Packs an array of n-bit elements into an array of
+ * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
+ */
+
+extern void
+ntru_elements_2_octets(
+ uint16_t in_len, /* in - no. of elements to be packed */
+ uint16_t const *in, /* in - ptr to elements to be packed */
+ uint8_t n_bits, /* in - no. of bits in input element */
+ uint8_t *out); /* out - addr for output octets */
+
+
+/* ntru_octets_2_elements
+ *
+ * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
+ * n-bit elements, 8 < n < 16. Any extra bits are discarded.
+ */
+
+extern void
+ntru_octets_2_elements(
+ uint16_t in_len, /* in - no. of octets to be unpacked */
+ uint8_t const *in, /* in - ptr to octets to be unpacked */
+ uint8_t n_bits, /* in - no. of bits in output element */
+ uint16_t *out); /* out - addr for output elements */
+
+
+#endif /* NTRU_CRYPTO_NTRU_CONVERT_H */
+
+
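Review bot: The comment on ntru_octets_2_elements gives the range as `8 < n < 16`, while the parameter and the matching comment in ntru_crypto_ntru_convert.c call it `n_bits`; use `8 < n_bits < 16` here too. The implementation of that function in this commit enforces the range and the non-NULL pointers with `assert()` only, so the header should name them as caller preconditions, e.g. `* Preconditions (checked by assert() only): in_len > 1, in and out non-NULL.` None of these declarations takes an output capacity, so each comment should also state how many octets, trits or elements the caller must provide, as the two elements/octets comments already do.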
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
new file mode 100644
index 000000000..dba81915a
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
@@ -0,0 +1,1034 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_encrypt.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt.c
+ *
+ * Contents: Routines implementing NTRUEncrypt encryption and decryption and
+ * key generation.
+ *
+ *****************************************************************************/
+
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "ntru_crypto.h"
+#include "ntru_crypto_ntru_encrypt_param_sets.h"
+#include "ntru_crypto_ntru_encrypt_key.h"
+#include "ntru_crypto_ntru_convert.h"
+#include "ntru_crypto_ntru_poly.h"
+#
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+
+/* ntru_crypto_ntru_encrypt
+ *
+ * Implements NTRU encryption (SVES) for the parameter set specified in
+ * the public key blob.
+ *
+ * Before invoking this function, a DRBG must be instantiated using
+ * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
+ * instantiation the requested security strength must be at least as large
+ * as the security strength of the NTRU parameter set being used.
+ * Failure to instantiate the DRBG with the proper security strength will
+ * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
+ *
+ * The required minimum size of the output ciphertext buffer (ct) may be
+ * queried by invoking this function with ct = NULL. In this case, no
+ * encryption is performed, NTRU_OK is returned, and the required minimum
+ * size for ct is returned in ct_len.
+ *
+ * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
+ * Upon return it is the actual size of the ciphertext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
+ * zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
+ * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
+ * (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ */
+
+uint32_t
+ntru_crypto_ntru_encrypt(
+ ntru_drbg_t *drbg, /* in - handle of DRBG */
+ uint16_t pubkey_blob_len, /* in - no. of octets in public key
+ blob */
+ uint8_t const *pubkey_blob, /* in - pointer to public key */
+ uint16_t pt_len, /* in - no. of octets in plaintext */
+ uint8_t const *pt, /* in - pointer to plaintext */
+ uint16_t *ct_len, /* in/out - no. of octets in ct, addr for
+ no. of octets in ciphertext */
+ uint8_t *ct) /* out - address for ciphertext */
+{
+ NTRU_ENCRYPT_PARAM_SET *params = NULL;
+ uint8_t const *pubkey_packed = NULL;
+ uint8_t pubkey_pack_type = 0x00;
+ uint16_t packed_ct_len;
+ size_t scratch_buf_len;
+ uint32_t dr;
+ uint32_t dr1 = 0;
+ uint32_t dr2 = 0;
+ uint32_t dr3 = 0;
+ uint16_t ring_mult_tmp_len;
+ int16_t m1 = 0;
+ uint16_t *scratch_buf = NULL;
+ uint16_t *ringel_buf = NULL;
+ uint8_t *b_buf = NULL;
+ uint8_t *tmp_buf = NULL;
+ bool msg_rep_good = FALSE;
+ hash_algorithm_t hash_algid;
+ uint16_t mprime_len = 0;
+ uint16_t mod_q_mask;
+ uint32_t result = NTRU_OK;
+ ntru_trits_t *mask;
+ uint8_t *mask_trits;
+ chunk_t seed;
+ ntru_poly_t *r_poly;
+
+ /* check for bad parameters */
+
+ if (!pubkey_blob || !pt || !ct_len)
+ {
+ return NTRU_BAD_PARAMETER;
+ }
+ if ((pubkey_blob_len == 0) || (pt_len == 0))
+ {
+ return NTRU_BAD_LENGTH;
+ }
+
+ /* get a pointer to the parameter-set parameters, the packing type for
+ * the public key, and a pointer to the packed public key
+ */
+
+ if (!ntru_crypto_ntru_encrypt_key_parse(TRUE /* pubkey */, pubkey_blob_len,
+ pubkey_blob, &pubkey_pack_type,
+ NULL, &params, &pubkey_packed,
+ NULL))
+ {
+ return NTRU_BAD_PUBLIC_KEY;
+ }
+
+ /* return the ciphertext size if requested */
+
+ packed_ct_len = (params->N * params->q_bits + 7) >> 3;
+ if (!ct)
+ {
+ *ct_len = packed_ct_len;
+ return NTRU_OK;
+ }
+
+ /* check the ciphertext buffer size */
+
+ if (*ct_len < packed_ct_len)
+ {
+ return NTRU_BUFFER_TOO_SMALL;
+ }
+
+ /* check the plaintext length */
+
+ if (pt_len > params->m_len_max)
+ {
+ return NTRU_BAD_LENGTH;
+ }
+
+ /* allocate memory for all operations */
+
+ if (params->is_product_form)
+ {
+ ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
+ dr1 = params->dF_r & 0xff;
+ dr2 = (params->dF_r >> 8) & 0xff;
+ dr3 = (params->dF_r >> 16) & 0xff;
+ dr = dr1 + dr2 + dr3;
+ }
+ else
+ {
+ ring_mult_tmp_len = params->N; /* N 16-bit word buffer */
+ dr = params->dF_r;
+ }
+ scratch_buf_len = (ring_mult_tmp_len << 1) +
+ /* X-byte temp buf for ring mult and
+ other intermediate results */
+ (params->N << 1) + /* 2N-byte buffer for ring elements
+ and overflow from temp buffer */
+ (dr << 2) + /* buffer for r indices */
+ params->sec_strength_len;
+ /* buffer for b */
+ scratch_buf = malloc(scratch_buf_len);
+ if (!scratch_buf)
+ {
+ return NTRU_OUT_OF_MEMORY;
+ }
+ ringel_buf = scratch_buf + ring_mult_tmp_len;
+ b_buf = (uint8_t *)(ringel_buf + params->N);
+ tmp_buf = (uint8_t *)scratch_buf;
+
+ /* set hash algorithm based on security strength */
+ hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
+
+ /* set constants */
+ mod_q_mask = params->q - 1;
+
+ /* loop until a message representative with proper weight is achieved */
+
+ do {
+ uint8_t *ptr = tmp_buf;
+
+ /* get b */
+ if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+ params->sec_strength_len, b_buf))
+ {
+ result = NTRU_OK;
+ }
+ else
+ {
+ result = NTRU_FAIL;
+ }
+
+ if (result == NTRU_OK)
+ {
+
+ /* form sData (OID || m || b || hTrunc) */
+ memcpy(ptr, params->OID, 3);
+ ptr += 3;
+ memcpy(ptr, pt, pt_len);
+ ptr += pt_len;
+ memcpy(ptr, b_buf, params->sec_strength_len);
+ ptr += params->sec_strength_len;
+ memcpy(ptr, pubkey_packed, params->sec_strength_len);
+ ptr += params->sec_strength_len;
+
+ DBG2(DBG_LIB, "generate polynomial r");
+
+ seed = chunk_create(tmp_buf, ptr - tmp_buf);
+ r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+ params->N, params->q,
+ params->dF_r, params->dF_r,
+ params->is_product_form);
+ if (!r_poly)
+ {
+ result = NTRU_MGF1_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+ uint16_t pubkey_packed_len;
+
+ /* unpack the public key */
+ assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
+ pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
+ ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
+ params->q_bits, ringel_buf);
+
+ /* form R = h * r */
+ r_poly->ring_mult(r_poly, ringel_buf, ringel_buf);
+ r_poly->destroy(r_poly);
+
+ /* form R mod 4 */
+ ntru_coeffs_mod4_2_octets(params->N, ringel_buf, tmp_buf);
+
+ /* form mask */
+ seed = chunk_create(tmp_buf, (params->N + 3)/4);
+ mask = ntru_trits_create(params->N, hash_algid, seed);
+ if (!mask)
+ {
+ result = NTRU_MGF1_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+ uint8_t *Mtrin_buf = tmp_buf + params->N;
+ uint8_t *M_buf = Mtrin_buf + params->N -
+ (params->sec_strength_len + params->m_len_len +
+ params->m_len_max + 2);
+ uint16_t i;
+
+ /* form the padded message M */
+ ptr = M_buf;
+ memcpy(ptr, b_buf, params->sec_strength_len);
+ ptr += params->sec_strength_len;
+ if (params->m_len_len == 2)
+ *ptr++ = (uint8_t)((pt_len >> 8) & 0xff);
+ *ptr++ = (uint8_t)(pt_len & 0xff);
+ memcpy(ptr, pt, pt_len);
+ ptr += pt_len;
+
+ /* add an extra zero byte in case without it the bit string
+ * is not a multiple of 3 bits and therefore might not be
+ * able to produce enough trits
+ */
+
+ memset(ptr, 0, params->m_len_max - pt_len + 2);
+
+ /* convert M to trits (Mbin to Mtrin) */
+ mprime_len = params->N;
+ if (params->is_product_form)
+ {
+ --mprime_len;
+ }
+
+ ntru_bits_2_trits(M_buf, mprime_len, Mtrin_buf);
+ mask_trits = mask->get_trits(mask);
+
+ /* form the msg representative m' by adding Mtrin to mask, mod p */
+ if (params->is_product_form)
+ {
+ for (i = 0; i < mprime_len; i++)
+ {
+ tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
+ if (tmp_buf[i] >= 3)
+ {
+ tmp_buf[i] -= 3;
+ }
+ if (tmp_buf[i] == 1)
+ {
+ ++m1;
+ }
+ else if (tmp_buf[i] == 2)
+ {
+ --m1;
+ }
+ }
+ }
+ else
+ {
+ for (i = 0; i < mprime_len; i++)
+ {
+ tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
+ if (tmp_buf[i] >= 3)
+ {
+ tmp_buf[i] -= 3;
+ }
+ }
+ }
+ mask->destroy(mask);
+
+ /* check that message representative meets minimum weight
+ * requirements
+ */
+
+ if (params->is_product_form)
+ msg_rep_good = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) :
+ (bool)( m1 <= params->min_msg_rep_wt);
+ else
+ msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf,
+ params->min_msg_rep_wt);
+ msg_rep_good = TRUE;
+ }
+ } while ((result == NTRU_OK) && !msg_rep_good);
+
+ if (result == NTRU_OK)
+ {
+ uint16_t i;
+
+ /* form ciphertext e by adding m' to R mod q */
+
+ for (i = 0; i < mprime_len; i++) {
+ if (tmp_buf[i] == 1)
+ ringel_buf[i] = (ringel_buf[i] + 1) & mod_q_mask;
+ else if (tmp_buf[i] == 2)
+ ringel_buf[i] = (ringel_buf[i] - 1) & mod_q_mask;
+ }
+ if (params->is_product_form)
+ ringel_buf[i] = (ringel_buf[i] - m1) & mod_q_mask;
+
+ /* pack ciphertext */
+ ntru_elements_2_octets(params->N, ringel_buf, params->q_bits, ct);
+ *ct_len = packed_ct_len;
+ }
+
+ /* cleanup */
+ memset(scratch_buf, 0, scratch_buf_len);
+ free(scratch_buf);
+
+ return result;
+}
+
+
+/* ntru_crypto_ntru_decrypt
+ *
+ * Implements NTRU decryption (SVES) for the parameter set specified in
+ * the private key blob.
+ *
+ * The maximum size of the output plaintext may be queried by invoking
+ * this function with pt = NULL. In this case, no decryption is performed,
+ * NTRU_OK is returned, and the maximum size the plaintext could be is
+ * returned in pt_len.
+ * Note that until the decryption is performed successfully, the actual size
+ * of the resulting plaintext cannot be known.
+ *
+ * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
+ * Upon return it is the actual size of the plaintext.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
+ * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
+ * ct_len is invalid for the parameter set.
+ * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
+ * (unknown format, corrupt, bad length).
+ * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if a decryption error occurs.
+ */
+
+uint32_t
+ntru_crypto_ntru_decrypt(
+ uint16_t privkey_blob_len, /* in - no. of octets in private key
+ blob */
+ uint8_t const *privkey_blob, /* in - pointer to private key */
+ uint16_t ct_len, /* in - no. of octets in ciphertext */
+ uint8_t const *ct, /* in - pointer to ciphertext */
+ uint16_t *pt_len, /* in/out - no. of octets in pt, addr for
+ no. of octets in plaintext */
+ uint8_t *pt) /* out - address for plaintext */
+{
+ NTRU_ENCRYPT_PARAM_SET *params = NULL;
+ uint8_t const *privkey_packed = NULL;
+ uint8_t const *pubkey_packed = NULL;
+ uint8_t privkey_pack_type = 0x00;
+ uint8_t pubkey_pack_type = 0x00;
+ size_t scratch_buf_len;
+ uint32_t dF_r;
+ uint32_t dF_r1 = 0;
+ uint32_t dF_r2 = 0;
+ uint32_t dF_r3 = 0;
+ uint16_t ring_mult_tmp_len;
+ int16_t m1 = 0;
+ uint16_t *scratch_buf = NULL;
+ uint16_t *ringel_buf1 = NULL;
+ uint16_t *ringel_buf2 = NULL;
+ uint16_t *i_buf = NULL;
+ uint8_t *m_buf = NULL;
+ uint8_t *tmp_buf = NULL;
+ uint8_t *Mtrin_buf = NULL;
+ uint8_t *M_buf = NULL;
+ uint8_t *ptr = NULL;
+ hash_algorithm_t hash_algid;
+ uint16_t cmprime_len;
+ uint16_t mod_q_mask;
+ uint16_t q_mod_p;
+ uint16_t cm_len = 0;
+ uint16_t num_zeros;
+ uint16_t i;
+ bool decryption_ok = TRUE;
+ uint32_t result = NTRU_OK;
+ ntru_trits_t *mask;
+ uint8_t *mask_trits;
+ chunk_t seed;
+ ntru_poly_t *F_poly, *r_poly;
+
+ /* check for bad parameters */
+ if (!privkey_blob || !ct || !pt_len)
+ {
+ return NTRU_BAD_PARAMETER;
+ }
+ if ((privkey_blob_len == 0) || (ct_len == 0))
+ {
+ return NTRU_BAD_LENGTH;
+ }
+
+ /* get a pointer to the parameter-set parameters, the packing types for
+ * the public and private keys, and pointers to the packed public and
+ * private keys
+ */
+
+ if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */,
+ privkey_blob_len,
+ privkey_blob, &pubkey_pack_type,
+ &privkey_pack_type, &params,
+ &pubkey_packed, &privkey_packed))
+ {
+ return NTRU_BAD_PRIVATE_KEY;
+ }
+
+ /* return the max plaintext size if requested */
+
+ if (!pt)
+ {
+ *pt_len = params->m_len_max;
+ return NTRU_OK;
+ }
+
+ /* cannot check the plaintext buffer size until after the plaintext
+ * is derived, if we allow plaintext buffers only as large as the
+ * actual plaintext
+ */
+
+ /* check the ciphertext length */
+
+ if (ct_len != (params->N * params->q_bits + 7) >> 3)
+ {
+ return NTRU_BAD_LENGTH;
+ }
+
+ /* allocate memory for all operations */
+
+ if (params->is_product_form)
+ {
+ ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
+ dF_r1 = params->dF_r & 0xff;
+ dF_r2 = (params->dF_r >> 8) & 0xff;
+ dF_r3 = (params->dF_r >> 16) & 0xff;
+ dF_r = dF_r1 + dF_r2 + dF_r3;
+ } else {
+ ring_mult_tmp_len = params->N; /* N 16-bit word buffer */
+ dF_r = params->dF_r;
+ }
+ scratch_buf_len = (ring_mult_tmp_len << 1) +
+ /* X-byte temp buf for ring mult and
+ other intermediate results */
+ (params->N << 2) + /* 2 2N-byte bufs for ring elements
+ and overflow from temp buffer */
+ (dF_r << 2) + /* buffer for F, r indices */
+ params->m_len_max; /* buffer for plaintext */
+ scratch_buf = malloc(scratch_buf_len);
+ if (!scratch_buf)
+ {
+ return NTRU_OUT_OF_MEMORY;
+ }
+ ringel_buf1 = scratch_buf + ring_mult_tmp_len;
+ ringel_buf2 = ringel_buf1 + params->N;
+ i_buf = ringel_buf2 + params->N;
+ m_buf = (uint8_t *)(i_buf + (dF_r << 1));
+ tmp_buf = (uint8_t *)scratch_buf;
+ Mtrin_buf = (uint8_t *)ringel_buf1;
+ M_buf = Mtrin_buf + params->N;
+
+ /* set hash algorithm based on security strength */
+ hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
+
+ /* set constants */
+ mod_q_mask = params->q - 1;
+ q_mod_p = params->q % 3;
+
+ /* unpack the ciphertext */
+ ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2);
+
+ /* unpack the private key */
+ if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS)
+ {
+ ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf,
+ i_buf + dF_r);
+
+ }
+ else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES)
+ {
+ ntru_octets_2_elements(
+ (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3,
+ privkey_packed, params->N_bits, i_buf);
+
+ }
+ else
+ {
+ assert(FALSE);
+ }
+
+ /* form cm':
+ * F * e
+ * A = e * (1 + pF) mod q = e + pFe mod q
+ * a = A in the range [-q/2, q/2)
+ * cm' = a mod p
+ */
+ F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q,
+ params->dF_r, params->dF_r,
+ params->is_product_form);
+ F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1);
+ F_poly->destroy(F_poly);
+
+ cmprime_len = params->N;
+ if (params->is_product_form)
+ {
+ --cmprime_len;
+ for (i = 0; i < cmprime_len; i++)
+ {
+ ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
+ if (ringel_buf1[i] >= (params->q >> 1))
+ {
+ ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
+ }
+ Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
+ if (Mtrin_buf[i] == 1)
+ {
+ ++m1;
+ }
+ else if (Mtrin_buf[i] == 2)
+ {
+ --m1;
+ }
+ }
+ }
+ else
+ {
+ for (i = 0; i < cmprime_len; i++)
+ {
+ ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
+ if (ringel_buf1[i] >= (params->q >> 1))
+ {
+ ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
+ }
+ Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
+ }
+ }
+
+ /* check that the candidate message representative meets minimum weight
+ * requirements
+ */
+
+ if (params->is_product_form)
+ {
+ decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) :
+ (bool)( m1 <= params->min_msg_rep_wt);
+ }
+ else
+ {
+ decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf,
+ params->min_msg_rep_wt);
+ }
+
+ /* form cR = e - cm' mod q */
+ for (i = 0; i < cmprime_len; i++)
+ {
+ if (Mtrin_buf[i] == 1)
+ {
+ ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask;
+ }
+ else if (Mtrin_buf[i] == 2)
+ {
+ ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask;
+ }
+ }
+ if (params->is_product_form)
+ {
+ ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask;
+ }
+
+ /* form cR mod 4 */
+ ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf);
+
+ /* form mask */
+ seed = chunk_create(tmp_buf, (params->N + 3)/4);
+ mask = ntru_trits_create(params->N, hash_algid, seed);
+ if (!mask)
+ {
+ result = NTRU_MGF1_FAIL;
+ }
+ else
+ {
+ mask_trits = mask->get_trits(mask);
+
+ /* form cMtrin by subtracting mask from cm', mod p */
+ for (i = 0; i < cmprime_len; i++)
+ {
+ Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i];
+ if (Mtrin_buf[i] >= 3)
+ {
+ Mtrin_buf[i] += 3;
+ }
+ }
+ mask->destroy(mask);
+
+ if (params->is_product_form)
+
+ /* set the last trit to zero since that's what it was, and
+ * because it can't be calculated from (cm' - mask) since
+ * we don't have the correct value for the last cm' trit
+ */
+
+ Mtrin_buf[i] = 0;
+
+ /* convert cMtrin to cM (Mtrin to Mbin) */
+
+ if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf))
+ decryption_ok = FALSE;
+
+ /* validate the padded message cM and copy cm to m_buf */
+
+ ptr = M_buf + params->sec_strength_len;
+ if (params->m_len_len == 2)
+ cm_len = (uint16_t)(*ptr++) << 16;
+ cm_len |= (uint16_t)(*ptr++);
+ if (cm_len > params->m_len_max) {
+ cm_len = params->m_len_max;
+ decryption_ok = FALSE;
+ }
+ memcpy(m_buf, ptr, cm_len);
+ ptr += cm_len;
+ num_zeros = params->m_len_max - cm_len + 1;
+ for (i = 0; i < num_zeros; i++) {
+ if (ptr[i] != 0)
+ decryption_ok = FALSE;
+ }
+
+ /* form sData (OID || m || b || hTrunc) */
+
+ ptr = tmp_buf;
+ memcpy(ptr, params->OID, 3);
+ ptr += 3;
+ memcpy(ptr, m_buf, cm_len);
+ ptr += cm_len;
+ memcpy(ptr, M_buf, params->sec_strength_len);
+ ptr += params->sec_strength_len;
+ memcpy(ptr, pubkey_packed, params->sec_strength_len);
+ ptr += params->sec_strength_len;
+
+ /* generate cr */
+ DBG2(DBG_LIB, "generate polynomial r");
+
+ seed = chunk_create(tmp_buf, ptr - tmp_buf);
+ r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+ params->N, params->q,
+ params->dF_r, params->dF_r,
+ params->is_product_form);
+ if (!r_poly)
+ {
+ result = NTRU_MGF1_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+ /* unpack the public key */
+ {
+ uint16_t pubkey_packed_len;
+
+ assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
+ pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
+ ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
+ params->q_bits, ringel_buf1);
+ }
+
+ /* form cR' = h * cr */
+ r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1);
+ r_poly->destroy(r_poly);
+
+ /* compare cR' to cR */
+ for (i = 0; i < params->N; i++)
+ {
+ if (ringel_buf1[i] != ringel_buf2[i])
+ {
+ decryption_ok = FALSE;
+ }
+ }
+
+ /* output plaintext and plaintext length */
+ if (decryption_ok)
+ {
+ if (*pt_len < cm_len)
+ {
+ return NTRU_BUFFER_TOO_SMALL;
+ }
+ memcpy(pt, m_buf, cm_len);
+ *pt_len = cm_len;
+ }
+ }
+
+ /* cleanup */
+ memset(scratch_buf, 0, scratch_buf_len);
+ free(scratch_buf);
+
+ if (!decryption_ok)
+ {
+ return NTRU_FAIL;
+ }
+
+ return result;
+}
+
+
+/* ntru_crypto_ntru_encrypt_keygen
+ *
+ * Implements key generation for NTRUEncrypt for the parameter set specified.
+ *
+ * The required minimum size of the output public-key buffer (pubkey_blob)
+ * may be queried by invoking this function with pubkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
+ *
+ * The required minimum size of the output private-key buffer (privkey_blob)
+ * may be queried by invoking this function with privkey_blob = NULL.
+ * In this case, no key generation is performed, NTRU_OK is returned, and
+ * the required minimum size for privkey_blob is returned in privkey_blob_len.
+ *
+ * The required minimum sizes of both pubkey_blob and privkey_blob may be
+ * queried as described above, in a single invocation of this function.
+ *
+ * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
+ * *pubkey_blob_len must be the size of the pubkey_blob buffer and
+ * *privkey_blob_len must be the size of the privkey_blob buffer.
+ * Upon return, *pubkey_blob_len is the actual size of the public-key blob
+ * and *privkey_blob_len is the actual size of the private-key blob.
+ *
+ * Returns NTRU_OK if successful.
+ * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or
+ * privkey_blob) is NULL.
+ * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
+ * Returns NTRU_BAD_LENGTH if a length argument is invalid.
+ * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
+ * privkey_blob buffer is too small.
+ * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
+ * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
+ * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
+ * Should this occur, this function should simply be invoked again.
+ */
+
+uint32_t
+ntru_crypto_ntru_encrypt_keygen(
+ ntru_drbg_t *drbg, /* in - handle of DRBG */
+ NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
+ uint16_t *pubkey_blob_len, /* in/out - no. of octets in
+ pubkey_blob, addr
+ for no. of octets
+ in pubkey_blob */
+ uint8_t *pubkey_blob, /* out - address for
+ public key blob */
+ uint16_t *privkey_blob_len, /* in/out - no. of octets in
+ privkey_blob, addr
+ for no. of octets
+ in privkey_blob */
+ uint8_t *privkey_blob) /* out - address for
+ private key blob */
+{
+ NTRU_ENCRYPT_PARAM_SET *params = NULL;
+ uint16_t public_key_blob_len;
+ uint16_t private_key_blob_len;
+ uint8_t pubkey_pack_type;
+ uint8_t privkey_pack_type;
+ size_t scratch_buf_len;
+ uint32_t dF;
+ uint32_t dF1 = 0;
+ uint32_t dF2 = 0;
+ uint32_t dF3 = 0;
+ uint16_t *scratch_buf = NULL;
+ uint16_t *ringel_buf1 = NULL;
+ uint16_t *ringel_buf2 = NULL;
+ uint8_t *tmp_buf = NULL;
+ uint16_t mod_q_mask;
+ hash_algorithm_t hash_algid;
+ uint16_t seed_len;
+ chunk_t seed;
+ uint32_t result = NTRU_OK;
+ ntru_poly_t *F_poly = NULL;
+ ntru_poly_t *g_poly = NULL;
+ uint16_t *F_indices;
+
+ /* get a pointer to the parameter-set parameters */
+
+ if ((params = ntru_encrypt_get_params_with_id(param_set_id)) == NULL)
+ {
+ return NTRU_INVALID_PARAMETER_SET;
+ }
+
+ /* check for bad parameters */
+
+ if (!pubkey_blob_len || !privkey_blob_len)
+ {
+ return NTRU_BAD_PARAMETER;
+ }
+
+ /* get public and private key packing types and blob lengths */
+
+ ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type,
+ &public_key_blob_len,
+ &privkey_pack_type,
+ &private_key_blob_len);
+
+ /* return the pubkey_blob size and/or privkey_blob size if requested */
+
+ if (!pubkey_blob || !privkey_blob)
+ {
+ if (!pubkey_blob)
+ *pubkey_blob_len = public_key_blob_len;
+ if (!privkey_blob)
+ *privkey_blob_len = private_key_blob_len;
+ return NTRU_OK;
+ }
+
+ /* check size of output buffers */
+
+ if ((*pubkey_blob_len < public_key_blob_len) ||
+ (*privkey_blob_len < private_key_blob_len))
+ {
+ return NTRU_BUFFER_TOO_SMALL;
+ }
+
+ /* allocate memory for all operations */
+ if (params->is_product_form) {
+ dF1 = params->dF_r & 0xff;
+ dF2 = (params->dF_r >> 8) & 0xff;
+ dF3 = (params->dF_r >> 16) & 0xff;
+ dF = dF1 + dF2 + dF3;
+ } else {
+ dF = params->dF_r;
+ }
+
+ scratch_buf_len = (params->N * 8) + /* 4N-byte temp buffer for ring inv
+ and other intermediate results,
+ 2N-byte buffer for f, g indices
+ and overflow from temp buffer,
+ 2N-byte buffer for f^-1 */
+ (dF << 2); /* buffer for F indices */
+ scratch_buf = malloc(scratch_buf_len);
+ if (!scratch_buf)
+ {
+ return NTRU_OUT_OF_MEMORY;
+ }
+ ringel_buf1 = scratch_buf + (params->N << 1);
+ ringel_buf2 = ringel_buf1 + params->N;
+ tmp_buf = (uint8_t *)scratch_buf;
+
+ /* set hash algorithm and seed length based on security strength */
+ if (params->sec_strength_len <= 20)
+ {
+ hash_algid = HASH_SHA1;
+ }
+ else
+ {
+ hash_algid = HASH_SHA256;
+ }
+ seed_len = params->sec_strength_len + 8;
+
+ /* set constants */
+
+ mod_q_mask = params->q - 1;
+
+ /* get random bytes for seed for generating trinary F
+ * as a list of indices
+ */
+
+ if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+ seed_len, tmp_buf))
+ {
+ result = NTRU_OK;
+ }
+ else
+ {
+ result = NTRU_DRBG_FAIL;
+ }
+
+ if (result == NTRU_OK)
+ {
+ DBG2(DBG_LIB, "generate polynomial F");
+
+ seed = chunk_create(tmp_buf, seed_len);
+ F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+ params->N, params->q,
+ params->dF_r, params->dF_r,
+ params->is_product_form);
+ if (!F_poly)
+ {
+ result = NTRU_MGF1_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+ int i;
+
+ F_poly->get_array(F_poly, ringel_buf1);
+
+ /* form f = 1 + pF */
+ for (i = 0; i < params->N; i++)
+ {
+ ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask;
+ }
+ ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask;
+
+ /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
+ if (!ntru_ring_inv(ringel_buf1, params->N, params->q,
+ scratch_buf, ringel_buf2))
+ {
+ result = NTRU_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+
+ /* get random bytes for seed for generating trinary polynomial g
+ * as a list of indices
+ */
+ if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+ seed_len, tmp_buf))
+ {
+ result = NTRU_DRBG_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+ DBG2(DBG_LIB, "generate polynomial g");
+
+ seed = chunk_create(tmp_buf, seed_len);
+ g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+ params->N, params->q,
+ params->dg + 1, params->dg, FALSE);
+ if (!g_poly)
+ {
+ result = NTRU_MGF1_FAIL;
+ }
+ }
+
+ if (result == NTRU_OK)
+ {
+ uint16_t i;
+
+ /* compute h = p * (f^-1 * g) mod q */
+ g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2);
+ g_poly->destroy(g_poly);
+
+ for (i = 0; i < params->N; i++)
+ {
+ ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask;
+ }
+
+ /* create public key blob */
+ ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2,
+ pubkey_pack_type,
+ pubkey_blob);
+ *pubkey_blob_len = public_key_blob_len;
+
+ /* create private key blob */
+ F_indices = F_poly->get_indices(F_poly);
+ ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2,
+ F_indices,
+ privkey_pack_type,
+ tmp_buf, privkey_blob);
+ *privkey_blob_len = private_key_blob_len;
+ }
+
+ /* cleanup */
+ DESTROY_IF(F_poly);
+ memset(scratch_buf, 0, scratch_buf_len);
+ free(scratch_buf);
+
+ return result;
+}
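Review bot: In ntru_crypto_ntru_encrypt the line `msg_rep_good = TRUE;` directly after the weight test overwrites its result, so the do/while never retries and a message representative that fails the `min_msg_rep_wt` check is encrypted anyway. It looks like a debugging leftover and should be dropped, with `m1 = 0;` added at the top of the loop body so that a retry starts from a clean count. In ntru_crypto_ntru_decrypt, `cm_len = (uint16_t)(*ptr++) << 16;` always truncates to zero in the 16-bit `cm_len`, while the encrypt side stores that octet as `pt_len >> 8`, so the shift should be `<< 8`. The `return NTRU_BUFFER_TOO_SMALL;` in the same function leaves before the `memset`/`free` cleanup and leaks a scratch buffer holding the unpacked private-key indices and the recovered plaintext; set `result = NTRU_BUFFER_TOO_SMALL;` instead, do the `memcpy` only in the else branch, and fall through to the cleanup. The result of `ntru_poly_create_from_data()` is also dereferenced without a NULL check, unlike the `ntru_poly_create_from_seed()` calls, and `drbg` is used in both encrypt and keygen without the NULL test the other pointer arguments get.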
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
new file mode 100644
index 000000000..90baaadf3
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
@@ -0,0 +1,360 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_encrypt_key.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt_key.c
+ *
+ * Contents: Routines for exporting and importing public and private keys
+ * for NTRUEncrypt.
+ *
+ *****************************************************************************/
+
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "ntru_crypto_ntru_encrypt_key.h"
+
+
+/* ntru_crypto_ntru_encrypt_key_parse
+ *
+ * Parses an NTRUEncrypt key blob.
+ * If the blob is not corrupt, returns packing types for public and private
+ * keys, a pointer to the parameter set, a pointer to the public key, and
+ * a pointer to the private key if it exists.
+ *
+ * Returns TRUE if successful.
+ * Returns FALSE if the blob is invalid.
+ */
+
+bool
+ntru_crypto_ntru_encrypt_key_parse(
+ bool pubkey_parse, /* in - if parsing pubkey
+ blob */
+ uint16_t key_blob_len, /* in - no. octets in key
+ blob */
+ uint8_t const *key_blob, /* in - pointer to key blob */
+ uint8_t *pubkey_pack_type, /* out - addr for pubkey
+ packing type */
+ uint8_t *privkey_pack_type, /* out - addr for privkey
+ packing type */
+ NTRU_ENCRYPT_PARAM_SET **params, /* out - addr for ptr to
+ parameter set */
+ uint8_t const **pubkey, /* out - addr for ptr to
+ packed pubkey */
+ uint8_t const **privkey) /* out - addr for ptr to
+ packed privkey */
+{
+ uint8_t tag;
+
+ assert(key_blob_len);
+ assert(key_blob);
+ assert(pubkey_pack_type);
+ assert(params);
+ assert(pubkey);
+
+ /* parse key blob based on tag */
+
+ tag = key_blob[0];
+ switch (tag) {
+ case NTRU_ENCRYPT_PUBKEY_TAG:
+ if (!pubkey_parse)
+ return FALSE;
+ break;
+ case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
+ case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
+ case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+ assert(privkey_pack_type);
+ assert(privkey);
+ if (pubkey_parse)
+ return FALSE;
+ break;
+ default:
+ return FALSE;
+ }
+
+ switch (tag) {
+ case NTRU_ENCRYPT_PUBKEY_TAG:
+ case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
+ case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
+ case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+
+ /* Version 0:
+ * byte 0: tag
+ * byte 1: no. of octets in OID
+ * bytes 2-4: OID
+ * bytes 5- : packed pubkey
+ * [packed privkey]
+ */
+
+ {
+ NTRU_ENCRYPT_PARAM_SET *p = NULL;
+ uint16_t pubkey_packed_len;
+
+ /* check OID length and minimum blob length for tag and OID */
+
+ if ((key_blob_len < 5) || (key_blob[1] != 3))
+ return FALSE;
+
+ /* get a pointer to the parameter set corresponding to the OID */
+
+ if ((p = ntru_encrypt_get_params_with_OID(key_blob + 2)) == NULL)
+ return FALSE;
+
+ /* check blob length and assign pointers to blob fields */
+
+ pubkey_packed_len = (p->N * p->q_bits + 7) / 8;
+ if (pubkey_parse) { /* public-key parsing */
+ if (key_blob_len != 5 + pubkey_packed_len)
+ return FALSE;
+
+ *pubkey = key_blob + 5;
+
+ } else { /* private-key parsing */
+ uint16_t privkey_packed_len;
+ uint16_t privkey_packed_trits_len = (p->N + 4) / 5;
+ uint16_t privkey_packed_indices_len;
+ uint16_t dF;
+
+ /* check packing type for product-form private keys */
+
+ if (p->is_product_form &&
+ (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG))
+ return FALSE;
+
+ /* set packed-key length for packed indices */
+
+ if (p->is_product_form)
+ dF = (uint16_t)( (p->dF_r & 0xff) + /* df1 */
+ ((p->dF_r >> 8) & 0xff) + /* df2 */
+ ((p->dF_r >> 16) & 0xff)); /* df3 */
+ else
+ dF = (uint16_t)p->dF_r;
+ privkey_packed_indices_len = ((dF << 1) * p->N_bits + 7) >> 3;
+
+ /* set private-key packing type if defaulted */
+
+ if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) {
+ if (p->is_product_form ||
+ (privkey_packed_indices_len <=
+ privkey_packed_trits_len))
+ tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG;
+ else
+ tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG;
+ }
+
+ if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)
+ privkey_packed_len = privkey_packed_trits_len;
+ else
+ privkey_packed_len = privkey_packed_indices_len;
+
+ if (key_blob_len != 5 + pubkey_packed_len + privkey_packed_len)
+ return FALSE;
+
+ *pubkey = key_blob + 5;
+ *privkey = *pubkey + pubkey_packed_len;
+ *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ?
+ NTRU_ENCRYPT_KEY_PACKED_TRITS :
+ NTRU_ENCRYPT_KEY_PACKED_INDICES;
+ }
+
+ /* return parameter set pointer */
+
+ *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
+ *params = p;
+ }
+ default:
+ break; /* can't get here */
+ }
+ return TRUE;
+}
+
+
+/* ntru_crypto_ntru_encrypt_key_get_blob_params
+ *
+ * Returns public and private key packing types and blob lengths given
+ * a packing format. For now, only a default packing format exists.
+ *
+ * Only public-key params may be returned by setting privkey_pack_type
+ * and privkey_blob_len to NULL.
+ */
+
+void
+ntru_crypto_ntru_encrypt_key_get_blob_params(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint8_t *pubkey_pack_type, /* out - addr for pubkey
+ packing type */
+ uint16_t *pubkey_blob_len, /* out - addr for no. of
+ bytes in
+ pubkey blob */
+ uint8_t *privkey_pack_type, /* out - addr for privkey
+ packing type */
+ uint16_t *privkey_blob_len) /* out - addr for no. of
+ bytes in
+ privkey blob */
+{
+ uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
+
+ assert(params);
+ assert(pubkey_pack_type);
+ assert(pubkey_blob_len);
+
+ *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
+ *pubkey_blob_len = 5 + pubkey_packed_len;
+
+ if (privkey_pack_type && privkey_blob_len) {
+ uint16_t privkey_packed_trits_len = (params->N + 4) / 5;
+ uint16_t privkey_packed_indices_len;
+ uint16_t dF;
+
+ if (params->is_product_form)
+ dF = (uint16_t)( (params->dF_r & 0xff) + /* df1 */
+ ((params->dF_r >> 8) & 0xff) + /* df2 */
+ ((params->dF_r >> 16) & 0xff)); /* df3 */
+ else
+ dF = (uint16_t)params->dF_r;
+ privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3;
+
+ if (params->is_product_form ||
+ (privkey_packed_indices_len <= privkey_packed_trits_len)) {
+ *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES;
+ *privkey_blob_len =
+ 5 + pubkey_packed_len + privkey_packed_indices_len;
+ } else {
+ *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS;
+ *privkey_blob_len =
+ 5 + pubkey_packed_len + privkey_packed_trits_len;
+ }
+ }
+}
+
+
+/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
+ *
+ * Returns a public key blob, packed according to the packing type provided.
+ */
+
+void
+ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint16_t const *pubkey, /* in - pointer to the
+ coefficients
+ of the pubkey */
+ uint8_t pubkey_pack_type, /* out - pubkey packing
+ type */
+ uint8_t *pubkey_blob) /* out - addr for the
+ pubkey blob */
+{
+ assert(params);
+ assert(pubkey);
+ assert(pubkey_blob);
+
+ switch (pubkey_pack_type) {
+ case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS:
+ *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG;
+ *pubkey_blob++ = (uint8_t)sizeof(params->OID);
+ memcpy(pubkey_blob, params->OID, sizeof(params->OID));
+ pubkey_blob += sizeof(params->OID);
+ ntru_elements_2_octets(params->N, pubkey, params->q_bits,
+ pubkey_blob);
+ break;
+ default:
+ assert(FALSE);
+ }
+}
+
+
+/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
+ *
+ * Returns a private key blob, packed according to the packing type provided.
+ */
+
+void
+ntru_crypto_ntru_encrypt_key_create_privkey_blob(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint16_t const *pubkey, /* in - pointer to the
+ coefficients
+ of the pubkey */
+ uint16_t const *privkey, /* in - pointer to the
+ indices of the
+ privkey */
+ uint8_t privkey_pack_type, /* in - privkey packing
+ type */
+ uint8_t *buf, /* in - temp, N bytes */
+ uint8_t *privkey_blob) /* out - addr for the
+ privkey blob */
+{
+ assert(params);
+ assert(pubkey);
+ assert(privkey);
+ assert(privkey_blob);
+
+ switch (privkey_pack_type) {
+ case NTRU_ENCRYPT_KEY_PACKED_TRITS:
+ case NTRU_ENCRYPT_KEY_PACKED_INDICES:
+
+ /* format header and packed public key */
+
+ *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG;
+ *privkey_blob++ = (uint8_t)sizeof(params->OID);
+ memcpy(privkey_blob, params->OID, sizeof(params->OID));
+ privkey_blob += sizeof(params->OID);
+ ntru_elements_2_octets(params->N, pubkey, params->q_bits,
+ privkey_blob);
+ privkey_blob += (params->N * params->q_bits + 7) >> 3;
+
+ /* add packed private key */
+
+ if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) {
+ ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r,
+ (uint16_t)params->dF_r,
+ params->N, buf, privkey_blob);
+ } else {
+ uint32_t dF;
+
+ if (params->is_product_form) {
+ dF = (params->dF_r & 0xff) +
+ ((params->dF_r >> 8) & 0xff) +
+ ((params->dF_r >> 16) & 0xff);
+ } else {
+ dF = params->dF_r;
+ }
+ ntru_elements_2_octets((uint16_t)dF << 1, privkey,
+ params->N_bits, privkey_blob);
+ }
+ break;
+ default:
+ assert(FALSE);
+ break;
+ }
+}
+
+
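Review bot: In `ntru_crypto_ntru_encrypt_key_parse` the only guards ahead of `tag = key_blob[0];` are `assert(key_blob_len)` and `assert(key_blob)`, so if the build defines NDEBUG an empty or NULL blob is read before the `key_blob_len < 5` test further down is reached. Because this routine decides whether a blob is acceptable, the rejection should be a runtime check placed before the first read, for example `if (!key_blob || key_blob_len < 5) return FALSE;`. The output pointers `privkey_pack_type` and `privkey` are likewise only asserted inside the private-key tags and would be written through unchecked in such a build. In `ntru_crypto_ntru_encrypt_key_get_blob_params` the initializer of `pubkey_packed_len` dereferences `params->N` before `assert(params)` runs, so the assert can never catch a NULL argument; declare the variable first and compute it after the asserts. `ntru_crypto_ntru_encrypt_key_create_privkey_blob` passes `buf` to `ntru_indices_2_packed_trits` without the NULL assert that the other pointer arguments get.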
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
new file mode 100644
index 000000000..6734f2a4c
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
@@ -0,0 +1,167 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_cencrypt_key.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+
+#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
+#define NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
+
+#include "ntru_crypto_ntru_convert.h"
+#include "ntru_crypto_ntru_encrypt_param_sets.h"
+
+
+/* key-blob definitions */
+
+#define NTRU_ENCRYPT_PUBKEY_TAG 0x01
+#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG 0x02
+#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG 0xfe
+#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG 0xff
+
+/* packing types */
+
+#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS 0x01
+#define NTRU_ENCRYPT_KEY_PACKED_INDICES 0x02
+#define NTRU_ENCRYPT_KEY_PACKED_TRITS 0x03
+
+/* function declarations */
+
+
+/* ntru_crypto_ntru_encrypt_key_parse
+ *
+ * Parses an NTRUEncrypt key blob.
+ * If the blob is not corrupt, returns packing types for public and private
+ * keys, a pointer to the parameter set, a pointer to the public key, and
+ * a pointer to the private key if it exists.
+ *
+ * Returns TRUE if successful.
+ * Returns FALSE if the blob is invalid.
+ */
+
+extern bool
+ntru_crypto_ntru_encrypt_key_parse(
+ bool pubkey_parse, /* in - if parsing pubkey
+ blob */
+ uint16_t key_blob_len, /* in - no. octets in key
+ blob */
+ uint8_t const *key_blob, /* in - pointer to key blob */
+ uint8_t *pubkey_pack_type, /* out - addr for pubkey
+ packing type */
+ uint8_t *privkey_pack_type, /* out - addr for privkey
+ packing type */
+ NTRU_ENCRYPT_PARAM_SET **params, /* out - addr for ptr to
+ parameter set */
+ uint8_t const **pubkey, /* out - addr for ptr to
+ packed pubkey */
+ uint8_t const **privkey); /* out - addr for ptr to
+ packed privkey */
+
+
+/* ntru_crypto_ntru_encrypt_key_get_blob_params
+ *
+ * Returns public and private key packing types and blob lengths given
+ * a packing format. For now, only a default packing format exists.
+ *
+ * Only public-key params may be returned by setting privkey_pack_type
+ * and privkey_blob_len to NULL.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_get_blob_params(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint8_t *pubkey_pack_type, /* out - addr for pubkey
+ packing type */
+ uint16_t *pubkey_blob_len, /* out - addr for no. of
+ bytes in
+ pubkey blob */
+ uint8_t *privkey_pack_type, /* out - addr for privkey
+ packing type */
+ uint16_t *privkey_blob_len); /* out - addr for no. of
+ bytes in
+ privkey blob */
+
+
+/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
+ *
+ * Returns a public key blob, packed according to the packing type provided.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint16_t const *pubkey, /* in - pointer to the
+ coefficients
+ of the pubkey */
+ uint8_t pubkey_pack_type, /* out - addr for pubkey
+ packing type */
+ uint8_t *pubkey_blob); /* out - addr for the
+ pubkey blob */
+
+
+/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob
+ *
+ * Returns a public key blob, recreated from an already-packed public key.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint16_t packed_pubkey_len, /* in - no. octets in
+ packed pubkey */
+ uint8_t const *packed_pubkey, /* in - pointer to the
+ packed pubkey */
+ uint8_t pubkey_pack_type, /* out - pubkey packing
+ type */
+ uint8_t *pubkey_blob); /* out - addr for the
+ pubkey blob */
+
+
+/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
+ *
+ * Returns a privlic key blob, packed according to the packing type provided.
+ */
+
+extern void
+ntru_crypto_ntru_encrypt_key_create_privkey_blob(
+ NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to
+ param set
+ parameters */
+ uint16_t const *pubkey, /* in - pointer to the
+ coefficients
+ of the pubkey */
+ uint16_t const *privkey, /* in - pointer to the
+ indices of the
+ privkey */
+ uint8_t privkey_pack_type, /* in - privkey packing
+ type */
+ uint8_t *buf, /* in - temp, N bytes */
+ uint8_t *privkey_blob); /* out - addr for the
+ privkey blob */
+
+
+#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */
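Review bot: `ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob` is declared here, but the ntru_crypto_ntru_encrypt_key.c added in the same commit defines only the parse, get_blob_params, create_pubkey_blob and create_privkey_blob routines. Unless a definition lives in another file, the prototype should be removed so that a future caller does not compile cleanly and then fail at link time. The comment on `pubkey_pack_type` in the `ntru_crypto_ntru_encrypt_key_create_pubkey_blob` prototype reads `out - addr for pubkey packing type`, yet the argument is passed by value and only read, so it should say `in - pubkey packing type`. Two typos are worth fixing while here: the banner names the file `ntru_crypto_ntru_cencrypt_key.h`, and the create_privkey_blob comment says `privlic key blob`.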
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
new file mode 100644
index 000000000..5ddf91d2a
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
@@ -0,0 +1,384 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_param_sets.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt_param_sets.c
+ *
+ * Contents: Defines the NTRUEncrypt parameter sets.
+ *
+ *****************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include "ntru_crypto_ntru_encrypt_param_sets.h"
+
+
+/* parameter sets */
+
+static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
+
+ {
+ NTRU_EES401EP1, /* parameter-set id */
+ {0x00, 0x02, 0x04}, /* OID */
+ 0x22, /* DER id */
+ 9, /* no. of bits in N (i.e., in an index) */
+ 401, /* N */
+ 14, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 113, /* df, dr */
+ 133, /* dg */
+ 60, /* maxMsgLenBytes */
+ 113, /* dm0 */
+ 11, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES449EP1, /* parameter-set id */
+ {0x00, 0x03, 0x03}, /* OID */
+ 0x23, /* DER id */
+ 9, /* no. of bits in N (i.e., in an index) */
+ 449, /* N */
+ 16, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 134, /* df, dr */
+ 149, /* dg */
+ 67, /* maxMsgLenBytes */
+ 134, /* dm0 */
+ 9, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES677EP1, /* parameter-set id */
+ {0x00, 0x05, 0x03}, /* OID */
+ 0x24, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 677, /* N */
+ 24, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 157, /* df, dr */
+ 225, /* dg */
+ 101, /* maxMsgLenBytes */
+ 157, /* dm0 */
+ 11, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES1087EP2, /* parameter-set id */
+ {0x00, 0x06, 0x03}, /* OID */
+ 0x25, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 1087, /* N */
+ 32, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 120, /* df, dr */
+ 362, /* dg */
+ 170, /* maxMsgLenBytes */
+ 120, /* dm0 */
+ 13, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES541EP1, /* parameter-set id */
+ {0x00, 0x02, 0x05}, /* OID */
+ 0x26, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 541, /* N */
+ 14, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 49, /* df, dr */
+ 180, /* dg */
+ 86, /* maxMsgLenBytes */
+ 49, /* dm0 */
+ 12, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES613EP1, /* parameter-set id */
+ {0x00, 0x03, 0x04}, /* OID */
+ 0x27, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 613, /* N */
+ 16, /* securuity strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 55, /* df, dr */
+ 204, /* dg */
+ 97, /* maxMsgLenBytes */
+ 55, /* dm0 */
+ 11, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES887EP1, /* parameter-set id */
+ {0x00, 0x05, 0x04}, /* OID */
+ 0x28, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 887, /* N */
+ 24, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 81, /* df, dr */
+ 295, /* dg */
+ 141, /* maxMsgLenBytes */
+ 81, /* dm0 */
+ 10, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES1171EP1, /* parameter-set id */
+ {0x00, 0x06, 0x04}, /* OID */
+ 0x29, /* DER id */
+ 11, /* no. of bits in N (i.e., in an index) */
+ 1171, /* N */
+ 32, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 106, /* df, dr */
+ 390, /* dg */
+ 186, /* maxMsgLenBytes */
+ 106, /* dm0 */
+ 12, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES659EP1, /* parameter-set id */
+ {0x00, 0x02, 0x06}, /* OID */
+ 0x2a, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 659, /* N */
+ 14, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 38, /* df, dr */
+ 219, /* dg */
+ 108, /* maxMsgLenBytes */
+ 38, /* dm0 */
+ 11, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES761EP1, /* parameter-set id */
+ {0x00, 0x03, 0x05}, /* OID */
+ 0x2b, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 761, /* N */
+ 16, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 42, /* df, dr */
+ 253, /* dg */
+ 125, /* maxMsgLenBytes */
+ 42, /* dm0 */
+ 12, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES1087EP1, /* parameter-set id */
+ {0x00, 0x05, 0x05}, /* OID */
+ 0x2c, /* DER id */
+ 11, /* no. of bits in N (i.e., in an index) */
+ 1087, /* N */
+ 24, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 63, /* df, dr */
+ 362, /* dg */
+ 178, /* maxMsgLenBytes */
+ 63, /* dm0 */
+ 13, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES1499EP1, /* parameter-set id */
+ {0x00, 0x06, 0x05}, /* OID */
+ 0x2d, /* DER id */
+ 11, /* no. of bits in N (i.e., in an index) */
+ 1499, /* N */
+ 32, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ FALSE, /* product form */
+ 79, /* df, dr */
+ 499, /* dg */
+ 247, /* maxMsgLenBytes */
+ 79, /* dm0 */
+ 13, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES401EP2, /* parameter-set id */
+ {0x00, 0x02, 0x10}, /* OID */
+ 0x2e, /* DER id */
+ 9, /* no. of bits in N (i.e., in an index) */
+ 401, /* N */
+ 14, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ TRUE, /* product form */
+ 8 + (8 << 8) + (6 << 16), /* df, dr */
+ 133, /* dg */
+ 60, /* maxMsgLenBytes */
+ 136, /* m(1)_max */
+ 11, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES439EP1, /* parameter-set id */
+ {0x00, 0x03, 0x10}, /* OID */
+ 0x2f, /* DER id */
+ 9, /* no. of bits in N (i.e., in an index) */
+ 439, /* N */
+ 16, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ TRUE, /* product form */
+ 9 + (8 << 8) + (5 << 16), /* df, dr */
+ 146, /* dg */
+ 65, /* maxMsgLenBytes */
+ 126, /* m(1)_max */
+ 9, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES593EP1, /* parameter-set id */
+ {0x00, 0x05, 0x10}, /* OID */
+ 0x30, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 593, /* N */
+ 24, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ TRUE, /* product form */
+ 10 + (10 << 8) + (8 << 16), /* df, dr */
+ 197, /* dg */
+ 86, /* maxMsgLenBytes */
+ 90, /* m(1)_max */
+ 11, /* c */
+ 1, /* lLen */
+ },
+
+ {
+ NTRU_EES743EP1, /* parameter-set id */
+ {0x00, 0x06, 0x10}, /* OID */
+ 0x31, /* DER id */
+ 10, /* no. of bits in N (i.e., in an index) */
+ 743, /* N */
+ 32, /* security strength in octets */
+ 2048, /* q */
+ 11, /* no. of bits in q (i.e., in a coeff) */
+ TRUE, /* product form */
+ 11 + (11 << 8) + (15 << 16), /* df, dr */
+ 247, /* dg */
+ 106, /* maxMsgLenBytes */
+ 60, /* m(1)_max */
+ 13, /* c */
+ 1, /* lLen */
+ },
+
+};
+
+static size_t numParamSets =
+ sizeof(ntruParamSets)/sizeof(NTRU_ENCRYPT_PARAM_SET);
+
+
+/* functions */
+
+/* ntru_encrypt_get_params_with_id
+ *
+ * Looks up a set of NTRUEncrypt parameters based on the id of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_id(
+ NTRU_ENCRYPT_PARAM_SET_ID id) /* in - parameter-set id */
+{
+ size_t i;
+
+ for (i = 0; i < numParamSets; i++) {
+ if (ntruParamSets[i].id == id) {
+ return &(ntruParamSets[i]);
+ }
+ }
+ return NULL;
+}
+
+
+/* ntru_encrypt_get_params_with_OID
+ *
+ * Looks up a set of NTRUEncrypt parameters based on the OID of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_OID(
+ uint8_t const *oid) /* in - pointer to parameter-set OID */
+{
+ size_t i;
+
+ for (i = 0; i < numParamSets; i++) {
+ if (!memcmp(ntruParamSets[i].OID, oid, 3)) {
+ return &(ntruParamSets[i]);
+ }
+ }
+ return NULL;
+}
+
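Review bot: The `NTRU_EES1087EP2` entry sets the "no. of bits in N" field to `10` while N is 1087, which does not fit in 10 bits; the `NTRU_EES1087EP1` entry with the same N uses `11`. That field is what ntru_crypto_ntru_encrypt_key.c uses as `N_bits` to size and pack private-key indices, so any index of 1024 or above would lose its top bit if this set is ever packed as indices. Please check the value against the parameter-set specification and, if it is a slip, change it to `11, /* no. of bits in N (i.e., in an index) */`. Separately, `ntru_encrypt_get_params_with_OID` compares with a literal `3`; `sizeof(ntruParamSets[i].OID)` would keep the length tied to the struct, and the `securuity` typo in the `NTRU_EES613EP1` comment can be fixed at the same time.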
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
new file mode 100644
index 000000000..e5e977a0e
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
@@ -0,0 +1,101 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_encrypt_param_sets.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_encrypt_param_sets.h
+ *
+ * Contents: Definitions and declarations for the NTRUEncrypt parameter sets.
+ *
+ *****************************************************************************/
+
+#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
+#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
+
+#include "ntru_crypto.h"
+
+/* structures */
+
+typedef struct _NTRU_ENCRYPT_PARAM_SET {
+ NTRU_ENCRYPT_PARAM_SET_ID id; /* parameter-set ID */
+ uint8_t const OID[3]; /* pointer to OID */
+ uint8_t der_id; /* parameter-set DER id */
+ uint8_t N_bits; /* no. of bits in N (i.e. in
+ an index */
+ uint16_t N; /* ring dimension */
+ uint16_t sec_strength_len; /* no. of octets of
+ security strength */
+ uint16_t q; /* big modulus */
+ uint8_t q_bits; /* no. of bits in q (i.e. in
+ a coefficient */
+ bool is_product_form; /* if product form used */
+ uint32_t dF_r; /* no. of 1 or -1 coefficients
+ in ring elements F, r */
+ uint16_t dg; /* no. - 1 of 1 coefficients
+ or no. of -1 coefficients
+ in ring element g */
+ uint16_t m_len_max; /* max no. of plaintext
+ octets */
+ uint16_t min_msg_rep_wt; /* min. message
+ representative weight */
+ uint8_t c_bits; /* no. bits in candidate for
+ deriving an index in
+ IGF-2 */
+ uint8_t m_len_len; /* no. of octets to hold
+ mLenOctets */
+} NTRU_ENCRYPT_PARAM_SET;
+
+
+
+/* function declarations */
+
+/* ntru_encrypt_get_params_with_id
+ *
+ * Looks up a set of NTRU Encrypt parameters based on the id of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+extern NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_id(
+ NTRU_ENCRYPT_PARAM_SET_ID id); /* in - parameter-set id */
+
+
+/* ntru_encrypt_get_params_with_OID
+ *
+ * Looks up a set of NTRU Encrypt parameters based on the OID of the
+ * parameter set.
+ *
+ * Returns a pointer to the parameter set parameters if successful.
+ * Returns NULL if the parameter set cannot be found.
+ */
+
+extern NTRU_ENCRYPT_PARAM_SET *
+ntru_encrypt_get_params_with_OID(
+ uint8_t const *oid); /* in - pointer to parameter-set OID */
+
+#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */
+
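Review bot: The field comments in `NTRU_ENCRYPT_PARAM_SET` do not describe how `dF_r` is encoded for product-form sets. The table in ntru_crypto_ntru_encrypt_param_sets.c stores three counts as `8 + (8 << 8) + (6 << 16)` and the key code unpacks them byte by byte, but a reader of this header cannot tell that from `no. of 1 or -1 coefficients in ring elements F, r`. I would extend it to something like `/* F, r weight; for product form: df1 | df2 << 8 | df3 << 16 */`. In the same way `min_msg_rep_wt` is labelled `dm0` for the standard sets and `m(1)_max` for the product-form sets in that table, which the comment here should mention. Smaller fixes: `OID[3]` is an array, not a `pointer to OID`, and the `N_bits` and `q_bits` comments are missing their closing parenthesis.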
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
new file mode 100644
index 000000000..8e4eede87
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
@@ -0,0 +1,242 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_poly.c is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include "ntru_crypto_ntru_poly.h"
+
+/* ntru_poly_check_min_weight
+ *
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ */
+
+bool
+ntru_poly_check_min_weight(
+ uint16_t num_els, /* in - degree of polynomial */
+ uint8_t *ringels, /* in - pointer to trinary ring elements */
+ uint16_t min_wt) /* in - minimum weight */
+{
+ uint16_t wt[3];
+ uint16_t i;
+
+ wt[0] = wt[1] = wt[2] = 0;
+ for (i = 0; i < num_els; i++) {
+ ++wt[ringels[i]];
+ }
+ if ((wt[0] < min_wt) || (wt[1] < min_wt) || (wt[2] < min_wt)) {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/* ntru_ring_mult_coefficients
+ *
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ */
+
+void
+ntru_ring_mult_coefficients(
+ uint16_t const *a, /* in - pointer to polynomial a */
+ uint16_t const *b, /* in - pointer to polynomial b */
+ uint16_t N, /* in - no. of coefficients in a, b, c */
+ uint16_t q, /* in - large modulus */
+ uint16_t *c) /* out - address for polynomial c */
+{
+ uint16_t const *bptr = b;
+ uint16_t mod_q_mask = q - 1;
+ uint16_t i, k;
+
+ /* c[k] = sum(a[i] * b[k-i]) mod q */
+ memset(c, 0, N * sizeof(uint16_t));
+ for (k = 0; k < N; k++) {
+ i = 0;
+ while (i <= k)
+ c[k] += a[i++] * *bptr--;
+ bptr += N;
+ while (i < N)
+ c[k] += a[i++] * *bptr--;
+ c[k] &= mod_q_mask;
+ ++bptr;
+ }
+}
+
+
+/* ntru_ring_inv
+ *
+ * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ */
+
+bool
+ntru_ring_inv(
+ uint16_t *a, /* in - pointer to polynomial a */
+ uint16_t N, /* in - no. of coefficients in a */
+ uint16_t q, /* in - large modulus */
+ uint16_t *t, /* in - temp buffer of 2N elements */
+ uint16_t *a_inv) /* out - address for polynomial a^-1 */
+{
+ uint8_t *b = (uint8_t *)t; /* b cannot be in a_inv since it must be
+ rotated and copied there as a^-1 mod 2 */
+ uint8_t *c = b + N; /* c cannot be in a_inv since it exchanges
+ with b, and b cannot be in a_inv */
+ uint8_t *f = c + N;
+ uint8_t *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */
+ uint16_t *t2 = t + N;
+ uint16_t deg_b;
+ uint16_t deg_c;
+ uint16_t deg_f;
+ uint16_t deg_g;
+ uint16_t k = 0;
+ bool done = FALSE;
+ uint16_t i, j;
+
+ /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
+ memset(b, 0, (N << 1)); /* clear to init b, c */
+
+ /* b(X) = 1 */
+ b[0] = 1;
+ deg_b = 0;
+
+ /* c(X) = 0 (cleared above) */
+ deg_c = 0;
+
+ /* f(X) = a(X) mod 2 */
+ for (i = 0; i < N; i++)
+ f[i] = (uint8_t)(a[i] & 1);
+ deg_f = N - 1;
+
+ /* g(X) = X^N - 1 */
+ g[0] = 1;
+ memset(g + 1, 0, N - 1);
+ g[N] = 1;
+ deg_g = N;
+
+ /* until f(X) = 1 */
+
+ while (!done)
+ {
+
+ /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
+
+ for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
+ if (i > deg_f)
+ return FALSE;
+ if (i) {
+ f = f + i;
+ deg_f = deg_f - i;
+ deg_c = deg_c + i;
+ for (j = deg_c; j >= i; j--)
+ c[j] = c[j-i];
+ for (j = 0; j < i; j++)
+ c[j] = 0;
+ k = k + i;
+ }
+
+ /* adjust degree of f(X) if the highest coefficients are zero
+ * Note: f[0] = 1 from above so the loop will terminate.
+ */
+
+ while (f[deg_f] == 0)
+ --deg_f;
+
+ /* if f(X) = 1, done
+ * Note: f[0] = 1 from above, so only check the x term and up
+ */
+
+ for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
+ if (i > deg_f) {
+ done = TRUE;
+ break;
+ }
+
+ /* if deg_f < deg_g, f <-> g, b <-> c */
+
+ if (deg_f < deg_g) {
+ uint8_t *x;
+
+ x = f;
+ f = g;
+ g = x;
+ deg_f ^= deg_g;
+ deg_g ^= deg_f;
+ deg_f ^= deg_g;
+ x = b;
+ b = c;
+ c = x;
+ deg_b ^= deg_c;
+ deg_c ^= deg_b;
+ deg_b ^= deg_c;
+ }
+
+ /* f(X) += g(X), b(X) += c(X) */
+
+ for (i = 0; i <= deg_g; i++)
+ f[i] ^= g[i];
+
+ if (deg_c > deg_b)
+ deg_b = deg_c;
+ for (i = 0; i <= deg_c; i++)
+ b[i] ^= c[i];
+ }
+
+ /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
+
+ j = 0;
+ if (k >= N)
+ k = k - N;
+ for (i = k; i < N; i++)
+ a_inv[j++] = (uint16_t)(b[i]);
+ for (i = 0; i < k; i++)
+ a_inv[j++] = (uint16_t)(b[i]);
+
+ /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
+
+ for (j = 0; j < 4; ++j) { /* assumes 256 < q <= 65536 */
+
+ /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
+
+ memcpy(t2, a_inv, N * sizeof(uint16_t));
+ ntru_ring_mult_coefficients(a, t2, N, q, t);
+ for (i = 0; i < N; ++i)
+ t[i] = q - t[i];
+ t[0] = t[0] + 2;
+ ntru_ring_mult_coefficients(t2, t, N, q, a_inv);
+ }
+
+ return TRUE;
+
+
+}
+
+
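Review bot: In ntru_poly_check_min_weight, `++wt[ringels[i]];` indexes the three-element `wt` array with an unchecked `uint8_t`, so any element value above 2 writes past the array on the stack. Whether every caller guarantees trinary values is not visible in this hunk, so the loop should reject them itself, e.g. `if (ringels[i] > 2) return FALSE;` before the increment. The function's header comment should also state that elements must be 0, 1 or 2 and that anything else fails the check.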
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
new file mode 100644
index 000000000..1e9d467ed
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
@@ -0,0 +1,96 @@
+/******************************************************************************
+ * NTRU Cryptography Reference Source Code
+ * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
+ *
+ * ntru_crypto_ntru_poly.h is a component of ntru-crypto.
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *****************************************************************************/
+
+/******************************************************************************
+ *
+ * File: ntru_crypto_ntru_poly.h
+ *
+ * Contents: Public header file for generating and operating on polynomials
+ * in the NTRU algorithm.
+ *
+ *****************************************************************************/
+
+
+#ifndef NTRU_CRYPTO_NTRU_POLY_H
+#define NTRU_CRYPTO_NTRU_POLY_H
+
+
+#include "ntru_crypto.h"
+
+#include <crypto/hashers/hasher.h>
+
+
+/* function declarations */
+
+/* ntru_poly_check_min_weight
+ *
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ */
+
+extern bool
+ntru_poly_check_min_weight(
+ uint16_t num_els, /* in - degree of polynomial */
+ uint8_t *ringels, /* in - pointer to trinary ring elements */
+ uint16_t min_wt); /* in - minimum weight */
+
+/* ntru_ring_mult_coefficients
+ *
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ */
+
+extern void
+ntru_ring_mult_coefficients(
+ uint16_t const *a, /* in - pointer to polynomial a */
+ uint16_t const *b, /* in - pointer to polynomial b */
+ uint16_t N, /* in - no. of coefficients in a, b, c */
+ uint16_t q, /* in - large modulus */
+ uint16_t *c); /* out - address for polynomial c */
+
+
+/* ntru_ring_inv
+ *
+ * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ */
+
+extern bool
+ntru_ring_inv(
+ uint16_t *a, /* in - pointer to polynomial a */
+ uint16_t N, /* in - no. of coefficients in a */
+ uint16_t q, /* in - large modulus */
+ uint16_t *t, /* in - temp buffer of 2N elements */
+ uint16_t *a_inv); /* out - address for polynomial a^-1 */
+
+
+#endif /* NTRU_CRYPTO_NTRU_POLY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c
new file mode 100644
index 000000000..181a58939
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_drbg.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+#define MAX_STRENGTH_BITS 256
+#define MAX_DRBG_REQUESTS 0xfffffffe
+
+typedef struct private_ntru_drbg_t private_ntru_drbg_t;
+
+/**
+ * Private data of an ntru_drbg_t object.
+ */
+struct private_ntru_drbg_t {
+ /**
+ * Public ntru_drbg_t interface.
+ */
+ ntru_drbg_t public;
+
+ /**
+ * Security strength in bits of the DRBG
+ */
+ u_int32_t strength;
+
+ /**
+ * Number of requests for pseudorandom bits
+ */
+ u_int32_t reseed_counter;
+
+ /**
+ * Maximum number of requests for pseudorandom bits
+ */
+ u_int32_t max_requests;
+
+ /**
+ * True entropy source
+ */
+ rng_t *entropy;
+
+ /**
+ * HMAC-SHA256
+ */
+ signer_t *hmac;
+
+ /**
+ * Internal state of HMAC-SHA256: key
+ */
+ chunk_t key;
+
+ /**
+ * Internal state of HMAC-SHA256: value
+ */
+ chunk_t value;
+
+};
+
+/**
+ * Update the internal state of the HMAC_DRBG
+ */
+static bool update(private_ntru_drbg_t *this, chunk_t data)
+{
+ chunk_t ch_00 = chunk_from_chars(0x00);
+ chunk_t ch_01 = chunk_from_chars(0x01);
+
+ if (!this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value, NULL) ||
+ !this->hmac->get_signature(this->hmac, ch_00, NULL) ||
+ !this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
+ !this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value,
+ this->value.ptr))
+ {
+ return FALSE;
+ }
+
+ if (data.len > 0)
+ {
+ if (!this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value, NULL) ||
+ !this->hmac->get_signature(this->hmac, ch_01, NULL) ||
+ !this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
+ !this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value,
+ this->value.ptr))
+ {
+ return FALSE;
+ }
+ }
+ DBG4(DBG_LIB, "HMAC_DRBG V: %B", &this->value);
+ DBG4(DBG_LIB, "HMAC_DRBG K: %B", &this->key);
+
+ return TRUE;
+}
+
+METHOD(ntru_drbg_t, get_strength, u_int32_t,
+ private_ntru_drbg_t *this)
+{
+ return this->strength;
+}
+
+METHOD(ntru_drbg_t, reseed, bool,
+ private_ntru_drbg_t *this)
+{
+ chunk_t seed;
+
+ seed = chunk_alloc(this->strength / BITS_PER_BYTE);
+ DBG2(DBG_LIB, "DRBG requests %u bytes of entropy", seed.len);
+
+ if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr))
+ {
+ chunk_free(&seed);
+ return FALSE;
+ }
+ if (!update(this, seed))
+ {
+ chunk_free(&seed);
+ return FALSE;
+ }
+ chunk_clear(&seed);
+ this->reseed_counter = 1;
+
+ return TRUE;
+}
+
+METHOD(ntru_drbg_t, generate, bool,
+ private_ntru_drbg_t *this, u_int32_t strength, u_int32_t len, u_int8_t *out)
+{
+ size_t delta;
+ chunk_t output;
+
+ DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len);
+ if (!out || len == 0)
+ {
+ return FALSE;
+ }
+ output = chunk_create(out, len);
+
+ if (this->reseed_counter > this->max_requests)
+ {
+ if (!reseed(this))
+ {
+ return FALSE;
+ }
+ }
+ while (len)
+ {
+ if (!this->hmac->get_signature(this->hmac, this->value,
+ this->value.ptr))
+ {
+ return FALSE;
+ }
+ delta = min(len, this->value.len);
+ memcpy(out, this->value.ptr, delta);
+ len -= delta;
+ out += delta;
+ }
+ DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output);
+
+ if (!update(this, chunk_empty))
+ {
+ return FALSE;
+ }
+ this->reseed_counter++;
+
+ return TRUE;
+}
+
+METHOD(ntru_drbg_t, destroy, void,
+ private_ntru_drbg_t *this)
+{
+ this->hmac->destroy(this->hmac);
+ chunk_clear(&this->key);
+ chunk_clear(&this->value);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
+ rng_t *entropy)
+{
+ private_ntru_drbg_t *this;
+ chunk_t seed;
+ signer_t *hmac;
+ size_t entropy_len;
+ u_int32_t max_requests;
+
+ if (strength > MAX_STRENGTH_BITS)
+ {
+ return NULL;
+ }
+ if (strength <= 112)
+ {
+ strength = 112;
+ }
+ else if (strength <= 128)
+ {
+ strength = 128;
+ }
+ else if (strength <= 192)
+ {
+ strength = 192;
+ }
+ else
+ {
+ strength = 256;
+ }
+
+ hmac = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA2_256_256);
+ if (!hmac)
+ {
+ DBG1(DBG_LIB, "could not instantiate HMAC-SHA256");
+ return NULL;
+ }
+
+ max_requests = lib->settings->get_int(lib->settings,
+ "%s.plugins.ntru.max_drbg_requests",
+ MAX_DRBG_REQUESTS, lib->ns);
+
+ INIT(this,
+ .public = {
+ .get_strength = _get_strength,
+ .reseed = _reseed,
+ .generate = _generate,
+ .destroy = _destroy,
+ },
+ .strength = strength,
+ .entropy = entropy,
+ .hmac = hmac,
+ .key = chunk_alloc(hmac->get_key_size(hmac)),
+ .value = chunk_alloc(hmac->get_block_size(hmac)),
+ .max_requests = max_requests,
+ .reseed_counter = 1,
+ );
+
+ memset(this->key.ptr, 0x00, this->key.len);
+ memset(this->value.ptr, 0x01, this->value.len);
+
+ entropy_len = (strength + strength/2) / BITS_PER_BYTE;
+ seed = chunk_alloc(entropy_len + pers_str.len);
+ DBG2(DBG_LIB, "DRBG requests %u bytes of entropy", entropy_len);
+
+ if (!this->entropy->get_bytes(this->entropy, entropy_len, seed.ptr))
+ {
+ chunk_free(&seed);
+ destroy(this);
+ return NULL;
+ }
+ memcpy(seed.ptr + entropy_len, pers_str.ptr, pers_str.len);
+ DBG4(DBG_LIB, "seed: %B", &seed);
+
+ if (!update(this, seed))
+ {
+ chunk_free(&seed);
+ destroy(this);
+ return NULL;
+ }
+ chunk_clear(&seed);
+
+ return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create);
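Review bot: generate() accepts a `strength` argument but never compares it with `this->strength`, so a request for a higher security strength than the DRBG was instantiated with is served without error. A guard at the top of the method, `if (strength > this->strength) return FALSE;`, would enforce the requested strength. The failure paths in reseed() and ntru_drbg_create() release the seed with `chunk_free(&seed)` although the buffer may already hold fresh entropy; `chunk_clear(&seed)` there would match the success path. The `%u` format in the two "DRBG requests" messages is also passed a `size_t`.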
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h
new file mode 100644
index 000000000..38ac718ae
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_drbg ntru_drbg
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_DRBG_H_
+#define NTRU_DRBG_H_
+
+typedef struct ntru_drbg_t ntru_drbg_t;
+
+#include <library.h>
+
+/**
+ * Implements a HMAC Deterministic Random Bit Generator (HMAC_DRBG)
+ * compliant with NIST SP 800-90A
+ */
+struct ntru_drbg_t {
+
+ /**
+ * Reseed the instantiated DRBG
+ *
+ * @return configured security strength in bits
+ */
+ u_int32_t (*get_strength)(ntru_drbg_t *this);
+
+ /**
+ * Reseed the instantiated DRBG
+ *
+ * @return TRUE if successful
+ */
+ bool (*reseed)(ntru_drbg_t *this);
+
+ /**
+ * Generate pseudorandom bytes.
+ * If the maximum number of requests has been reached, reseeding occurs
+ *
+ * @param strength requested security strength in bits
+ * @param len number of octets to generate
+ * @param out address of output buffer
+ * @return TRUE if successful
+ */
+ bool (*generate)(ntru_drbg_t *this, u_int32_t strength, u_int32_t len,
+ u_int8_t *out);
+
+ /**
+ * Uninstantiate and destroy the DRBG object
+ */
+ void (*destroy)(ntru_drbg_t *this);
+};
+
+/**
+ * Create and instantiate a new DRBG objet.
+ *
+ * @param strength security strength in bits
+ * @param pers_str personalization string
+ * @param entropy entropy source to use
+ */
+ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
+ rng_t *entropy);
+
+#endif /** NTRU_DRBG_H_ @}*/
+
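Review bot: The doc comment on `get_strength` is a copy of the one on `reseed` ("Reseed the instantiated DRBG") while its `@return` describes the security strength; it should read `Get the security strength of the instantiated DRBG`. The comment on ntru_drbg_create lacks an `@return` line, e.g. `@return DRBG object, NULL on failure`, and does not say who owns `entropy`; destroy() in ntru_drbg.c does not release it, so the caller apparently keeps ownership. "objet" in that comment should be "object".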
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
new file mode 100644
index 000000000..39fb261cd
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_ke.h"
+#include "ntru_drbg.h"
+
+#include "ntru_crypto/ntru_crypto.h"
+
+#include <crypto/diffie_hellman.h>
+#include <utils/debug.h>
+
+typedef struct private_ntru_ke_t private_ntru_ke_t;
+typedef struct param_set_t param_set_t;
+
+/**
+ * Defines an NTRU parameter set by ID or OID
+ */
+struct param_set_t {
+ NTRU_ENCRYPT_PARAM_SET_ID id;
+ char oid[3];
+ char *name;
+};
+
+/* Best bandwidth and speed, no X9.98 compatibility */
+static param_set_t param_sets_optimum[] = {
+ { NTRU_EES401EP2, {0x00, 0x02, 0x10}, "ees401ep2" },
+ { NTRU_EES439EP1, {0x00, 0x03, 0x10}, "ees439ep1" },
+ { NTRU_EES593EP1, {0x00, 0x05, 0x10}, "ees593ep1" },
+ { NTRU_EES743EP1, {0x00, 0x06, 0x10}, "ees743ep1" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets for best speed */
+static param_set_t param_sets_x9_98_speed[] = {
+ { NTRU_EES659EP1, {0x00, 0x02, 0x06}, "ees659ep1" },
+ { NTRU_EES761EP1, {0x00, 0x03, 0x05}, "ees761ep1" },
+ { NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" },
+ { NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
+static param_set_t param_sets_x9_98_bandwidth[] = {
+ { NTRU_EES401EP1, {0x00, 0x02, 0x04}, "ees401ep1" },
+ { NTRU_EES449EP1, {0x00, 0x03, 0x03}, "ees449ep1" },
+ { NTRU_EES677EP1, {0x00, 0x05, 0x03}, "ees677ep1" },
+ { NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
+static param_set_t param_sets_x9_98_balance[] = {
+ { NTRU_EES541EP1, {0x00, 0x02, 0x05}, "ees541ep1" },
+ { NTRU_EES613EP1, {0x00, 0x03, 0x04}, "ees613ep1" },
+ { NTRU_EES887EP1, {0x00, 0x05, 0x04}, "ees887ep1" },
+ { NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" }
+};
+
+/**
+ * Private data of an ntru_ke_t object.
+ */
+struct private_ntru_ke_t {
+ /**
+ * Public ntru_ke_t interface.
+ */
+ ntru_ke_t public;
+
+ /**
+ * Diffie Hellman group number.
+ */
+ u_int16_t group;
+
+ /**
+ * NTRU Parameter Set
+ */
+ param_set_t *param_set;
+
+ /**
+ * Cryptographical strength in bits of the NTRU Parameter Set
+ */
+ u_int32_t strength;
+
+ /**
+ * NTRU Public Key
+ */
+ chunk_t pub_key;
+
+ /**
+ * NTRU Private Key
+ */
+ chunk_t priv_key;
+
+ /**
+ * NTRU encrypted shared secret
+ */
+ chunk_t ciphertext;
+
+ /**
+ * Shared secret
+ */
+ chunk_t shared_secret;
+
+ /**
+ * True if peer is responder
+ */
+ bool responder;
+
+ /**
+ * True if shared secret is computed
+ */
+ bool computed;
+
+ /**
+ * True Random Generator
+ */
+ rng_t *entropy;
+
+ /**
+ * Deterministic Random Bit Generator
+ */
+ ntru_drbg_t *drbg;
+};
+
+METHOD(diffie_hellman_t, get_my_public_value, void,
+ private_ntru_ke_t *this, chunk_t *value)
+{
+ uint16_t pub_key_len, priv_key_len;
+
+ *value = chunk_empty;
+
+ if (this->responder)
+ {
+ if (this->ciphertext.len)
+ {
+ *value = chunk_clone(this->ciphertext);
+ }
+ }
+ else
+ {
+ if (this->pub_key.len == 0)
+ {
+ /* determine the NTRU public and private key sizes */
+ if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
+ &pub_key_len, NULL,
+ &priv_key_len, NULL) != NTRU_OK)
+ {
+ DBG1(DBG_LIB, "error determining NTRU public and private key "
+ "sizes");
+ return;
+ }
+ this->pub_key = chunk_alloc(pub_key_len);
+ this->priv_key = chunk_alloc(priv_key_len);
+
+ /* generate a random NTRU public/private key pair */
+ if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
+ &pub_key_len, this->pub_key.ptr,
+ &priv_key_len, this->priv_key.ptr) != NTRU_OK)
+ {
+ DBG1(DBG_LIB, "NTRU keypair generation failed");
+ chunk_free(&this->priv_key);
+ chunk_free(&this->pub_key);
+ return;
+ }
+ DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
+ DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
+ }
+ *value = chunk_clone(this->pub_key);
+ }
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+ private_ntru_ke_t *this, chunk_t *secret)
+{
+ if (!this->computed || !this->shared_secret.len)
+ {
+ *secret = chunk_empty;
+ return FAILED;
+ }
+ *secret = chunk_clone(this->shared_secret);
+
+ return SUCCESS;
+}
+
+
+METHOD(diffie_hellman_t, set_other_public_value, void,
+ private_ntru_ke_t *this, chunk_t value)
+{
+ u_int16_t plaintext_len, ciphertext_len;
+
+ if (this->priv_key.len)
+ {
+ /* initiator decrypting shared secret */
+ if (value.len == 0)
+ {
+ DBG1(DBG_LIB, "empty NTRU ciphertext");
+ return;
+ }
+ this->ciphertext = chunk_clone(value);
+ DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
+
+ /* determine the size of the maximum plaintext */
+ if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
+ this->ciphertext.len, this->ciphertext.ptr,
+ &plaintext_len, NULL) != NTRU_OK)
+ {
+ DBG1(DBG_LIB, "error determining maximum plaintext size");
+ return;
+ }
+ this->shared_secret = chunk_alloc(plaintext_len);
+
+ /* decrypt the shared secret */
+ if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
+ this->ciphertext.len, this->ciphertext.ptr,
+ &plaintext_len, this->shared_secret.ptr) != NTRU_OK)
+ {
+ DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
+ chunk_free(&this->shared_secret);
+ return;
+ }
+ this->shared_secret.len = plaintext_len;
+ this->computed = TRUE;
+ }
+ else
+ {
+ /* responder generating and encrypting the shared secret */
+ this->responder = TRUE;
+
+ /* check the NTRU public key format */
+ if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+ {
+ DBG1(DBG_LIB, "received NTRU public key with invalid header");
+ return;
+ }
+ if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+ {
+ DBG1(DBG_LIB, "received NTRU public key with wrong OID");
+ return;
+ }
+ this->pub_key = chunk_clone(value);
+
+ /* shared secret size is chosen as twice the cryptographical strength */
+ this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
+
+ /* generate the random shared secret */
+ if (!this->drbg->generate(this->drbg, this->strength,
+ this->shared_secret.len, this->shared_secret.ptr))
+ {
+ DBG1(DBG_LIB, "generation of shared secret failed");
+ chunk_free(&this->shared_secret);
+ return;
+ }
+ this->computed = TRUE;
+
+ /* determine the size of the ciphertext */
+ if (ntru_crypto_ntru_encrypt(this->drbg,
+ this->pub_key.len, this->pub_key.ptr,
+ this->shared_secret.len, this->shared_secret.ptr,
+ &ciphertext_len, NULL) != NTRU_OK)
+ {
+ DBG1(DBG_LIB, "error determining ciphertext size");
+ return;
+ }
+ this->ciphertext = chunk_alloc(ciphertext_len);
+
+ /* encrypt the shared secret */
+ if (ntru_crypto_ntru_encrypt(this->drbg,
+ this->pub_key.len, this->pub_key.ptr,
+ this->shared_secret.len, this->shared_secret.ptr,
+ &ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
+ {
+ DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
+ chunk_free(&this->ciphertext);
+ return;
+ }
+ DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
+ }
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+ private_ntru_ke_t *this)
+{
+ return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+ private_ntru_ke_t *this)
+{
+ this->drbg->destroy(this->drbg);
+ this->entropy->destroy(this->entropy);
+ chunk_free(&this->pub_key);
+ chunk_free(&this->ciphertext);
+ chunk_clear(&this->priv_key);
+ chunk_clear(&this->shared_secret);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
+{
+ private_ntru_ke_t *this;
+ param_set_t *param_sets, *param_set;
+ rng_t *entropy;
+ ntru_drbg_t *drbg;
+ char *parameter_set;
+ u_int32_t strength;
+
+ parameter_set = lib->settings->get_str(lib->settings,
+ "%s.plugins.ntru.parameter_set", "optimum", lib->ns);
+
+ if (streq(parameter_set, "x9_98_speed"))
+ {
+ param_sets = param_sets_x9_98_speed;
+ }
+ else if (streq(parameter_set, "x9_98_bandwidth"))
+ {
+ param_sets = param_sets_x9_98_bandwidth;
+ }
+ else if (streq(parameter_set, "x9_98_balance"))
+ {
+ param_sets = param_sets_x9_98_balance;
+ }
+ else
+ {
+ param_sets = param_sets_optimum;
+ }
+
+ switch (group)
+ {
+ case NTRU_112_BIT:
+ strength = 112;
+ param_set = &param_sets[0];
+ break;
+ case NTRU_128_BIT:
+ strength = 128;
+ param_set = &param_sets[1];
+ break;
+ case NTRU_192_BIT:
+ strength = 192;
+ param_set = &param_sets[2];
+ break;
+ case NTRU_256_BIT:
+ strength = 256;
+ param_set = &param_sets[3];
+ break;
+ default:
+ return NULL;
+ }
+ DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
+ parameter_set, param_set->name);
+
+ entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+ if (!entropy)
+ {
+ DBG1(DBG_LIB, "could not attach entropy source for DRBG");
+ return NULL;
+ }
+
+ drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
+ if (!drbg)
+ {
+ DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
+ entropy->destroy(entropy);
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .dh = {
+ .get_shared_secret = _get_shared_secret,
+ .set_other_public_value = _set_other_public_value,
+ .get_my_public_value = _get_my_public_value,
+ .get_dh_group = _get_dh_group,
+ .destroy = _destroy,
+ },
+ },
+ .group = group,
+ .param_set = param_set,
+ .strength = strength,
+ .entropy = entropy,
+ .drbg = drbg,
+ );
+
+ return &this->public;
+}
+
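Review bot: In the responder branch of set_other_public_value, `this->computed = TRUE;` is set as soon as the DRBG has produced the secret, before either ntru_crypto_ntru_encrypt() call has succeeded. If encryption fails the method returns with `computed` set and `shared_secret` still populated, so get_shared_secret() reports SUCCESS for a secret the peer never received; moving the assignment after the second encrypt call and adding `chunk_clear(&this->shared_secret);` on those two error paths avoids that. The existing failure paths that drop `shared_secret` use `chunk_free`, which leaves possibly partial key material in freed memory, whereas destroy() already uses `chunk_clear` for the same field. ntru_ke_create also falls back to `param_sets_optimum` for any unrecognised `parameter_set` string but logs the configured string, so a typo in the setting is reported as if it had been applied.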
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.h b/src/libstrongswan/plugins/ntru/ntru_ke.h
new file mode 100644
index 000000000..b8bbf5e54
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_ke ntru_ke
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_KE_H_
+#define NTRU_KE_H_
+
+typedef struct ntru_ke_t ntru_ke_t;
+
+#include <library.h>
+
+/**
+ * Implementation of a key exchange algorithm using NTRU encryption
+ */
+struct ntru_ke_t {
+
+ /**
+ * Implements diffie_hellman_t interface.
+ */
+ diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new ntru_ke_t object.
+ *
+ * @param group NTRU group number to use
+ * @param g not used
+ * @param p not used
+ * @return ntru_ke_t object, NULL if not supported
+ */
+ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p);
+
+#endif /** NTRU_KE_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.c b/src/libstrongswan/plugins/ntru/ntru_mgf1.c
new file mode 100644
index 000000000..2338db208
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_mgf1.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_mgf1.h"
+
+#include <crypto/hashers/hasher.h>
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_mgf1_t private_ntru_mgf1_t;
+
+/**
+ * Private data of an ntru_mgf1_t object.
+ */
+struct private_ntru_mgf1_t {
+
+ /**
+ * Public ntru_mgf1_t interface.
+ */
+ ntru_mgf1_t public;
+
+ /**
+ * Hasher the MGF1 Mask Generation Function is based on
+ */
+ hasher_t *hasher;
+
+ /**
+ * Counter
+ */
+ u_int32_t counter;
+
+ /**
+ * Set if counter has reached 2^32
+ */
+ bool overflow;
+
+ /**
+ * Current state to be hashed
+ */
+ chunk_t state;
+
+ /**
+ * Position of the 4 octet counter string
+ */
+ u_char *ctr_str;
+
+};
+
+METHOD(ntru_mgf1_t, get_hash_size, size_t,
+ private_ntru_mgf1_t *this)
+{
+ return this->hasher->get_hash_size(this->hasher);
+}
+
+METHOD(ntru_mgf1_t, get_mask, bool,
+ private_ntru_mgf1_t *this, size_t mask_len, u_char *mask)
+{
+ u_char buf[HASH_SIZE_SHA512];
+ size_t hash_len;
+
+ hash_len = this->hasher->get_hash_size(this->hasher);
+
+ while (mask_len > 0)
+ {
+ /* detect overflow, set counter string and increment counter */
+ if (this->overflow)
+ {
+ return FALSE;
+ }
+ htoun32(this->ctr_str, this->counter++);
+ if (this->counter == 0)
+ {
+ this->overflow = TRUE;
+ }
+
+ /* get the next or final mask block from the hash function */
+ if (!this->hasher->get_hash(this->hasher, this->state,
+ (mask_len < hash_len) ? buf : mask))
+ {
+ return FALSE;
+ }
+ if (mask_len < hash_len)
+ {
+ memcpy(mask, buf, mask_len);
+ return TRUE;
+ }
+ mask_len -= hash_len;
+ mask += hash_len;
+ }
+ return TRUE;
+}
+
+METHOD(ntru_mgf1_t, allocate_mask, bool,
+ private_ntru_mgf1_t *this, size_t mask_len, chunk_t *mask)
+{
+ if (mask_len == 0)
+ {
+ *mask = chunk_empty;
+ return TRUE;
+ }
+ *mask = chunk_alloc(mask_len);
+
+ return get_mask(this, mask_len, mask->ptr);
+}
+
+METHOD(ntru_mgf1_t, destroy, void,
+ private_ntru_mgf1_t *this)
+{
+ this->hasher->destroy(this->hasher);
+ chunk_clear(&this->state);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+ bool hash_seed)
+{
+ private_ntru_mgf1_t *this;
+ hasher_t *hasher;
+ size_t state_len;
+
+ if (seed.len == 0)
+ {
+ DBG1(DBG_LIB, "empty seed for MGF1");
+ return NULL;
+ }
+
+ hasher = lib->crypto->create_hasher(lib->crypto, alg);
+ if (!hasher)
+ {
+ DBG1(DBG_LIB, "failed to create %N hasher for MGF1",
+ hash_algorithm_names, alg);
+ return NULL;
+ }
+ state_len = (hash_seed ? hasher->get_hash_size(hasher) : seed.len) + 4;
+
+ INIT(this,
+ .public = {
+ .get_hash_size = _get_hash_size,
+ .allocate_mask = _allocate_mask,
+ .get_mask = _get_mask,
+ .destroy = _destroy,
+ },
+ .hasher = hasher,
+ .state = chunk_alloc(state_len),
+ );
+
+ /* determine position of the 4 octet counter string */
+ this->ctr_str = this->state.ptr + state_len - 4;
+
+ if (hash_seed)
+ {
+ if (!hasher->get_hash(hasher, seed, this->state.ptr))
+ {
+ DBG1(DBG_LIB, "failed to hash seed for MGF1");
+ destroy(this);
+ return NULL;
+ }
+ }
+ else
+ {
+ memcpy(this->state.ptr, seed.ptr, seed.len);
+ }
+
+ return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create);
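Review bot: get_mask() hashes the final partial block into the stack buffer `buf` and returns right after the `memcpy` without wiping it, so the unused tail of that mask block stays on the stack even though destroy() treats the MGF1 state as sensitive (`chunk_clear(&this->state)`). Wiping the buffer before that return, `memwipe(buf, sizeof(buf));` if the library's wipe helper is in scope in this file, would keep the two consistent. allocate_mask() also returns FALSE from a failed get_mask() with `*mask` still pointing at the allocated, partly filled chunk; `chunk_clear(mask)` on that path would spare callers from having to free on failure.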
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.h b/src/libstrongswan/plugins/ntru/ntru_mgf1.h
new file mode 100644
index 000000000..53e90412a
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_mgf1.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_mgf1 ntru_mgf1
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_MGF1_H_
+#define NTRU_MGF1_H_
+
+typedef struct ntru_mgf1_t ntru_mgf1_t;
+
+#include <library.h>
+
+/**
+ * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
+ * defined in section 10.2.1 of RFC 2437
+ */
+struct ntru_mgf1_t {
+
+ /**
+ * Get the hash size of the underlying hash function
+ *
+ * @return hash size in bytes
+ */
+ size_t (*get_hash_size)(ntru_mgf1_t *this);
+
+ /**
+ * Generate a mask pattern and copy it to an output buffer
+ * If the maximum number of requests has been reached, reseeding occurs
+ *
+ * @param mask_len number of mask bytes to generate
+ * @param mask output buffer of minimum size mask_len
+ * @return TRUE if successful
+ */
+ bool (*get_mask)(ntru_mgf1_t *this, size_t mask_len, u_char *mask);
+
+ /**
+ * Generate a mask pattern and return it in an allocated chunk
+ *
+ * @param mask_len number of mask bytes to generate
+ * @param mask chunk containing generated mask
+ * @return TRUE if successful
+ */
+ bool (*allocate_mask)(ntru_mgf1_t *this, size_t mask_len, chunk_t *mask);
+
+ /**
+ * Destroy the MGF1 object
+ */
+ void (*destroy)(ntru_mgf1_t *this);
+};
+
+/**
+ * Create an MGF1 object
+ *
+ * @param alg hash algorithm to be used by MGF1
+ * @param seed seed used by MGF1 to generate mask from
+ * @param hash_seed hash seed before using it as a seed from MGF1
+ */
+ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+ bool hash_seed);
+
+#endif /** NTRU_MGF1_H_ @}*/
+
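Review bot: The doc comment for ntru_mgf1_create has no `@return`, although the implementation in ntru_mgf1.c returns NULL for an empty seed, when no hasher can be created for `alg`, and when hashing the seed fails. Add a line such as `@return MGF1 object, NULL if the seed is empty or the hasher failed` so callers know they must check the result. The `@param hash_seed` text reads better as `hash the seed before using it as MGF1 input`. The constructors declared in ntru_poly.h and ntru_trits.h also return NULL on failure and also lack `@return`.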
diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.c b/src/libstrongswan/plugins/ntru/ntru_plugin.c
new file mode 100644
index 000000000..66be7c75b
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_plugin.h"
+#include "ntru_ke.h"
+
+#include <library.h>
+
+typedef struct private_ntru_plugin_t private_ntru_plugin_t;
+
+/**
+ * private data of ntru_plugin
+ */
+struct private_ntru_plugin_t {
+
+ /**
+ * public functions
+ */
+ ntru_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_ntru_plugin_t *this)
+{
+ return "ntru";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_ntru_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_REGISTER(DH, ntru_ke_create),
+ PLUGIN_PROVIDE(DH, NTRU_112_BIT),
+ PLUGIN_PROVIDE(DH, NTRU_128_BIT),
+ PLUGIN_PROVIDE(DH, NTRU_192_BIT),
+ PLUGIN_PROVIDE(DH, NTRU_256_BIT),
+ PLUGIN_DEPENDS(RNG, RNG_TRUE),
+ PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+ PLUGIN_SDEPEND(HASHER, HASH_SHA1)
+ };
+ *features = f;
+
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_ntru_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ntru_plugin_create()
+{
+ private_ntru_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.h b/src/libstrongswan/plugins/ntru/ntru_plugin.h
new file mode 100644
index 000000000..187b83445
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_p ntru
+ * @ingroup plugins
+ *
+ * @defgroup ntru_plugin ntru_plugin
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PLUGIN_H_
+#define NTRU_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ntru_plugin_t ntru_plugin_t;
+
+/**
+ * Plugin implementing NTRU-base key exchange
+ */
+struct ntru_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** NTRU_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
new file mode 100644
index 000000000..3f754f2a0
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_poly.h"
+#include "ntru_mgf1.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_poly_t private_ntru_poly_t;
+typedef struct indices_len_t indices_len_t;
+
+/**
+ * Stores number of +1 and -1 coefficients
+ */
+struct indices_len_t {
+ int p;
+ int m;
+};
+
+/**
+ * Private data of an ntru_poly_t object.
+ */
+struct private_ntru_poly_t {
+
+ /**
+ * Public ntru_poly_t interface.
+ */
+ ntru_poly_t public;
+
+ /**
+ * Ring dimension equal to the number of polynomial coefficients
+ */
+ uint16_t N;
+
+ /**
+ * Large modulus
+ */
+ uint16_t q;
+
+ /**
+ * Array containing the indices of the non-zero coefficients
+ */
+ uint16_t *indices;
+
+ /**
+ * Number of indices of the non-zero coefficients
+ */
+ size_t num_indices;
+
+ /**
+ * Number of sparse polynomials
+ */
+ int num_polynomials;
+
+ /**
+ * Number of nonzero coefficients for up to 3 sparse polynomials
+ */
+ indices_len_t indices_len[3];
+
+};
+
+METHOD(ntru_poly_t, get_size, size_t,
+ private_ntru_poly_t *this)
+{
+ return this->num_indices;
+}
+
+METHOD(ntru_poly_t, get_indices, uint16_t*,
+ private_ntru_poly_t *this)
+{
+ return this->indices;
+}
+
+/**
+ * Multiplication of polynomial a with a sparse polynomial b given by
+ * the indices of its +1 and -1 coefficients results in polynomial c.
+ * This is a convolution operation
+ */
+static void ring_mult_i(uint16_t *a, indices_len_t len, uint16_t *indices,
+ uint16_t N, uint16_t mod_q_mask, uint16_t *t,
+ uint16_t *c)
+{
+ int i, j, k;
+
+ /* initialize temporary array t */
+ for (k = 0; k < N; k++)
+ {
+ t[k] = 0;
+ }
+
+ /* t[(i+k)%N] = sum i=0 through N-1 of a[i], for b[k] = -1 */
+ for (j = len.p; j < len.p + len.m; j++)
+ {
+ k = indices[j];
+ for (i = 0; k < N; ++i, ++k)
+ {
+ t[k] += a[i];
+ }
+ for (k = 0; i < N; ++i, ++k)
+ {
+ t[k] += a[i];
+ }
+ }
+
+ /* t[(i+k)%N] = -(sum i=0 through N-1 of a[i] for b[k] = -1) */
+ for (k = 0; k < N; k++)
+ {
+ t[k] = -t[k];
+ }
+
+ /* t[(i+k)%N] += sum i=0 through N-1 of a[i] for b[k] = +1 */
+ for (j = 0; j < len.p; j++)
+ {
+ k = indices[j];
+ for (i = 0; k < N; ++i, ++k)
+ {
+ t[k] += a[i];
+ }
+ for (k = 0; i < N; ++i, ++k)
+ {
+ t[k] += a[i];
+ }
+ }
+
+ /* c = (a * b) mod q */
+ for (k = 0; k < N; k++)
+ {
+ c[k] = t[k] & mod_q_mask;
+ }
+}
+
+METHOD(ntru_poly_t, get_array, void,
+ private_ntru_poly_t *this, uint16_t *array)
+{
+ uint16_t *t, *bi;
+ uint16_t mod_q_mask = this->q - 1;
+ indices_len_t len;
+ int i;
+
+ /* form polynomial F or F1 */
+ memset(array, 0x00, this->N * sizeof(uint16_t));
+ bi = this->indices;
+ len = this->indices_len[0];
+ for (i = 0; i < len.p + len.m; i++)
+ {
+ array[bi[i]] = (i < len.p) ? 1 : mod_q_mask;
+ }
+
+ if (this->num_polynomials == 3)
+ {
+ /* allocate temporary array t */
+ t = malloc(this->N * sizeof(uint16_t));
+
+ /* form F1 * F2 */
+ bi += len.p + len.m;
+ len = this->indices_len[1];
+ ring_mult_i(array, len, bi, this->N, mod_q_mask, t, array);
+
+ /* form (F1 * F2) + F3 */
+ bi += len.p + len.m;
+ len = this->indices_len[2];
+ for (i = 0; i < len.p + len.m; i++)
+ {
+ if (i < len.p)
+ {
+ array[bi[i]] += 1;
+ }
+ else
+ {
+ array[bi[i]] -= 1;
+ }
+ array[bi[i]] &= mod_q_mask;
+ }
+ free(t);
+ }
+}
+
+METHOD(ntru_poly_t, ring_mult, void,
+ private_ntru_poly_t *this, uint16_t *a, uint16_t *c)
+{
+ uint16_t *t1, *t2;
+ uint16_t *bi = this->indices;
+ uint16_t mod_q_mask = this->q - 1;
+ int i;
+
+ /* allocate temporary array t1 */
+ t1 = malloc(this->N * sizeof(uint16_t));
+
+ if (this->num_polynomials == 1)
+ {
+ ring_mult_i(a, this->indices_len[0], bi, this->N, mod_q_mask, t1, c);
+ }
+ else
+ {
+ /* allocate temporary array t2 */
+ t2 = malloc(this->N * sizeof(uint16_t));
+
+ /* t1 = a * b1 */
+ ring_mult_i(a, this->indices_len[0], bi, this->N, mod_q_mask, t1, t1);
+
+ /* t1 = (a * b1) * b2 */
+ bi += this->indices_len[0].p + this->indices_len[0].m;
+ ring_mult_i(t1, this->indices_len[1], bi, this->N, mod_q_mask, t2, t1);
+
+ /* t2 = a * b3 */
+ bi += this->indices_len[1].p + this->indices_len[1].m;
+ ring_mult_i(a, this->indices_len[2], bi, this->N, mod_q_mask, t2, t2);
+
+ /* c = (a * b1 * b2) + (a * b3) */
+ for (i = 0; i < this->N; i++)
+ {
+ c[i] = (t1[i] + t2[i]) & mod_q_mask;
+ }
+ free(t2);
+ }
+ free(t1);
+}
+
+METHOD(ntru_poly_t, destroy, void,
+ private_ntru_poly_t *this)
+{
+ memwipe(this->indices, sizeof(uint16_t) * get_size(this));
+ free(this->indices);
+ free(this);
+}
+
+static void init_indices(private_ntru_poly_t *this, bool is_product_form,
+ uint32_t indices_len_p, uint32_t indices_len_m)
+{
+ int n;
+
+ if (is_product_form)
+ {
+ this->num_polynomials = 3;
+ for (n = 0; n < 3; n++)
+ {
+ this->indices_len[n].p = 0xff & indices_len_p;
+ this->indices_len[n].m = 0xff & indices_len_m;
+ this->num_indices += this->indices_len[n].p +
+ this->indices_len[n].m;
+ indices_len_p >>= 8;
+ indices_len_m >>= 8;
+ }
+ }
+ else
+ {
+ this->num_polynomials = 1;
+ this->indices_len[0].p = indices_len_p;
+ this->indices_len[0].m = indices_len_m;
+ this->num_indices = indices_len_p + indices_len_m;
+ }
+ this->indices = malloc(sizeof(uint16_t) * this->num_indices);
+}
+
+/*
+ * Described in header.
+ */
+ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
+ uint8_t c_bits, uint16_t N, uint16_t q,
+ uint32_t indices_len_p,
+ uint32_t indices_len_m,
+ bool is_product_form)
+{
+ private_ntru_poly_t *this;
+ size_t hash_len, octet_count = 0, i;
+ uint8_t octets[HASH_SIZE_SHA512], *used, num_left = 0, num_needed;
+ uint16_t index, limit, left = 0;
+ int n, num_indices, index_i = 0;
+ ntru_mgf1_t *mgf1;
+
+ DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
+ mgf1 = ntru_mgf1_create(alg, seed, TRUE);
+ if (!mgf1)
+ {
+ return NULL;
+ }
+ i = hash_len = mgf1->get_hash_size(mgf1);
+
+ INIT(this,
+ .public = {
+ .get_size = _get_size,
+ .get_indices = _get_indices,
+ .get_array = _get_array,
+ .ring_mult = _ring_mult,
+ .destroy = _destroy,
+ },
+ .N = N,
+ .q = q,
+ );
+
+ init_indices(this, is_product_form, indices_len_p, indices_len_m);
+ used = malloc(N);
+ limit = N * ((1 << c_bits) / N);
+
+ /* generate indices for all polynomials */
+ for (n = 0; n < this->num_polynomials; n++)
+ {
+ memset(used, 0, N);
+ num_indices = this->indices_len[n].p + this->indices_len[n].m;
+
+ /* generate indices for a single polynomial */
+ while (num_indices)
+ {
+ /* generate a random candidate index with a size of c_bits */
+ do
+ {
+ /* use any leftover bits first */
+ index = num_left ? left << (c_bits - num_left) : 0;
+
+ /* get the rest of the bits needed from new octets */
+ num_needed = c_bits - num_left;
+
+ while (num_needed)
+ {
+ if (i == hash_len)
+ {
+ /* get another block from MGF1 */
+ if (!mgf1->get_mask(mgf1, hash_len, octets))
+ {
+ mgf1->destroy(mgf1);
+ destroy(this);
+ free(used);
+ return NULL;
+ }
+ octet_count += hash_len;
+ i = 0;
+ }
+ left = octets[i++];
+
+ if (num_needed <= 8)
+ {
+ /* all bits needed to fill the index are in this octet */
+ index |= left >> (8 - num_needed);
+ num_left = 8 - num_needed;
+ num_needed = 0;
+ left &= 0xff >> (8 - num_left);
+ }
+ else
+ {
+ /* more than one octet will be needed */
+ index |= left << (num_needed - 8);
+ num_needed -= 8;
+ }
+ }
+ }
+ while (index >= limit);
+
+ /* form index and check if unique */
+ index %= N;
+ if (!used[index])
+ {
+ used[index] = 1;
+ this->indices[index_i++] = index;
+ num_indices--;
+ }
+ }
+ }
+
+ DBG2(DBG_LIB, "MGF1 generates %u octets to derive %u indices",
+ octet_count, this->num_indices);
+ mgf1->destroy(mgf1);
+ free(used);
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q,
+ uint32_t indices_len_p,
+ uint32_t indices_len_m,
+ bool is_product_form)
+{
+ private_ntru_poly_t *this;
+ int i;
+
+ INIT(this,
+ .public = {
+ .get_size = _get_size,
+ .get_indices = _get_indices,
+ .get_array = _get_array,
+ .ring_mult = _ring_mult,
+ .destroy = _destroy,
+ },
+ .N = N,
+ .q = q,
+ );
+
+ init_indices(this, is_product_form, indices_len_p, indices_len_m);
+ for (i = 0; i < this->num_indices; i++)
+ {
+ this->indices[i] = data[i];
+ }
+
+ return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_seed);
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data);
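Review bot: ntru_poly_create_from_data copies `data[i]` into `this->indices` without comparing it with N, and get_array later uses those values as subscripts into a caller-supplied N-element array (`array[bi[i]] = ...`), so an index of N or more would write out of bounds. Whether every caller validates the indices is not visible in this hunk. If `data` can originate from a decoded key blob, the constructor is the natural place to reject it: `if (data[i] >= N) { destroy(this); return NULL; }` inside the copy loop. Indices produced by ntru_poly_create_from_seed are reduced with `index %= N` and are not affected.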
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_poly.h
new file mode 100644
index 000000000..87c77103c
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_poly ntru_poly
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_POLY_H_
+#define NTRU_POLY_H_
+
+typedef struct ntru_poly_t ntru_poly_t;
+
+#include <library.h>
+
+/**
+ * Implements a trinary polynomial storing the indices of non-zero coefficients
+ */
+struct ntru_poly_t {
+
+ /**
+ * Get the size of the indices array
+ *
+ * @return number of indices
+ */
+ size_t (*get_size)(ntru_poly_t *this);
+
+ /**
+ * @return array containing the indices of the non-zero coefficients
+ */
+ uint16_t* (*get_indices)(ntru_poly_t *this);
+
+ /**
+ * @param array array containing all N coefficients of the polynomial
+ */
+ void (*get_array)(ntru_poly_t *this, uint16_t *array);
+
+ /**
+ * Multiply polynomial a with ntru_poly_t object b having sparse coeffients
+ * to form result polynomial c = a * b
+ *
+ * @param a input polynomial a
+ * @param b output polynomial c
+ */
+ void (*ring_mult)(ntru_poly_t *this, uint16_t *a, uint16_t *c);
+
+ /**
+ * Destroy ntru_poly_t object
+ */
+ void (*destroy)(ntru_poly_t *this);
+};
+
+/**
+ * Create a trits polynomial from a seed using MGF1 with a base hash function
+ *
+ * @param alg hash algorithm to be used by MGF1
+ * @param seed seed used by MGF1 to generate trits from
+ * @param N ring dimension, number of polynomial coefficients
+ * @param q large modulus
+ * @param c_bits number of bits for candidate index
+ * @param indices_len_p number of indices for +1 coefficients
+ * @param indices_len_m number of indices for -1 coefficients
+ * @param is_product_form generate multiple polynomials
+ */
+ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
+ uint8_t c_bits, uint16_t N, uint16_t q,
+ uint32_t indices_len_p,
+ uint32_t indices_len_m,
+ bool is_product_form);
+
+/**
+ * Create a trits polynomial from an array of indices of non-zero coefficients
+ *
+ * @param data array of indices of non-zero coefficients
+ * @param N ring dimension, number of polynomial coefficients
+ * @param q large modulus
+ * @param indices_len_p number of indices for +1 coefficients
+ * @param indices_len_m number of indices for -1 coefficients
+ * @param is_product_form generate multiple polynomials
+ */
+ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q,
+ uint32_t indices_len_p,
+ uint32_t indices_len_m,
+ bool is_product_form);
+
+#endif /** NTRU_POLY_H_ @}*/
+
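Review bot: In the ring_mult doc comment the second tag reads `@param b output polynomial c`, but the function pointer's parameter is named `c`; it should be `@param c output polynomial c`. The description's "ntru_poly_t object b" refers to `this`, which is worth saying explicitly, and `coeffients` is a typo for `coefficients`. For ntru_poly_create_from_seed the `@param` list puts `c_bits` after `q`, while the signature has it before `N`; keeping the documented order in step with the signature avoids swapped arguments at call sites.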
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
new file mode 100644
index 000000000..f82501629
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_trits.h"
+#include "ntru_mgf1.h"
+
+#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_trits_t private_ntru_trits_t;
+
+/**
+ * Private data of an ntru_trits_t object.
+ */
+struct private_ntru_trits_t {
+
+ /**
+ * Public ntru_trits_t interface.
+ */
+ ntru_trits_t public;
+
+ /**
+ * Size of the trits array
+ */
+ size_t trits_len;
+
+ /**
+ * Array containing a trit per octet
+ */
+ uint8_t *trits;
+
+};
+
+METHOD(ntru_trits_t, get_size, size_t,
+ private_ntru_trits_t *this)
+{
+ return this->trits_len;
+}
+
+METHOD(ntru_trits_t, get_trits, uint8_t*,
+ private_ntru_trits_t *this)
+{
+ return this->trits;
+}
+
+METHOD(ntru_trits_t, destroy, void,
+ private_ntru_trits_t *this)
+{
+ memwipe(this->trits, this->trits_len);
+ free(this->trits);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
+{
+ private_ntru_trits_t *this;
+ uint8_t octets[HASH_SIZE_SHA512], buf[5], *trits;
+ size_t hash_len, octet_count = 0, trits_needed, i;
+ ntru_mgf1_t *mgf1;
+
+ DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
+ mgf1 = ntru_mgf1_create(alg, seed, TRUE);
+ if (!mgf1)
+ {
+ return NULL;
+ }
+ i = hash_len = mgf1->get_hash_size(mgf1);
+
+ INIT(this,
+ .public = {
+ .get_size = _get_size,
+ .get_trits = _get_trits,
+ .destroy = _destroy,
+ },
+ .trits_len = len,
+ .trits = malloc(len),
+ );
+
+ trits = this->trits;
+ trits_needed = this->trits_len;
+
+ while (trits_needed > 0)
+ {
+ if (i == hash_len)
+ {
+ /* get another block from MGF1 */
+ if (!mgf1->get_mask(mgf1, hash_len, octets))
+ {
+ mgf1->destroy(mgf1);
+ destroy(this);
+ return NULL;
+ }
+ octet_count += hash_len;
+ i = 0;
+ }
+ if (octets[i] < 243) /* 243 = 3^5 */
+ {
+ ntru_octet_2_trits(octets[i], (trits_needed < 5) ? buf : trits);
+ if (trits_needed < 5)
+ {
+ memcpy(trits, buf, trits_needed);
+ break;
+ }
+ trits += 5;
+ trits_needed -= 5;
+ }
+ i++;
+ }
+ DBG2(DBG_LIB, "MGF1 generates %u octets to extract %u trits",
+ octet_count, len);
+ mgf1->destroy(mgf1);
+
+ return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create);
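Review bot: ntru_trits_create returns with MGF1 output still in the stack buffers `octets` and `buf`, although destroy() clears the derived trits with memwipe(), which suggests this material is treated as sensitive. Adding `memwipe(octets, sizeof(octets));` and `memwipe(buf, sizeof(buf));` before the error return and before the final return would make the handling consistent. The same pattern appears in ntru_poly_create_from_seed in ntru_poly.c, where `octets` and the heap array `used` are left unwiped. `used` marks exactly the non-zero coefficient positions and is released with a plain `free(used)`.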
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.h b/src/libstrongswan/plugins/ntru/ntru_trits.h
new file mode 100644
index 000000000..524c51bac
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_trits ntru_trits
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_TRITS_H_
+#define NTRU_TRITS_H_
+
+typedef struct ntru_trits_t ntru_trits_t;
+
+#include <library.h>
+
+/**
+ * Implements an array of trinary elements (trits)
+ */
+struct ntru_trits_t {
+
+ /**
+ * Get the size of the trits array
+ *
+ * @return number of trinary elements
+ */
+ size_t (*get_size)(ntru_trits_t *this);
+
+ /**
+ * @return octet array containing a trit per octet
+ */
+ uint8_t* (*get_trits)(ntru_trits_t *this);
+
+ /**
+ * Destroy ntru_trits_t object
+ */
+ void (*destroy)(ntru_trits_t *this);
+};
+
+/**
+ * Create a trits array from a seed using MGF1 with a base hash function
+ *
+ * @param size size of the trits array
+ * @param alg hash algorithm to be used by MGF1
+ * @param seed seed used by MGF1 to generate trits from
+ */
+ntru_trits_t *ntru_trits_create(size_t size, hash_algorithm_t alg, chunk_t seed);
+
+#endif /** NTRU_TRITS_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 53ff2eb4c..f0735294b 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -224,8 +224,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -293,6 +291,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -381,12 +384,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -401,6 +408,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 18aa5ceca..cb02c663c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -471,7 +471,7 @@ static bool parse_extensions(private_openssl_crl_t *this)
default:
ok = X509_EXTENSION_get_critical(ext) == 0 ||
!lib->settings->get_bool(lib->settings,
- "libstrongswan.x509.enforce_critical", TRUE);
+ "%s.x509.enforce_critical", TRUE, lib->ns);
if (!ok)
{
DBG1(DBG_LIB, "found unsupported critical X.509 "
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index c43fe455a..b487d59a5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -102,6 +102,11 @@ static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
goto error;
}
+ if (!EC_POINT_is_on_curve(group, point, ctx))
+ {
+ goto error;
+ }
+
ret = TRUE;
error:
BN_CTX_end(ctx);
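Review bot: The added check `if (!EC_POINT_is_on_curve(group, point, ctx))` rejects only a return value of 0. OpenSSL documents -1 for an internal error, and that value passes this test, so a point whose validation failed would be accepted as valid. Compare against the success value instead: `if (EC_POINT_is_on_curve(group, point, ctx) != 1)`. chunk2ecp begins above this hunk, so its earlier error paths are not visible here.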
@@ -196,7 +201,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
* http://www.rfc-editor.org/errata_search.php?eid=9
*/
x_coordinate_only = lib->settings->get_bool(lib->settings,
- "libstrongswan.ecp_x_coordinate_only", TRUE);
+ "%s.ecp_x_coordinate_only", TRUE, lib->ns);
if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
{
goto error;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index ff2508609..f4aef8200 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -522,7 +522,7 @@ plugin_t *openssl_plugin_create()
int fips_mode;
fips_mode = lib->settings->get_int(lib->settings,
- "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+ "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
#ifdef OPENSSL_FIPS
if (fips_mode)
{
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 036f53d23..10a35c1fd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -558,7 +558,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
if (!engine_id)
{
engine_id = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.openssl.engine_id", "pkcs11");
+ "%s.plugins.openssl.engine_id", "pkcs11", lib->ns);
}
engine = ENGINE_by_id(engine_id);
if (!engine)
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 24b12d50c..7a5b206dd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -1012,7 +1012,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
default:
ok = X509_EXTENSION_get_critical(ext) == 0 ||
!lib->settings->get_bool(lib->settings,
- "libstrongswan.x509.enforce_critical", TRUE);
+ "%s.x509.enforce_critical", TRUE, lib->ns);
if (!ok)
{
char buf[80] = "";
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 5c3ce2a42..55c0271ce 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 060799dc8..22c33b0c8 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 254b1951b..62780c384 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -25,7 +25,6 @@
#include <stddef.h>
#include <fcntl.h>
#include <sys/types.h>
-#include <sys/mman.h>
#include <sys/stat.h>
#include <utils/debug.h>
@@ -418,39 +417,17 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
static void *load_from_file(char *file, credential_type_t type, int subtype,
identification_t *subject, x509_flag_t flags)
{
- void *cred = NULL;
- struct stat sb;
- void *addr;
- int fd;
+ void *cred;
+ chunk_t *chunk;
- fd = open(file, O_RDONLY);
- if (fd == -1)
+ chunk = chunk_map(file, FALSE);
+ if (!chunk)
{
DBG1(DBG_LIB, " opening '%s' failed: %s", file, strerror(errno));
return NULL;
}
-
- if (fstat(fd, &sb) == -1)
- {
- DBG1(DBG_LIB, " getting file size of '%s' failed: %s", file,
- strerror(errno));
- close(fd);
- return NULL;
- }
-
- addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (addr == MAP_FAILED)
- {
- DBG1(DBG_LIB, " mapping '%s' failed: %s", file, strerror(errno));
- close(fd);
- return NULL;
- }
-
- cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
- subject, flags);
-
- munmap(addr, sb.st_size);
- close(fd);
+ cred = load_from_blob(*chunk, type, subtype, subject, flags);
+ chunk_unmap(chunk);
return cred;
}
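Review bot: The single failure message in load_from_file still reads `opening '%s' failed`, but chunk_map() now stands in for the removed open/fstat/mmap sequence, so a stat or mapping failure would presumably be logged as an open failure. A neutral wording such as `DBG1(DBG_LIB, " mapping '%s' failed: %s", file, strerror(errno));` keeps the log accurate. This relies on chunk_map() leaving errno from the failing call intact, which is not visible here and is worth confirming. The removed code rejected zero-length files through the mmap() failure, so it is also worth checking that chunk_map() and load_from_blob() handle an empty file cleanly.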
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 05319bb87..e2491f5a4 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 2befd0949..d3f3fdf49 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 186d90ac6..c8cec3771 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index 2e5af95ff..36cc284bf 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -135,7 +135,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
};
if (!lib->settings->get_bool(lib->settings,
- "libstrongswan.ecp_x_coordinate_only", TRUE))
+ "%s.ecp_x_coordinate_only", TRUE, lib->ns))
{ /* we only get the x coordinate back */
return;
}
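Review bot: The key is now built from `lib->ns`, so a value set under `libstrongswan.ecp_x_coordinate_only` is honoured for other namespaces only if the settings layer falls back to the `libstrongswan` section, and nothing in this hunk shows that. Without a fallback the lookup silently returns the default TRUE whatever the administrator configured. A short comment at the call, e.g. `/* key is relative to lib->ns, not the fixed "libstrongswan" section */`, or a NEWS entry would make the migration explicit. The same applies to the `%s.plugins.pkcs11.*` lookups in pkcs11_manager.c and pkcs11_plugin.c and to the `%s.plugins.random.*` lookups in random_plugin.c. set_other_public_value starts and ends outside this hunk.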
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 8bda5b66f..96c4a180d 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -338,7 +338,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
);
enumerator = lib->settings->create_section_enumerator(lib->settings,
- "libstrongswan.plugins.pkcs11.modules");
+ "%s.plugins.pkcs11.modules", lib->ns);
while (enumerator->enumerate(enumerator, &module))
{
INIT(entry,
@@ -346,7 +346,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
);
entry->path = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
+ "%s.plugins.pkcs11.modules.%s.path", NULL, lib->ns, module);
if (!entry->path)
{
DBG1(DBG_CFG, "PKCS11 module '%s' lacks library path", module);
@@ -355,8 +355,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
}
entry->lib = pkcs11_library_create(module, entry->path,
lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.modules.%s.os_locking",
- FALSE, module));
+ "%s.plugins.pkcs11.modules.%s.os_locking",
+ FALSE, lib->ns, module));
if (!entry->lib)
{
free(entry);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 3faa59cae..bd2a2c114 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -83,8 +83,8 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
if (add && this->handle_events)
{
if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.modules.%s.load_certs",
- TRUE, p11->get_name(p11)))
+ "%s.plugins.pkcs11.modules.%s.load_certs",
+ TRUE, lib->ns, p11->get_name(p11)))
{
creds = pkcs11_creds_create(p11, slot);
if (creds)
@@ -174,8 +174,8 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
METHOD(plugin_t, reload, bool,
private_pkcs11_plugin_t *this)
{
- if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.reload_certs", FALSE))
+ if (lib->settings->get_bool(lib->settings, "%s.plugins.pkcs11.reload_certs",
+ FALSE, lib->ns))
{
DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
handle_certs(this, NULL, FALSE, NULL);
@@ -247,28 +247,28 @@ METHOD(plugin_t, get_features, int,
if (!count)
{ /* initialize only once */
bool use_ecc = lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.use_ecc", FALSE);
+ "%s.plugins.pkcs11.use_ecc", FALSE, lib->ns);
plugin_features_add(f, f_manager, countof(f_manager), &count);
/* private key handling for EC keys is not disabled by use_ecc */
plugin_features_add(f, f_privkey, countof(f_privkey), &count);
if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
+ "%s.plugins.pkcs11.use_pubkey", FALSE, lib->ns))
{
plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
&count);
}
if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+ "%s.plugins.pkcs11.use_hasher", FALSE, lib->ns))
{
plugin_features_add(f, f_hash, countof(f_hash), &count);
}
if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.use_rng", FALSE))
+ "%s.plugins.pkcs11.use_rng", FALSE, lib->ns))
{
plugin_features_add(f, f_rng, countof(f_rng), &count);
}
if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.use_dh", FALSE))
+ "%s.plugins.pkcs11.use_dh", FALSE, lib->ns))
{
plugin_features_add(f, f_dh, countof(f_dh), &count);
if (use_ecc)
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 1972f33b3..67b1f4f57 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index 300212173..feff6e5b0 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -219,8 +219,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index e2ccb326d..35a5c9a35 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 5ed0a9b0f..08a8442ea 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010-2014 Tobias Brunner
* Copyright (C) 2007 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -28,6 +28,7 @@
#include <utils/debug.h>
#include <library.h>
#include <collections/hashtable.h>
+#include <collections/array.h>
#include <collections/linked_list.h>
#include <plugins/plugin.h>
#include <utils/integrity_checker.h>
@@ -936,18 +937,146 @@ static bool find_plugin(char *path, char *name, char *buf, char **file)
return FALSE;
}
+/**
+ * Used to sort plugins by priority
+ */
+typedef struct {
+ /* name of the plugin */
+ char *name;
+ /* the plugins priority */
+ int prio;
+ /* default priority */
+ int def;
+} plugin_priority_t;
+
+static void plugin_priority_free(const plugin_priority_t *this, int idx,
+ void *user)
+{
+ free(this->name);
+}
+
+/**
+ * Sort plugins and their priority by name
+ */
+static int plugin_priority_cmp_name(const plugin_priority_t *a,
+ const plugin_priority_t *b)
+{
+ return strcmp(a->name, b->name);
+}
+
+/**
+ * Sort plugins by decreasing priority or default priority then by name
+ */
+static int plugin_priority_cmp(const plugin_priority_t *a,
+ const plugin_priority_t *b, void *user)
+{
+ int diff;
+
+ diff = b->prio - a->prio;
+ if (!diff)
+ { /* the same priority, use default order */
+ diff = b->def - a->def;
+ if (!diff)
+ { /* same default priority (i.e. both were not found in that list) */
+ return strcmp(a->name, b->name);
+ }
+ }
+ return diff;
+}
+
+
+/**
+ * Determine the list of plugins to load via load option in each plugin's
+ * config section.
+ */
+static char *modular_pluginlist(char *list)
+{
+ enumerator_t *enumerator;
+ array_t *given, *final;
+ plugin_priority_t item, *current, found;
+ char *plugin, *plugins = NULL;
+ int i = 0, max_prio;
+
+ if (!lib->settings->get_bool(lib->settings, "%s.load_modular", FALSE,
+ lib->ns))
+ {
+ return list;
+ }
+
+ given = array_create(sizeof(plugin_priority_t), 0);
+ final = array_create(sizeof(plugin_priority_t), 0);
+
+ enumerator = enumerator_create_token(list, " ", " ");
+ while (enumerator->enumerate(enumerator, &plugin))
+ {
+ item.name = strdup(plugin);
+ item.prio = i++;
+ array_insert(given, ARRAY_TAIL, &item);
+ }
+ enumerator->destroy(enumerator);
+ array_sort(given, (void*)plugin_priority_cmp_name, NULL);
+ /* the maximum priority used for plugins not found in this list */
+ max_prio = i + 1;
+
+ enumerator = lib->settings->create_section_enumerator(lib->settings,
+ "%s.plugins", lib->ns);
+ while (enumerator->enumerate(enumerator, &plugin))
+ {
+ item.prio = lib->settings->get_int(lib->settings,
+ "%s.plugins.%s.load", 0, lib->ns, plugin);
+ if (!item.prio)
+ {
+ if (!lib->settings->get_bool(lib->settings,
+ "%s.plugins.%s.load", FALSE, lib->ns, plugin))
+ {
+ continue;
+ }
+ item.prio = 1;
+ }
+ item.name = plugin;
+ item.def = max_prio;
+ if (array_bsearch(given, &item, (void*)plugin_priority_cmp_name,
+ &found) != -1)
+ {
+ item.def = max_prio - found.prio;
+ }
+ array_insert(final, ARRAY_TAIL, &item);
+ }
+ enumerator->destroy(enumerator);
+ array_destroy_function(given, (void*)plugin_priority_free, NULL);
+
+ array_sort(final, (void*)plugin_priority_cmp, NULL);
+
+ enumerator = array_create_enumerator(final);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ char *prev = plugins;
+ if (asprintf(&plugins, "%s %s", plugins ?: "", current->name) < 0)
+ {
+ plugins = prev;
+ break;
+ }
+ free(prev);
+ }
+ enumerator->destroy(enumerator);
+ array_destroy(final);
+ return plugins;
+}
+
METHOD(plugin_loader_t, load_plugins, bool,
private_plugin_loader_t *this, char *list)
{
enumerator_t *enumerator;
- char *default_path = NULL, *token;
+ char *default_path = NULL, *plugins, *token;
bool critical_failed = FALSE;
#ifdef PLUGINDIR
default_path = PLUGINDIR;
#endif /* PLUGINDIR */
- enumerator = enumerator_create_token(list, " ", " ");
+ plugins = modular_pluginlist(list);
+
+ enumerator = enumerator_create_token(plugins, " ", " ");
while (!critical_failed && enumerator->enumerate(enumerator, &token))
{
plugin_entry_t *entry;
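Review bot: modular_pluginlist() returns NULL when `load_modular` is enabled but no plugin section carries a `load` option (or when the first asprintf() fails), and load_plugins passes that result straight to enumerator_create_token(). Unless the tokenizer accepts NULL, which is not visible here, that is a NULL dereference at startup caused by configuration alone. Returning an empty string instead, `return plugins ?: strdup("");`, keeps the caller's `plugins != list` free correct. A DBG1 line when the modular list comes out empty or truncated would also show that fewer plugins than intended (for example the revocation plugin) were loaded. Separately, `item.name = plugin;` stores the section enumerator's string in `final` and uses it after `enumerator->destroy()`, unlike the strdup() used for `given`, so it depends on the settings object keeping those names alive; load_plugins continues outside this hunk.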
@@ -1006,6 +1135,10 @@ METHOD(plugin_loader_t, load_plugins, bool,
free(this->loaded_plugins);
this->loaded_plugins = loaded_plugins_list(this);
}
+ if (plugins != list)
+ {
+ free(plugins);
+ }
return !critical_failed;
}
@@ -1170,3 +1303,22 @@ plugin_loader_t *plugin_loader_create()
return &this->public;
}
+
+/*
+ * See header
+ */
+void plugin_loader_add_plugindirs(char *basedir, char *plugins)
+{
+ enumerator_t *enumerator;
+ char *name, path[PATH_MAX], dir[64];
+
+ enumerator = enumerator_create_token(plugins, " ", "");
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ snprintf(dir, sizeof(dir), "%s", name);
+ translate(dir, "-", "_");
+ snprintf(path, sizeof(path), "%s/%s/.libs", basedir, dir);
+ lib->plugins->add_path(lib->plugins, path);
+ }
+ enumerator->destroy(enumerator);
+}
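Review bot: Both snprintf() calls in plugin_loader_add_plugindirs ignore their return value, so a plugin name of 64 characters or more, or a long `basedir`, is silently truncated and a different directory than intended is registered as a plugin search path. Since these paths decide where shared objects are loaded from, a truncated entry should be skipped and logged rather than added. The loop body could check both lengths as below, with an `int len;` declared next to the other locals.

```c
		/* … inside the existing while loop … */
		len = snprintf(dir, sizeof(dir), "%s", name);
		if (len < 0 || len >= sizeof(dir))
		{
			DBG1(DBG_LIB, "plugin name '%s' too long, directory not added",
				 name);
			continue;
		}
		translate(dir, "-", "_");
		len = snprintf(path, sizeof(path), "%s/%s/.libs", basedir, dir);
		if (len < 0 || len >= sizeof(path))
		{
			DBG1(DBG_LIB, "plugin directory for '%s' too long, not added",
				 name);
			continue;
		}
		lib->plugins->add_path(lib->plugins, path);
```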
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 285b33910..fec57ce98 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2013 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
* Copyright (C) 2007 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -67,6 +67,13 @@ struct plugin_loader_t {
* for the plugins first, in the order they were added, then the default
* path follows.
*
+ * If \<ns>.load_modular is enabled (where \<ns> is lib->ns) the plugins to
+ * load are determined via a load option in their respective plugin config
+ * section e.g. \<ns>.plugins.\<plugin>.load = <priority|bool>.
+ * The oder is determined by the configured priority. If two plugins have
+ * the same priority the order as seen in list is preserved. Plugins not
+ * found in list are loaded first, in alphabetical order.
+ *
* @note Even though this method could be called multiple times this is
* currently not really supported in regards to plugin features and their
* dependencies (in particular soft dependencies).
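Review bot: The added paragraph has a typo: `The oder is determined` should read `The order is determined`. It also escapes `\<ns>` and `\<plugin>` but leaves `<priority|bool>` unescaped, which Doxygen may treat as markup. It would help to state that with load_modular enabled a plugin named in list but without a load option in its config section is not loaded at all, since that is what the `continue` in modular_pluginlist() does.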
@@ -146,4 +153,13 @@ struct plugin_loader_t {
*/
plugin_loader_t *plugin_loader_create();
+/**
+ * Convenience function to add plugin directories for the given plugins within
+ * the given base directory according to the conventions in the src/build tree.
+ *
+ * @param basedir base directory
+ * @param plugins space separated list of plugins
+ */
+void plugin_loader_add_plugindirs(char *basedir, char *plugins);
+
#endif /** PLUGIN_LOADER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index c5b3bad05..803eeab44 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 492bc31ac..0efe24cb7 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 24c711a69..1f1079240 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -51,6 +51,9 @@ static int dev_random = -1;
/** /dev/urandom file descriptor */
static int dev_urandom = -1;
+/** Is strong randomness equivalent to true randomness? */
+static bool strong_equals_true = FALSE;
+
/**
* See header.
*/
@@ -68,6 +71,14 @@ int random_plugin_get_dev_urandom()
}
/**
+ * See header.
+ */
+bool random_plugin_get_strong_equals_true()
+{
+ return strong_equals_true;
+}
+
+/**
* Open a random device file
*/
static bool open_dev(char *file, int *fd)
@@ -131,10 +142,12 @@ plugin_t *random_plugin_create()
},
);
+ strong_equals_true = lib->settings->get_bool(lib->settings,
+ "%s.plugins.random.strong_equals_true", FALSE, lib->ns);
urandom_file = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.random.urandom", DEV_URANDOM);
+ "%s.plugins.random.urandom", DEV_URANDOM, lib->ns);
random_file = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.random.random", DEV_RANDOM);
+ "%s.plugins.random.random", DEV_RANDOM, lib->ns);
if (!open_dev(urandom_file, &dev_urandom) ||
!open_dev(random_file, &dev_random))
{
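Review bot: `strong_equals_true` is read only here, in random_plugin_create, into a file-scope static, so as far as these hunks show a later settings reload does not change which device RNG_STRONG uses. The two comments also disagree: random_plugin.c says `Is strong randomness equivalent to true randomness?` while random_plugin.h says `Must strong randomness be equivalent to true randomness?`. One wording for both, e.g. `/** TRUE if RNG_STRONG is served from the same device as RNG_TRUE */`, plus a remark that the option is evaluated at plugin creation only, would remove the ambiguity. random_plugin_create continues outside this hunk.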
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index c34fa8196..ff79bef0c 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -49,4 +49,9 @@ int random_plugin_get_dev_random();
*/
int random_plugin_get_dev_urandom();
+/**
+ * Must strong randomness be equivalent to true randomness?
+ */
+bool random_plugin_get_strong_equals_true();
+
#endif /** RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 568844899..36d5446b8 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -99,6 +99,10 @@ random_rng_t *random_rng_create(rng_quality_t quality)
this->fd = random_plugin_get_dev_random();
break;
case RNG_STRONG:
+ this->fd = random_plugin_get_strong_equals_true() ?
+ random_plugin_get_dev_random() :
+ random_plugin_get_dev_urandom();
+ break;
case RNG_WEAK:
default:
this->fd = random_plugin_get_dev_urandom();
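Review bot: The new RNG_STRONG branch has no comment explaining the trade-off it introduces. With `strong_equals_true` set, every RNG_STRONG consumer reads from the device configured as `random` (DEV_RANDOM by default), which on many systems blocks when the kernel's entropy estimate is low. That makes the option an availability consideration for anything requesting RNG_STRONG, not only a quality setting. A comment such as `/* optionally serve RNG_STRONG from the blocking device, may stall on low entropy */` above the ternary would record this. The read path and the rest of random_rng_create are outside the hunk.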
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index e2cdbac7a..afcbc07eb 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 0a3063f04..88b283e87 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
index 4bdfc258e..b416c872f 100644
--- a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
@@ -77,11 +77,11 @@ static bool have_rdrand()
cpuid(1, &a, &b, &c, &d);
if (c & CPUID_RDRAND)
{
- DBG1(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
+ DBG2(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
return TRUE;
}
}
- DBG1(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
+ DBG2(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
return FALSE;
}
@@ -102,7 +102,11 @@ METHOD(plugin_t, get_features, int,
PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
};
*features = f;
- return countof(f);
+ if (have_rdrand())
+ {
+ return countof(f);
+ }
+ return 0;
}
METHOD(plugin_t, destroy, void,
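Review bot: have_rdrand() now runs on every get_features call instead of once in rdrand_plugin_create, so the CPUID probe and its log line repeat each time the loader asks for features. `*features = f;` is also assigned when 0 is returned, which is harmless only if callers honour the count. Caching the probe result, e.g. in a `static int supported = -1;` set on first use, would keep the new behaviour without the repetition. get_features starts outside this hunk.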
@@ -122,16 +126,12 @@ plugin_t *rdrand_plugin_create()
.public = {
.plugin = {
.get_name = _get_name,
+ .get_features = _get_features,
.reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- if (have_rdrand())
- {
- this->public.plugin.get_features = _get_features;
- }
-
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index fe9aa16e7..745ee83e7 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 2095dbdb7..e57eb78ab 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 2eb572f70..c044178b9 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 5483bf91f..cc16ef5cb 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -216,8 +216,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -285,6 +283,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,12 +376,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -393,6 +400,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 13c0bf86d..c428b883f 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index a62d22a5b..3c9926acc 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
index 569b0b738..652663108 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -13,6 +13,7 @@
* for more details.
*/
+#define _GNU_SOURCE /* for fmemopen() */
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index d4cbde107..a1439f6ea 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -232,8 +232,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -301,6 +299,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -389,12 +392,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -409,6 +416,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index d79803189..961311eb0 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.c b/src/libstrongswan/plugins/unbound/unbound_resolver.c
index 42cdbc6cc..745e59d5b 100644
--- a/src/libstrongswan/plugins/unbound/unbound_resolver.c
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.c
@@ -97,14 +97,14 @@ resolver_t *unbound_resolver_create(void)
char *resolv_conf, *trust_anchors, *dlv_anchors;
resolv_conf = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.unbound.resolv_conf",
- RESOLV_CONF_FILE);
+ "%s.plugins.unbound.resolv_conf",
+ RESOLV_CONF_FILE, lib->ns);
trust_anchors = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.unbound.trust_anchors",
- TRUST_ANCHOR_FILE);
+ "%s.plugins.unbound.trust_anchors",
+ TRUST_ANCHOR_FILE, lib->ns);
dlv_anchors = lib->settings->get_str(lib->settings,
- "libstrongswan.plugins.unbound.dlv_anchors",
- NULL);
+ "%s.plugins.unbound.dlv_anchors",
+ NULL, lib->ns);
INIT(this,
.public = {
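Review bot: The three lookups move from the fixed `libstrongswan.plugins.unbound.*` keys to `%s.plugins.unbound.*` resolved with `lib->ns`, and nothing in this hunk shows a fallback to the old prefix. If there is none, a `trust_anchors` or `dlv_anchors` path configured under `libstrongswan` would silently be replaced by the default, which changes the DNSSEC trust anchors the resolver works with and leaves no trace in the log. The same question applies to `%s.x509.enforce_critical` in x509_cert.c and x509_crl.c and to `%s.processor.priority_threads.%N` in processor.c. A comment at the first lookup naming where the fallback is registered would settle it; the calls also assume `lib->ns` is never NULL. unbound_resolver_create() continues past the end of the hunk.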
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 09d300255..74552e00b 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -217,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -286,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -394,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 85c481552..ed850e8f5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -20,14 +20,14 @@
#define _GNU_SOURCE
-#include "x509_cert.h"
-
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
+#include "x509_cert.h"
+
#include <library.h>
#include <utils/debug.h>
#include <asn1/oid.h>
@@ -1446,7 +1446,7 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
- "libstrongswan.x509.enforce_critical", TRUE))
+ "%s.x509.enforce_critical", TRUE, lib->ns))
{
DBG1(DBG_ASN, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index efb70c94c..d6057c30f 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -325,7 +325,7 @@ static bool parse(private_x509_crl_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
- "libstrongswan.x509.enforce_critical", TRUE))
+ "%s.x509.enforce_critical", TRUE, lib->ns))
{
DBG1(DBG_ASN, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 59ee48377..c8f886c60 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -215,8 +215,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -284,6 +282,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,12 +375,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -392,6 +399,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index adbd95685..012b169e3 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -545,7 +545,7 @@ processor_t *processor_create()
{
this->jobs[i] = linked_list_create();
this->prio_threads[i] = lib->settings->get_int(lib->settings,
- "libstrongswan.processor.priority_threads.%N", 0,
+ "%s.processor.priority_threads.%N", 0, lib->ns,
job_priority_names, i);
}
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index 9773e7601..cc3c3a788 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -340,7 +340,7 @@ static job_requeue_t watch(private_watcher_t *this)
}
else
{
- if (!this->pending)
+ if (!this->pending && errno != EINTR)
{ /* complain only if no pending updates */
DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno));
}
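Review bot: The comment on the branch, `/* complain only if no pending updates */`, no longer matches the condition now that EINTR is excluded as well; it could read `/* complain only if no pending updates and select() was not merely interrupted */`. The new test reads `errno` inside the else branch, so it relies on nothing between the select() call and this point having modified it. That code is outside the hunk; if anything does run in between, saving errno in a local right after select() and using it for both the test and strerror() would be safer. watch() starts and ends outside the hunk.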
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index c3d41a1cd..331a5480d 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -1,23 +1,62 @@
-TESTS = test_runner
+check_LTLIBRARIES = libtest.la
+
+libtest_la_SOURCES = \
+ test_suite.c test_suite.h \
+ test_runner.c test_runner.h \
+ utils/test_rng.c utils/test_rng.h
+
+libtest_la_CFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ @COVERAGE_CFLAGS@
+
+libtest_la_LDFLAGS = @COVERAGE_LDFLAGS@
+libtest_la_LIBADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(PTHREADLIB)
+
+
+TESTS = tests
check_PROGRAMS = $(TESTS)
-test_runner_SOURCES = \
- test_runner.c test_runner.h test_suite.h \
- test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
- test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
- test_identification.c test_threading.c test_utils.c test_vectors.c \
- test_array.c test_ecdsa.c test_rsa.c test_host.c test_printf.c
+tests_SOURCES = tests.h tests.c \
+ suites/test_linked_list.c \
+ suites/test_enumerator.c \
+ suites/test_linked_list_enumerator.c \
+ suites/test_bio_reader.c \
+ suites/test_bio_writer.c \
+ suites/test_chunk.c \
+ suites/test_enum.c \
+ suites/test_hashtable.c \
+ suites/test_identification.c \
+ suites/test_threading.c \
+ suites/test_watcher.c \
+ suites/test_stream.c \
+ suites/test_fetch_http.c \
+ suites/test_utils.c \
+ suites/test_settings.c \
+ suites/test_vectors.c \
+ suites/test_array.c \
+ suites/test_ecdsa.c \
+ suites/test_rsa.c \
+ suites/test_host.c \
+ suites/test_hasher.c \
+ suites/test_crypter.c \
+ suites/test_pen.c \
+ suites/test_asn1.c \
+ suites/test_asn1_parser.c \
+ suites/test_printf.c \
+ suites/test_test_rng.c \
+ suites/test_ntru.c
-test_runner_CFLAGS = \
+tests_CFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
-DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
-DPLUGINS=\""${s_plugins}\"" \
- @COVERAGE_CFLAGS@ \
- @CHECK_CFLAGS@
+ @COVERAGE_CFLAGS@
-test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
-test_runner_LDADD = \
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(PTHREADLIB) \
- @CHECK_LIBS@
+ libtest.la
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index adeae1a81..656be4efb 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -77,11 +77,11 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-TESTS = test_runner$(EXEEXT)
+TESTS = tests$(EXEEXT)
check_PROGRAMS = $(am__EXEEXT_1)
subdir = src/libstrongswan/tests
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp $(top_srcdir)/test-driver
+ $(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -99,36 +99,57 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = test_runner$(EXEEXT)
-am_test_runner_OBJECTS = test_runner-test_runner.$(OBJEXT) \
- test_runner-test_linked_list.$(OBJEXT) \
- test_runner-test_enumerator.$(OBJEXT) \
- test_runner-test_linked_list_enumerator.$(OBJEXT) \
- test_runner-test_bio_reader.$(OBJEXT) \
- test_runner-test_bio_writer.$(OBJEXT) \
- test_runner-test_chunk.$(OBJEXT) \
- test_runner-test_enum.$(OBJEXT) \
- test_runner-test_hashtable.$(OBJEXT) \
- test_runner-test_identification.$(OBJEXT) \
- test_runner-test_threading.$(OBJEXT) \
- test_runner-test_utils.$(OBJEXT) \
- test_runner-test_vectors.$(OBJEXT) \
- test_runner-test_array.$(OBJEXT) \
- test_runner-test_ecdsa.$(OBJEXT) \
- test_runner-test_rsa.$(OBJEXT) test_runner-test_host.$(OBJEXT) \
- test_runner-test_printf.$(OBJEXT)
-test_runner_OBJECTS = $(am_test_runner_OBJECTS)
am__DEPENDENCIES_1 =
-test_runner_DEPENDENCIES = \
+libtest_la_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(am__DEPENDENCIES_1)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libtest_la_OBJECTS = libtest_la-test_suite.lo \
+ libtest_la-test_runner.lo utils/libtest_la-test_rng.lo
+libtest_la_OBJECTS = $(am_libtest_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
-test_runner_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_runner_CFLAGS) \
- $(CFLAGS) $(test_runner_LDFLAGS) $(LDFLAGS) -o $@
+libtest_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libtest_la_CFLAGS) \
+ $(CFLAGS) $(libtest_la_LDFLAGS) $(LDFLAGS) -o $@
+am__EXEEXT_1 = tests$(EXEEXT)
+am_tests_OBJECTS = tests-tests.$(OBJEXT) \
+ suites/tests-test_linked_list.$(OBJEXT) \
+ suites/tests-test_enumerator.$(OBJEXT) \
+ suites/tests-test_linked_list_enumerator.$(OBJEXT) \
+ suites/tests-test_bio_reader.$(OBJEXT) \
+ suites/tests-test_bio_writer.$(OBJEXT) \
+ suites/tests-test_chunk.$(OBJEXT) \
+ suites/tests-test_enum.$(OBJEXT) \
+ suites/tests-test_hashtable.$(OBJEXT) \
+ suites/tests-test_identification.$(OBJEXT) \
+ suites/tests-test_threading.$(OBJEXT) \
+ suites/tests-test_watcher.$(OBJEXT) \
+ suites/tests-test_stream.$(OBJEXT) \
+ suites/tests-test_fetch_http.$(OBJEXT) \
+ suites/tests-test_utils.$(OBJEXT) \
+ suites/tests-test_settings.$(OBJEXT) \
+ suites/tests-test_vectors.$(OBJEXT) \
+ suites/tests-test_array.$(OBJEXT) \
+ suites/tests-test_ecdsa.$(OBJEXT) \
+ suites/tests-test_rsa.$(OBJEXT) \
+ suites/tests-test_host.$(OBJEXT) \
+ suites/tests-test_hasher.$(OBJEXT) \
+ suites/tests-test_crypter.$(OBJEXT) \
+ suites/tests-test_pen.$(OBJEXT) \
+ suites/tests-test_asn1.$(OBJEXT) \
+ suites/tests-test_asn1_parser.$(OBJEXT) \
+ suites/tests-test_printf.$(OBJEXT) \
+ suites/tests-test_test_rng.$(OBJEXT) \
+ suites/tests-test_ntru.$(OBJEXT)
+tests_OBJECTS = $(am_tests_OBJECTS)
+tests_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la libtest.la
+tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \
+ $(tests_LDFLAGS) $(LDFLAGS) -o $@
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -163,8 +184,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = $(test_runner_SOURCES)
-DIST_SOURCES = $(test_runner_SOURCES)
+SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES)
+DIST_SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -211,188 +232,6 @@ am__tty_colors = { \
std=''; \
fi; \
}
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-am__recheck_rx = ^[ ]*:recheck:[ ]*
-am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
-am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
- recheck = 1; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- { \
- if ((getline line2 < ($$0 ".log")) < 0) \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
- { \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
- { \
- break; \
- } \
- }; \
- if (recheck) \
- print $$0; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
- print "fatal: making $@: " msg | "cat >&2"; \
- exit 1; \
-} \
-function rst_section(header) \
-{ \
- print header; \
- len = length(header); \
- for (i = 1; i <= len; i = i + 1) \
- printf "="; \
- printf "\n\n"; \
-} \
-{ \
- copy_in_global_log = 1; \
- global_test_result = "RUN"; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".trs"); \
- if (line ~ /$(am__global_test_result_rx)/) \
- { \
- sub("$(am__global_test_result_rx)", "", line); \
- sub("[ ]*$$", "", line); \
- global_test_result = line; \
- } \
- else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
- copy_in_global_log = 0; \
- }; \
- if (copy_in_global_log) \
- { \
- rst_section(global_test_result ": " $$0); \
- while ((rc = (getline line < ($$0 ".log"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".log"); \
- print line; \
- }; \
- printf "\n"; \
- }; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
- --color-tests "$$am__color_tests" \
- --enable-hard-errors "$$am__enable_hard_errors" \
- --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test. Creates the
-# directory for the log if needed. Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log. Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup); \
-$(am__vpath_adj_setup) $(am__vpath_adj) \
-$(am__tty_colors); \
-srcdir=$(srcdir); export srcdir; \
-case "$@" in \
- */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
- *) am__odir=.;; \
-esac; \
-test "x$$am__odir" = x"." || test -d "$$am__odir" \
- || $(MKDIR_P) "$$am__odir" || exit $$?; \
-if test -f "./$$f"; then dir=./; \
-elif test -f "$$f"; then dir=; \
-else dir="$(srcdir)/"; fi; \
-tst=$$dir$$f; log='$@'; \
-if test -n '$(DISABLE_HARD_ERRORS)'; then \
- am__enable_hard_errors=no; \
-else \
- am__enable_hard_errors=yes; \
-fi; \
-case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
- am__expect_failure=yes;; \
- *) \
- am__expect_failure=no;; \
-esac; \
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed). The result is saved in the shell variable
-# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
- bases='$(TEST_LOGS)'; \
- bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
- bases=`echo $$bases`
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
- case '$@' in \
- */*) \
- case '$*' in \
- */*) b='$*';; \
- *) b=`echo '$@' | sed 's/\.log$$//'`; \
- esac;; \
- *) \
- b='$*';; \
- esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
- $(TEST_LOG_FLAGS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
@@ -408,8 +247,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -477,6 +314,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -565,12 +407,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -585,6 +431,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -595,30 +442,67 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-test_runner_SOURCES = \
- test_runner.c test_runner.h test_suite.h \
- test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
- test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
- test_identification.c test_threading.c test_utils.c test_vectors.c \
- test_array.c test_ecdsa.c test_rsa.c test_host.c test_printf.c
-
-test_runner_CFLAGS = \
+check_LTLIBRARIES = libtest.la
+libtest_la_SOURCES = \
+ test_suite.c test_suite.h \
+ test_runner.c test_runner.h \
+ utils/test_rng.c utils/test_rng.h
+
+libtest_la_CFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ @COVERAGE_CFLAGS@
+
+libtest_la_LDFLAGS = @COVERAGE_LDFLAGS@
+libtest_la_LIBADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(PTHREADLIB)
+
+tests_SOURCES = tests.h tests.c \
+ suites/test_linked_list.c \
+ suites/test_enumerator.c \
+ suites/test_linked_list_enumerator.c \
+ suites/test_bio_reader.c \
+ suites/test_bio_writer.c \
+ suites/test_chunk.c \
+ suites/test_enum.c \
+ suites/test_hashtable.c \
+ suites/test_identification.c \
+ suites/test_threading.c \
+ suites/test_watcher.c \
+ suites/test_stream.c \
+ suites/test_fetch_http.c \
+ suites/test_utils.c \
+ suites/test_settings.c \
+ suites/test_vectors.c \
+ suites/test_array.c \
+ suites/test_ecdsa.c \
+ suites/test_rsa.c \
+ suites/test_host.c \
+ suites/test_hasher.c \
+ suites/test_crypter.c \
+ suites/test_pen.c \
+ suites/test_asn1.c \
+ suites/test_asn1_parser.c \
+ suites/test_printf.c \
+ suites/test_test_rng.c \
+ suites/test_ntru.c
+
+tests_CFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
-DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
-DPLUGINS=\""${s_plugins}\"" \
- @COVERAGE_CFLAGS@ \
- @CHECK_CFLAGS@
+ @COVERAGE_CFLAGS@
-test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
-test_runner_LDADD = \
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(PTHREADLIB) \
- @CHECK_LIBS@
+ libtest.la
all: all-am
.SUFFIXES:
-.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs
+.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@@ -650,6 +534,28 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+clean-checkLTLIBRARIES:
+ -test -z "$(check_LTLIBRARIES)" || rm -f $(check_LTLIBRARIES)
+ @list='$(check_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+utils/$(am__dirstamp):
+ @$(MKDIR_P) utils
+ @: > utils/$(am__dirstamp)
+utils/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) utils/$(DEPDIR)
+ @: > utils/$(DEPDIR)/$(am__dirstamp)
+utils/libtest_la-test_rng.lo: utils/$(am__dirstamp) \
+ utils/$(DEPDIR)/$(am__dirstamp)
+
+libtest.la: $(libtest_la_OBJECTS) $(libtest_la_DEPENDENCIES) $(EXTRA_libtest_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libtest_la_LINK) $(libtest_la_OBJECTS) $(libtest_la_LIBADD) $(LIBS)
+
clean-checkPROGRAMS:
@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
@@ -658,35 +564,114 @@ clean-checkPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-
-test_runner$(EXEEXT): $(test_runner_OBJECTS) $(test_runner_DEPENDENCIES) $(EXTRA_test_runner_DEPENDENCIES)
- @rm -f test_runner$(EXEEXT)
- $(AM_V_CCLD)$(test_runner_LINK) $(test_runner_OBJECTS) $(test_runner_LDADD) $(LIBS)
+suites/$(am__dirstamp):
+ @$(MKDIR_P) suites
+ @: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) suites/$(DEPDIR)
+ @: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_linked_list.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_enumerator.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_linked_list_enumerator.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_bio_reader.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_bio_writer.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_chunk.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_enum.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_watcher.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_stream.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_fetch_http.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_utils.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_settings.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_vectors.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_array.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_asn1_parser.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+
+tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES)
+ @rm -f tests$(EXEEXT)
+ $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
+ -rm -f suites/*.$(OBJEXT)
+ -rm -f utils/*.$(OBJEXT)
+ -rm -f utils/*.lo
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_array.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_reader.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_writer.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_chunk.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_ecdsa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enum.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enumerator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_hashtable.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_host.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_identification.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list_enumerator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_printf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_rsa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_runner.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_threading.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_utils.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_vectors.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_runner.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_suite.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ecdsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enum.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_fetch_http.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hasher.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_rsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_settings.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/libtest_la-test_rng.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -712,263 +697,439 @@ distclean-compile:
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-test_runner-test_runner.o: test_runner.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.o -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.o' libtool=no @AMDEPBACKSLASH@
+libtest_la-test_suite.lo: test_suite.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -MT libtest_la-test_suite.lo -MD -MP -MF $(DEPDIR)/libtest_la-test_suite.Tpo -c -o libtest_la-test_suite.lo `test -f 'test_suite.c' || echo '$(srcdir)/'`test_suite.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libtest_la-test_suite.Tpo $(DEPDIR)/libtest_la-test_suite.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_suite.c' object='libtest_la-test_suite.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-test_suite.lo `test -f 'test_suite.c' || echo '$(srcdir)/'`test_suite.c
+
+libtest_la-test_runner.lo: test_runner.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -MT libtest_la-test_runner.lo -MD -MP -MF $(DEPDIR)/libtest_la-test_runner.Tpo -c -o libtest_la-test_runner.lo `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libtest_la-test_runner.Tpo $(DEPDIR)/libtest_la-test_runner.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_runner.c' object='libtest_la-test_runner.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-test_runner.lo `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+
+utils/libtest_la-test_rng.lo: utils/test_rng.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -MT utils/libtest_la-test_rng.lo -MD -MP -MF utils/$(DEPDIR)/libtest_la-test_rng.Tpo -c -o utils/libtest_la-test_rng.lo `test -f 'utils/test_rng.c' || echo '$(srcdir)/'`utils/test_rng.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/libtest_la-test_rng.Tpo utils/$(DEPDIR)/libtest_la-test_rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/test_rng.c' object='utils/libtest_la-test_rng.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o utils/libtest_la-test_rng.lo `test -f 'utils/test_rng.c' || echo '$(srcdir)/'`utils/test_rng.c
+
+tests-tests.o: tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+
+tests-tests.obj: tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+
+suites/tests-test_linked_list.o: suites/test_linked_list.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c
+
+suites/tests-test_linked_list.obj: suites/test_linked_list.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi`
+
+suites/tests-test_enumerator.o: suites/test_enumerator.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c
+
+suites/tests-test_enumerator.obj: suites/test_enumerator.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi`
+
+suites/tests-test_linked_list_enumerator.o: suites/test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c
+
+suites/tests-test_linked_list_enumerator.obj: suites/test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi`
+
+suites/tests-test_bio_reader.o: suites/test_bio_reader.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c
+
+suites/tests-test_bio_reader.obj: suites/test_bio_reader.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi`
+
+suites/tests-test_bio_writer.o: suites/test_bio_writer.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c
+
+suites/tests-test_bio_writer.obj: suites/test_bio_writer.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi`
+
+suites/tests-test_chunk.o: suites/test_chunk.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.o -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c
-test_runner-test_runner.obj: test_runner.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.obj -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_chunk.obj: suites/test_chunk.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi`
-test_runner-test_linked_list.o: test_linked_list.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_enum.o: suites/test_enum.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c
-test_runner-test_linked_list.obj: test_linked_list.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_enum.obj: suites/test_enum.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi`
-test_runner-test_enumerator.o: test_enumerator.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hashtable.o: suites/test_hashtable.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c
-test_runner-test_enumerator.obj: test_enumerator.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hashtable.obj: suites/test_hashtable.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi`
-test_runner-test_linked_list_enumerator.o: test_linked_list_enumerator.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_identification.o: suites/test_identification.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.o -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c
-test_runner-test_linked_list_enumerator.obj: test_linked_list_enumerator.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_identification.obj: suites/test_identification.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi`
-test_runner-test_bio_reader.o: test_bio_reader.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_threading.o: suites/test_threading.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c
-test_runner-test_bio_reader.obj: test_bio_reader.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_threading.obj: suites/test_threading.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi`
-test_runner-test_bio_writer.o: test_bio_writer.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_watcher.o: suites/test_watcher.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c
-test_runner-test_bio_writer.obj: test_bio_writer.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_watcher.obj: suites/test_watcher.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi`
-test_runner-test_chunk.o: test_chunk.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.o -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_stream.o: suites/test_stream.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.o -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c
-test_runner-test_chunk.obj: test_chunk.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.obj -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_stream.obj: suites/test_stream.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi`
-test_runner-test_enum.o: test_enum.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.o -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_fetch_http.o: suites/test_fetch_http.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.o -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c
-test_runner-test_enum.obj: test_enum.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_fetch_http.obj: suites/test_fetch_http.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi`
-test_runner-test_hashtable.o: test_hashtable.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.o -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_utils.o: suites/test_utils.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.o -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c
-test_runner-test_hashtable.obj: test_hashtable.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.obj -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_utils.obj: suites/test_utils.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi`
-test_runner-test_identification.o: test_identification.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.o -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_settings.o: suites/test_settings.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.o -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c
-test_runner-test_identification.obj: test_identification.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.obj -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_settings.obj: suites/test_settings.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi`
-test_runner-test_threading.o: test_threading.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.o -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_vectors.o: suites/test_vectors.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.o -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c
-test_runner-test_threading.obj: test_threading.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.obj -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_vectors.obj: suites/test_vectors.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi`
-test_runner-test_utils.o: test_utils.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.o -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_array.o: suites/test_array.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.o -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c
-test_runner-test_utils.obj: test_utils.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.obj -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_array.obj: suites/test_array.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi`
-test_runner-test_vectors.o: test_vectors.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.o -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_ecdsa.o: suites/test_ecdsa.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c
-test_runner-test_vectors.obj: test_vectors.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.obj -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_ecdsa.obj: suites/test_ecdsa.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi`
-test_runner-test_array.o: test_array.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.o -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_array.c' object='test_runner-test_array.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_rsa.o: suites/test_rsa.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c
-test_runner-test_array.obj: test_array.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.obj -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_array.c' object='test_runner-test_array.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_rsa.obj: suites/test_rsa.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi`
-test_runner-test_ecdsa.o: test_ecdsa.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_host.o: suites/test_host.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c
-test_runner-test_ecdsa.obj: test_ecdsa.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_host.obj: suites/test_host.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi`
-test_runner-test_rsa.o: test_rsa.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hasher.o: suites/test_hasher.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c
-test_runner-test_rsa.obj: test_rsa.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_hasher.obj: suites/test_hasher.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi`
-test_runner-test_host.o: test_host.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.o -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_host.c' object='test_runner-test_host.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_crypter.o: suites/test_crypter.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.o -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c
-test_runner-test_host.obj: test_host.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.obj -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_host.c' object='test_runner-test_host.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_crypter.obj: suites/test_crypter.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi`
-test_runner-test_printf.o: test_printf.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_printf.o -MD -MP -MF $(DEPDIR)/test_runner-test_printf.Tpo -c -o test_runner-test_printf.o `test -f 'test_printf.c' || echo '$(srcdir)/'`test_printf.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_printf.Tpo $(DEPDIR)/test_runner-test_printf.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_printf.c' object='test_runner-test_printf.o' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_pen.o: suites/test_pen.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_printf.o `test -f 'test_printf.c' || echo '$(srcdir)/'`test_printf.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c
-test_runner-test_printf.obj: test_printf.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_printf.obj -MD -MP -MF $(DEPDIR)/test_runner-test_printf.Tpo -c -o test_runner-test_printf.obj `if test -f 'test_printf.c'; then $(CYGPATH_W) 'test_printf.c'; else $(CYGPATH_W) '$(srcdir)/test_printf.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_printf.Tpo $(DEPDIR)/test_runner-test_printf.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_printf.c' object='test_runner-test_printf.obj' libtool=no @AMDEPBACKSLASH@
+suites/tests-test_pen.obj: suites/test_pen.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_printf.obj `if test -f 'test_printf.c'; then $(CYGPATH_W) 'test_printf.c'; else $(CYGPATH_W) '$(srcdir)/test_printf.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi`
+
+suites/tests-test_asn1.o: suites/test_asn1.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c
+
+suites/tests-test_asn1.obj: suites/test_asn1.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi`
+
+suites/tests-test_asn1_parser.o: suites/test_asn1_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c
+
+suites/tests-test_asn1_parser.obj: suites/test_asn1_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi`
+
+suites/tests-test_printf.o: suites/test_printf.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.o -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c
+
+suites/tests-test_printf.obj: suites/test_printf.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi`
+
+suites/tests-test_test_rng.o: suites/test_test_rng.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.o -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c
+
+suites/tests-test_test_rng.obj: suites/test_test_rng.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi`
+
+suites/tests-test_ntru.o: suites/test_ntru.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c
+
+suites/tests-test_ntru.obj: suites/test_ntru.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
+ -rm -rf utils/.libs utils/_libs
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -1022,168 +1183,98 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
- rm -f $< $@
- $(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
- @:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
- @$(am__set_TESTS_bases); \
- am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
- redo_bases=`for i in $$bases; do \
- am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
- done`; \
- if test -n "$$redo_bases"; then \
- redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
- redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
- if $(am__make_dryrun); then :; else \
- rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
- fi; \
- fi; \
- if test -n "$$am__remaking_logs"; then \
- echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
- "recursion detected" >&2; \
- else \
- am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
- fi; \
- if $(am__make_dryrun); then :; else \
- st=0; \
- errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
- for i in $$redo_bases; do \
- test -f $$i.trs && test -r $$i.trs \
- || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
- test -f $$i.log && test -r $$i.log \
- || { echo "$$errmsg $$i.log" >&2; st=1; }; \
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
done; \
- test $$st -eq 0 || exit 1; \
- fi
- @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
- ws='[ ]'; \
- results=`for b in $$bases; do echo $$b.trs; done`; \
- test -n "$$results" || results=/dev/null; \
- all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
- pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
- fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
- skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
- xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
- xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
- error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
- if test `expr $$fail + $$xpass + $$error` -eq 0; then \
- success=true; \
- else \
- success=false; \
- fi; \
- br='==================='; br=$$br$$br$$br$$br; \
- result_count () \
- { \
- if test x"$$1" = x"--maybe-color"; then \
- maybe_colorize=yes; \
- elif test x"$$1" = x"--no-color"; then \
- maybe_colorize=no; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
else \
- echo "$@: invalid 'result_count' usage" >&2; exit 4; \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
fi; \
- shift; \
- desc=$$1 count=$$2; \
- if test $$maybe_colorize = yes && test $$count -gt 0; then \
- color_start=$$3 color_end=$$std; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
else \
- color_start= color_end=; \
+ skipped="($$skip tests were not run)"; \
fi; \
- echo "$${color_start}# $$desc $$count$${color_end}"; \
- }; \
- create_testsuite_report () \
- { \
- result_count $$1 "TOTAL:" $$all "$$brg"; \
- result_count $$1 "PASS: " $$pass "$$grn"; \
- result_count $$1 "SKIP: " $$skip "$$blu"; \
- result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
- result_count $$1 "FAIL: " $$fail "$$red"; \
- result_count $$1 "XPASS:" $$xpass "$$red"; \
- result_count $$1 "ERROR:" $$error "$$mgn"; \
- }; \
- { \
- echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
- $(am__rst_title); \
- create_testsuite_report --no-color; \
- echo; \
- echo ".. contents:: :depth: 2"; \
- echo; \
- for b in $$bases; do echo $$b; done \
- | $(am__create_global_log); \
- } >$(TEST_SUITE_LOG).tmp || exit 1; \
- mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
- if $$success; then \
- col="$$grn"; \
- else \
- col="$$red"; \
- test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
- fi; \
- echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \
- echo "$${col}$$br$${std}"; \
- create_testsuite_report --maybe-color; \
- echo "$$col$$br$$std"; \
- if $$success; then :; else \
- echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
- if test -n "$(PACKAGE_BUGREPORT)"; then \
- echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
- fi; \
- echo "$$col$$br$$std"; \
- fi; \
- $$success || exit 1
-
-check-TESTS:
- @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
- @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- trs_list=`for i in $$bases; do echo $$i.trs; done`; \
- log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
- exit $$?;
-recheck: all $(check_PROGRAMS)
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- bases=`for i in $$bases; do echo $$i; done \
- | $(am__list_recheck_tests)` || exit 1; \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- log_list=`echo $$log_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
- am__force_recheck=am--force-recheck \
- TEST_LOGS="$$log_list"; \
- exit $$?
-test_runner.log: test_runner$(EXEEXT)
- @p='test_runner$(EXEEXT)'; \
- b='test_runner'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
- @p='$<'; \
- $(am__set_b); \
- $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@ @p='$<'; \
-@am__EXEEXT_TRUE@ $(am__set_b); \
-@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -1216,7 +1307,7 @@ distdir: $(DISTFILES)
fi; \
done
check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+ $(MAKE) $(AM_MAKEFLAGS) $(check_LTLIBRARIES) $(check_PROGRAMS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile
@@ -1241,26 +1332,27 @@ install-strip:
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
- -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
- -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
- -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -rm -f suites/$(DEPDIR)/$(am__dirstamp)
+ -rm -f suites/$(am__dirstamp)
+ -rm -f utils/$(DEPDIR)/$(am__dirstamp)
+ -rm -f utils/$(am__dirstamp)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
- mostlyclean-am
+clean-am: clean-checkLTLIBRARIES clean-checkPROGRAMS clean-generic \
+ clean-libtool mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR)
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR) utils/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1306,7 +1398,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR) utils/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1328,18 +1420,18 @@ uninstall-am:
.MAKE: check-am install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
- clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
- ctags ctags-am distclean distclean-compile distclean-generic \
- distclean-libtool distclean-tags distdir dvi dvi-am html \
- html-am info info-am install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-man install-pdf install-pdf-am \
- install-ps install-ps-am install-strip installcheck \
- installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- recheck tags tags-am uninstall uninstall-am
+ clean-checkLTLIBRARIES clean-checkPROGRAMS clean-generic \
+ clean-libtool cscopelist-am ctags ctags-am distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/tests/test_array.c b/src/libstrongswan/tests/suites/test_array.c
index 2220d5a2b..ba2aff460 100644
--- a/src/libstrongswan/tests/test_array.c
+++ b/src/libstrongswan/tests/suites/test_array.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2013 Martin Willi
* Copyright (C) 2013 revosec AG
*
@@ -35,6 +38,14 @@ START_TEST(test_append_ptr)
/* 3, 4 */
+ ck_assert(array_get(array, ARRAY_HEAD, &x));
+ ck_assert_int_eq(x, 3);
+ ck_assert(array_get(array, 1, &x));
+ ck_assert_int_eq(x, 4);
+ ck_assert(array_get(array, ARRAY_TAIL, &x));
+ ck_assert_int_eq(x, 4);
+ ck_assert(!array_get(array, 3, &x));
+
array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)1);
array_insert(array, 1, (void*)(uintptr_t)2);
ck_assert_int_eq(array_count(array), 4);
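Review bot: The out-of-range check `ck_assert(!array_get(array, 3, &x));` skips the first invalid index. The array holds two elements at this point (3 and 4, per the comment and the preceding asserts), so index 2, equal to the element count, is the boundary an off-by-one in array_get's bounds check would get past unnoticed. I would add `ck_assert(!array_get(array, 2, &x));` ahead of the existing line. The identical line in the test_append_obj hunk has the same gap. Both test bodies begin and end outside their hunks.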
@@ -108,6 +119,14 @@ START_TEST(test_append_obj)
/* 3, 4 */
+ ck_assert(array_get(array, ARRAY_HEAD, &x));
+ ck_assert_int_eq(x, 3);
+ ck_assert(array_get(array, 1, &x));
+ ck_assert_int_eq(x, 4);
+ ck_assert(array_get(array, ARRAY_TAIL, &x));
+ ck_assert_int_eq(x, 4);
+ ck_assert(!array_get(array, 3, &x));
+
array_insert(array, ARRAY_HEAD, &y[1]);
array_insert(array, 1, &y[2]);
ck_assert_int_eq(array_count(array), 4);
@@ -258,6 +277,149 @@ START_TEST(test_enumerate)
}
END_TEST
+static int comp_obj(const void *a, const void *b, void *arg)
+{
+ ck_assert_str_eq(arg, "arg");
+ return *(int*)a - *(int*)b;
+}
+
+START_TEST(test_sort_obj)
+{
+ array_t *array;
+ int x[][3] = {
+ {1, 2, 3},
+ {1, 3, 2},
+ {2, 1, 3},
+ {2, 3, 1},
+ {3, 1, 2},
+ {3, 2, 1},
+ };
+ char *arg = "arg";
+ int i, v;
+
+ for (i = 0; i < countof(x); i++)
+ {
+ array = array_create(sizeof(x[i][0]), 0);
+ array_insert(array, ARRAY_TAIL, &x[i][0]);
+ array_insert(array, ARRAY_TAIL, &x[i][1]);
+ array_insert(array, ARRAY_TAIL, &x[i][2]);
+
+ array_sort(array, comp_obj, arg);
+
+ ck_assert(array_get(array, 0, &v));
+ ck_assert_int_eq(v, 1);
+ ck_assert(array_get(array, 1, &v));
+ ck_assert_int_eq(v, 2);
+ ck_assert(array_get(array, 2, &v));
+ ck_assert_int_eq(v, 3);
+
+ array_destroy(array);
+ }
+}
+END_TEST
+
+static int comp_ptr(const void *a, const void *b, void *arg)
+{
+ ck_assert_str_eq(arg, "arg");
+ return strcmp(a, b);
+}
+
+START_TEST(test_sort_ptr)
+{
+ array_t *array;
+ char *x[][3] = {
+ {"a", "b", "c"},
+ {"a", "c", "b"},
+ {"b", "a", "c"},
+ {"b", "c", "a"},
+ {"c", "a", "b"},
+ {"c", "b", "a"},
+ };
+ char *v, *arg = "arg";
+ int i;
+
+ for (i = 0; i < countof(x); i++)
+ {
+ array = array_create(0, 0);
+ array_insert(array, ARRAY_TAIL, x[i][0]);
+ array_insert(array, ARRAY_TAIL, x[i][1]);
+ array_insert(array, ARRAY_TAIL, x[i][2]);
+
+ array_sort(array, comp_ptr, arg);
+
+ ck_assert(array_get(array, 0, &v));
+ ck_assert_str_eq(v, "a");
+ ck_assert(array_get(array, 1, &v));
+ ck_assert_str_eq(v, "b");
+ ck_assert(array_get(array, 2, &v));
+ ck_assert_str_eq(v, "c");
+
+ array_destroy(array);
+ }
+}
+END_TEST
+
+static int comp_search_obj(const void *a, const void *b)
+{
+ return *(int*)a - *(int*)b;
+}
+
+START_TEST(test_bsearch_obj)
+{
+ array_t *array;
+ int x[] = { 3, 2, 1 };
+ int k, v;
+
+ array = array_create(sizeof(x[0]), 0);
+ array_insert(array, ARRAY_TAIL, &x[0]);
+ array_insert(array, ARRAY_TAIL, &x[1]);
+ array_insert(array, ARRAY_TAIL, &x[2]);
+
+ array_sort(array, (void*)comp_search_obj, NULL);
+
+ k = 0;
+ ck_assert_int_eq(array_bsearch(array, &k, comp_search_obj, &v), -1);
+ for (k = 1; k < 4; k++)
+ {
+ ck_assert_int_eq(array_bsearch(array, &k, comp_search_obj, &v), k-1);
+ ck_assert_int_eq(v, k);
+ }
+ k = 4;
+ ck_assert_int_eq(array_bsearch(array, &k, comp_search_obj, &v), -1);
+ array_destroy(array);
+}
+END_TEST
+
+static int comp_search_ptr(const void *a, const void *b)
+{
+ return strcmp(a, b);
+}
+
+START_TEST(test_bsearch_ptr)
+{
+ array_t *array;
+ char *x[] = {"c", "b", "a"};
+ char *v;
+
+ array = array_create(0, 0);
+ array_insert(array, ARRAY_TAIL, x[0]);
+ array_insert(array, ARRAY_TAIL, x[1]);
+ array_insert(array, ARRAY_TAIL, x[2]);
+
+ array_sort(array, (void*)comp_search_ptr, NULL);
+
+ ck_assert_int_eq(array_bsearch(array, "abc", comp_search_ptr, &v), -1);
+ ck_assert_int_eq(array_bsearch(array, "a", comp_search_ptr, &v), 0);
+ ck_assert_str_eq(v, "a");
+ ck_assert_int_eq(array_bsearch(array, "b", comp_search_ptr, &v), 1);
+ ck_assert_str_eq(v, "b");
+ ck_assert_int_eq(array_bsearch(array, "c", comp_search_ptr, &v), 2);
+ ck_assert_str_eq(v, "c");
+
+ array_destroy(array);
+}
+END_TEST
+
static void invoke(void *data, int idx, void *user)
{
int *y = user, *x = data;
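Review bot: In test_bsearch_obj and test_bsearch_ptr, `array_sort(array, (void*)comp_search_obj, NULL);` and `array_sort(array, (void*)comp_search_ptr, NULL);` pass a two-argument comparator where, judging by comp_obj and comp_ptr above, array_sort expects a three-argument one. Calling a function through an incompatible function pointer type is undefined behaviour in C, and the `(void*)` cast only hides the mismatch from the compiler. A thin adapter keeps the types honest: `static int sort_search_obj(const void *a, const void *b, void *arg) { return comp_search_obj(a, b); }`, then `array_sort(array, sort_search_obj, NULL);`, and likewise for the ptr variant. Separately, `return *(int*)a - *(int*)b;` is fine for the values 1..3 used here but overflows for operands far apart, so `(x > y) - (x < y)` is the safer form if these comparators get copied elsewhere.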
@@ -336,11 +498,11 @@ Suite *array_suite_create()
s = suite_create("array");
- tc = tcase_create("add/remove ptr");
+ tc = tcase_create("add/get/remove ptr");
tcase_add_test(tc, test_append_ptr);
suite_add_tcase(s, tc);
- tc = tcase_create("add/remove obj");
+ tc = tcase_create("add/get/remove obj");
tcase_add_test(tc, test_append_obj);
suite_add_tcase(s, tc);
@@ -348,6 +510,16 @@ Suite *array_suite_create()
tcase_add_test(tc, test_enumerate);
suite_add_tcase(s, tc);
+ tc = tcase_create("sort");
+ tcase_add_test(tc, test_sort_obj);
+ tcase_add_test(tc, test_sort_ptr);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("bsearch");
+ tcase_add_test(tc, test_bsearch_obj);
+ tcase_add_test(tc, test_bsearch_ptr);
+ suite_add_tcase(s, tc);
+
tc = tcase_create("invoke");
tcase_add_test(tc, test_invoke);
suite_add_tcase(s, tc);
diff --git a/src/libstrongswan/tests/suites/test_asn1.c b/src/libstrongswan/tests/suites/test_asn1.c
new file mode 100644
index 000000000..d0cd7e6e4
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_asn1.c
@@ -0,0 +1,869 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "test_suite.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * algorithm_identifier
+ */
+
+START_TEST(test_asn1_algorithmIdentifier)
+{
+ typedef struct {
+ int n;
+ chunk_t algid;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { OID_ECDSA_WITH_SHA1, chunk_from_chars(0x30, 0x09, 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01) },
+ { OID_SHA1_WITH_RSA, chunk_from_chars(0x30, 0x0d, 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00) },
+ };
+
+ chunk_t algid;
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ algid = asn1_algorithmIdentifier(test[i].n);
+ ck_assert(chunk_equals(algid, test[i].algid));
+ free(algid.ptr);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_algorithm_identifier
+ */
+
+START_TEST(test_asn1_parse_algorithmIdentifier)
+{
+ typedef struct {
+ int alg;
+ bool empty;
+ chunk_t parameters;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { OID_ECDSA_WITH_SHA1, TRUE, chunk_empty },
+ { OID_SHA1_WITH_RSA, TRUE, chunk_from_chars(0x05, 0x00) },
+ { OID_3DES_EDE_CBC, FALSE, chunk_from_chars(0x04, 0x01, 0xaa) },
+ { OID_PBKDF2, FALSE, chunk_from_chars(0x30, 0x01, 0xaa) }
+ };
+
+ chunk_t algid, parameters;
+ int i, alg;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ algid = asn1_wrap(ASN1_SEQUENCE, "mc",
+ asn1_build_known_oid(test[i].alg), test[i].parameters);
+ parameters = chunk_empty;
+ if (i == 2)
+ {
+ alg = asn1_parse_algorithmIdentifier(algid, 0, NULL);
+ }
+ else
+ {
+ alg = asn1_parse_algorithmIdentifier(algid, 0, &parameters);
+ if (test[i].empty)
+ {
+ ck_assert(parameters.len == 0 && parameters.ptr == NULL);
+ }
+ else
+ {
+ ck_assert(chunk_equals(parameters, test[i].parameters));
+ }
+ }
+ ck_assert(alg == test[i].alg);
+ chunk_free(&algid);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * known_oid
+ */
+
+START_TEST(test_asn1_known_oid)
+{
+ typedef struct {
+ int n;
+ chunk_t oid;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { OID_UNKNOWN, chunk_empty },
+ { OID_UNKNOWN, chunk_from_chars(0x55, 0x04, 0x02) },
+ { OID_COUNTRY, chunk_from_chars(0x55, 0x04, 0x06) },
+ { OID_STRONGSWAN, chunk_from_chars(0x2b, 0x06, 0x01, 0x04, 0x01,
+ 0x82, 0xa0, 0x2a, 0x01) }
+ };
+
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ ck_assert(asn1_known_oid(test[i].oid) == test[i].n);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * build_known_oid
+ */
+
+START_TEST(test_asn1_build_known_oid)
+{
+ typedef struct {
+ int n;
+ chunk_t oid;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { OID_UNKNOWN, chunk_empty },
+ { OID_MAX, chunk_empty },
+ { OID_COUNTRY, chunk_from_chars(0x06, 0x03, 0x55, 0x04, 0x06) },
+ { OID_STRONGSWAN, chunk_from_chars(0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0xa0, 0x2a, 0x01) }
+ };
+
+ int i;
+ chunk_t oid = chunk_empty;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ oid = asn1_build_known_oid(test[i].n);
+ if (test[i].oid.len == 0)
+ {
+ ck_assert(oid.len == 0 && oid.ptr == NULL);
+ }
+ else
+ {
+ ck_assert(chunk_equals(oid, test[i].oid));
+ chunk_free(&oid);
+ }
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * oid_from_string
+ */
+
+START_TEST(test_asn1_oid_from_string)
+{
+ typedef struct {
+ char *string;
+ chunk_t oid;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { "", chunk_empty },
+ { " ", chunk_empty },
+ { "0.2.262.1", chunk_from_chars(
+ 0x02, 0x82, 0x06, 0x01) },
+ { "1.2.840.10045.4.1", chunk_from_chars(
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01) },
+ { "1.3.6.1.4.1.36906.1", chunk_from_chars(
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x01) },
+ { "2.16.840.1.101.3.4.2.1", chunk_from_chars(
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01) },
+ { "0.10.100.1000.10000.100000.1000000.10000000.100000000.268435455",
+ chunk_from_chars(0x0a,0x64, 0x87, 0x68, 0xce, 0x10, 0x86, 0x8d,
+ 0x20, 0xbd, 0x84, 0x40, 0x84, 0xe2, 0xad, 0x00,
+ 0xaf, 0xd7, 0xc2, 0x00, 0xff, 0xff, 0xff, 0x7f) },
+ { "0.1.2.3.4.5.6.7.8.9.10.128.129.130.131.132.133.134.135.136.137."
+ "256.257.258.259.260.261.262.263.264.265.384.385.386.387.388."
+ "2097153", chunk_from_chars(
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+ 0x81, 0x00, 0x81, 0x01, 0x81, 0x02, 0x81, 0x03, 0x81, 0x04,
+ 0x81, 0x05, 0x81, 0x06, 0x81, 0x07, 0x81, 0x08, 0x81, 0x09,
+ 0x82, 0x00, 0x82, 0x01, 0x82, 0x02, 0x82, 0x03, 0x82, 0x04,
+ 0x82, 0x05, 0x82, 0x06, 0x82, 0x07, 0x82, 0x08, 0x82, 0x09,
+ 0x83, 0x00, 0x83, 0x01, 0x83, 0x02, 0x83, 0x03, 0x83, 0x04,
+ 0x81, 0x80, 0x80, 0x01) },
+ { "0.1.2.3.4.5.6.7.8.9.10.128.129.130.131.132.133.134.135.136.137."
+ "256.257.258.259.260.261.262.263.264.265.384.385.386.387.388."
+ "1.2097153", chunk_empty },
+ { "1.a.2.b.3", chunk_empty }
+ };
+
+ int i;
+ chunk_t oid = chunk_empty;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ oid = asn1_oid_from_string(test[i].string);
+ if (test[i].oid.len == 0)
+ {
+ ck_assert(oid.len == 0 && oid.ptr == NULL);
+ }
+ else
+ {
+ ck_assert(chunk_equals(oid, test[i].oid));
+ chunk_free(&oid);
+ }
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * oid_to_string
+ */
+
+START_TEST(test_asn1_oid_to_string)
+{
+ typedef struct {
+ char *string;
+ chunk_t oid;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { NULL, chunk_empty },
+ { "0.2.262.1", chunk_from_chars(
+ 0x02, 0x82, 0x06, 0x01) },
+ { "1.2.840.10045.4.1", chunk_from_chars(
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01) },
+ { "1.3.6.1.4.1.36906.1", chunk_from_chars(
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x01) },
+ { "2.16.840.1.101.3.4.2.1", chunk_from_chars(
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01) },
+ { "0.10.100.1000.10000.100000.1000000.10000000.100000000.268435455",
+ chunk_from_chars( 0x0a, 0x64, 0x87, 0x68, 0xce, 0x10, 0x86, 0x8d,
+ 0x20, 0xbd, 0x84, 0x40, 0x84, 0xe2, 0xad, 0x00,
+ 0xaf, 0xd7, 0xc2, 0x00, 0xff, 0xff, 0xff, 0x7f) },
+ { NULL, chunk_from_chars(
+ 0x0a, 0x02, 0x64, 0x87, 0x68, 0xce, 0x10, 0x86, 0x8d, 0x20,
+ 0xbd, 0x84, 0x40, 0x84, 0xe2, 0xad, 0x00, 0xaf, 0xd7, 0xc2, 0x00,
+ 0xff, 0xff, 0xff, 0x7f) },
+ { NULL, chunk_from_chars(0x0a, 0x87) }
+ };
+
+ int i;
+ char *string = NULL;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ string = asn1_oid_to_string(test[i].oid);
+ if (test[i].string == NULL)
+ {
+ ck_assert(string == NULL);
+ }
+ else
+ {
+ ck_assert(streq(string, test[i].string));
+ free(string);
+ }
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * length
+ */
+
+START_TEST(test_asn1_length)
+{
+ chunk_t a;
+
+ a = chunk_empty;
+ ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+ a = chunk_from_chars(0x04);
+ ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+ a = chunk_from_chars(0x04, 0x00);
+ ck_assert(asn1_length(&a) == 0);
+
+ a = chunk_from_chars(0x04, 0x01);
+ ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+ a = chunk_from_chars(0x04, 0x01, 0xaa);
+ ck_assert(asn1_length(&a) == 1);
+
+ a = chunk_from_chars(0x04, 0x7f, 0xaa);
+ a.len = 2 + 127;
+ ck_assert(asn1_length(&a) == 127);
+
+ a = chunk_from_chars(0x04, 0x80, 0xaa);
+ a.len = 2 + 128;
+ ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+ a = chunk_from_chars(0x04, 0x81);
+ ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+ a = chunk_from_chars(0x04, 0x81, 0x00);
+ ck_assert(asn1_length(&a) == 0);
+
+ a = chunk_from_chars(0x04, 0x81, 0x80, 0xaa);
+ ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);
+
+ a = chunk_from_chars(0x04, 0x81, 0x80, 0xaa);
+ a.len = 3 + 128;
+ ck_assert(asn1_length(&a) == 128);
+
+ a = chunk_from_chars(0x04, 0x82, 0x01, 0x02, 0xaa);
+ a.len = 4 + 258;
+ ck_assert(asn1_length(&a) == 258);
+
+ a = chunk_from_chars(0x04, 0x83, 0x01, 0x02, 0x03, 0xaa);
+ a.len = 5 + 66051;
+ ck_assert(asn1_length(&a) == 66051);
+
+ a = chunk_from_chars(0x04, 0x84, 0x01, 0x02, 0x03, 0x04, 0xaa);
+ a.len = 6 + 16909060;
+ ck_assert(asn1_length(&a) == 16909060);
+
+ /* largest chunk on 32 bit system */
+ a = chunk_from_chars(0x04, 0x84, 0xff, 0xff, 0xff, 0xf9, 0xaa);
+ a.len = 4294967295;
+ ck_assert(asn1_length(&a) == 4294967289);
+
+}
+END_TEST
+
+/*******************************************************************************
+ * unwrap
+ */
+
+START_TEST(test_asn1_unwrap)
+{
+ chunk_t c0 = chunk_from_chars(0x30);
+ chunk_t c1 = chunk_from_chars(0x30, 0x01, 0xaa);
+ chunk_t c2 = chunk_from_chars(0x30, 0x80);
+ chunk_t c3 = chunk_from_chars(0x30, 0x81);
+ chunk_t c4 = chunk_from_chars(0x30, 0x81, 0x01, 0xaa);
+ chunk_t c5 = chunk_from_chars(0x30, 0x81, 0x02, 0xaa);
+
+ chunk_t inner;
+ chunk_t inner_ref = chunk_from_chars(0xaa);
+
+ ck_assert(asn1_unwrap(&c0, &inner) == ASN1_INVALID);
+
+ ck_assert(asn1_unwrap(&c1, &inner) == ASN1_SEQUENCE);
+
+ ck_assert(chunk_equals(inner, inner_ref));
+
+ ck_assert(asn1_unwrap(&c2, &inner) == ASN1_INVALID);
+
+ ck_assert(asn1_unwrap(&c3, &inner) == ASN1_INVALID);
+
+ ck_assert(asn1_unwrap(&c4, &inner) == ASN1_SEQUENCE);
+
+ ck_assert(chunk_equals(inner, inner_ref));
+
+ ck_assert(asn1_unwrap(&c5, &inner) == ASN1_INVALID);
+}
+END_TEST
+
+/*******************************************************************************
+ * is_asn1
+ */
+
+START_TEST(test_is_asn1)
+{
+ typedef struct {
+ bool asn1;
+ chunk_t chunk;
+ } testdata_t;
+
+ u_char buf[8];
+ chunk_t chunk_zero = { buf, 0 };
+ chunk_t chunk_mean = { 0, 1 };
+
+ testdata_t test[] = {
+ { FALSE, chunk_zero },
+ { FALSE, chunk_empty },
+ { FALSE, chunk_mean },
+ { TRUE, chunk_from_chars(0x30, 0x00) },
+ { TRUE, chunk_from_chars(0x31, 0x00) },
+ { TRUE, chunk_from_chars(0x04, 0x00) },
+ { FALSE, chunk_from_chars(0x02, 0x00) },
+ { FALSE, chunk_from_chars(0x30, 0x01) },
+ { FALSE, chunk_from_chars(0x30, 0x80) },
+ { TRUE, chunk_from_chars(0x30, 0x01, 0xa1) },
+ { FALSE, chunk_from_chars(0x30, 0x01, 0xa1, 0xa2) },
+ { TRUE, chunk_from_chars(0x30, 0x01, 0xa1, 0x0a) },
+ { FALSE, chunk_from_chars(0x30, 0x01, 0xa1, 0xa2, 0x0a) },
+ };
+
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ ck_assert(is_asn1(test[i].chunk) == test[i].asn1);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * is_printablestring
+ */
+
+START_TEST(test_asn1_is_printablestring)
+{
+ typedef struct {
+ bool printable;
+ char *string;
+ } testdata_t;
+
+
+ testdata_t test[] = {
+ { TRUE, "" },
+ { TRUE, "Z" },
+ { FALSE, "Z#" },
+ { FALSE, "&Z" },
+ { FALSE, "Z@z" },
+ { FALSE, "!" }, { FALSE, "*" }, { FALSE, "$" }, { FALSE, "%" },
+ { FALSE, "[" }, { FALSE, "]" }, { FALSE, "{" }, { FALSE, "}" },
+ { FALSE, "|" }, { FALSE, "~" }, { FALSE, "^" }, { FALSE, "_" },
+ { FALSE, "\"" }, { FALSE, "\\" }, { FALSE, "ä" }, { FALSE, "à" },
+ { TRUE, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+ "0123456789 '()+,-./:=?" },
+ };
+
+ chunk_t chunk;
+ int i;
+
+ ck_assert(asn1_is_printablestring(chunk_empty));
+
+ for (i = 0; i < countof(test); i++)
+ {
+ chunk = chunk_from_str(test[i].string);
+ ck_assert(asn1_is_printablestring(chunk) == test[i].printable);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * to_time
+ */
+
+START_TEST(test_asn1_to_time)
+{
+ typedef struct {
+ time_t time;
+ u_int8_t type;
+ char *string;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { 352980, 0x18, "197001050203Z" },
+ { 352984, 0x18, "19700105020304Z" },
+ { 352980, 0x17, "7001050203Z" },
+ { 347580, 0x17, "7001050203+0130" },
+ { 358380, 0x17, "7001050203-0130" },
+ { 352984, 0x17, "700105020304Z" },
+ { 347584, 0x17, "700105020304+0130" },
+ { 358384, 0x17, "700105020304-0130" },
+ { 0, 0x17, "700105020304+01" },
+ { 0, 0x17, "700105020304-01" },
+ { 0, 0x17, "700105020304" },
+ { 0, 0x17, "70010502Z" },
+ { 0, 0x17, "7001050203xxZ" },
+ { 0, 0x17, "7000050203Z" },
+ { 0, 0x17, "7013050203Z" },
+ { 0, 0x17, "7001004203Z" },
+ { 0, 0x17, "7001320203Z" },
+ { 0, 0x17, "700101-103Z" },
+ { 0, 0x17, "7001016003Z" },
+ { 0, 0x17, "70010102-1Z" },
+ { 0, 0x17, "7001010260Z" },
+ { 0, 0x17, "7001010203-1Z" },
+ { 0, 0x17, "700101020361Z" },
+ { -631152000, 0x17, "500101000000Z" }, /* UTCTime min */
+ { 59, 0x17, "691231235959-0001" },
+ { -1, 0x17, "691231235959Z" },
+ { 0, 0x17, "700101000000Z" },
+ { -60, 0x17, "700101000000+0001" },
+ { 2524607999UL, 0x17, "491231235959Z" }, /* UTCTime max */
+ { 5097600, 0x17, "7003010000Z" },
+ { 68256000, 0x17, "7203010000Z" },
+ { 951868800, 0x17, "0003010000Z" },
+ { 4107542400UL, 0x18, "210003010000Z" }
+ };
+
+ int i;
+ chunk_t chunk;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ if (sizeof(time_t) == 4 && test[i].time < 0)
+ {
+ continue;
+ }
+ chunk = chunk_from_str(test[i].string);
+ ck_assert(asn1_to_time(&chunk, test[i].type) == test[i].time);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * from_time
+ */
+
+START_TEST(test_asn1_from_time)
+{
+ typedef struct {
+ time_t time;
+ u_int8_t type;
+ chunk_t chunk;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { 352984, 0x18, chunk_from_chars(
+ 0x18, 0x0f, 0x31, 0x39, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+ 0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+ { 352984, 0x17, chunk_from_chars(
+ 0x17, 0x0d, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+ 0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+ { 1078099200, 0x17, chunk_from_chars(
+ 0x17, 0x0d, 0x30, 0x34, 0x30, 0x33, 0x30, 0x31,
+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a) },
+ { 4107542400UL, 0x18, chunk_from_chars(
+ 0x18, 0x0f, 0x32, 0x31, 0x30, 0x30, 0x30, 0x33, 0x30, 0x31,
+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a) }
+ };
+
+ int i;
+ chunk_t chunk;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ if (sizeof(time_t) == 4 && test[i].time < 0)
+ {
+ continue;
+ }
+ chunk = asn1_from_time(&test[i].time, test[i].type);
+ ck_assert(chunk_equals(chunk, test[i].chunk));
+ free(chunk.ptr);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_time
+ */
+
+START_TEST(test_asn1_parse_time)
+{
+ typedef struct {
+ time_t time;
+ chunk_t chunk;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { 352984, chunk_from_chars(
+ 0x18, 0x0f, 0x31, 0x39, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+ 0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+ { 352984, chunk_from_chars(
+ 0x17, 0x0d, 0x37, 0x30, 0x30, 0x31, 0x30, 0x35,
+ 0x30, 0x32, 0x30, 0x33, 0x30, 0x34, 0x5a) },
+ { 0, chunk_from_chars(0x05, 0x00) }
+ };
+
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ ck_assert(asn1_parse_time(test[i].chunk, 0) == test[i].time);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * build_object
+ */
+
+START_TEST(test_asn1_build_object)
+{
+ typedef struct {
+ size_t len;
+ size_t size;
+ u_char *b;
+ } testdata_t;
+
+ u_char b0[] = { 0x05, 0x00 };
+ u_char b1[] = { 0x04, 0x7f };
+ u_char b2[] = { 0x04, 0x81, 0x80 };
+ u_char b3[] = { 0x04, 0x81, 0xff };
+ u_char b4[] = { 0x04, 0x82, 0x01, 0x00 };
+ u_char b5[] = { 0x04, 0x82, 0xff, 0xff };
+ u_char b6[] = { 0x04, 0x83, 0x01, 0x00, 0x00 };
+
+ testdata_t test[] = {
+ { 0, sizeof(b0), b0 },
+ { 127, sizeof(b1), b1 },
+ { 128, sizeof(b2), b2 },
+ { 255, sizeof(b3), b3 },
+ { 256, sizeof(b4), b4 },
+ { 65535, sizeof(b5), b5 },
+ { 65536, sizeof(b6), b6 }
+ };
+
+ chunk_t a = chunk_empty;
+ u_char *pos;
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ pos = asn1_build_object(&a, test[i].b[0], test[i].len);
+ ck_assert(pos == (a.ptr + test[i].size));
+ ck_assert(a.len == test[i].size + test[i].len);
+ ck_assert(memeq(a.ptr, test[i].b, test[i].size));
+ chunk_free(&a);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * simple_object
+ */
+
+START_TEST(test_asn1_simple_object)
+{
+ chunk_t a = chunk_empty;
+ chunk_t b = chunk_from_chars(0x04, 0x05, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5);
+ chunk_t c = chunk_from_chars(0xa1, 0xa2, 0xa3, 0xa4, 0xa5);
+
+ a = asn1_simple_object(0x04, c);
+ ck_assert(chunk_equals(a, b));
+ chunk_free(&a);
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_simple_object
+ */
+
+START_TEST(test_asn1_parse_simple_object)
+{
+ typedef struct {
+ bool res;
+ int type;
+ chunk_t chunk;
+ } testdata_t;
+
+ testdata_t test[] = {
+ { FALSE, 0x04, chunk_from_chars(0x04) },
+ { FALSE, 0x04, chunk_from_chars(0x02, 0x01, 0x55) },
+ { FALSE, 0x04, chunk_from_chars(0x04, 0x01) },
+ { TRUE, 0x04, chunk_from_chars(0x04, 0x01, 0x55) },
+ { TRUE, 0x06, chunk_from_chars(0x06, 0x02, 0x55, 0x03) },
+ { TRUE, 0x06, chunk_from_chars(0x06, 0x00) },
+ { TRUE, 0x13, chunk_from_chars(0x13, 0x01, 0x55), }
+ };
+
+ int i;
+ bool res;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ res = asn1_parse_simple_object(&test[i].chunk, test[i].type, 0, "test");
+ ck_assert(res == test[i].res);
+ if (res && test[i].chunk.len)
+ {
+ ck_assert(*test[i].chunk.ptr == 0x55);
+ }
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * bitstring
+ */
+
+START_TEST(test_asn1_bitstring)
+{
+ chunk_t a = chunk_empty;
+ chunk_t b = chunk_from_chars(0x03, 0x05, 0x00, 0xa1, 0xa2, 0xa3, 0xa4);
+ chunk_t c = chunk_from_chars(0xa1, 0xa2, 0xa3, 0xa4);
+ chunk_t d = chunk_clone(c);
+
+ a = asn1_bitstring("c", c);
+ ck_assert(chunk_equals(a, b));
+ chunk_free(&a);
+
+ a = asn1_bitstring("m", d);
+ ck_assert(chunk_equals(a, b));
+ chunk_free(&a);
+}
+END_TEST
+
+/*******************************************************************************
+ * integer
+ */
+
+START_TEST(test_asn1_integer)
+{
+ typedef struct {
+ chunk_t b;
+ chunk_t c;
+ } testdata_t;
+
+ chunk_t b0 = chunk_from_chars(0x02, 0x01, 0x00);
+ chunk_t b1 = chunk_from_chars(0x02, 0x01, 0x7f);
+ chunk_t b2 = chunk_from_chars(0x02, 0x02, 0x00, 0x80);
+
+ chunk_t c0 = chunk_empty;
+ chunk_t c1 = chunk_from_chars(0x7f);
+ chunk_t c2 = chunk_from_chars(0x80);
+ chunk_t c3 = chunk_from_chars(0x00, 0x80);
+
+ testdata_t test[] = {
+ { b0, c0 },
+ { b1, c1 },
+ { b2, c2 },
+ { b2, c3 }
+ };
+
+ chunk_t a = chunk_empty;
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ a = asn1_integer("c", test[i].c);
+ ck_assert(chunk_equals(a, test[i].b));
+ chunk_free(&a);
+
+ a = asn1_integer("m", chunk_clone(test[i].c));
+ ck_assert(chunk_equals(a, test[i].b));
+ chunk_free(&a);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * parse_integer_uint64
+ */
+
+START_TEST(test_asn1_parse_integer_uint64)
+{
+ typedef struct {
+ u_int64_t n;
+ chunk_t chunk;
+ } testdata_t;
+
+
+ testdata_t test[] = {
+ { 67305985ULL, chunk_from_chars(
+ 0x04, 0x03, 0x02, 0x01) },
+ { 578437695752307201ULL, chunk_from_chars(
+ 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01) },
+ { 18446744073709551615ULL, chunk_from_chars(
+ 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) }
+ };
+
+ int i;
+
+ for (i = 0; i < countof(test); i++)
+ {
+ ck_assert(asn1_parse_integer_uint64(test[i].chunk) == test[i].n);
+ }
+}
+END_TEST
+
+Suite *asn1_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("asn1");
+
+ tc = tcase_create("algorithmIdentifier");
+ tcase_add_test(tc, test_asn1_algorithmIdentifier);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("parse_algorithmIdentifier");
+ tcase_add_test(tc, test_asn1_parse_algorithmIdentifier);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("known_oid");
+ tcase_add_test(tc, test_asn1_known_oid);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("build_known_oid");
+ tcase_add_test(tc, test_asn1_build_known_oid);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("oid_from_string");
+ tcase_add_test(tc, test_asn1_oid_from_string);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("oid_to_string");
+ tcase_add_test(tc, test_asn1_oid_to_string);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("length");
+ tcase_add_test(tc, test_asn1_length);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("unwrap");
+ tcase_add_test(tc, test_asn1_unwrap);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("is_asn1");
+ tcase_add_test(tc, test_is_asn1);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("is_printablestring");
+ tcase_add_test(tc, test_asn1_is_printablestring);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("to_time");
+ tcase_add_test(tc, test_asn1_to_time);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("from_time");
+ tcase_add_test(tc, test_asn1_from_time);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("parse_time");
+ tcase_add_test(tc, test_asn1_parse_time);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("build_object");
+ tcase_add_test(tc, test_asn1_build_object);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("simple_object");
+ tcase_add_test(tc, test_asn1_simple_object);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("parse_simple_object");
+ tcase_add_test(tc, test_asn1_parse_simple_object);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("bitstring");
+ tcase_add_test(tc, test_asn1_bitstring);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("integer");
+ tcase_add_test(tc, test_asn1_integer);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("parse_integer_uint64");
+ tcase_add_test(tc, test_asn1_parse_integer_uint64);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
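Review bot: test_asn1_length stops at four length octets (`0x84`), so no vector covers a length field with more octets than a `size_t` can hold, which is where a decoder's length accumulator can wrap. A blob whose declared length exceeds the data on every platform must be rejected, so I would add `a = chunk_from_chars(0x04, 0x89, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xaa);` followed by `ck_assert(asn1_length(&a) == ASN1_INVALID_LENGTH);`. The cases that set `a.len` far beyond the literal's real size (for example `a.len = 4294967295;`) are only safe if `asn1_length()` reads nothing past the header bytes. A one-line comment such as `/* a.len is faked; asn1_length() must only touch the header */` would make that assumption explicit.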
diff --git a/src/libstrongswan/tests/suites/test_asn1_parser.c b/src/libstrongswan/tests/suites/test_asn1_parser.c
new file mode 100644
index 000000000..973562bff
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_asn1_parser.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <asn1/asn1_parser.h>
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * utilities
+ */
+
+typedef struct {
+ bool success;
+ int count;
+ chunk_t blob;
+} asn1_test_t;
+
+static void run_parser_test(const asn1Object_t *objects, int id,
+ asn1_test_t *test)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, count = 0;
+ bool success;
+
+ parser = asn1_parser_create(objects, test->blob);
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ if (objectID == id)
+ {
+ count++;
+ }
+ }
+ success = parser->success(parser);
+ parser->destroy(parser);
+
+ ck_assert(success == test->success && count == test->count);
+}
+
+/*******************************************************************************
+ * length
+ */
+
+static const asn1Object_t octetStringObjects[] = {
+ { 0, "octetString", ASN1_OCTET_STRING, ASN1_BODY }, /* 0 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+
+asn1_test_t length_tests[] = {
+ { FALSE, 0, { NULL, 0 } },
+ { FALSE, 0, chunk_from_chars(0x04) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x00) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x01, 0xaa) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x7f) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x80) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x81) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x81, 0x00) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x81, 0x01) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x81, 0x01, 0xaa) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x82, 0x00, 0x01) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x82, 0x00, 0x01, 0xaa) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x83, 0x00, 0x00, 0x01) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x83, 0x00, 0x00, 0x01, 0xaa) },
+ { FALSE, 0, chunk_from_chars(0x04, 0x84, 0x00, 0x00, 0x00, 0x01) },
+ { TRUE, 1, chunk_from_chars(0x04, 0x84, 0x00, 0x00, 0x00, 0x01, 0xaa) },
+};
+
+START_TEST(test_asn1_parser_length)
+{
+ run_parser_test(octetStringObjects, 0, &length_tests[_i]);
+}
+END_TEST
+
+/*******************************************************************************
+ * loop
+ */
+
+static const asn1Object_t loopObjects[] = {
+ { 0, "loopObjects", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "octetString", ASN1_OCTET_STRING, ASN1_BODY }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+
+asn1_test_t loop_tests[] = {
+ { TRUE, 0, chunk_from_chars(0x30, 0x00) },
+ { FALSE, 0, chunk_from_chars(0x30, 0x02, 0x04, 0x01) },
+ { TRUE, 1, chunk_from_chars(0x30, 0x03, 0x04, 0x01, 0xaa) },
+ { TRUE, 2, chunk_from_chars(0x30, 0x05, 0x04, 0x01, 0xaa, 0x04, 0x00) },
+ { FALSE, 1, chunk_from_chars(0x30, 0x05, 0x04, 0x01, 0xaa, 0x05, 0x00) },
+ { TRUE, 3, chunk_from_chars(0x30, 0x09, 0x04, 0x01, 0xaa, 0x04, 0x00,
+ 0x04, 0x02, 0xbb, 0xcc) },
+};
+
+START_TEST(test_asn1_parser_loop)
+{
+ run_parser_test(loopObjects, 1, &loop_tests[_i]);
+}
+END_TEST
+
+/*******************************************************************************
+ * default
+ */
+
+typedef struct {
+ int i1, i2, i3;
+ chunk_t blob;
+} default_opt_test_t;
+
+static const asn1Object_t defaultObjects[] = {
+ { 0, "defaultObjects", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "explicit int1", ASN1_CONTEXT_C_1, ASN1_DEF }, /* 1 */
+ { 2, "int1", ASN1_INTEGER, ASN1_BODY }, /* 2 */
+ { 1, "int2", ASN1_INTEGER, ASN1_DEF|ASN1_BODY }, /* 3 */
+ { 1, "implicit int3", ASN1_CONTEXT_S_3, ASN1_DEF|ASN1_BODY }, /* 4 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+
+default_opt_test_t default_tests[] = {
+ { -1, -2, -3, chunk_from_chars(0x30, 0x00) },
+ { 1, -2, -3, chunk_from_chars(0x30, 0x05, 0xa1, 0x03, 0x02, 0x01, 0x01) },
+ { -1, 2, -3, chunk_from_chars(0x30, 0x03, 0x02, 0x01, 0x02) },
+ { -1, -2, 3, chunk_from_chars(0x30, 0x03, 0x83, 0x01, 0x03) },
+ { 1, 2, -3, chunk_from_chars(0x30, 0x08, 0xa1, 0x03, 0x02, 0x01, 0x01,
+ 0x02, 0x01, 0x02) },
+ { 1, -2, 3, chunk_from_chars(0x30, 0x08, 0xa1, 0x03, 0x02, 0x01, 0x01,
+ 0x83, 0x01, 0x03) },
+ { -1, 2, 3, chunk_from_chars(0x30, 0x06, 0x02, 0x01, 0x02,
+ 0x83, 0x01, 0x03) },
+ { 1, 2, 3, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x02, 0x01, 0x01,
+ 0x02, 0x01, 0x02,
+ 0x83, 0x01, 0x03) },
+ { 0, 0, 0, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x04, 0x01, 0xaa,
+ 0x02, 0x01, 0x02,
+ 0x83, 0x01, 0x03) },
+ { 1, 0, 0, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x02, 0x01, 0x01,
+ 0x02, 0x05, 0x02,
+ 0x83, 0x01, 0x03) },
+ { 1, 2, 0, chunk_from_chars(0x30, 0x0b, 0xa1, 0x03, 0x02, 0x01, 0x01,
+ 0x02, 0x01, 0x02,
+ 0x83, 0x02, 0x03) },
+};
+
+START_TEST(test_asn1_parser_default)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, i1 = 0, i2 = 0, i3 = 0;
+ bool success;
+
+ parser = asn1_parser_create(defaultObjects, default_tests[_i].blob);
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case 2:
+ i1 = object.len ? *object.ptr : -1;
+ break;
+ case 3:
+ i2 = object.len ? *object.ptr : -2;
+ break;
+ case 4:
+ i3 = object.len ? *object.ptr : -3;
+ break;
+ default:
+ break;
+ }
+ }
+ success = parser->success(parser);
+ parser->destroy(parser);
+
+ ck_assert(success == (default_tests[_i].i1 &&
+ default_tests[_i].i2 &&
+ default_tests[_i].i3));
+
+ ck_assert(i1 == default_tests[_i].i1 &&
+ i2 == default_tests[_i].i2 &&
+ i3 == default_tests[_i].i3);
+}
+END_TEST
+
+/*******************************************************************************
+ * option
+ */
+
+static const asn1Object_t optionObjects[] = {
+ { 0, "optionalObjects", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "sequence int1", ASN1_SEQUENCE, ASN1_OPT }, /* 1 */
+ { 2, "int1", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
+ { 1, "int2", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 5 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
+ { 1, "implicit int3", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 7 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+
+default_opt_test_t option_tests[] = {
+ { 0, 0, 0, chunk_from_chars(0x30, 0x00) },
+ { 1, 0, 0, chunk_from_chars(0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01) },
+ { 0, 2, 0, chunk_from_chars(0x30, 0x03, 0x02, 0x01, 0x02) },
+ { 0, 0, 3, chunk_from_chars(0x30, 0x03, 0x83, 0x01, 0x03) },
+ { 1, 2, 0, chunk_from_chars(0x30, 0x08, 0x30, 0x03, 0x02, 0x01, 0x01,
+ 0x02, 0x01, 0x02) },
+ { 1, 0, 3, chunk_from_chars(0x30, 0x08, 0x30, 0x03, 0x02, 0x01, 0x01,
+ 0x83, 0x01, 0x03) },
+ { 0, 2, 3, chunk_from_chars(0x30, 0x06, 0x02, 0x01, 0x02,
+ 0x83, 0x01, 0x03) },
+ { 1, 2, 3, chunk_from_chars(0x30, 0x0b, 0x30, 0x03, 0x02, 0x01, 0x01,
+ 0x02, 0x01, 0x02,
+ 0x83, 0x01, 0x03) },
+ { 0, 2, 3, chunk_from_chars(0x30, 0x08, 0x30, 0x00,
+ 0x02, 0x01, 0x02,
+ 0x83, 0x01, 0x03) },
+};
+
+START_TEST(test_asn1_parser_option)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, i1 = 0, i2 = 0, i3 = 0;
+ bool success;
+
+ parser = asn1_parser_create(optionObjects, option_tests[_i].blob);
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case 2:
+ i1 = *object.ptr;
+ break;
+ case 5:
+ i2 = *object.ptr;
+ break;
+ case 7:
+ i3 = *object.ptr;
+ break;
+ default:
+ break;
+ }
+ }
+ success = parser->success(parser);
+ parser->destroy(parser);
+
+ ck_assert(success);
+
+ ck_assert(i1 == option_tests[_i].i1 &&
+ i2 == option_tests[_i].i2 &&
+ i3 == option_tests[_i].i3);
+}
+END_TEST
+
+Suite *asn1_parser_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("asn1_parser");
+
+ tc = tcase_create("length");
+ tcase_add_loop_test(tc, test_asn1_parser_length, 0, countof(length_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("loop");
+ tcase_add_loop_test(tc, test_asn1_parser_loop, 0, countof(loop_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("default");
+ tcase_add_loop_test(tc, test_asn1_parser_default, 0, countof(default_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("option");
+ tcase_add_loop_test(tc, test_asn1_parser_option, 0, countof(option_tests));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
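Review bot: In test_asn1_parser_option the `case 2`, `case 5` and `case 7` arms read `*object.ptr` without checking `object.len`, while test_asn1_parser_default in the same file guards the same read with `object.len ? *object.ptr : -1`. Every vector in `option_tests` carries a one-byte value today, so the read is in bounds. A zero-length INTEGER vector added later would presumably cause a stray read instead of a clean assertion failure. I would use the guarded form in all three arms, e.g. `i1 = object.len ? *object.ptr : -1;`. This test also asserts `success` unconditionally, so `option_tests` has no malformed blob, unlike `length_tests`, `loop_tests` and `default_tests`; a truncated optional element expected to fail would close that gap.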
diff --git a/src/libstrongswan/tests/test_bio_reader.c b/src/libstrongswan/tests/suites/test_bio_reader.c
index 45b20db00..6a9743d62 100644
--- a/src/libstrongswan/tests/test_bio_reader.c
+++ b/src/libstrongswan/tests/suites/test_bio_reader.c
@@ -329,7 +329,7 @@ END_TEST
*/
#define assert_read_data_len(bits) ({ \
- bio_reader_t *reader; \
+ bio_reader_t *reader; \
chunk_t read, data; \
int i, len = bits / 8; \
data = chunk_empty; \
diff --git a/src/libstrongswan/tests/test_bio_writer.c b/src/libstrongswan/tests/suites/test_bio_writer.c
index 665cd2d7c..e74288eb7 100644
--- a/src/libstrongswan/tests/test_bio_writer.c
+++ b/src/libstrongswan/tests/suites/test_bio_writer.c
@@ -181,7 +181,7 @@ END_TEST
*/
#define assert_write_data_len(init, bits) ({ \
- bio_writer_t *writer; \
+ bio_writer_t *writer; \
chunk_t buf, data; \
int i, len = bits / 8; \
writer = bio_writer_create(init); \
@@ -240,7 +240,7 @@ END_TEST
*/
#define assert_wrap_data(init, bits) ({ \
- bio_writer_t *writer; \
+ bio_writer_t *writer; \
chunk_t buf, data; \
int i, len = bits / 8; \
writer = bio_writer_create(init); \
diff --git a/src/libstrongswan/tests/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index 8e29971c1..e373fbdb6 100644
--- a/src/libstrongswan/tests/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -14,10 +14,16 @@
* for more details.
*/
-
#include "test_suite.h"
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
#include <utils/chunk.h>
+#include <threading/thread.h>
/*******************************************************************************
* utilities
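Review bot: The tests added further down in this file call `socketpair()` with `AF_UNIX`/`SOCK_STREAM` and `strerror()`, but this include block adds neither `<sys/socket.h>` nor `<string.h>`. Presumably both arrive transitively through `test_suite.h` or `utils/chunk.h`, which are not visible here. Including what the file uses keeps the test building if those headers are ever trimmed: `#include <sys/socket.h>` and `#include <string.h>` next to the other system headers.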
@@ -672,6 +678,31 @@ static const u_char sip_vectors[64][8] =
{ 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
};
+/**
+ * Our SipHash-2-4 implementation returns the result in host order, which
+ * doesn't matter for practical purposes and even avoids a byte swap. But
+ * because the test vectors are in little-endian we have to account for this
+ * with this custom comparison function.
+ */
+static inline bool sipeq(const void *a, const void *b, size_t n)
+{
+ u_char *ap = (u_char*)a, *bp = (u_char*)b;
+ int i;
+
+ for (i = 0; i < n; i++)
+ {
+#ifdef WORDS_BIGENDIAN
+ if (ap[i] != bp[n - i - 1])
+#else
+ if (ap[i] != bp[i])
+#endif
+ {
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
START_TEST(test_chunk_mac)
{
chunk_t in;
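Review bot: In `sipeq()` the loop counter is `int i` while the bound is `size_t n`, so `i < n` is a signed/unsigned comparison, and the casts `(u_char*)a` / `(u_char*)b` drop the `const` of the parameters. Nothing is written through the pointers, so `const u_char *ap = a, *bp = b;` and `size_t i;` express the same thing without the casts or the mixed-sign compare. The callers in the following hunks pass 8 and 4, so this is a style point rather than a wrong result.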
@@ -692,7 +723,7 @@ START_TEST(test_chunk_mac)
in.ptr[i] = i;
in.len = i;
out = chunk_mac(in, key);
- fail_unless(memeq(&out, sip_vectors[i], 8),
+ fail_unless(sipeq(&out, sip_vectors[i], 8),
"test vector failed for %d bytes", i);
}
}
@@ -739,7 +770,7 @@ START_TEST(test_chunk_hash_static)
in.len = i;
/* compared to chunk_mac() we only get half the value back */
out = chunk_hash_static(in);
- fail_unless(memeq(&out, sip_vectors[i], 4),
+ fail_unless(sipeq(&out, sip_vectors[i], 4),
"test vector failed for %d bytes", i);
}
hash_a = chunk_hash_static_inc(in, out);
@@ -750,6 +781,116 @@ START_TEST(test_chunk_hash_static)
END_TEST
/*******************************************************************************
+ * test for chunk_map and friends
+ */
+
+START_TEST(test_chunk_map)
+{
+ chunk_t *map, contents = chunk_from_chars(0x01,0x02,0x03,0x04,0x05);
+ char *path = "/tmp/strongswan-chunk-map-test";
+
+ ck_assert(chunk_write(contents, path, 022, TRUE));
+
+ /* read */
+ map = chunk_map(path, FALSE);
+ ck_assert(map != NULL);
+ ck_assert_msg(chunk_equals(*map, contents), "%B", map);
+ /* altering mapped chunk should not hurt */
+ *map = chunk_empty;
+ ck_assert(chunk_unmap(map));
+
+ /* write */
+ map = chunk_map(path, TRUE);
+ ck_assert(map != NULL);
+ ck_assert_msg(chunk_equals(*map, contents), "%B", map);
+ map->ptr[0] = 0x06;
+ ck_assert(chunk_unmap(map));
+
+ /* verify write */
+ contents.ptr[0] = 0x06;
+ map = chunk_map(path, FALSE);
+ ck_assert(map != NULL);
+ ck_assert_msg(chunk_equals(*map, contents), "%B", map);
+ ck_assert(chunk_unmap(map));
+
+ unlink(path);
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_from_fd
+ */
+
+START_TEST(test_chunk_from_fd_file)
+{
+ chunk_t in, contents = chunk_from_chars(0x01,0x02,0x03,0x04,0x05);
+ char *path = "/tmp/strongswan-chunk-fd-test";
+ int fd;
+
+ ck_assert(chunk_write(contents, path, 022, TRUE));
+
+ fd = open(path, O_RDONLY);
+ ck_assert(fd != -1);
+
+ ck_assert(chunk_from_fd(fd, &in));
+ close(fd);
+ ck_assert_msg(chunk_equals(in, contents), "%B", &in);
+ unlink(path);
+ free(in.ptr);
+}
+END_TEST
+
+START_TEST(test_chunk_from_fd_skt)
+{
+ chunk_t in, contents = chunk_from_chars(0x01,0x02,0x03,0x04,0x05);
+ int s[2];
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, s) == 0);
+ ck_assert(write(s[1], contents.ptr, contents.len) == contents.len);
+ close(s[1]);
+ ck_assert_msg(chunk_from_fd(s[0], &in), "%s", strerror(errno));
+ close(s[0]);
+ ck_assert_msg(chunk_equals(in, contents), "%B", &in);
+ free(in.ptr);
+}
+END_TEST
+
+#define FROM_FD_COUNT 8192
+
+void *chunk_from_fd_run(void *data)
+{
+ int i, fd = (uintptr_t)data;
+
+ for (i = 0; i < FROM_FD_COUNT; i++)
+ {
+ ck_assert(write(fd, &i, sizeof(i)) == sizeof(i));
+ }
+ close(fd);
+ return NULL;
+}
+
+START_TEST(test_chunk_from_fd_huge)
+{
+ thread_t *thread;
+ chunk_t in;
+ int s[2], i;
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, s) == 0);
+
+ thread = thread_create(chunk_from_fd_run, (void*)(uintptr_t)s[1]);
+ ck_assert_msg(chunk_from_fd(s[0], &in), "%s", strerror(errno));
+ ck_assert_int_eq(in.len, FROM_FD_COUNT * sizeof(i));
+ for (i = 0; i < FROM_FD_COUNT; i++)
+ {
+ ck_assert_int_eq(((int*)in.ptr)[i], i);
+ }
+ thread->join(thread);
+ close(s[0]);
+ free(in.ptr);
+}
+END_TEST
+
+/*******************************************************************************
* printf_hook tests
*/
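Review bot: `test_chunk_map` and `test_chunk_from_fd_file` write to fixed names directly under `/tmp` (`/tmp/strongswan-chunk-map-test`, `/tmp/strongswan-chunk-fd-test`) with the force flag set. On a shared build host the path can already exist as another user's file or link when the test writes it, and two concurrent runs overwrite each other's file. Whether `chunk_write()` follows links is not visible in this hunk, so that part needs confirming. A per-run name avoids both problems: `char path[] = "/tmp/strongswan-chunk-map-test-XXXXXX"; int fd = mkstemp(path); ck_assert(fd != -1); close(fd);` before the `chunk_write()` call (`mkstemp()` is declared in `<stdlib.h>`). The `unlink(path)` at the end is also skipped whenever an earlier `ck_assert` fails, which leaves the file behind.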
@@ -866,6 +1007,16 @@ Suite *chunk_suite_create()
tcase_add_test(tc, test_chunk_hash_static);
suite_add_tcase(s, tc);
+ tc = tcase_create("chunk_map");
+ tcase_add_test(tc, test_chunk_map);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("chunk_from_fd");
+ tcase_add_test(tc, test_chunk_from_fd_file);
+ tcase_add_test(tc, test_chunk_from_fd_skt);
+ tcase_add_test(tc, test_chunk_from_fd_huge);
+ suite_add_tcase(s, tc);
+
tc = tcase_create("printf_hook");
tcase_add_loop_test(tc, test_printf_hook_hash, 0, countof(printf_hook_data));
tcase_add_loop_test(tc, test_printf_hook_plus, 0, countof(printf_hook_data));
diff --git a/src/libstrongswan/tests/suites/test_crypter.c b/src/libstrongswan/tests/suites/test_crypter.c
new file mode 100644
index 000000000..4e7550aee
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_crypter.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/crypters/crypter.h>
+#include <asn1/oid.h>
+#include <utils/test.h>
+
+typedef struct {
+ int oid;
+ encryption_algorithm_t alg;
+ size_t key_size;
+}crypter_oid_t;
+
+static crypter_oid_t oids[] = {
+ { OID_UNKNOWN, ENCR_AES_CBC, 0 },
+ { OID_UNKNOWN, ENCR_CAMELLIA_CBC, 0 },
+ { OID_UNKNOWN, ENCR_UNDEFINED, 0 },
+ { OID_DES_CBC, ENCR_DES, 0 },
+ { OID_3DES_EDE_CBC, ENCR_3DES, 0 },
+ { OID_AES128_CBC, ENCR_AES_CBC, 128 },
+ { OID_AES192_CBC, ENCR_AES_CBC, 192 },
+ { OID_AES256_CBC, ENCR_AES_CBC, 256 },
+ { OID_CAMELLIA128_CBC, ENCR_CAMELLIA_CBC, 128 },
+ { OID_CAMELLIA192_CBC, ENCR_CAMELLIA_CBC, 192 },
+ { OID_CAMELLIA256_CBC, ENCR_CAMELLIA_CBC, 256 }
+};
+
+START_TEST(test_crypter_from_oid)
+{
+ size_t key_size;
+
+ ck_assert(encryption_algorithm_from_oid(oids[_i].oid, NULL) ==
+ oids[_i].alg);
+ ck_assert(encryption_algorithm_from_oid(oids[_i].oid, &key_size) ==
+ oids[_i].alg);
+ ck_assert(key_size == oids[_i].key_size);
+}
+END_TEST
+
+START_TEST(test_crypter_to_oid)
+{
+ ck_assert(encryption_algorithm_to_oid(oids[_i].alg,
+ oids[_i].key_size) == oids[_i].oid);
+}
+END_TEST
+
+typedef struct {
+ encryption_algorithm_t alg;
+ bool is_aead;
+}crypter_aead_t;
+
+static crypter_aead_t aead[] = {
+ { ENCR_AES_CCM_ICV8, TRUE },
+ { ENCR_AES_CCM_ICV12, TRUE },
+ { ENCR_AES_CCM_ICV16, TRUE },
+ { ENCR_AES_GCM_ICV8, TRUE },
+ { ENCR_AES_GCM_ICV12, TRUE },
+ { ENCR_AES_GCM_ICV16, TRUE },
+ { ENCR_NULL_AUTH_AES_GMAC, TRUE },
+ { ENCR_CAMELLIA_CCM_ICV8, TRUE },
+ { ENCR_CAMELLIA_CCM_ICV12, TRUE },
+ { ENCR_CAMELLIA_CCM_ICV16, TRUE },
+ { ENCR_AES_CBC, FALSE },
+ { ENCR_CAMELLIA_CBC, FALSE }
+};
+
+START_TEST(test_crypter_is_aead)
+{
+ ck_assert(encryption_algorithm_is_aead(aead[_i].alg) == aead[_i].is_aead);
+}
+END_TEST
+
+Suite *crypter_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("crypter");
+
+ tc = tcase_create("from_oid");
+ tcase_add_loop_test(tc, test_crypter_from_oid, 2, countof(oids));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("to_oid");
+ tcase_add_loop_test(tc, test_crypter_to_oid, 0, countof(oids));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("is_aead");
+ tcase_add_loop_test(tc, test_crypter_is_aead, 0, countof(aead));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
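Review bot: `tcase_add_loop_test(tc, test_crypter_from_oid, 2, countof(oids))` starts at the magic index 2 with no explanation. The first two rows of `oids` map an algorithm to `OID_UNKNOWN` and only make sense in the `to_oid` direction, so adding or reordering rows silently changes what `from_oid` covers. A comment at the table and at the call would pin this down, e.g. `/* entries 0-1 are to_oid-only: skip them for from_oid */`. In `test_crypter_from_oid`, `key_size` is also read after the call without being initialised, which is only sound if `encryption_algorithm_from_oid()` always stores a value (not visible here); `size_t key_size = 0;` removes the doubt.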
diff --git a/src/libstrongswan/tests/test_ecdsa.c b/src/libstrongswan/tests/suites/test_ecdsa.c
index 2955bae2f..3c842996d 100644
--- a/src/libstrongswan/tests/test_ecdsa.c
+++ b/src/libstrongswan/tests/suites/test_ecdsa.c
@@ -222,11 +222,17 @@ Suite *ecdsa_suite_create()
{
Suite *s;
TCase *tc;
+ int gen_count = countof(key_sizes);
s = suite_create("ecdsa");
+ if (getenv("TESTS_REDUCED_KEYLENGTHS") != NULL)
+ {
+ gen_count = min(1, gen_count);
+ }
+
tc = tcase_create("generate");
- tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+ tcase_add_loop_test(tc, test_gen, 0, gen_count);
suite_add_tcase(s, tc);
tc = tcase_create("load");
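Review bot: With `TESTS_REDUCED_KEYLENGTHS` set, `gen_count = min(1, gen_count)` limits the generate case to the first entry of `key_sizes`, which assumes that table lists the smallest key first. The table is outside this hunk, so that could not be checked here. A short comment on the branch would document both the switch and the assumption, for example `/* reduced mode: generate only key_sizes[0], expected to be the smallest curve */`. Because the variable quietly reduces key-generation coverage, it should never be set in the configuration that gates releases. `ecdsa_suite_create()` continues past the end of the hunk.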
diff --git a/src/libstrongswan/tests/test_enum.c b/src/libstrongswan/tests/suites/test_enum.c
index 990d9cfad..990d9cfad 100644
--- a/src/libstrongswan/tests/test_enum.c
+++ b/src/libstrongswan/tests/suites/test_enum.c
diff --git a/src/libstrongswan/tests/test_enumerator.c b/src/libstrongswan/tests/suites/test_enumerator.c
index b5dde4650..b5dde4650 100644
--- a/src/libstrongswan/tests/test_enumerator.c
+++ b/src/libstrongswan/tests/suites/test_enumerator.c
diff --git a/src/libstrongswan/tests/suites/test_fetch_http.c b/src/libstrongswan/tests/suites/test_fetch_http.c
new file mode 100644
index 000000000..8749ff375
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_fetch_http.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <unistd.h>
+#include <time.h>
+
+/**
+ * HTTP test definition
+ */
+typedef struct {
+ /* HTTP Method */
+ char *meth;
+ /* HTTP 1.x minor version */
+ int minor;
+ /* host to connect to */
+ char *host;
+ /* HTTP service port */
+ int port;
+ /* path on host to fetch from */
+ char *path;
+ /* request Content-Type, if any */
+ char *type;
+ /* request data, if any */
+ void *req;
+ /* length of request data */
+ int req_len;
+ /* response data, if any */
+ void *res;
+ /* length of response data */
+ int res_len;
+} test_service_t;
+
+static char large[] = {
+ 0x88,0x3e,0xa3,0xe3,0x95,0x67,0x53,0x93,0xc8,0xce,0x5c,0xcd,0x8c,0x03,0x0c,0xa8,
+ 0x94,0xaf,0x49,0xf6,0xc6,0x50,0xad,0xb8,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+ 0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+ 0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+ 0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+ 0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+ 0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+ 0xb4,0xa3,0x15,0x08,0xbe,0xff,0x4d,0x31,0x81,0x39,0x62,0x29,0xf0,0x90,0x79,0x02,
+ 0x4d,0x0c,0xf4,0x9e,0xe5,0xd4,0xdc,0xca,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+ 0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+ 0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+ 0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+ 0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+ 0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+ 0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+ 0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+ 0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+ 0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+ 0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+ 0xb4,0xa3,0x15,0x08,0xbe,0xff,0x4d,0x31,0x81,0x39,0x62,0x29,0xf0,0x90,0x79,0x02,
+ 0x4d,0x0c,0xf4,0x9e,0xe5,0xd4,0xdc,0xca,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+ 0xf3,0x15,0xbb,0x5b,0xb8,0x35,0xd8,0x17,0xad,0xcf,0x6b,0x07,0x63,0x61,0x2e,0x2f,
+ 0xa5,0xc9,0x1d,0xa7,0xac,0xaa,0x4d,0xde,0x71,0x65,0x95,0x87,0x66,0x50,0xa2,0xa6,
+ 0x28,0xef,0x49,0x5c,0x53,0xa3,0x87,0xad,0x42,0xc3,0x41,0xd8,0xfa,0x92,0xd8,0x32,
+ 0xce,0x7c,0xf2,0x72,0x2f,0x51,0x27,0x71,0xe3,0x78,0x59,0xf9,0x46,0x23,0xf3,0xa7,
+ 0x38,0x12,0x05,0xbb,0x1a,0xb0,0xe0,0x12,0xae,0x97,0xa1,0x0f,0xd4,0x34,0xe0,0x15,
+ 0xb4,0xa3,0x15,0x08,0xbe,0xff,0x4d,0x31,0x81,0x39,0x62,0x29,0xf0,0x90,0x79,0x02,
+ 0x4d,0x0c,0xf4,0x9e,0xe5,0xd4,0xdc,0xca,0xea,0xb8,0x85,0x8a,0xde,0x92,0xe1,0xbc,
+};
+
+static bool servicing(void *data, stream_t *stream)
+{
+ test_service_t *test = (test_service_t*)data;
+ char buf[1024], hdr[256], *start, *end = NULL, *body = NULL, *type = NULL;
+ struct tm tm;
+ time_t t;
+ ssize_t len, tot = 0;
+ int nr = 0;
+
+ start = buf;
+
+ /* parse method and headers */
+ while (end != start)
+ {
+ len = stream->read(stream, buf + tot, sizeof(buf) - tot, TRUE);
+ ck_assert(len > 0);
+ tot += len;
+
+ while (TRUE)
+ {
+ end = memchr(start, '\n', tot);
+ if (!end)
+ {
+ break;
+ }
+ *end = '\0';
+ ck_assert(end > buf);
+ ck_assert(*(--end) == '\r');
+ *end = '\0';
+ if (end == start)
+ {
+ body = end + strlen("\r\n");
+ break;
+ }
+ switch (nr++)
+ {
+ case 0:
+ snprintf(hdr, sizeof(hdr), "%s %s HTTP/1.%u",
+ test->meth, test->path, test->minor);
+ ck_assert_str_eq(hdr, start);
+ break;
+ default:
+ if (strcasepfx(start, "Content-Length: "))
+ {
+ ck_assert_int_eq(
+ atoi(start + strlen("Content-Length: ")),
+ test->req_len);
+ }
+ if (strcasepfx(start, "Content-Type: "))
+ {
+ type = start + strlen("Content-Type: ");
+ }
+ break;
+ }
+ start = end + strlen("\r\n");
+ }
+ }
+
+ if (test->type)
+ {
+ ck_assert(type);
+ ck_assert_str_eq(type, test->type);
+ }
+
+ /* request body */
+ if (test->req_len)
+ {
+ ck_assert(stream->read_all(stream, buf + tot,
+ test->req_len - (tot - (body - buf))));
+ ck_assert(memeq(body, test->req, test->req_len));
+ }
+
+ /* response headers */
+ snprintf(buf, sizeof(buf), "HTTP/1.%u 200 OK\r\n", test->minor);
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+ t = time(NULL);
+ gmtime_r(&t, &tm);
+ strftime(buf, sizeof(buf), "%a, %d %b %Y %T %z", &tm);
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+ snprintf(buf, sizeof(buf), "Server: strongSwan unit test\r\n");
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+
+ /* rest of response headers */
+ snprintf(buf, sizeof(buf), "Content-Type: text/plain\r\n");
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+ snprintf(buf, sizeof(buf), "Content-Length: %u\r\n", test->res_len);
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+ snprintf(buf, sizeof(buf), "Connection: close\r\n");
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+ snprintf(buf, sizeof(buf), "\r\n");
+ ck_assert(stream->write_all(stream, buf, strlen(buf)));
+
+ /* response body */
+ ck_assert(stream->write_all(stream, test->res, test->res_len));
+ return FALSE;
+}
+
+static test_service_t gtests[] = {
+ { "GET", 1, "127.0.0.1", 6543, "/a/test/?b=c", NULL,
+ NULL, 0, "\x12\x34", 2 },
+ { "GET", 0, "localhost", 6543, "/", NULL,
+ NULL, 0, NULL, 0 },
+ { "GET", 0, "127.0.0.1", 6543, "/largefile", NULL,
+ NULL, 0, large, sizeof(large) },
+ { "GET", 1, "[::1]", 6543, "/ipv6-url", NULL,
+ NULL, 0, "\x00\r\n\r\x00testdatablabla", 20 },
+};
+
+START_TEST(test_get)
+{
+ stream_service_t *service;
+ status_t status;
+ chunk_t data, expected;
+ char uri[256];
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ snprintf(uri, sizeof(uri), "tcp://%s:%u", gtests[_i].host, gtests[_i].port);
+ service = lib->streams->create_service(lib->streams, uri, 1);
+ ck_assert(service != NULL);
+ service->on_accept(service, servicing, &gtests[_i], JOB_PRIO_HIGH, 0);
+
+ snprintf(uri, sizeof(uri), "http://%s:%u%s",
+ gtests[_i].host, gtests[_i].port, gtests[_i].path);
+ status = lib->fetcher->fetch(lib->fetcher, uri, &data,
+ !gtests[_i].minor ? FETCH_HTTP_VERSION_1_0 : FETCH_END,
+ FETCH_END);
+ ck_assert_int_eq(status, SUCCESS);
+ expected = chunk_create(gtests[_i].res, gtests[_i].res_len);
+ ck_assert_msg(chunk_compare(expected, data) == 0,
+ "exp %B\ngot %B\n", &expected, &data);
+ free(data.ptr);
+
+ service->destroy(service);
+}
+END_TEST
+
+
+static test_service_t ptests[] = {
+ { "POST", 1, "127.0.0.1", 6543, "/a/test/?b=c", "application/binary",
+ "\x23\x45", 2, "\x12\x34", 2 },
+ { "POST", 0, "localhost", 6543, "/largefile", "application/x-large",
+ large, sizeof(large), large, sizeof(large) },
+ { "POST", 1, "[::1]", 6543, "/ipv6-url", "text/plain",
+ "\x00\r\n\r\x00testdatablabla", 20, "\x00\r\n\r\x00testdatablabla", 20 },
+};
+
+START_TEST(test_post)
+{
+ stream_service_t *service;
+ status_t status;
+ chunk_t data, expected;
+ char uri[256];
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ snprintf(uri, sizeof(uri), "tcp://%s:%u", ptests[_i].host, ptests[_i].port);
+ service = lib->streams->create_service(lib->streams, uri, 1);
+ ck_assert(service != NULL);
+ service->on_accept(service, servicing, &ptests[_i], JOB_PRIO_HIGH, 0);
+
+ snprintf(uri, sizeof(uri), "http://%s:%u%s",
+ ptests[_i].host, ptests[_i].port, ptests[_i].path);
+ status = lib->fetcher->fetch(lib->fetcher, uri, &data,
+ FETCH_REQUEST_TYPE, ptests[_i].type,
+ FETCH_REQUEST_DATA,
+ chunk_create(ptests[_i].req, ptests[_i].req_len),
+ !ptests[_i].minor ? FETCH_HTTP_VERSION_1_0 : FETCH_END,
+ FETCH_END);
+ ck_assert_int_eq(status, SUCCESS);
+ expected = chunk_create(ptests[_i].res, ptests[_i].res_len);
+ ck_assert_msg(chunk_compare(expected, data) == 0,
+ "exp %B\ngot %B\n", &expected, &data);
+ free(data.ptr);
+
+ service->destroy(service);
+}
+END_TEST
+
+Suite *fetch_http_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("http fetcher");
+
+ tc = tcase_create("GET");
+ tcase_add_loop_test(tc, test_get, 0, countof(gtests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("POST");
+ tcase_add_loop_test(tc, test_post, 0, countof(ptests));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
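Review bot: In `servicing()` the header scan calls `memchr(start, '\n', tot)`, but `tot` counts bytes from `buf`, not from `start`; once `start` has advanced past the first header line, the search runs past the received data and can run past the end of `buf[1024]`. The length should be the remaining bytes: `end = memchr(start, '\n', tot - (start - buf));`. The body read has a related gap: `stream->read_all(stream, buf + tot, ...)` is never checked against `sizeof(buf)`, so a request whose headers plus `req_len` exceed 1024 bytes overflows the buffer. A guard such as `ck_assert((body - buf) + test->req_len <= sizeof(buf));` before the read would catch that. Separately, the `strftime()` output is sent without a `Date: ` prefix or a trailing `\r\n`, so it runs into the `Server:` line of the response.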
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
new file mode 100644
index 000000000..41a9d64ef
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -0,0 +1,189 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
+#include <asn1/oid.h>
+#include <utils/test.h>
+
+typedef struct {
+ int oid;
+ hash_algorithm_t alg;
+ key_type_t key;
+}hasher_oid_t;
+
+static hasher_oid_t oids[] = {
+ { OID_MD2, HASH_MD2, KEY_ANY },
+ { OID_MD5, HASH_MD5, KEY_ANY },
+ { OID_SHA1, HASH_SHA1, KEY_ANY },
+ { OID_SHA224, HASH_SHA224, KEY_ANY },
+ { OID_SHA256, HASH_SHA256, KEY_ANY },
+ { OID_SHA384, HASH_SHA384, KEY_ANY },
+ { OID_SHA512, HASH_SHA512, KEY_ANY },
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },
+ { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },
+ { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },
+ { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },
+ { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },
+ { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },
+ { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },
+ { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },
+ { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },
+ { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },
+ { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },
+ { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }
+};
+
+START_TEST(test_hasher_from_oid)
+{
+ ck_assert(hasher_algorithm_from_oid(oids[_i].oid) == oids[_i].alg);
+}
+END_TEST
+
+START_TEST(test_hasher_to_oid)
+{
+ ck_assert(hasher_algorithm_to_oid(oids[_i].alg) == oids[_i].oid);
+}
+END_TEST
+
+START_TEST(test_hasher_sig_to_oid)
+{
+ ck_assert(hasher_signature_algorithm_to_oid(oids[_i].alg,
+ oids[_i].key) == oids[_i].oid);
+}
+END_TEST
+
+typedef struct {
+ pseudo_random_function_t prf;
+ hash_algorithm_t alg;
+}hasher_prf_t;
+
+static hasher_prf_t prfs[] = {
+ { PRF_HMAC_MD5, HASH_MD5 },
+ { PRF_HMAC_SHA1, HASH_SHA1 },
+ { PRF_FIPS_SHA1_160, HASH_SHA1 },
+ { PRF_KEYED_SHA1, HASH_SHA1 },
+ { PRF_HMAC_SHA2_256, HASH_SHA256 },
+ { PRF_HMAC_SHA2_384, HASH_SHA384 },
+ { PRF_HMAC_SHA2_512, HASH_SHA512 },
+ { PRF_HMAC_TIGER, HASH_UNKNOWN },
+ { PRF_AES128_XCBC, HASH_UNKNOWN },
+ { PRF_AES128_CMAC, HASH_UNKNOWN },
+ { PRF_FIPS_DES, HASH_UNKNOWN },
+ { PRF_CAMELLIA128_XCBC, HASH_UNKNOWN },
+ { PRF_UNDEFINED, HASH_UNKNOWN },
+ { 0, HASH_UNKNOWN }
+};
+
+START_TEST(test_hasher_from_prf)
+{
+ ck_assert(hasher_algorithm_from_prf(prfs[_i].prf) == prfs[_i].alg);
+}
+END_TEST
+
+typedef struct {
+ integrity_algorithm_t auth;
+ hash_algorithm_t alg;
+ size_t length;
+}hasher_auth_t;
+
+static hasher_auth_t auths[] = {
+ { AUTH_UNDEFINED, HASH_MD2, 0 },
+ { AUTH_UNDEFINED, HASH_MD4, 0 },
+ { AUTH_UNDEFINED, HASH_SHA224, 0 },
+ { AUTH_UNDEFINED, 9, 0 },
+ { AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
+ { AUTH_HMAC_MD5_96, HASH_MD5, 12 },
+ { AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
+ { AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
+ { AUTH_HMAC_MD5_128, HASH_MD5, 16 },
+ { AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
+ { AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
+ { AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
+ { AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
+ { AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
+ { AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
+ { AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
+ { AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
+ { AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
+ { AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
+ { AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
+ { AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
+ { AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
+ { AUTH_DES_MAC, HASH_UNKNOWN, 0 },
+ { AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
+ { 0, HASH_UNKNOWN, 0 }
+};
+
+START_TEST(test_hasher_from_integrity)
+{
+ size_t length;
+
+ length = 0;
+ ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, NULL) ==
+ auths[_i].alg);
+ ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, &length) ==
+ auths[_i].alg);
+ ck_assert(length == auths[_i].length);
+}
+END_TEST
+
+START_TEST(test_hasher_to_integrity)
+{
+ ck_assert(hasher_algorithm_to_integrity(
+ auths[_i].alg, auths[_i].length) == auths[_i].auth);
+ ck_assert(hasher_algorithm_to_integrity(
+ auths[_i].alg, 0) == AUTH_UNDEFINED);
+}
+END_TEST
+
+Suite *hasher_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("hasher");
+
+ tc = tcase_create("from_oid");
+ tcase_add_loop_test(tc, test_hasher_from_oid, 0, 15);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("to_oid");
+ tcase_add_loop_test(tc, test_hasher_to_oid, 0, 8);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("sig_to_oid");
+ tcase_add_loop_test(tc, test_hasher_sig_to_oid, 7, countof(oids));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("from_prf");
+ tcase_add_loop_test(tc, test_hasher_from_prf, 0, countof(prfs));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("from_integrity");
+ tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("to_integrity");
+ tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
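Review bot: The loop bounds in `hasher_suite_create()` are bare numbers (`0, 15`, `0, 8`, `7, countof(oids)`, `4, countof(auths)`, `0, 17`) that encode row positions in `oids` and `auths`, so inserting a row shifts what each case covers without any failure. As written, `from_oid` stops before index 15 and therefore never checks the `OID_ECDSA_WITH_*` rows; whether that is intended is not visible here. Named constants or a comment per call would make the ranges reviewable, e.g. `/* rows 0-14: plain and RSA OIDs; the ECDSA rows are sig_to_oid only */`. The `{ AUTH_UNDEFINED, 9, 0 }` row would likewise benefit from a comment saying which hash algorithm the value `9` stands for.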
diff --git a/src/libstrongswan/tests/test_hashtable.c b/src/libstrongswan/tests/suites/test_hashtable.c
index 8cc7bfe42..8cc7bfe42 100644
--- a/src/libstrongswan/tests/test_hashtable.c
+++ b/src/libstrongswan/tests/suites/test_hashtable.c
diff --git a/src/libstrongswan/tests/test_host.c b/src/libstrongswan/tests/suites/test_host.c
index 30b9eb940..30b9eb940 100644
--- a/src/libstrongswan/tests/test_host.c
+++ b/src/libstrongswan/tests/suites/test_host.c
diff --git a/src/libstrongswan/tests/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 1dc6776d1..edf53f0fd 100644
--- a/src/libstrongswan/tests/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -179,7 +179,7 @@ static struct {
START_TEST(test_from_string)
{
identification_t *a;
- chunk_t encoding, expected;
+ chunk_t encoding, expected = chunk_empty;
char *id;
id = string_data[_i].id;
diff --git a/src/libstrongswan/tests/test_linked_list.c b/src/libstrongswan/tests/suites/test_linked_list.c
index 9e85c58d8..922f954e3 100644
--- a/src/libstrongswan/tests/test_linked_list.c
+++ b/src/libstrongswan/tests/suites/test_linked_list.c
@@ -246,10 +246,10 @@ struct invoke_t {
static void invoke(intptr_t item, void *a, void *b, void *c, void *d, int *sum)
{
- ck_assert(a == (void*)1);
- ck_assert(b == (void*)2);
- ck_assert(c == (void*)3);
- ck_assert(d == (void*)4);
+ ck_assert_int_eq((uintptr_t)a, 1);
+ ck_assert_int_eq((uintptr_t)b, 2);
+ ck_assert_int_eq((uintptr_t)c, 3);
+ ck_assert_int_eq((uintptr_t)d, 4);
*sum += item;
}
@@ -267,7 +267,9 @@ START_TEST(test_invoke_function)
list->insert_last(list, (void*)3);
list->insert_last(list, (void*)4);
list->insert_last(list, (void*)5);
- list->invoke_function(list, (linked_list_invoke_t)invoke, 1, 2, 3, 4, &sum);
+ list->invoke_function(list, (linked_list_invoke_t)invoke,
+ (uintptr_t)1, (uintptr_t)2,
+ (uintptr_t)3, (uintptr_t)4, &sum);
ck_assert_int_eq(sum, 15);
}
END_TEST
@@ -287,7 +289,9 @@ START_TEST(test_invoke_offset)
{
list->insert_last(list, &items[i]);
}
- list->invoke_offset(list, offsetof(invoke_t, invoke), 1, 2, 3, 4, &sum);
+ list->invoke_offset(list, offsetof(invoke_t, invoke),
+ (uintptr_t)1, (uintptr_t)2,
+ (uintptr_t)3, (uintptr_t)4, &sum);
ck_assert_int_eq(sum, 15);
}
END_TEST
@@ -303,7 +307,7 @@ struct clone_t {
void *(*clone)(clone_t *item);
};
-static void *clone(clone_t *item)
+static void *clonefn(clone_t *item)
{
return item->val;
}
@@ -326,11 +330,11 @@ START_TEST(test_clone_offset)
{
linked_list_t *other;
clone_t items[] = {
- { .val = (void*)1, .clone = clone, },
- { .val = (void*)2, .clone = clone, },
- { .val = (void*)3, .clone = clone, },
- { .val = (void*)4, .clone = clone, },
- { .val = (void*)5, .clone = clone, },
+ { .val = (void*)1, .clone = clonefn, },
+ { .val = (void*)2, .clone = clonefn, },
+ { .val = (void*)3, .clone = clonefn, },
+ { .val = (void*)4, .clone = clonefn, },
+ { .val = (void*)5, .clone = clonefn, },
};
int i;
diff --git a/src/libstrongswan/tests/test_linked_list_enumerator.c b/src/libstrongswan/tests/suites/test_linked_list_enumerator.c
index 48d6f40e6..48d6f40e6 100644
--- a/src/libstrongswan/tests/test_linked_list_enumerator.c
+++ b/src/libstrongswan/tests/suites/test_linked_list_enumerator.c
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
new file mode 100644
index 000000000..a46f5742c
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -0,0 +1,1042 @@
+/*
+ * Copyright (C) 2013-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/test_rng.h>
+#include <plugins/ntru/ntru_drbg.h>
+#include <plugins/ntru/ntru_mgf1.h>
+#include <plugins/ntru/ntru_trits.h>
+#include <plugins/ntru/ntru_poly.h>
+#include <utils/test.h>
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
+ u_int32_t strength, chunk_t pers_str, rng_t *entropy)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create, ntru_mgf1_t*,
+ hash_algorithm_t alg, chunk_t seed, bool hash_seed)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*,
+ size_t len, hash_algorithm_t alg, chunk_t seed)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_seed, ntru_poly_t*,
+ hash_algorithm_t alg, chunk_t seed, uint8_t c_bits,
+ uint16_t N, uint16_t q, uint32_t indices_len_p,
+ uint32_t indices_len_m, bool is_product_form)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*,
+ u_int16_t *data, uint16_t N, uint16_t q,
+ uint32_t indices_len_p, uint32_t indices_len_m,
+ bool is_product_form)
+
+/**
+ * NTRU parameter sets to test
+ */
+static struct {
+ diffie_hellman_group_t group;
+ char *group_name;
+} params[] = {
+ { NTRU_112_BIT, "NTRU_112" },
+ { NTRU_128_BIT, "NTRU_128" },
+ { NTRU_192_BIT, "NTRU_192" },
+ { NTRU_256_BIT, "NTRU_256" }
+};
+
+/**
+ * NTRU parameter set selection
+ */
+char *parameter_sets[] = {
+ "x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum"
+};
+
+typedef struct {
+ u_int32_t requested;
+ u_int32_t standard;
+}strength_t;
+
+strength_t strengths[] = {
+ { 80, 112 },
+ { 112, 112 },
+ { 120, 128 },
+ { 128, 128 },
+ { 150, 192 },
+ { 192, 192 },
+ { 200, 256 },
+ { 256, 256 },
+ { 512, 0 }
+};
+
+START_TEST(test_ntru_drbg_strength)
+{
+ ntru_drbg_t *drbg;
+ rng_t *entropy;
+
+ entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ ck_assert(entropy != NULL);
+
+ drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
+ if (strengths[_i].standard)
+ {
+ ck_assert(drbg != NULL);
+ ck_assert(drbg->get_strength(drbg) == strengths[_i].standard);
+ drbg->destroy(drbg);
+ }
+ else
+ {
+ ck_assert(drbg == NULL);
+ }
+ entropy->destroy(entropy);
+}
+END_TEST
+
+typedef struct {
+ chunk_t pers_str;
+ chunk_t entropy;
+ chunk_t out;
+} drbg_test_t;
+
+/**
+ * NIST SP 800-90A Deterministic Random Generator Validation System (DRBGVS)
+ */
+drbg_test_t drbg_tests[] = {
+ /* SHA-256 test case 1 - count 0 */
+ { { NULL, 0 },
+ chunk_from_chars(0x06, 0x03, 0x2c, 0xd5, 0xee, 0xd3, 0x3f, 0x39,
+ 0x26, 0x5f, 0x49, 0xec, 0xb1, 0x42, 0xc5, 0x11,
+ 0xda, 0x9a, 0xff, 0x2a, 0xf7, 0x12, 0x03, 0xbf,
+ 0xfa, 0xf3, 0x4a, 0x9c, 0xa5, 0xbd, 0x9c, 0x0d,
+ 0x0e, 0x66, 0xf7, 0x1e, 0xdc, 0x43, 0xe4, 0x2a,
+ 0x45, 0xad, 0x3c, 0x6f, 0xc6, 0xcd, 0xc4, 0xdf,
+ 0x01, 0x92, 0x0a, 0x4e, 0x66, 0x9e, 0xd3, 0xa8,
+ 0x5a, 0xe8, 0xa3, 0x3b, 0x35, 0xa7, 0x4a, 0xd7,
+ 0xfb, 0x2a, 0x6b, 0xb4, 0xcf, 0x39, 0x5c, 0xe0,
+ 0x03, 0x34, 0xa9, 0xc9, 0xa5, 0xa5, 0xd5, 0x52),
+ chunk_from_chars(0x76, 0xfc, 0x79, 0xfe, 0x9b, 0x50, 0xbe, 0xcc,
+ 0xc9, 0x91, 0xa1, 0x1b, 0x56, 0x35, 0x78, 0x3a,
+ 0x83, 0x53, 0x6a, 0xdd, 0x03, 0xc1, 0x57, 0xfb,
+ 0x30, 0x64, 0x5e, 0x61, 0x1c, 0x28, 0x98, 0xbb,
+ 0x2b, 0x1b, 0xc2, 0x15, 0x00, 0x02, 0x09, 0x20,
+ 0x8c, 0xd5, 0x06, 0xcb, 0x28, 0xda, 0x2a, 0x51,
+ 0xbd, 0xb0, 0x38, 0x26, 0xaa, 0xf2, 0xbd, 0x23,
+ 0x35, 0xd5, 0x76, 0xd5, 0x19, 0x16, 0x08, 0x42,
+ 0xe7, 0x15, 0x8a, 0xd0, 0x94, 0x9d, 0x1a, 0x9e,
+ 0xc3, 0xe6, 0x6e, 0xa1, 0xb1, 0xa0, 0x64, 0xb0,
+ 0x05, 0xde, 0x91, 0x4e, 0xac, 0x2e, 0x9d, 0x4f,
+ 0x2d, 0x72, 0xa8, 0x61, 0x6a, 0x80, 0x22, 0x54,
+ 0x22, 0x91, 0x82, 0x50, 0xff, 0x66, 0xa4, 0x1b,
+ 0xd2, 0xf8, 0x64, 0xa6, 0xa3, 0x8c, 0xc5, 0xb6,
+ 0x49, 0x9d, 0xc4, 0x3f, 0x7f, 0x2b, 0xd0, 0x9e,
+ 0x1e, 0x0f, 0x8f, 0x58, 0x85, 0x93, 0x51, 0x24)
+ },
+ /* SHA-256 test case 3 - count 0 */
+ { chunk_from_chars(0xf2, 0xe5, 0x8f, 0xe6, 0x0a, 0x3a, 0xfc, 0x59,
+ 0xda, 0xd3, 0x75, 0x95, 0x41, 0x5f, 0xfd, 0x31,
+ 0x8c, 0xcf, 0x69, 0xd6, 0x77, 0x80, 0xf6, 0xfa,
+ 0x07, 0x97, 0xdc, 0x9a, 0xa4, 0x3e, 0x14, 0x4c),
+ chunk_from_chars(0xfa, 0x0e, 0xe1, 0xfe, 0x39, 0xc7, 0xc3, 0x90,
+ 0xaa, 0x94, 0x15, 0x9d, 0x0d, 0xe9, 0x75, 0x64,
+ 0x34, 0x2b, 0x59, 0x17, 0x77, 0xf3, 0xe5, 0xf6,
+ 0xa4, 0xba, 0x2a, 0xea, 0x34, 0x2e, 0xc8, 0x40,
+ 0xdd, 0x08, 0x20, 0x65, 0x5c, 0xb2, 0xff, 0xdb,
+ 0x0d, 0xa9, 0xe9, 0x31, 0x0a, 0x67, 0xc9, 0xe5,
+ 0xe0, 0x62, 0x9b, 0x6d, 0x79, 0x75, 0xdd, 0xfa,
+ 0x96, 0xa3, 0x99, 0x64, 0x87, 0x40, 0xe6, 0x0f,
+ 0x1f, 0x95, 0x57, 0xdc, 0x58, 0xb3, 0xd7, 0x41,
+ 0x5f, 0x9b, 0xa9, 0xd4, 0xdb, 0xb5, 0x01, 0xf6),
+ chunk_from_chars(0xf9, 0x2d, 0x4c, 0xf9, 0x9a, 0x53, 0x5b, 0x20,
+ 0x22, 0x2a, 0x52, 0xa6, 0x8d, 0xb0, 0x4c, 0x5a,
+ 0xf6, 0xf5, 0xff, 0xc7, 0xb6, 0x6a, 0x47, 0x3a,
+ 0x37, 0xa2, 0x56, 0xbd, 0x8d, 0x29, 0x8f, 0x9b,
+ 0x4a, 0xa4, 0xaf, 0x7e, 0x8d, 0x18, 0x1e, 0x02,
+ 0x36, 0x79, 0x03, 0xf9, 0x3b, 0xdb, 0x74, 0x4c,
+ 0x6c, 0x2f, 0x3f, 0x34, 0x72, 0x62, 0x6b, 0x40,
+ 0xce, 0x9b, 0xd6, 0xa7, 0x0e, 0x7b, 0x8f, 0x93,
+ 0x99, 0x2a, 0x16, 0xa7, 0x6f, 0xab, 0x6b, 0x5f,
+ 0x16, 0x25, 0x68, 0xe0, 0x8e, 0xe6, 0xc3, 0xe8,
+ 0x04, 0xae, 0xfd, 0x95, 0x2d, 0xdd, 0x3a, 0xcb,
+ 0x79, 0x1c, 0x50, 0xf2, 0xad, 0x69, 0xe9, 0xa0,
+ 0x40, 0x28, 0xa0, 0x6a, 0x9c, 0x01, 0xd3, 0xa6,
+ 0x2a, 0xca, 0x2a, 0xaf, 0x6e, 0xfe, 0x69, 0xed,
+ 0x97, 0xa0, 0x16, 0x21, 0x3a, 0x2d, 0xd6, 0x42,
+ 0xb4, 0x88, 0x67, 0x64, 0x07, 0x2d, 0x9c, 0xbe)
+ },
+ /* SHA-256 test case 5 - count 0 */
+ { { NULL, 0 },
+ chunk_from_chars(0xff, 0x0c, 0xdd, 0x55, 0x5c, 0x60, 0x46, 0x47,
+ 0x60, 0xb2, 0x89, 0xb7, 0xbc, 0x1f, 0x81, 0x1a,
+ 0x41, 0xff, 0xf7, 0x2d, 0xe5, 0x90, 0x83, 0x85,
+ 0x8c, 0x02, 0x0a, 0x10, 0x53, 0xbd, 0xc7, 0x4a,
+ 0x7b, 0xc0, 0x99, 0x28, 0x5a, 0xd5, 0x62, 0x19,
+ 0x93, 0xb6, 0x39, 0xc4, 0xa9, 0x4c, 0x37, 0x6b,
+ 0x14, 0xfc, 0x6c, 0x9b, 0x17, 0x8d, 0xb6, 0x44,
+ 0xa8, 0xcd, 0x71, 0x30, 0xa4, 0xcf, 0x05, 0x16,
+ 0x78, 0xc8, 0xf4, 0xfa, 0x8f, 0x24, 0xc2, 0x7b,
+ 0x0a, 0x53, 0x13, 0x38, 0xa5, 0xce, 0x85, 0x89),
+ chunk_from_chars(0x2f, 0x26, 0x20, 0x34, 0x7b, 0xdd, 0xca, 0xa2,
+ 0x94, 0x36, 0x85, 0x34, 0x6b, 0xbf, 0x31, 0xc4,
+ 0x40, 0x81, 0xf8, 0x66, 0x5f, 0x3d, 0xdb, 0x2b,
+ 0x42, 0xae, 0x14, 0x16, 0xa7, 0x4c, 0x4b, 0x77,
+ 0xfa, 0xb3, 0xfa, 0x19, 0xae, 0xec, 0xc5, 0x47,
+ 0xe7, 0x6c, 0x8c, 0xbe, 0x6a, 0xd1, 0xf1, 0x00,
+ 0xa3, 0xfc, 0x8b, 0x2c, 0xe2, 0xa1, 0xea, 0x3a,
+ 0x3d, 0xd7, 0xcf, 0xad, 0x46, 0xc1, 0xb2, 0x78,
+ 0x30, 0xb9, 0x40, 0xba, 0x18, 0xd0, 0x9e, 0x9b,
+ 0x7f, 0xa9, 0x02, 0xbb, 0x76, 0x06, 0x69, 0xb1,
+ 0x73, 0x5c, 0xc7, 0xb7, 0xbd, 0x39, 0x05, 0x2d,
+ 0xa7, 0xf2, 0x62, 0x6f, 0xa8, 0x70, 0x00, 0xcf,
+ 0xfa, 0xda, 0x41, 0x00, 0x19, 0xd0, 0x53, 0x38,
+ 0x6a, 0xd8, 0x08, 0xbd, 0x3c, 0x0c, 0xfc, 0xf5,
+ 0x6b, 0x91, 0x87, 0x9e, 0xb8, 0xd3, 0xf9, 0x32,
+ 0xee, 0x2d, 0x18, 0x5e, 0x54, 0xf3, 0x1b, 0x74)
+ },
+ /* SHA-256 test case 7 - count 0 */
+ { chunk_from_chars(0x40, 0x93, 0x3f, 0xdc, 0xce, 0x41, 0x59, 0xb0,
+ 0x95, 0x51, 0x11, 0xf8, 0x44, 0x47, 0x1b, 0x0d,
+ 0xb8, 0x5b, 0x73, 0xbd, 0xd2, 0xb7, 0x8c, 0x46,
+ 0x8d, 0xd3, 0x9e, 0x2a, 0x9b, 0x29, 0xae, 0xf2),
+ chunk_from_chars(0x28, 0xba, 0x1a, 0x66, 0x16, 0x32, 0xef, 0xc8,
+ 0xec, 0xce, 0xd5, 0xf5, 0x1b, 0x79, 0x13, 0x00,
+ 0xfb, 0x3b, 0x55, 0xb0, 0x5d, 0x04, 0x17, 0x08,
+ 0x63, 0x8d, 0xe4, 0xbe, 0xb7, 0x57, 0xa9, 0xe5,
+ 0x76, 0x82, 0x87, 0x96, 0xaf, 0xf0, 0x7f, 0x55,
+ 0x79, 0x5c, 0xb5, 0x47, 0x13, 0xc7, 0x7e, 0xd4,
+ 0xa5, 0xf5, 0x42, 0xb0, 0x4a, 0xaa, 0x5d, 0xbc,
+ 0x93, 0x1e, 0x47, 0x01, 0x9f, 0xeb, 0x38, 0x96,
+ 0x26, 0x16, 0xc5, 0x7a, 0xf0, 0x9b, 0x7c, 0x1d,
+ 0xf8, 0x3f, 0x2b, 0x86, 0x0f, 0xf7, 0x65, 0x86),
+ chunk_from_chars(0x65, 0xe5, 0xaa, 0x47, 0xb3, 0x85, 0xf1, 0xea,
+ 0x42, 0xb2, 0x31, 0xb9, 0xfe, 0x74, 0x42, 0x53,
+ 0xb8, 0x59, 0x88, 0x59, 0xd7, 0x01, 0x1e, 0x52,
+ 0x5f, 0x5a, 0x2a, 0x1a, 0xd3, 0x2a, 0x97, 0x2a,
+ 0x85, 0x08, 0x02, 0xc6, 0x0a, 0x2b, 0xe1, 0x9b,
+ 0xe2, 0x70, 0x06, 0x3a, 0x3c, 0xfb, 0xea, 0xae,
+ 0x95, 0x4f, 0x10, 0xb1, 0x22, 0x35, 0x2d, 0xe6,
+ 0xa0, 0x8a, 0xc4, 0x10, 0xe0, 0x99, 0x16, 0x53,
+ 0xaa, 0xb2, 0x71, 0xb3, 0x60, 0xfe, 0x91, 0x91,
+ 0xcf, 0x5a, 0xdd, 0xcc, 0xcc, 0xed, 0x8c, 0x4a,
+ 0xcf, 0xb6, 0x14, 0x57, 0x04, 0x99, 0x92, 0x98,
+ 0x8f, 0xd7, 0xa9, 0xac, 0xca, 0x1f, 0x1b, 0xca,
+ 0x35, 0xf1, 0x47, 0x58, 0x13, 0x69, 0x4a, 0x39,
+ 0x98, 0x8e, 0x5f, 0xac, 0x9f, 0x4a, 0xc0, 0x57,
+ 0x22, 0x86, 0xbc, 0x46, 0x25, 0x82, 0xad, 0x0a,
+ 0xf7, 0x8a, 0xb3, 0xb8, 0x5e, 0xc1, 0x7a, 0x25)
+ }
+};
+
+START_TEST(test_ntru_drbg)
+{
+ ntru_drbg_t *drbg;
+ rng_t *entropy;
+ chunk_t out;
+
+ out = chunk_alloc(128);
+ entropy = test_rng_create(drbg_tests[_i].entropy);
+ drbg = ntru_drbg_create(256, drbg_tests[_i].pers_str, entropy);
+ ck_assert(drbg != NULL);
+ ck_assert(drbg->reseed(drbg));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(chunk_equals(out, drbg_tests[_i].out));
+ drbg->destroy(drbg);
+ entropy->destroy(entropy);
+ chunk_free(&out);
+}
+END_TEST
+
+START_TEST(test_ntru_drbg_reseed)
+{
+ ntru_drbg_t *drbg;
+ rng_t *entropy;
+ chunk_t out;
+
+ lib->settings->set_int(lib->settings,
+ "libstrongswan.plugins.ntru.max_drbg_requests", 2);
+ out = chunk_alloc(128);
+ entropy = test_rng_create(drbg_tests[0].entropy);
+ drbg = ntru_drbg_create(256, chunk_empty, entropy);
+
+ /* bad output parameters */
+ ck_assert(!drbg->generate(drbg, 256, 0, out.ptr));
+ ck_assert(!drbg->generate(drbg, 256, 128, NULL));
+
+ /* no reseeding occurs */
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+
+ /* consuming remaining entropy */
+ ck_assert(entropy->get_bytes(entropy, 32, out.ptr));
+
+ /* no entropy available for automatic reseeding */
+ ck_assert(!drbg->generate(drbg, 256, 128, out.ptr));
+ drbg->destroy(drbg);
+
+ /* no entropy available for DRBG instantiation */
+ drbg = ntru_drbg_create(256, chunk_empty, entropy);
+ ck_assert(drbg == NULL);
+ entropy->destroy(entropy);
+
+ /* one automatic reseeding occurs */
+ entropy = test_rng_create(drbg_tests[0].entropy);
+ drbg = ntru_drbg_create(256, chunk_empty, entropy);
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+
+ /* no entropy left */
+ ck_assert(!entropy->get_bytes(entropy, 32, out.ptr));
+
+ drbg->destroy(drbg);
+ entropy->destroy(entropy);
+ chunk_free(&out);
+ lib->settings->set_int(lib->settings,
+ "libstrongswan.plugins.ntru.max_drbg_requests", 2000);
+}
+END_TEST
+
+typedef struct {
+ uint8_t c_bits;
+ uint16_t N;
+ uint16_t q;
+ bool is_product_form;
+ uint32_t indices_len;
+ uint32_t indices_size;
+ uint16_t *indices;
+} poly_test_t;
+
+typedef struct {
+ hash_algorithm_t alg;
+ size_t hash_size;
+ size_t ml1, ml2, ml3, seed_len;
+ chunk_t seed;
+ chunk_t hashed_seed;
+ chunk_t mask;
+ chunk_t trits;
+ poly_test_t poly_test[2];
+} mgf1_test_t;
+
+uint16_t indices_ees439ep1[] = {
+ 367, 413, 16, 214, 114, 128, 42, 268, 346, 329, 119, 303, 208, 287, 150,
+ 3, 45, 321, 110, 109, 272, 430, 80, 305, 51, 381, 322, 140, 207, 315,
+ 206, 186, 56, 5, 273, 177, 44, 100, 205, 210, 98, 191, 8, 336
+};
+
+uint16_t indices_ees613ep1[] = {
+ 245, 391, 251, 428, 301, 2, 176, 296, 461, 224, 590, 215, 250, 91, 395,
+ 363, 58, 537, 278, 291, 247, 33, 140, 447, 172, 514, 424, 412, 95, 94,
+ 281, 159, 196, 302, 277, 63, 404, 150, 608, 315, 195, 334, 207, 376, 398,
+ 0, 309, 486, 516, 86, 267, 139, 130, 38, 141, 258, 21, 341, 526, 388,
+ 194, 116, 138, 524, 547, 383, 542, 406, 270, 438, 240, 445, 527, 168, 320,
+ 186, 327, 212, 543, 82, 606, 131, 294, 392, 477, 430, 583, 142, 253, 434,
+ 134, 458, 559, 414, 162, 407, 580, 577, 191, 109, 554, 523, 32, 62, 297,
+ 283, 268, 54, 539, 5
+};
+
+uint16_t indices_ees743ep1[] = {
+ 285, 62, 136, 655, 460, 35, 450, 208, 340, 212, 61, 234, 454, 52, 520,
+ 399, 315, 616, 496, 88, 280, 543, 508, 237, 553, 39, 214, 253, 720, 291,
+ 586, 615, 635, 596, 62, 499, 301, 176, 271, 659, 372, 185, 621, 350, 683,
+ 180, 717, 509, 641, 738, 666, 171, 639, 606, 353, 706, 237, 358, 410, 423,
+ 197, 501, 261, 654, 658, 701, 377, 182, 548, 287, 700, 403, 248, 137
+};
+
+uint16_t indices_ees1171ep1[] = {
+ 514, 702, 760, 505, 262, 486, 695, 783, 533, 74, 403, 847, 170,1019, 568,
+ 676,1057, 277,1021, 238, 203, 884, 124, 87, 65, 93, 131, 881,1102, 133,
+ 459, 462, 92, 40, 5,1152,1158, 297, 599, 299, 7, 458, 347, 343, 173,
+ 1044, 264, 871, 819, 679, 328, 438, 990, 982, 308,1135, 423, 470, 254, 295,
+ 1029, 892, 759, 789, 123, 939, 749, 353,1062, 145, 562, 337, 550, 102, 549,
+ 821,1098, 823, 96, 365, 135,1110, 334, 391, 638, 963, 962,1002,1069, 993,
+ 983, 649,1056, 399, 385, 715, 582, 799, 161, 512, 629, 979, 250, 37, 213,
+ 929, 413, 566, 336, 727, 160, 616,1170, 748, 282,1115, 325, 994, 189, 500,
+ 913, 332,1118, 753, 946, 775, 59, 809, 782, 612, 909,1090, 223, 777, 940,
+ 866,1032, 471, 298, 969, 192, 411, 721, 476, 910,1045,1027, 812, 352, 487,
+ 215, 625, 808, 230, 602, 457, 900, 416, 985, 850, 908, 155, 670, 669,1054,
+ 400,1126, 733, 647, 786, 195, 148, 362,1094, 389,1086,1166, 231, 436, 210,
+ 333, 824, 785, 826, 658, 472, 639,1046,1028, 519, 422, 80, 924,1089, 547,
+ 1157, 579, 2, 508,1040, 998, 902,1058, 600, 220, 805, 945, 140,1117, 179,
+ 536, 191
+};
+
+/**
+ * MGF1 Mask Generation Function Test Vectors
+ */
+mgf1_test_t mgf1_tests[] = {
+ { HASH_SHA1, 20, 60, 20, 15, 24,
+ chunk_from_chars(
+ 0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
+ 0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
+ 0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2,
+ 0xB5, 0xCA, 0xBF, 0x06, 0x43, 0x45, 0x19, 0xD5,
+ 0xE7, 0x36, 0xD0, 0x29, 0x21, 0xDA, 0x02, 0x20,
+ 0x45, 0xF6, 0x5F, 0x0F, 0x10, 0x04, 0x2A, 0xE3,
+ 0x6A, 0x1D, 0xD5, 0x9F, 0x1D, 0x66, 0x44, 0x8F,
+ 0xFA, 0xC6, 0xCA, 0xA4, 0x6E, 0x3B, 0x00, 0x66,
+ 0xA6, 0xC9, 0x80, 0x5C, 0xF5, 0x2D, 0xD7, 0x72,
+ 0xC6, 0xD4, 0x4F, 0x30, 0x72, 0xA2, 0xAD, 0xE0,
+ 0x33, 0xE8, 0x55, 0xD5, 0xE6, 0xD6, 0x00, 0x1D,
+ 0xA8, 0x68, 0xFF, 0x97, 0x36, 0x8A, 0xF4, 0xD6,
+ 0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB,
+ 0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20),
+ chunk_from_chars(
+ 0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7,
+ 0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0,
+ 0x21, 0xC4, 0x90, 0xB6),
+ chunk_from_chars(
+ 0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E,
+ 0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1,
+ 0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46,
+ 0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1,
+ 0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16,
+ 0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D,
+ 0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10,
+ 0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29,
+ 0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1,
+ 0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B,
+ 0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66,
+ 0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
+ 0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
+ 0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
+ 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
+ chunk_from_chars(
+ 1, 2, 1, 0, 0, 1, 1, 1, 2, 0, 1, 0, 1, 1, 1, 0, 2, 0, 1, 1,
+ 0, 0, 0, 1, 1, 0, 2, 0, 2, 2, 1, 2, 2, 2, 1, 2, 1, 1, 0, 0,
+ 2, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 2, 0, 0, 1, 0, 1, 0, 2, 0,
+ 0, 1, 0, 2, 1, 0, 0, 0, 2, 0, 0, 0, 1, 2, 2, 0, 0, 2, 0, 1,
+ 1, 2, 1, 1, 0, 0, 1, 1, 1, 2, 2, 1, 2, 0, 0, 2, 1, 0, 0, 1,
+ 0, 1, 1, 0, 0, 0, 1, 2, 2, 0, 1, 2, 1, 2, 0, 2, 0, 0, 0, 2,
+ 1, 2, 0, 0, 0, 2, 0, 0, 0, 2, 2, 1, 0, 2, 0, 1, 2, 0, 2, 1,
+ 0, 2, 2, 1, 0, 2, 1, 2, 2, 0, 2, 0, 2, 1, 2, 2, 0, 2, 0, 1,
+ 1, 2, 2, 2, 2, 1, 0, 1, 0, 2, 2, 0, 1, 1, 2, 2, 2, 0, 0, 1,
+ 0, 2, 0, 1, 0, 2, 1, 2, 1, 0, 1, 1, 2, 0, 0, 2, 1, 1, 2, 0,
+ 1, 2, 1, 1, 0, 1, 0, 2, 1, 1, 1, 2, 1, 0, 2, 0, 2, 0, 0, 2,
+ 2, 1, 0, 0, 2, 2, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 2, 1, 2, 2,
+ 2, 0, 0, 0, 0, 1, 0, 0, 1, 2, 1, 2, 0, 2, 1, 1, 1, 0, 2, 2,
+ 1, 2, 2, 1, 0, 1, 0, 2, 2, 2, 1, 2, 1, 0, 0, 1, 0, 1, 1, 1,
+ 1, 1, 2, 0, 0, 2, 1, 0, 2, 1, 2, 1, 0, 2, 2, 0, 0, 1, 2, 1,
+ 2, 0, 1, 2, 1, 1, 2, 0, 2, 0, 2, 1, 1, 1, 0, 0, 0, 1, 2, 1,
+ 2, 2, 1, 2, 1, 1, 2, 1, 2, 0, 2, 2, 1, 0, 0, 1, 2, 0, 1, 1,
+ 2, 0, 0, 0, 1, 2, 2, 1, 2, 0, 0, 2, 1, 0, 2, 2, 2, 1, 1, 0,
+ 2, 1, 2, 1, 2, 2, 1, 2, 1, 1, 0, 1, 1, 1, 1, 2, 0, 2, 2, 1,
+ 0, 1, 1, 2, 1, 2, 0, 2, 1, 0, 1, 0, 1, 0, 1, 2, 0, 1, 1, 0,
+ 0, 1, 1, 2, 0, 2, 2, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1,
+ 0, 1, 2, 0, 1, 1, 0, 1, 2, 0, 0, 1, 2, 2, 0, 0, 2, 1, 2),
+ {
+ { 9, 439, 2048, TRUE, 9 + (8 << 8) + (5 << 16),
+ countof(indices_ees439ep1), indices_ees439ep1
+ },
+ { 11, 613, 2048, FALSE, 55,
+ countof(indices_ees613ep1), indices_ees613ep1
+ }
+ }
+ },
+ { HASH_SHA256, 32, 64, 32, 33, 40,
+ chunk_from_chars(
+ 0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
+ 0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
+ 0xC5, 0x9D, 0xDE, 0xF6, 0xFC, 0xFA, 0x93, 0xCE,
+ 0x32, 0x52, 0x66, 0xF9, 0xC9, 0x97, 0xF6, 0x42,
+ 0x00, 0x2C, 0x64, 0xED, 0x1A, 0x6B, 0x14, 0x0A,
+ 0x4B, 0x04, 0xCF, 0x6D, 0x2D, 0x82, 0x0A, 0x07,
+ 0xA2, 0x3B, 0xDE, 0xCE, 0x19, 0x8A, 0x39, 0x43,
+ 0x16, 0x61, 0x29, 0x98, 0x68, 0xEA, 0xE5, 0xCC,
+ 0x0A, 0xF8, 0xE9, 0x71, 0x26, 0xF1, 0x07, 0x36,
+ 0x2C, 0x07, 0x1E, 0xEB, 0xE4, 0x28, 0xA2, 0xF4,
+ 0xA8, 0x12, 0xC0, 0xC8, 0x20, 0x37, 0xF8, 0xF2,
+ 0x6C, 0xAF, 0xDC, 0x6F, 0x2E, 0xD0, 0x62, 0x58,
+ 0xD2, 0x37, 0x03, 0x6D, 0xFA, 0x6E, 0x1A, 0xAC,
+ 0x9F, 0xCA, 0x56, 0xC6, 0xA4, 0x52, 0x41, 0xE8,
+ 0x0F, 0x1B, 0x0C, 0xB9, 0xE6, 0xBA, 0xDE, 0xE1,
+ 0x03, 0x5E, 0xC2, 0xE5, 0xF8, 0xF4, 0xF3, 0x46,
+ 0x3A, 0x12, 0xC0, 0x1F, 0x3A, 0x00, 0xD0, 0x91,
+ 0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4,
+ 0x54, 0xEE, 0x20, 0xF0, 0x80),
+ chunk_from_chars(
+ 0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
+ 0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
+ 0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
+ 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
+ chunk_from_chars(
+ 0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
+ 0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
+ 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F,
+ 0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A,
+ 0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6,
+ 0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5,
+ 0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC,
+ 0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13,
+ 0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B,
+ 0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07,
+ 0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92,
+ 0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08,
+ 0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6,
+ 0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC,
+ 0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA,
+ 0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD,
+ 0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3,
+ 0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6,
+ 0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95,
+ 0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42),
+ chunk_from_chars(
+ 1, 2, 2, 2, 2, 1, 2, 2, 0, 0, 2, 0, 0, 0, 0, 1, 2, 2, 2, 0,
+ 2, 0, 0, 2, 2, 1, 2, 0, 0, 1, 2, 1, 0, 0, 0, 1, 0, 2, 2, 1,
+ 1, 2, 0, 0, 0, 1, 2, 0, 2, 2, 1, 2, 1, 0, 1, 0, 1, 2, 1, 1,
+ 1, 2, 0, 1, 0, 2, 1, 1, 0, 0, 0, 1, 2, 0, 0, 1, 2, 1, 2, 0,
+ 2, 1, 1, 1, 2, 2, 2, 2, 1, 0, 0, 2, 0, 2, 0, 1, 1, 0, 2, 2,
+ 2, 0, 1, 0, 2, 2, 1, 0, 1, 0, 1, 0, 0, 2, 2, 0, 0, 1, 2, 0,
+ 1, 1, 1, 0, 0, 2, 0, 2, 1, 2, 2, 2, 0, 0, 2, 1, 0, 2, 0, 1,
+ 0, 1, 2, 0, 1, 2, 0, 1, 0, 1, 2, 0, 2, 2, 0, 1, 2, 2, 1, 2,
+ 2, 2, 0, 2, 1, 1, 1, 0, 0, 1, 0, 2, 0, 0, 1, 0, 1, 2, 0, 0,
+ 1, 2, 1, 0, 2, 1, 1, 0, 0, 2, 1, 2, 2, 2, 1, 2, 1, 1, 2, 2,
+ 0, 2, 0, 0, 2, 0, 0, 1, 1, 2, 0, 0, 0, 1, 2, 1, 1, 1, 1, 0,
+ 0, 0, 2, 0, 2, 0, 2, 2, 1, 2, 2, 0, 0, 1, 1, 1, 0, 1, 0, 1,
+ 0, 1, 2, 2, 0, 2, 1, 1, 0, 2, 1, 2, 1, 2, 1, 0, 0, 1, 0, 0,
+ 1, 0, 1, 0, 2, 0, 2, 0, 0, 1, 2, 0, 2, 0, 1, 1, 0, 2, 0, 0,
+ 1, 2, 1, 2, 1, 2, 1, 0, 1, 1, 2, 2, 1, 1, 0, 0, 2, 1, 2, 0,
+ 1, 0, 2, 0, 0, 1, 2, 0, 2, 0, 1, 1, 2, 2, 2, 2, 0, 0, 1, 2,
+ 1, 1, 1, 0, 2, 1, 2, 2, 0, 2, 0, 1, 2, 2, 0, 1, 1, 1, 0, 0,
+ 2, 0, 1, 0, 1, 0, 2, 1, 2, 0, 2, 1, 2, 1, 2, 2, 0, 2, 1, 0,
+ 2, 1, 2, 0, 0, 2, 0, 1, 2, 1, 1, 2, 0, 0, 0, 0, 1, 2, 0, 1,
+ 2, 2, 1, 0, 0, 1, 2, 1, 2, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0,
+ 2, 0, 1, 2, 1, 2, 0, 0, 0, 2, 1, 0, 0, 0, 1, 2, 2, 0, 0, 0,
+ 2, 2, 1, 1, 0, 1, 0, 2, 2, 0, 2, 1, 2, 1, 0, 2, 2, 2, 0, 0,
+ 0, 1, 1, 2, 1, 0, 0, 0, 0, 1, 2, 2, 1, 2, 1, 2, 0, 2, 0, 2,
+ 1, 1, 1, 2, 1, 2, 1, 2, 1, 1, 0, 1, 0, 2, 0, 0, 0, 2, 1, 2,
+ 2, 2, 2, 0, 1, 1, 1, 0, 1, 0, 2, 0, 2, 1, 0, 1, 2, 1, 1, 0,
+ 1, 2, 1, 0, 0, 2, 1, 0, 1, 1, 2, 2, 1, 1, 1, 2, 2, 2, 1, 0,
+ 0, 0, 0, 1, 1, 0, 0, 2, 2, 2, 2, 2, 0, 1, 2, 0, 1, 2, 0, 1,
+ 1, 0, 1, 1, 2, 2, 0, 1, 1, 0, 2, 2, 1, 1, 1, 2, 1, 2, 2, 1,
+ 1, 0, 1, 0, 2, 2, 1, 0, 2, 2, 2, 2, 2, 1, 0, 2, 2, 2, 1, 2,
+ 0, 2, 0, 0, 0, 0, 0, 1, 2, 0, 1, 0, 1),
+ {
+ { 13, 743, 2048, TRUE, 11 + (11 << 8) + (15 << 16),
+ countof(indices_ees743ep1), indices_ees743ep1
+ },
+ { 12, 1171, 2048, FALSE, 106,
+ countof(indices_ees1171ep1), indices_ees1171ep1
+ }
+ }
+ }
+};
+
+START_TEST(test_ntru_mgf1)
+{
+ ntru_mgf1_t *mgf1;
+ chunk_t mask, mask1, mask2, mask3;
+
+ mask1 = mgf1_tests[_i].mask;
+ mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1);
+ mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2);
+ mask1.len = mgf1_tests[_i].ml1;
+ mask2.len = mgf1_tests[_i].ml2;
+ mask3.len = mgf1_tests[_i].ml3;
+
+ mgf1 = ntru_mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
+ ck_assert(mgf1 == NULL);
+
+ mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
+ ck_assert(mgf1 == NULL);
+
+ /* return mask in allocated chunk */
+ mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+ ck_assert(mgf1);
+
+ /* check hash size */
+ ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
+
+ /* get zero number of octets */
+ ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
+ ck_assert(mask.len == 0 && mask.ptr == NULL);
+
+ /* get non-zero number of octets */
+ ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
+ ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+ mgf1->destroy(mgf1);
+
+ /* copy mask to pre-allocated buffer */
+ mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+ ck_assert(mgf1);
+ ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
+ ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+ mgf1->destroy(mgf1);
+
+ /* get mask in batches without hashing the seed */
+ mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
+ ck_assert(mgf1);
+
+ /* first batch */
+ ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
+ mask.len = mask1.len;
+ ck_assert(chunk_equals(mask, mask1));
+
+ /* second batch */
+ ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
+ mask.len = mask2.len;
+ ck_assert(chunk_equals(mask, mask2));
+
+ /* third batch */
+ ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
+ mask.len = mask3.len;
+ ck_assert(chunk_equals(mask, mask3));
+
+ mgf1->destroy(mgf1);
+ chunk_free(&mask);
+}
+END_TEST
+
+START_TEST(test_ntru_trits)
+{
+ ntru_trits_t *mask;
+ chunk_t trits;
+
+ mask = ntru_trits_create(mgf1_tests[_i].trits.len, HASH_UNKNOWN,
+ mgf1_tests[_i].seed);
+ ck_assert(mask == NULL);
+
+ mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
+ chunk_empty);
+ ck_assert(mask == NULL);
+
+ mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
+ mgf1_tests[_i].seed);
+ ck_assert(mask);
+
+ trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
+ ck_assert(chunk_equals(trits, mgf1_tests[_i].trits));
+ mask->destroy(mask);
+
+ /* generate a multiple of 5 trits */
+ mask = ntru_trits_create(10, mgf1_tests[_i].alg, mgf1_tests[_i].seed);
+ ck_assert(mask);
+
+ trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
+ ck_assert(chunk_equals(trits, chunk_create(mgf1_tests[_i].trits.ptr, 10)));
+ mask->destroy(mask);
+}
+END_TEST
+
+START_TEST(test_ntru_poly)
+{
+ ntru_poly_t *poly;
+ uint16_t *indices;
+ chunk_t seed;
+ poly_test_t *p;
+ int j, n;
+
+ seed = mgf1_tests[_i].seed;
+ seed.len = mgf1_tests[_i].seed_len;
+
+ p = &mgf1_tests[_i].poly_test[0];
+ poly = ntru_poly_create_from_seed(HASH_UNKNOWN, seed, p->c_bits, p->N, p->q,
+ p->indices_len, p->indices_len,
+ p->is_product_form);
+ ck_assert(poly == NULL);
+
+ for (n = 0; n < 2; n++)
+ {
+ p = &mgf1_tests[_i].poly_test[n];
+ poly = ntru_poly_create_from_seed(mgf1_tests[_i].alg, seed, p->c_bits,
+ p->N, p->q, p->indices_len,
+ p->indices_len, p->is_product_form);
+ ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size);
+
+ indices = poly->get_indices(poly);
+ for (j = 0; j < p->indices_size; j++)
+ {
+ ck_assert(indices[j] == p->indices[j]);
+ }
+ poly->destroy(poly);
+ }
+}
+END_TEST
+
+typedef struct {
+ uint16_t N;
+ uint16_t q;
+ bool is_product_form;
+ uint32_t indices_len_p;
+ uint32_t indices_len_m;
+ uint16_t *indices;
+ uint16_t *a;
+ uint16_t *c;
+} ring_mult_test_t;
+
+uint16_t t1_indices[] = { 1, 6, 5, 3 };
+
+uint16_t t1_a[] = { 1, 0, 0, 0, 0, 0, 0 };
+uint16_t t1_c[] = { 0, 1, 0, 7, 0, 7, 1 };
+
+uint16_t t2_a[] = { 5, 0, 0, 0, 0, 0, 0 };
+uint16_t t2_c[] = { 0, 5, 0, 3, 0, 3, 5 };
+
+uint16_t t3_a[] = { 4, 0, 0, 0, 0, 0, 0 };
+uint16_t t3_c[] = { 0, 4, 0, 4, 0, 4, 4 };
+
+uint16_t t4_a[] = { 0, 6, 0, 0, 0, 0, 0 };
+uint16_t t4_c[] = { 6, 0, 6, 0, 2, 0, 2 };
+
+uint16_t t5_a[] = { 4, 6, 0, 0, 0, 0, 0 };
+uint16_t t5_c[] = { 6, 4, 6, 4, 2, 4, 6 };
+
+uint16_t t6_a[] = { 0, 0, 3, 0, 0, 0, 0 };
+uint16_t t6_c[] = { 5, 3, 0, 3, 0, 5, 0 };
+
+uint16_t t7_a[] = { 4, 6, 3, 0, 0, 0, 0 };
+uint16_t t7_c[] = { 3, 7, 6, 7, 2, 1, 6 };
+
+uint16_t t8_a[] = { 0, 0, 0, 7, 0, 0, 0 };
+uint16_t t8_c[] = { 0, 1, 7, 0, 7, 0, 1 };
+
+uint16_t t9_a[] = { 4, 6, 3, 7, 0, 0, 0 };
+uint16_t t9_c[] = { 3, 0, 5, 7, 1, 1, 7 };
+
+uint16_t t10_a[] = { 0, 0, 0, 0, 0, 1, 0 };
+uint16_t t10_c[] = { 0, 7, 0, 7, 1, 0, 1 };
+
+uint16_t t11_a[] = { 4, 6, 3, 7, 0, 1, 0 };
+uint16_t t11_c[] = { 3, 7, 5, 6, 2, 1, 0 };
+
+uint16_t t2_indices[] = { 1, 6, 5, 2, 3 };
+
+uint16_t t12_c[] = { 0, 1, 7, 7, 0, 1, 1 };
+uint16_t t13_c[] = { 0, 1, 7, 7, 0, 7, 1 };
+uint16_t t14_c[] = { 0, 1, 0, 31, 0, 31, 1 };
+uint16_t t15_c[] = { 0, 5, 0, 2043, 0, 2043, 5 };
+uint16_t t16_c[] = { 0, 5, 0, 32763, 0, 32763, 5 };
+
+uint16_t t3_indices[] = { 7, 2, 3, 5, 0, 2, 3, 10, 7, 0, 8, 2 };
+
+uint16_t t17_a[] = { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+uint16_t t17_c[] = { 7, 1, 0, 1, 1, 7, 0, 7, 7, 7, 2 };
+
+ring_mult_test_t ring_mult_tests[] = {
+ { 7, 8, FALSE, 2, 2, t1_indices, t1_a, t1_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t2_a, t2_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t3_a, t3_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t4_a, t4_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t5_a, t5_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t6_a, t6_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t7_a, t7_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t8_a, t8_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t9_a, t9_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t10_a, t10_c },
+ { 7, 8, FALSE, 2, 2, t1_indices, t11_a, t11_c },
+ { 7, 8, FALSE, 3, 2, t2_indices, t1_a, t12_c },
+ { 7, 8, FALSE, 2, 3, t2_indices, t1_a, t13_c },
+ { 7, 32, FALSE, 2, 2, t1_indices, t1_a, t14_c },
+ { 7, 2048, FALSE, 2, 2, t1_indices, t2_a, t15_c },
+ { 7, 32768, FALSE, 2, 2, t1_indices, t2_a, t16_c },
+ { 11, 8, TRUE, 197121, 197121, t3_indices, t17_a, t17_c },
+};
+
+START_TEST(test_ntru_ring_mult)
+{
+ ntru_poly_t *poly;
+ ring_mult_test_t *t;
+ uint16_t *c;
+ int i;
+
+ t = &ring_mult_tests[_i];
+ poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
+ t->indices_len_m, t->is_product_form);
+ ck_assert(poly != NULL);
+
+ c = malloc(t->N * sizeof(uint16_t));
+ poly->ring_mult(poly, t->a, c);
+
+ for (i = 0; i < t->N; i++)
+ {
+ ck_assert(c[i] == t->c[i]);
+ }
+
+ free(c);
+ poly->destroy(poly);
+}
+END_TEST
+
+int array_tests[] = { 0, 11, 12, 16 };
+
+START_TEST(test_ntru_array)
+{
+ ntru_poly_t *poly;
+ ring_mult_test_t *t;
+ uint16_t *c;
+ int i;
+
+ t = &ring_mult_tests[array_tests[_i]];
+
+ poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
+ t->indices_len_m, t->is_product_form);
+ ck_assert(poly != NULL);
+
+ c = malloc(t->N * sizeof(uint16_t));
+ poly->get_array(poly, c);
+
+ for (i = 0; i < t->N; i++)
+ {
+ ck_assert(c[i] == t->c[i]);
+ }
+
+ free(c);
+ poly->destroy(poly);
+}
+END_TEST
+
+START_TEST(test_ntru_ke)
+{
+ chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret;
+ diffie_hellman_t *i_ntru, *r_ntru;
+ char buf[10];
+ int n, len;
+ status_t status;
+
+ len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names,
+ params[_i].group);
+ ck_assert(len == 8);
+ ck_assert(streq(buf, params[_i].group_name));
+
+ for (n = 0; n < countof(parameter_sets); n++)
+ {
+ lib->settings->set_str(lib->settings,
+ "libstrongswan.plugins.ntru.parameter_set",
+ parameter_sets[n]);
+
+ i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
+ ck_assert(i_ntru != NULL);
+ ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group);
+
+ i_ntru->get_my_public_value(i_ntru, &pub_key);
+ ck_assert(pub_key.len > 0);
+
+ r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
+ ck_assert(r_ntru != NULL);
+
+ r_ntru->set_other_public_value(r_ntru, pub_key);
+ r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(cipher_text.len > 0);
+
+ status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
+ ck_assert(status == SUCCESS);
+ ck_assert(r_shared_secret.len > 0);
+
+ i_ntru->set_other_public_value(i_ntru, cipher_text);
+ status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+
+ if (status == SUCCESS)
+ {
+ ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
+ }
+ else
+ {
+ ck_assert(i_shared_secret.len == 0);
+ }
+
+ chunk_clear(&i_shared_secret);
+ chunk_clear(&r_shared_secret);
+ chunk_free(&pub_key);
+ chunk_free(&cipher_text);
+ i_ntru->destroy(i_ntru);
+ r_ntru->destroy(r_ntru);
+ }
+}
+END_TEST
+
+START_TEST(test_ntru_retransmission)
+{
+ diffie_hellman_t *i_ntru;
+ chunk_t pub_key1, pub_key2;
+
+ i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_256_BIT);
+ i_ntru->get_my_public_value(i_ntru, &pub_key1);
+ i_ntru->get_my_public_value(i_ntru, &pub_key2);
+ ck_assert(chunk_equals(pub_key1, pub_key2));
+
+ chunk_free(&pub_key1);
+ chunk_free(&pub_key2);
+ i_ntru->destroy(i_ntru);
+}
+END_TEST
+
+chunk_t oid_tests[] = {
+ { NULL, 0 },
+ chunk_from_chars(0x00),
+ chunk_from_chars(0x01),
+ chunk_from_chars(0x02),
+ chunk_from_chars(0x02, 0x03, 0x00, 0x03, 0x10),
+ chunk_from_chars(0x01, 0x04, 0x00, 0x03, 0x10),
+ chunk_from_chars(0x01, 0x03, 0x00, 0x03, 0x10),
+ chunk_from_chars(0x01, 0x03, 0xff, 0x03, 0x10),
+};
+
+START_TEST(test_ntru_pubkey_oid)
+{
+ diffie_hellman_t *r_ntru;
+ chunk_t cipher_text;
+
+ r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+ r_ntru->set_other_public_value(r_ntru, oid_tests[_i]);
+ r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(cipher_text.len == 0);
+ r_ntru->destroy(r_ntru);
+}
+END_TEST
+
+START_TEST(test_ntru_wrong_set)
+{
+ diffie_hellman_t *i_ntru, *r_ntru;
+ chunk_t pub_key, cipher_text;
+
+ lib->settings->set_str(lib->settings,
+ "libstrongswan.plugins.ntru.parameter_set",
+ "x9_98_bandwidth");
+ i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
+ i_ntru->get_my_public_value(i_ntru, &pub_key);
+
+ lib->settings->set_str(lib->settings,
+ "libstrongswan.plugins.ntru.parameter_set",
+ "optimum");
+ r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
+ r_ntru->set_other_public_value(r_ntru, pub_key);
+ r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(cipher_text.len == 0);
+
+ chunk_free(&pub_key);
+ chunk_free(&cipher_text);
+ i_ntru->destroy(i_ntru);
+ r_ntru->destroy(r_ntru);
+}
+END_TEST
+
+START_TEST(test_ntru_ciphertext)
+{
+ char buf_00[604], buf_ff[604];
+
+ chunk_t test[] = {
+ chunk_empty,
+ chunk_from_chars(0x00),
+ chunk_create(buf_00, sizeof(buf_00)),
+ chunk_create(buf_ff, sizeof(buf_ff)),
+ };
+
+ diffie_hellman_t *i_ntru;
+ chunk_t pub_key, shared_secret;
+ int i;
+
+ memset(buf_00, 0x00, sizeof(buf_00));
+ memset(buf_ff, 0xff, sizeof(buf_ff));
+
+ for (i = 0; i < countof(test); i++)
+ {
+ i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+ i_ntru->get_my_public_value(i_ntru, &pub_key);
+ i_ntru->set_other_public_value(i_ntru, test[i]);
+ ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+ ck_assert(shared_secret.len == 0);
+
+ chunk_free(&pub_key);
+ i_ntru->destroy(i_ntru);
+ }
+}
+END_TEST
+
+START_TEST(test_ntru_wrong_ciphertext)
+{
+ diffie_hellman_t *i_ntru, *r_ntru, *m_ntru;
+ chunk_t pub_key_i, pub_key_m, cipher_text, shared_secret;
+
+ i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+ r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+ m_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+
+ i_ntru->get_my_public_value(i_ntru, &pub_key_i);
+ m_ntru->get_my_public_value(m_ntru, &pub_key_m);
+ r_ntru->set_other_public_value(r_ntru, pub_key_m);
+ r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ i_ntru->set_other_public_value(i_ntru, cipher_text);
+ ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+ ck_assert(shared_secret.len == 0);
+
+ chunk_free(&pub_key_i);
+ chunk_free(&pub_key_m);
+ chunk_free(&cipher_text);
+ i_ntru->destroy(i_ntru);
+ m_ntru->destroy(m_ntru);
+ r_ntru->destroy(r_ntru);
+}
+END_TEST
+
+Suite *ntru_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("ntru");
+
+ tc = tcase_create("drbg_strength");
+ tcase_add_loop_test(tc, test_ntru_drbg_strength, 0, countof(strengths));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("drbg");
+ tcase_add_loop_test(tc, test_ntru_drbg, 0, countof(drbg_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("drgb_reseed");
+ tcase_add_test(tc, test_ntru_drbg_reseed);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("mgf1");
+ tcase_add_loop_test(tc, test_ntru_mgf1, 0, countof(mgf1_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("trits");
+ tcase_add_loop_test(tc, test_ntru_trits, 0, countof(mgf1_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("poly");
+ tcase_add_loop_test(tc, test_ntru_poly, 0, countof(mgf1_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ring_mult");
+ tcase_add_loop_test(tc, test_ntru_ring_mult, 0, countof(ring_mult_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("array");
+ tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ke");
+ tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("retransmission");
+ tcase_add_test(tc, test_ntru_retransmission);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("pubkey_oid");
+ tcase_add_loop_test(tc, test_ntru_pubkey_oid, 0, countof(oid_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("wrong_set");
+ tcase_add_test(tc, test_ntru_wrong_set);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ciphertext");
+ tcase_add_test(tc, test_ntru_ciphertext);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("wrong_ciphertext");
+ tcase_add_test(tc, test_ntru_wrong_ciphertext);
+ suite_add_tcase(s, tc);
+ return s;
+}
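Review bot: `test_ntru_ke` still passes when the initiator fails to derive the shared secret, because the `else` branch after `i_ntru->get_shared_secret()` only checks `i_shared_secret.len == 0`; a regression that broke decryption for every parameter set would go unnoticed. If a failure is not expected for a well-formed exchange, replace the `if`/`else` with `ck_assert(status == SUCCESS);` followed by `ck_assert(chunk_equals(i_shared_secret, r_shared_secret));`; if a rare decryption failure is tolerated on purpose, a comment should say so. Separately, `test_ntru_drbg_reseed` dereferences the result of `ntru_drbg_create()` at its first and third instantiation without `ck_assert(drbg != NULL);`, although the same test shows the constructor returning NULL when entropy runs out, so a failure there would surface as a crash rather than a clean assertion.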
diff --git a/src/libstrongswan/tests/suites/test_pen.c b/src/libstrongswan/tests/suites/test_pen.c
new file mode 100644
index 000000000..a6cbc9aa1
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_pen.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "test_suite.h"
+
+#include <pen/pen.h>
+
+/*******************************************************************************
+ * create
+ */
+
+START_TEST(test_pen_type_create)
+{
+ pen_type_t ita_1 = pen_type_create(PEN_ITA, 100);
+
+ ck_assert(ita_1.vendor_id == PEN_ITA);
+ ck_assert(ita_1.type == 100);
+}
+END_TEST
+
+/*******************************************************************************
+ * equals
+ */
+
+START_TEST(test_pen_type_equals)
+{
+ pen_type_t ita_1 = pen_type_create(PEN_ITA, 100);
+ pen_type_t ita_2 = pen_type_create(PEN_ITA, 200);
+ pen_type_t fhh_1 = pen_type_create(PEN_FHH, 100);
+ pen_type_t fhh_2 = pen_type_create(PEN_FHH, 200);
+
+ ck_assert( pen_type_equals(ita_1, ita_1));
+ ck_assert(!pen_type_equals(ita_1, ita_2));
+ ck_assert(!pen_type_equals(ita_1, fhh_1));
+ ck_assert(!pen_type_equals(ita_1, fhh_2));
+}
+END_TEST
+
+/*******************************************************************************
+ * is
+ */
+
+START_TEST(test_pen_type_is)
+{
+ pen_type_t ita_1 = pen_type_create(PEN_ITA, 100);
+
+ ck_assert( pen_type_is(ita_1, PEN_ITA, 100));
+ ck_assert(!pen_type_is(ita_1, PEN_ITA, 200));
+ ck_assert(!pen_type_is(ita_1, PEN_FHH, 100));
+ ck_assert(!pen_type_is(ita_1, PEN_FHH, 200));
+}
+END_TEST
+
+Suite *pen_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("pen");
+
+ tc = tcase_create("create");
+ tcase_add_test(tc, test_pen_type_create);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("equals");
+ tcase_add_test(tc, test_pen_type_equals);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("is");
+ tcase_add_test(tc, test_pen_type_is);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/test_printf.c b/src/libstrongswan/tests/suites/test_printf.c
index 6c15fbea1..9e40d1fc0 100644
--- a/src/libstrongswan/tests/test_printf.c
+++ b/src/libstrongswan/tests/suites/test_printf.c
@@ -17,10 +17,10 @@
#include <errno.h>
#include <math.h>
+#include <inttypes.h>
static void verify(char *expected, char *format, ...)
{
- FILE *mem;
char buf[128];
va_list args;
@@ -29,17 +29,35 @@ static void verify(char *expected, char *format, ...)
ck_assert_str_eq(expected, buf);
va_end(args);
- mem = fmemopen(buf, sizeof(buf), "w");
- va_start(args, format);
- vfprintf(mem, format, args);
- va_end(args);
- fclose(mem);
- ck_assert_str_eq(expected, buf);
+#ifdef HAVE_FMEMOPEN
+ {
+ FILE *mem;
+
+ mem = fmemopen(buf, sizeof(buf), "w");
+ va_start(args, format);
+ vfprintf(mem, format, args);
+ va_end(args);
+ fclose(mem);
+ ck_assert_str_eq(expected, buf);
+ }
+#endif /* HAVE_FMEMOPEN */
}
+START_TEST(test_printf_null)
+{
+ char buf[16];
+
+ /* on FreeBSD "(null)" gets printed even when a precision of 0 is used.
+ * because printing of "(null)" for NULL is not standardized we don't verify
+ * the output and just make sure there is no crash */
+ snprintf(buf, sizeof(buf), "%s", NULL);
+}
+END_TEST
+
START_TEST(test_printf_strings)
{
verify("a bc def", "%s %s %s", "a", "bc", "def");
+ verify("", "%.0s", "asdfg");
verify("asd", "%.3s", "asdfg");
verify("asdf", "%.*s", (int)4, "asdfg");
verify(" asdf", "%6s", "asdf");
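Review bot: The result of `fmemopen()` in the new `HAVE_FMEMOPEN` block of verify() is passed to `vfprintf()` and `fclose()` without a check, so a failed open would crash the test runner instead of failing the test. Adding `ck_assert(mem != NULL);` directly after the `fmemopen()` call would make the failure visible as an ordinary assertion. verify() begins in the previous hunk, so only its tail is visible here.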
@@ -150,6 +168,26 @@ START_TEST(test_printf_float)
}
END_TEST
+START_TEST(test_printf_pri)
+{
+ verify("255", "%" PRIu8, (u_int8_t)0xFF);
+ verify("65535", "%" PRIu16, (u_int16_t)0xFFFF);
+ verify("4294967295", "%" PRIu32, (u_int32_t)0x1FFFFFFFFll);
+ verify("18446744073709551615", "%" PRIu64, (u_int64_t)0xFFFFFFFFFFFFFFFFll);
+
+ verify("-1", "%" PRId8, (int8_t)-1);
+ verify("-1", "%" PRId16, (int16_t)-1);
+ verify("-1", "%" PRId32, (int32_t)-1);
+ verify("-1", "%" PRId64, (int64_t)-1);
+
+ verify("1", "%" PRIuMAX, (uintmax_t)1);
+ verify("1", "%" PRIuPTR, (uintptr_t)1);
+
+ verify("-1", "%" PRIdMAX, (intmax_t)-1);
+ verify("-1", "%" PRIdPTR, (intptr_t)-1);
+}
+END_TEST
+
Suite *printf_suite_create()
{
Suite *s;
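Review bot: The `PRIu32` case in test_printf_pri passes `(u_int32_t)0x1FFFFFFFFll`, a 33-bit constant that produces the expected "4294967295" only because the cast truncates it. If the truncation is deliberate, a short comment such as `/* upper bit is cut off by the cast */` would say so. Otherwise `(u_int32_t)0xFFFFFFFF` matches the neighbouring 8-, 16- and 64-bit cases and avoids looking like a typo.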
@@ -158,6 +196,7 @@ Suite *printf_suite_create()
s = suite_create("printf");
tc = tcase_create("strings");
+ tcase_add_test(tc, test_printf_null);
tcase_add_test(tc, test_printf_strings);
suite_add_tcase(s, tc);
@@ -181,5 +220,9 @@ Suite *printf_suite_create()
tcase_add_test(tc, test_printf_float);
suite_add_tcase(s, tc);
+ tc = tcase_create("PRI*");
+ tcase_add_test(tc, test_printf_pri);
+ suite_add_tcase(s, tc);
+
return s;
}
diff --git a/src/libstrongswan/tests/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c
index 4c75c34bc..2c1c6fb8d 100644
--- a/src/libstrongswan/tests/test_rsa.c
+++ b/src/libstrongswan/tests/suites/test_rsa.c
@@ -117,7 +117,7 @@ static void test_bad_sigs(public_key_t *pubkey)
* RSA key sizes to test
*/
static int key_sizes[] = {
- 786, 1024, 1536, 2048, 3072, 4096,
+ 768, 1024, 1536, 2048, 3072, 4096,
};
START_TEST(test_gen)
@@ -377,11 +377,17 @@ Suite *rsa_suite_create()
{
Suite *s;
TCase *tc;
+ int gen_count = countof(key_sizes);
s = suite_create("rsa");
+ if (getenv("TESTS_REDUCED_KEYLENGTHS") != NULL)
+ {
+ gen_count = min(1, gen_count);
+ }
+
tc = tcase_create("generate");
- tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+ tcase_add_loop_test(tc, test_gen, 0, gen_count);
tcase_set_timeout(tc, 8);
suite_add_tcase(s, tc);
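Review bot: `TESTS_REDUCED_KEYLENGTHS` is read via `getenv()` in rsa_suite_create with no comment saying what it does. When the variable is set, `min(1, gen_count)` limits the "generate" case to the first entry of key_sizes, which is 768 after the fix in the previous hunk. I would add a comment above the check, for example `/* TESTS_REDUCED_KEYLENGTHS: generate only the smallest key size */`. Whether the other test cases in this suite honour the variable cannot be seen from here, because the function continues outside the hunk.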
diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c
new file mode 100644
index 000000000..096465191
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_settings.c
@@ -0,0 +1,920 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <unistd.h>
+
+#include <utils/settings.h>
+#include <utils/chunk.h>
+#include <utils/utils.h>
+#include <collections/linked_list.h>
+
+static char *path = "/tmp/strongswan-settings-test";
+static settings_t *settings;
+
+static void create_settings(chunk_t contents)
+{
+ ck_assert(chunk_write(contents, path, 0022, TRUE));
+ settings = settings_create(path);
+}
+
+START_SETUP(setup_base_config)
+{
+ create_settings(chunk_from_str(
+ "main {\n"
+ " key1 = val1\n"
+ " # this gets overridden below\n"
+ " key2 = val2\n"
+ " none = \n"
+ " sub1 {\n"
+ " key = value\n"
+ " key2 = value2\n"
+ " subsub {\n"
+ " foo = bar\n"
+ " }\n"
+ " # subsub is a section and a value\n"
+ " subsub = section value\n"
+ " }\n"
+ " sub% {\n"
+ " id = %any\n"
+ " }\n"
+ " key2 = with spaces\n"
+ "}\n"
+ "out = side\n"
+ "other {\n"
+ " key1 = other val\n"
+ " empty {\n"
+ " }\n"
+ "}"));
+}
+END_SETUP
+
+START_TEARDOWN(teardown_config)
+{
+ settings->destroy(settings);
+ unlink(path);
+}
+END_TEARDOWN
+
+#define verify_string(expected, key, ...) \
+ ck_assert_str_eq(expected, settings->get_str(settings, key, NULL, ##__VA_ARGS__))
+#define verify_null(key, ...) \
+ ck_assert(!settings->get_str(settings, key, NULL, ##__VA_ARGS__))
+
+START_TEST(test_get_str)
+{
+ verify_string("val1", "main.key1");
+ verify_string("val1", "main..key1");
+ verify_string("val1", ".main.key1");
+ verify_string("with spaces", "main.key2");
+ verify_string("value", "main.sub1.key");
+ verify_string("value2", "main.sub1.key2");
+ verify_string("bar", "main.sub1.subsub.foo");
+ verify_string("section value", "main.sub1.subsub");
+ verify_string("%any", "main.sub%%.id");
+ verify_string("side", "out");
+ verify_string("other val", "other.key1");
+
+ /* FIXME: should this rather be undefined i.e. return the default value? */
+ verify_string("", "main.none");
+
+ verify_null("main.key3");
+ verify_null("other.sub");
+}
+END_TEST
+
+enum {
+ KEY1,
+ SUB1
+} settings_test_enum;
+
+enum_name_t *test_settings_test_names;
+
+ENUM_BEGIN(test_settings_test_names, KEY1, SUB1,
+ "key1", "sub1");
+ENUM_END(test_settings_test_names, SUB1);
+
+START_TEST(test_get_str_printf)
+{
+ verify_string("val1", "%s.key1", "main");
+ verify_string("val1", "%s.%s", "main", "key1");
+ verify_string("val1", "%s.%N", "main", test_settings_test_names, KEY1);
+ verify_string("val1", "%s.%s%d", "main", "key", 1);
+ verify_string("bar", "%s.sub1.%s.foo", "main", "subsub");
+ verify_string("bar", "%s.%N.%s.foo", "main", test_settings_test_names, SUB1, "subsub");
+ verify_string("bar", "%s.sub%d.%s.foo", "main", 1, "subsub");
+ verify_string("%any", "%s.sub%%.id", "main");
+
+ /* FIXME: this is a bit inconsistent, while this works */
+ verify_string("value2", "main.%s%u.key2", "sub", 1);
+ /* this won't because no argument is consumed for %u so key1 will be tried
+ * granted, we never actually used any other specifiers, but we should
+ * probably document it at least */
+ verify_null("main.%s%u.key%d", "sub", 1, 2);
+
+ verify_null("%s.%s%d", "main", "key", 3);
+}
+END_TEST
+
+START_TEST(test_set_str)
+{
+ settings->set_str(settings, "main.key1", "val");
+ verify_string("val", "main.key1");
+ settings->set_str(settings, "main.key1", "longer value");
+ verify_string("longer value", "main.key1");
+ settings->set_str(settings, "main", "main val");
+ verify_string("main val", "main");
+ settings->set_str(settings, "main.sub1.new", "added");
+ verify_string("added", "main.sub1.new");
+ settings->set_str(settings, "main.sub2.newsub.foo", "bar");
+ verify_string("bar", "main.sub2.newsub.foo");
+ settings->set_str(settings, "new.newsub.foo", "bar");
+ verify_string("bar", "new.newsub.foo");
+ settings->set_str(settings, "main.key1", NULL);
+ verify_null("main.key1");
+}
+END_TEST
+
+START_TEST(test_set_str_printf)
+{
+ settings->set_str(settings, "%s.key1", "val", "main");
+ verify_string("val", "main.key1");
+ settings->set_str(settings, "main.%N.new", "added", test_settings_test_names, SUB1);
+ verify_string("added", "main.sub1.new");
+ settings->set_str(settings, "main.%s%d.newsub.%s", "bar", "sub", 2, "foo");
+ verify_string("bar", "main.sub2.newsub.foo");
+}
+END_TEST
+
+START_TEST(test_set_default_str)
+{
+ settings->set_default_str(settings, "main.key1", "default");
+ verify_string("val1", "main.key1");
+ settings->set_default_str(settings, "main.sub1.new", "added");
+ verify_string("added", "main.sub1.new");
+ settings->set_str(settings, "main.sub1.new", "changed");
+ verify_string("changed", "main.sub1.new");
+}
+END_TEST
+
+START_SETUP(setup_bool_config)
+{
+ create_settings(chunk_from_str(
+ "main {\n"
+ " key1 = yes\n"
+ " key2 = true\n"
+ " key3 = Enabled\n"
+ " key4 = 1\n"
+ " key5 = no\n"
+ " key6 = FALSE\n"
+ " key7 = disabled\n"
+ " key8 = 0\n"
+ " key9 = 5\n"
+ " none = \n"
+ " foo = bar\n"
+ "}"));
+}
+END_SETUP
+
+#define verify_bool(expected, def, key, ...) \
+ ck_assert(expected == settings->get_bool(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_bool)
+{
+ verify_bool(TRUE, FALSE, "main.key1");
+ verify_bool(TRUE, FALSE, "main.key2");
+ verify_bool(TRUE, FALSE, "main.key3");
+ verify_bool(TRUE, FALSE, "main.key4");
+ verify_bool(FALSE, TRUE, "main.key5");
+ verify_bool(FALSE, TRUE, "main.key6");
+ verify_bool(FALSE, TRUE, "main.key7");
+ verify_bool(FALSE, TRUE, "main.key8");
+
+ verify_bool(FALSE, FALSE, "main.none");
+ verify_bool(TRUE, TRUE, "main.none");
+ verify_bool(FALSE, FALSE, "main.foo");
+ verify_bool(TRUE, TRUE, "main.foo");
+
+ verify_bool(FALSE, FALSE, "main.key9");
+ verify_bool(TRUE, TRUE, "main.key9");
+ verify_bool(FALSE, FALSE, "main");
+ verify_bool(TRUE, TRUE, "main");
+
+}
+END_TEST
+
+START_TEST(test_set_bool)
+{
+ settings->set_str(settings, "main.key1", "no");
+ verify_bool(FALSE, TRUE, "main.key1");
+ settings->set_bool(settings, "main.key2", FALSE);
+ verify_bool(FALSE, TRUE, "main.key2");
+ settings->set_str(settings, "main.key3", NULL);
+ verify_bool(FALSE, FALSE, "main.key3");
+ verify_bool(TRUE, TRUE, "main.key3");
+ settings->set_bool(settings, "main.key5", TRUE);
+ verify_bool(TRUE, FALSE, "main.key5");
+ settings->set_bool(settings, "main.new", TRUE);
+ verify_bool(TRUE, FALSE, "main.new");
+}
+END_TEST
+
+START_SETUP(setup_int_config)
+{
+ create_settings(chunk_from_str(
+ "main {\n"
+ " key1 = 5\n"
+ " # gets cut off\n"
+ " key2 = 5.5\n"
+ " key3 = -42\n"
+ " none = \n"
+ " foo1 = bar\n"
+ " foo2 = bar13\n"
+ " foo3 = 13bar\n"
+ "}"));
+}
+END_SETUP
+
+#define verify_int(expected, def, key, ...) \
+ ck_assert_int_eq(expected, settings->get_int(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_int)
+{
+ verify_int(5, 0, "main.key1");
+ verify_int(5, 0, "main.key2");
+ verify_int(-42, 0, "main.key3");
+
+ /* FIXME: do we want this behavior? */
+ verify_int(0, 11, "main.none");
+ verify_int(0, 11, "main.foo1");
+ verify_int(0, 11, "main.foo2");
+ verify_int(13, 11, "main.foo3");
+
+ verify_int(13, 13, "main.key4");
+ verify_int(-13, -13, "main");
+}
+END_TEST
+
+START_TEST(test_set_int)
+{
+ settings->set_str(settings, "main.key1", "13");
+ verify_int(13, 0, "main.key1");
+ settings->set_int(settings, "main.key2", 6);
+ verify_int(6, 0, "main.key2");
+ settings->set_int(settings, "main.key3", -6);
+ verify_int(-6, 0, "main.key3");
+ settings->set_str(settings, "main.key3", NULL);
+ verify_int(15, 15, "main.key3");
+ settings->set_int(settings, "main.new", 314);
+ verify_int(314, 0, "main.new");
+}
+END_TEST
+
+START_SETUP(setup_double_config)
+{
+ create_settings(chunk_from_str(
+ "main {\n"
+ " key1 = 5\n"
+ " key2 = 5.5\n"
+ " key3 = -42\n"
+ " key4 = -42.5\n"
+ " none = \n"
+ " foo1 = bar\n"
+ " foo2 = bar13.5\n"
+ " foo3 = 13.5bar\n"
+ "}"));
+}
+END_SETUP
+
+#define verify_double(expected, def, key, ...) \
+ ck_assert(expected == settings->get_double(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_double)
+{
+ verify_double(5, 0, "main.key1");
+ verify_double(5.5, 0, "main.key2");
+ verify_double(-42, 0, "main.key3");
+ verify_double(-42.5, 0, "main.key4");
+
+ /* FIXME: do we want this behavior? */
+ verify_double(0, 11.5, "main.none");
+ verify_double(0, 11.5, "main.foo1");
+ verify_double(0, 11.5, "main.foo2");
+ verify_double(13.5, 11.5, "main.foo3");
+
+ verify_double(11.5, 11.5, "main.key5");
+ verify_double(-11.5, -11.5, "main");
+}
+END_TEST
+
+START_TEST(test_set_double)
+{
+ settings->set_str(settings, "main.key1", "5.5");
+ verify_double(5.5, 0, "main.key1");
+ settings->set_double(settings, "main.key2", 13);
+ verify_double(13, 0, "main.key2");
+ settings->set_double(settings, "main.key3", -13.5);
+ verify_double(-13.5, 0, "main.key3");
+ settings->set_double(settings, "main.key4", 11.5);
+ verify_double(11.5, 0, "main.key4");
+ settings->set_str(settings, "main.key4", NULL);
+ verify_double(42.5, 42.5, "main.key4");
+ settings->set_double(settings, "main.new", 3.14);
+ verify_double(3.14, 0, "main.new");
+}
+END_TEST
+
+START_SETUP(setup_time_config)
+{
+ create_settings(chunk_from_str(
+ "main {\n"
+ " key1 = 5s\n"
+ " key2 = 5m\n"
+ " key3 = 5h\n"
+ " key4 = 5d\n"
+ " none = \n"
+ " foo1 = bar\n"
+ " foo2 = bar13\n"
+ " foo3 = 13bar\n"
+ "}"));
+}
+END_SETUP
+
+#define verify_time(expected, def, key, ...) \
+ ck_assert_int_eq(expected, settings->get_time(settings, key, def, ##__VA_ARGS__))
+
+START_TEST(test_get_time)
+{
+ verify_time(5, 0, "main.key1");
+ verify_time(300, 0, "main.key2");
+ verify_time(18000, 0, "main.key3");
+ verify_time(432000, 0, "main.key4");
+
+ /* FIXME: do we want this behavior? */
+ verify_time(0, 11, "main.none");
+ verify_time(0, 11, "main.foo1");
+ verify_time(0, 11, "main.foo2");
+ verify_time(13, 11, "main.foo3");
+
+ verify_time(11, 11, "main.key5");
+ verify_time(11, 11, "main");
+}
+END_TEST
+
+START_TEST(test_set_time)
+{
+ settings->set_str(settings, "main.key1", "15m");
+ verify_time(900, 0, "main.key1");
+ settings->set_time(settings, "main.key2", 15);
+ verify_time(15, 0, "main.key2");
+ settings->set_str(settings, "main.key3", NULL);
+ verify_time(300, 300, "main.key3");
+ settings->set_time(settings, "main.new", 314);
+ verify_time(314, 0, "main.new");
+}
+END_TEST
+
+static bool verify_section(linked_list_t *verifier, char *section)
+{
+ enumerator_t *enumerator;
+ char *current;
+ bool result = FALSE;
+
+ enumerator = verifier->create_enumerator(verifier);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ if (streq(current, section))
+ {
+ verifier->remove_at(verifier, enumerator);
+ result = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return result;
+}
+
+static void verify_sections(linked_list_t *verifier, char *parent)
+{
+ enumerator_t *enumerator;
+ char *section;
+
+ enumerator = settings->create_section_enumerator(settings, parent);
+ while (enumerator->enumerate(enumerator, &section))
+ {
+ ck_assert(verify_section(verifier, section));
+ }
+ enumerator->destroy(enumerator);
+ ck_assert_int_eq(0, verifier->get_count(verifier));
+ verifier->destroy(verifier);
+}
+
+START_TEST(test_section_enumerator)
+{
+ linked_list_t *verifier;
+
+ verifier = linked_list_create_with_items("sub1", "sub%", NULL);
+ verify_sections(verifier, "main");
+
+ settings->set_str(settings, "main.sub2.new", "added");
+ verifier = linked_list_create_with_items("sub1", "sub%", "sub2", NULL);
+ verify_sections(verifier, "main");
+
+ verifier = linked_list_create_with_items("subsub", NULL);
+ verify_sections(verifier, "main.sub1");
+
+ verifier = linked_list_create_with_items(NULL);
+ verify_sections(verifier, "main.sub%%");
+
+ verifier = linked_list_create_with_items(NULL);
+ verify_sections(verifier, "main.key1");
+
+ verifier = linked_list_create_with_items(NULL);
+ verify_sections(verifier, "main.unknown");
+}
+END_TEST
+
+static bool verify_key_value(linked_list_t *keys, linked_list_t *values,
+ char *key, char *value)
+{
+ enumerator_t *enum_keys, *enum_values;
+ char *current_key, *current_value;
+ bool result = FALSE;
+
+ enum_keys = keys->create_enumerator(keys);
+ enum_values = values->create_enumerator(values);
+ while (enum_keys->enumerate(enum_keys, &current_key) &&
+ enum_values->enumerate(enum_values, &current_value))
+ {
+ if (streq(current_key, key))
+ {
+ ck_assert_str_eq(current_value, value);
+ keys->remove_at(keys, enum_keys);
+ values->remove_at(values, enum_values);
+ result = TRUE;
+ break;
+ }
+ }
+ enum_keys->destroy(enum_keys);
+ enum_values->destroy(enum_values);
+ return result;
+}
+
+static void verify_key_values(linked_list_t *keys, linked_list_t *values,
+ char *parent)
+{
+ enumerator_t *enumerator;
+ char *key, *value;
+
+ enumerator = settings->create_key_value_enumerator(settings, parent);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ ck_assert(verify_key_value(keys, values, key, value));
+ }
+ enumerator->destroy(enumerator);
+ ck_assert_int_eq(0, keys->get_count(keys));
+ keys->destroy(keys);
+ values->destroy(values);
+}
+
+START_TEST(test_key_value_enumerator)
+{
+ linked_list_t *keys, *values;
+
+ keys = linked_list_create_with_items("key1", "key2", "none", NULL);
+ values = linked_list_create_with_items("val1", "with spaces", "", NULL);
+ verify_key_values(keys, values, "main");
+
+ keys = linked_list_create_with_items("key", "key2", "subsub", NULL);
+ values = linked_list_create_with_items("value", "value2", "section value", NULL);
+ verify_key_values(keys, values, "main.sub1");
+
+ settings->set_str(settings, "main.sub2.new", "added");
+ keys = linked_list_create_with_items("new", NULL);
+ values = linked_list_create_with_items("added", NULL);
+ verify_key_values(keys, values, "main.sub2");
+
+ keys = linked_list_create_with_items(NULL);
+ values = linked_list_create_with_items(NULL);
+ verify_key_values(keys, values, "other.empty");
+
+ settings->set_str(settings, "other.empty.new", "added");
+ keys = linked_list_create_with_items("new", NULL);
+ values = linked_list_create_with_items("added", NULL);
+ verify_key_values(keys, values, "other.empty");
+
+ keys = linked_list_create_with_items(NULL);
+ values = linked_list_create_with_items(NULL);
+ verify_key_values(keys, values, "main.unknown");
+}
+END_TEST
+
+#define include1 "/tmp/strongswan-settings-test-include1"
+#define include2 "/tmp/strongswan-settings-test-include2"
+
+START_SETUP(setup_include_config)
+{
+ chunk_t inc1 = chunk_from_str(
+ "main {\n"
+ " key1 = n1\n"
+ " key2 = n2\n"
+ " none = \n"
+ " sub1 {\n"
+ " key3 = value\n"
+ " }\n"
+ " sub2 {\n"
+ " sub3 = val3\n"
+ " }\n"
+ " include " include2 "\n"
+ "}");
+ chunk_t inc2 = chunk_from_str(
+ "key2 = v2\n"
+ "sub1 {\n"
+ " key = val\n"
+ "}");
+ ck_assert(chunk_write(inc1, include1, 0022, TRUE));
+ ck_assert(chunk_write(inc2, include2, 0022, TRUE));
+}
+END_SETUP
+
+START_TEARDOWN(teardown_include_config)
+{
+ settings->destroy(settings);
+ unlink(include2);
+ unlink(include1);
+ unlink(path);
+}
+END_TEARDOWN
+
+static void verify_include()
+{
+ verify_string("n1", "main.key1");
+ verify_string("v2", "main.key2");
+ verify_string("", "main.none");
+ verify_string("val", "main.sub1.key");
+ verify_string("v2", "main.sub1.key2");
+ verify_string("val", "main.sub1.sub1.key");
+ verify_string("value", "main.sub1.key3");
+ verify_string("value", "main.sub1.include");
+ verify_string("val3", "main.sub2.sub3");
+}
+
+START_TEST(test_include)
+{
+ chunk_t contents = chunk_from_str(
+ "main {\n"
+ " key1 = val1\n"
+ " key2 = val2\n"
+ " none = x\n"
+ " sub1 {\n"
+ " include = value\n"
+ " key2 = value2\n"
+ " include " include2 "\n"
+ " }\n"
+ "}\n"
+ "# currently there must be a newline after include statements\n"
+ "include " include1 "\n");
+
+ create_settings(contents);
+ verify_include();
+}
+END_TEST
+
+START_TEST(test_load_files)
+{
+ chunk_t contents = chunk_from_str(
+ "main {\n"
+ " key1 = val1\n"
+ " key2 = val2\n"
+ " none = x\n"
+ " sub1 {\n"
+ " include = value\n"
+ " key2 = v2\n"
+ " sub1 {\n"
+ " key = val\n"
+ " }\n"
+ " }\n"
+ "}");
+
+ create_settings(contents);
+
+ ck_assert(settings->load_files(settings, include1, TRUE));
+ verify_include();
+
+ ck_assert(settings->load_files(settings, include2, FALSE));
+ verify_null("main.key1");
+ verify_string("v2", "key2");
+ verify_string("val", "sub1.key");
+ verify_null("main.sub1.key3");
+}
+END_TEST
+
+START_TEST(test_load_files_section)
+{
+ chunk_t contents = chunk_from_str(
+ "main {\n"
+ " key1 = val1\n"
+ " key2 = val2\n"
+ " none = x\n"
+ " sub1 {\n"
+ " include = value\n"
+ " key2 = value2\n"
+ " }\n"
+ "}");
+
+ create_settings(contents);
+
+ ck_assert(settings->load_files_section(settings, include1, TRUE, ""));
+ ck_assert(settings->load_files_section(settings, include2, TRUE, "main.sub1"));
+ verify_include();
+
+ /* non existing files are no failure */
+ ck_assert(settings->load_files_section(settings, include1".conf", TRUE, ""));
+ verify_include();
+
+ /* unreadable files are */
+ ck_assert(chunk_write(contents, include1".no", 0444, TRUE));
+ ck_assert(!settings->load_files_section(settings, include1".no", TRUE, ""));
+ unlink(include1".no");
+ verify_include();
+
+ ck_assert(settings->load_files_section(settings, include2, FALSE, "main"));
+ verify_null("main.key1");
+ verify_string("v2", "main.key2");
+ verify_string("val", "main.sub1.key");
+ verify_null("main.sub1.key3");
+ verify_null("main.sub2.sub3");
+
+ ck_assert(settings->load_files_section(settings, include2, TRUE, "main.sub2"));
+ verify_string("v2", "main.sub2.key2");
+ verify_string("val", "main.sub2.sub1.key");
+}
+END_TEST
+
+START_SETUP(setup_fallback_config)
+{
+ create_settings(chunk_from_str(
+ "main {\n"
+ " key1 = val1\n"
+ " sub1 {\n"
+ " key1 = val1\n"
+ " }\n"
+ "}\n"
+ "sub {\n"
+ " key1 = subval1\n"
+ " key2 = subval2\n"
+ " subsub {\n"
+ " subkey1 = subsubval1\n"
+ " }\n"
+ "}\n"
+ "base {\n"
+ " key1 = baseval1\n"
+ " key2 = baseval2\n"
+ " sub1 {\n"
+ " key1 = subbase1\n"
+ " key2 = subbase2\n"
+ " key3 = subbase3\n"
+ " subsub {\n"
+ " subkey1 = subsubbaseval1\n"
+ " subkey2 = subsubbaseval2\n"
+ " }\n"
+ " }\n"
+ " sub2 {\n"
+ " key4 = subbase4\n"
+ " }\n"
+ "}"));
+}
+END_SETUP
+
+START_TEST(test_add_fallback)
+{
+ linked_list_t *keys, *values;
+
+ settings->add_fallback(settings, "main.sub1", "sub");
+ verify_string("val1", "main.sub1.key1");
+ verify_string("subval2", "main.sub1.key2");
+ verify_string("subsubval1", "main.sub1.subsub.subkey1");
+
+ /* fallbacks are preserved even if the complete config is replaced */
+ settings->load_files(settings, path, FALSE);
+ verify_string("val1", "main.sub1.key1");
+ verify_string("subval2", "main.sub1.key2");
+ verify_string("subsubval1", "main.sub1.subsub.subkey1");
+
+ keys = linked_list_create_with_items("sub1", NULL);
+ verify_sections(keys, "main");
+ keys = linked_list_create_with_items("subsub", NULL);
+ verify_sections(keys, "main.sub1");
+
+ keys = linked_list_create_with_items("key1", NULL);
+ values = linked_list_create_with_items("val1", NULL);
+ verify_key_values(keys, values, "main");
+
+ keys = linked_list_create_with_items("key1", "key2", NULL);
+ values = linked_list_create_with_items("val1", "subval2", NULL);
+ verify_key_values(keys, values, "main.sub1");
+
+ keys = linked_list_create_with_items("subkey1", NULL);
+ values = linked_list_create_with_items("subsubval1", NULL);
+ verify_key_values(keys, values, "main.sub1.subsub");
+
+ settings->add_fallback(settings, "main", "base");
+ verify_string("val1", "main.key1");
+ verify_string("baseval2", "main.key2");
+ verify_string("val1", "main.sub1.key1");
+ verify_string("subval2", "main.sub1.key2");
+ verify_string("subsubval1", "main.sub1.subsub.subkey1");
+ verify_string("subsubbaseval2", "main.sub1.subsub.subkey2");
+ verify_string("subbase3", "main.sub1.key3");
+ verify_string("subbase4", "main.sub2.key4");
+
+
+ keys = linked_list_create_with_items("sub1", "sub2", NULL);
+ verify_sections(keys, "main");
+ keys = linked_list_create_with_items("subsub", NULL);
+ verify_sections(keys, "main.sub1");
+
+ keys = linked_list_create_with_items("key1", "key2", NULL);
+ values = linked_list_create_with_items("val1", "baseval2", NULL);
+ verify_key_values(keys, values, "main");
+
+ keys = linked_list_create_with_items("key1", "key2", "key3", NULL);
+ values = linked_list_create_with_items("val1", "subval2", "subbase3", NULL);
+ verify_key_values(keys, values, "main.sub1");
+
+ keys = linked_list_create_with_items("subkey1", "subkey2", NULL);
+ values = linked_list_create_with_items("subsubval1", "subsubbaseval2", NULL);
+ verify_key_values(keys, values, "main.sub1.subsub");
+
+ settings->set_str(settings, "main.sub1.key2", "val2");
+ verify_string("val2", "main.sub1.key2");
+ settings->set_str(settings, "main.sub1.subsub.subkey2", "val2");
+ verify_string("val2", "main.sub1.subsub.subkey2");
+ verify_string("subsubval1", "main.sub1.subsub.subkey1");
+}
+END_TEST
+
+START_TEST(test_add_fallback_printf)
+{
+ settings->add_fallback(settings, "%s.sub1", "sub", "main");
+ verify_string("val1", "main.sub1.key1");
+ verify_string("subval2", "main.sub1.key2");
+ verify_string("subsubval1", "main.sub1.subsub.subkey1");
+
+ settings->add_fallback(settings, "%s.%s2", "%s.%s1", "main", "sub");
+ verify_string("val1", "main.sub2.key1");
+ verify_string("subval2", "main.sub2.key2");
+ verify_string("subsubval1", "main.sub2.subsub.subkey1");
+}
+END_TEST
+
+START_SETUP(setup_invalid_config)
+{
+ create_settings(chunk_from_str(
+ "# section without name\n"
+ "{\n"
+ " key1 = val1\n"
+ "}\n"
+ "main {\n"
+ " key2 = val2\n"
+ " # value without key\n"
+ " = val3\n"
+ " key4 = val4\n"
+ " # key without value does not change it\n"
+ " key4\n"
+ " # subsection without name\n"
+ " {\n"
+ " key5 = val5\n"
+ " }\n"
+ " # empty include pattern\n"
+ " include\n"
+ " key6 = val6\n"
+ "}"));
+}
+END_SETUP
+
+START_TEST(test_invalid)
+{
+ linked_list_t *keys, *values;
+ chunk_t contents;
+
+ verify_null("key1");
+ verify_null(".key1");
+ verify_null("%s.key1", "");
+ verify_string("val2", "main.key2");
+ verify_string("val4", "main.key4");
+ verify_null("main..key5");
+ verify_string("val6", "main.key6");
+
+ keys = linked_list_create_with_items("main", NULL);
+ verify_sections(keys, "");
+
+ keys = linked_list_create_with_items(NULL);
+ verify_sections(keys, "main");
+
+ keys = linked_list_create_with_items("key2", "key4", "key6", NULL);
+ values = linked_list_create_with_items("val2", "val4", "val6", NULL);
+ verify_key_values(keys, values, "main");
+
+ /* FIXME: we should probably fix this */
+ contents = chunk_from_str(
+ "requires = newline");
+ ck_assert(chunk_write(contents, path, 0022, TRUE));
+ ck_assert(!settings->load_files(settings, path, FALSE));
+
+ contents = chunk_from_str(
+ "unterminated {\n"
+ " not = valid\n");
+ ck_assert(chunk_write(contents, path, 0022, TRUE));
+ ck_assert(!settings->load_files(settings, path, FALSE));
+
+ contents = chunk_from_str(
+ "singleline { not = valid }\n");
+ ck_assert(chunk_write(contents, path, 0022, TRUE));
+ ck_assert(!settings->load_files(settings, path, FALSE));
+}
+END_TEST
+
+Suite *settings_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("settings");
+
+ tc = tcase_create("get/set_str (basic behavior)");
+ tcase_add_checked_fixture(tc, setup_base_config, teardown_config);
+ tcase_add_test(tc, test_get_str);
+ tcase_add_test(tc, test_get_str_printf);
+ tcase_add_test(tc, test_set_str);
+ tcase_add_test(tc, test_set_str_printf);
+ tcase_add_test(tc, test_set_default_str);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get/set_bool");
+ tcase_add_checked_fixture(tc, setup_bool_config, teardown_config);
+ tcase_add_test(tc, test_get_bool);
+ tcase_add_test(tc, test_set_bool);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get/set_int");
+ tcase_add_checked_fixture(tc, setup_int_config, teardown_config);
+ tcase_add_test(tc, test_get_int);
+ tcase_add_test(tc, test_set_int);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get/set_double");
+ tcase_add_checked_fixture(tc, setup_double_config, teardown_config);
+ tcase_add_test(tc, test_get_double);
+ tcase_add_test(tc, test_set_double);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("get/set_time");
+ tcase_add_checked_fixture(tc, setup_time_config, teardown_config);
+ tcase_add_test(tc, test_get_time);
+ tcase_add_test(tc, test_set_time);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("section enumerator");
+ tcase_add_checked_fixture(tc, setup_base_config, teardown_config);
+ tcase_add_test(tc, test_section_enumerator);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("key/value enumerator");
+ tcase_add_checked_fixture(tc, setup_base_config, teardown_config);
+ tcase_add_test(tc, test_key_value_enumerator);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("include/load_files[_section]");
+ tcase_add_checked_fixture(tc, setup_include_config, teardown_include_config);
+ tcase_add_test(tc, test_include);
+ tcase_add_test(tc, test_load_files);
+ tcase_add_test(tc, test_load_files_section);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("fallback");
+ tcase_add_checked_fixture(tc, setup_fallback_config, teardown_config);
+ tcase_add_test(tc, test_add_fallback);
+ tcase_add_test(tc, test_add_fallback_printf);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("invalid data");
+ tcase_add_checked_fixture(tc, setup_invalid_config, teardown_config);
+ tcase_add_test(tc, test_invalid);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
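Review bot: The fixtures write to fixed, predictable names in the shared /tmp directory: `path` ("/tmp/strongswan-settings-test") in create_settings and the `include1`/`include2` macros further down. Another local user can pre-create those names or, depending on how chunk_write opens the file, point them elsewhere with a symlink, and two test runs on the same host will overwrite each other's files. I would create a private directory with `mkdtemp()` in the setup fixtures, place the three files under it and remove it in the teardowns; the `include` lines in the config strings would then have to be formatted at run time. The socket path in `services[]` of test_stream.c follows the same pattern. Separately, the "unreadable files are" check in test_load_files_section presumably relies on file permissions being enforced, so it may fail when the suite runs as root; this is worth confirming.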
diff --git a/src/libstrongswan/tests/suites/test_stream.c b/src/libstrongswan/tests/suites/test_stream.c
new file mode 100644
index 000000000..2d3173d46
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_stream.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <unistd.h>
+
+static char* services[] = {
+ "unix:///tmp/strongswan-test-service.sck",
+ "tcp://127.0.0.1:7766",
+ "tcp://[::1]:7766",
+};
+
+static char msg[] = "testmessage";
+static int msglen = 12;
+
+static bool servicing(void *data, stream_t *stream)
+{
+ char buf[64];
+ ssize_t len, total;
+
+ ck_assert(streq((char*)data, "test"));
+
+ for (total = 0; total < msglen;)
+ {
+ len = stream->read(stream, buf, sizeof(buf), TRUE);
+ ck_assert(len > 0);
+ total += len;
+ }
+ for (total = 0; total < msglen;)
+ {
+ len = stream->write(stream, buf, len, TRUE);
+ ck_assert(len > 0);
+ total += len;
+ }
+
+ return FALSE;
+}
+
+START_TEST(test_sync)
+{
+ char buf[64];
+ stream_service_t *service;
+ stream_t *stream;
+ ssize_t len, total;
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ service = lib->streams->create_service(lib->streams, services[_i], 1);
+ ck_assert(service != NULL);
+ service->on_accept(service, servicing, "test", JOB_PRIO_HIGH, 1);
+
+ stream = lib->streams->connect(lib->streams, services[_i]);
+ ck_assert(stream != NULL);
+ for (total = 0; total < msglen;)
+ {
+ len = stream->write(stream, msg, msglen, TRUE);
+ ck_assert(len > 0);
+ total += len;
+ }
+ for (total = 0; total < msglen;)
+ {
+ len = stream->read(stream, buf, sizeof(buf), TRUE);
+ ck_assert(len > 0);
+ total += len;
+ }
+ ck_assert(streq(buf, msg));
+ stream->destroy(stream);
+
+ service->destroy(service);
+}
+END_TEST
+
+static bool on_write(void *data, stream_t *stream)
+{
+ ssize_t len, total;
+
+ ck_assert(streq((char*)data, "test-write"));
+ for (total = 0; total < msglen;)
+ {
+ len = stream->write(stream, msg, msglen, TRUE);
+ ck_assert(len > 0);
+ total += len;
+ }
+ return FALSE;
+}
+
+static bool read_done = FALSE;
+
+static bool on_read(void *data, stream_t *stream)
+{
+ ssize_t len, total;
+ char buf[64];
+
+ ck_assert(streq((char*)data, "test-read"));
+ for (total = 0; total < msglen;)
+ {
+ len = stream->read(stream, buf, sizeof(buf), TRUE);
+ ck_assert(len > 0);
+ total += len;
+ }
+ ck_assert(streq(buf, msg));
+ read_done = TRUE;
+ return FALSE;
+}
+
+START_TEST(test_async)
+{
+ stream_service_t *service;
+ stream_t *stream;
+
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ service = lib->streams->create_service(lib->streams, services[_i], 1);
+ ck_assert(service != NULL);
+ service->on_accept(service, servicing, "test", JOB_PRIO_HIGH, 0);
+
+ stream = lib->streams->connect(lib->streams, services[_i]);
+ ck_assert(stream != NULL);
+ read_done = FALSE;
+ stream->on_write(stream, (stream_cb_t)on_write, "test-write");
+ stream->on_read(stream, (stream_cb_t)on_read, "test-read");
+
+ while (!read_done)
+ {
+ usleep(1000);
+ }
+ stream->destroy(stream);
+
+ service->destroy(service);
+}
+END_TEST
+
+static bool all(void *data, stream_t *stream)
+{
+ char buf[64], *pos;
+ ssize_t len;
+ int i;
+
+ pos = buf;
+ for (i = 0; i < msglen; i++)
+ {
+ len = stream->read(stream, pos, 1, TRUE);
+ ck_assert_int_eq(len, 1);
+ pos += len;
+ }
+ pos = buf;
+ for (i = 0; i < msglen; i++)
+ {
+ len = stream->write(stream, pos, 1, TRUE);
+ ck_assert_int_eq(len, 1);
+ pos += len;
+ }
+
+ return FALSE;
+}
+
+START_TEST(test_all)
+{
+ char buf[64];
+ stream_service_t *service;
+ stream_t *stream;
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ service = lib->streams->create_service(lib->streams, services[_i], 1);
+ ck_assert(service != NULL);
+ service->on_accept(service, all, NULL, JOB_PRIO_HIGH, 1);
+
+ stream = lib->streams->connect(lib->streams, services[_i]);
+ ck_assert(stream != NULL);
+ ck_assert(stream->write_all(stream, msg, msglen));
+ ck_assert(stream->read_all(stream, buf, msglen));
+ ck_assert(streq(buf, msg));
+ stream->destroy(stream);
+
+ service->destroy(service);
+}
+END_TEST
+
+static bool concurrency(void *data, stream_t *stream)
+{
+ static refcount_t refs = 0;
+ u_int current;
+ ssize_t len;
+
+ current = ref_get(&refs);
+ ck_assert(current <= 3);
+ len = stream->write(stream, "x", 1, TRUE);
+ ck_assert_int_eq(len, 1);
+ usleep(1000);
+ ignore_result(ref_put(&refs));
+
+ return FALSE;
+}
+
+START_TEST(test_concurrency)
+{
+ stream_service_t *service;
+ stream_t *streams[10];
+ ssize_t len;
+ char x;
+ int i;
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ service = lib->streams->create_service(lib->streams, services[_i], 10);
+ ck_assert(service != NULL);
+ service->on_accept(service, concurrency, NULL, JOB_PRIO_HIGH, 3);
+
+ for (i = 0; i < countof(streams); i++)
+ {
+ streams[i] = lib->streams->connect(lib->streams, services[_i]);
+ ck_assert(streams[i] != NULL);
+ }
+ for (i = 0; i < countof(streams); i++)
+ {
+ len = streams[i]->read(streams[i], &x, 1, TRUE);
+ ck_assert_int_eq(len, 1);
+ ck_assert_int_eq(x, 'x');
+ }
+ for (i = 0; i < countof(streams); i++)
+ {
+ streams[i]->destroy(streams[i]);
+ }
+ service->destroy(service);
+}
+END_TEST
+
+Suite *stream_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("stream");
+
+ tc = tcase_create("sync");
+ tcase_add_loop_test(tc, test_sync, 0, countof(services));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("async");
+ tcase_add_loop_test(tc, test_async, 0, countof(services));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("all");
+ tcase_add_loop_test(tc, test_all, 0, countof(services));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("concurrency");
+ tcase_add_loop_test(tc, test_concurrency, 0, countof(services));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
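Review bot: The read/write loops in `servicing`, `test_sync`, `on_write` and `on_read` count `total` but always pass the start of the buffer and the full length, so a short transfer is not handled: a partial write re-sends `msg` from byte 0, and a partial read is overwritten by the next one before `streq(buf, msg)` runs. Advancing by the running total fixes both, e.g. `len = stream->write(stream, msg + total, msglen - total, TRUE);` and `len = stream->read(stream, buf + total, sizeof(buf) - total, TRUE);`. In `servicing` the echo also reuses `len` from the last read as its write length, which should be `msglen - total`. A short transfer is unlikely for 12 bytes on loopback, but when one does happen these tests fail or send the wrong bytes for reasons unrelated to the stream code. Separately, `services[]` uses a fixed socket path under `/tmp` and a fixed port 7766, so on a shared build host another local process can occupy or pre-create either one; a per-run directory (for example from `mkdtemp()`) for the unix socket would avoid that.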
diff --git a/src/libstrongswan/tests/suites/test_test_rng.c b/src/libstrongswan/tests/suites/test_test_rng.c
new file mode 100644
index 000000000..9a983b677
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_test_rng.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/test_rng.h>
+#include <utils/test.h>
+
+START_TEST(test_test_rng)
+{
+ rng_t *entropy;
+ chunk_t in, in1, in2, out;
+
+ in1 = chunk_from_chars(0x01, 0x02, 0x03, 0x04, 0x05, 0x06);
+ in2 = chunk_from_chars(0x07, 0x08);
+ in = chunk_cat("cc", in1, in2);
+
+ entropy = test_rng_create(in);
+ ck_assert(entropy->allocate_bytes(entropy, 6, &out));
+ ck_assert(chunk_equals(in1, out));
+ ck_assert(entropy->get_bytes(entropy, 2, out.ptr));
+ ck_assert(memeq(in2.ptr, out.ptr, in2.len));
+ ck_assert(!entropy->get_bytes(entropy, 4, out.ptr));
+ chunk_free(&out);
+ ck_assert(!entropy->allocate_bytes(entropy, 4, &out));
+ entropy->destroy(entropy);
+ chunk_free(&in);
+}
+END_TEST
+
+
+Suite *test_rng_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("test_rng");
+
+ tc = tcase_create("test_rng");
+ tcase_add_test(tc, test_test_rng);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
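Review bot: `test_test_rng` only checks exhaustion at the exact boundary: both failing calls (`get_bytes(entropy, 4, ...)` and `allocate_bytes(entropy, 4, ...)`) run after all 8 seeded bytes have been consumed. A request that exceeds what is left while some bytes remain is never exercised, so a short or over-reading answer in that case would go unnoticed. Assuming test_rng is meant to reject such a request, a check such as `ck_assert(!entropy->get_bytes(entropy, 3, out.ptr));` placed before the 2-byte read would cover it. A one-line comment above the test, e.g. `/* test_rng returns the seeded bytes in order and fails once they run out */`, would also document the intended contract.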
diff --git a/src/libstrongswan/tests/suites/test_threading.c b/src/libstrongswan/tests/suites/test_threading.c
new file mode 100644
index 000000000..844959e46
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_threading.c
@@ -0,0 +1,1466 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <sched.h>
+#include <unistd.h>
+
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <threading/rwlock.h>
+#include <threading/rwlock_condvar.h>
+#include <threading/spinlock.h>
+#include <threading/semaphore.h>
+#include <threading/thread_value.h>
+
+/*******************************************************************************
+ * recursive mutex test
+ */
+
+#define THREADS 20
+
+/**
+ * Thread barrier data
+ */
+typedef struct {
+ mutex_t *mutex;
+ condvar_t *cond;
+ int count;
+ int current;
+ bool active;
+} barrier_t;
+
+/**
+ * Create a thread barrier for count threads
+ */
+static barrier_t* barrier_create(int count)
+{
+ barrier_t *this;
+
+ INIT(this,
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .cond = condvar_create(CONDVAR_TYPE_DEFAULT),
+ .count = count,
+ );
+
+ return this;
+}
+
+/**
+ * Destroy a thread barrier
+ */
+static void barrier_destroy(barrier_t *this)
+{
+ this->mutex->destroy(this->mutex);
+ this->cond->destroy(this->cond);
+ free(this);
+}
+
+/**
+ * Wait to have configured number of threads in barrier
+ */
+static bool barrier_wait(barrier_t *this)
+{
+ bool winner = FALSE;
+
+ this->mutex->lock(this->mutex);
+ if (!this->active)
+ { /* first, reset */
+ this->active = TRUE;
+ this->current = 0;
+ }
+
+ this->current++;
+ while (this->current < this->count)
+ {
+ this->cond->wait(this->cond, this->mutex);
+ }
+ if (this->active)
+ { /* first, win */
+ winner = TRUE;
+ this->active = FALSE;
+ }
+ this->mutex->unlock(this->mutex);
+ this->cond->broadcast(this->cond);
+ sched_yield();
+
+ return winner;
+}
+
+/**
+ * Barrier for some tests
+ */
+static barrier_t *barrier;
+
+/**
+ * A mutex for tests requiring one
+ */
+static mutex_t *mutex;
+
+/**
+ * A condvar for tests requiring one
+ */
+static condvar_t *condvar;
+
+/**
+ * A counter for signaling
+ */
+static int sigcount;
+
+static void *mutex_run(void *data)
+{
+ int locked = 0;
+ int i;
+
+ /* wait for all threads before getting in action */
+ barrier_wait(barrier);
+
+ for (i = 0; i < 100; i++)
+ {
+ mutex->lock(mutex);
+ mutex->lock(mutex);
+ mutex->lock(mutex);
+ locked++;
+ sched_yield();
+ if (locked > 1)
+ {
+ fail("two threads locked the mutex concurrently");
+ }
+ locked--;
+ mutex->unlock(mutex);
+ mutex->unlock(mutex);
+ mutex->unlock(mutex);
+ }
+ return NULL;
+}
+
+START_TEST(test_mutex)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ barrier = barrier_create(THREADS);
+ mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+
+ for (i = 0; i < 10; i++)
+ {
+ mutex->lock(mutex);
+ mutex->unlock(mutex);
+ }
+ for (i = 0; i < 10; i++)
+ {
+ mutex->lock(mutex);
+ }
+ for (i = 0; i < 10; i++)
+ {
+ mutex->unlock(mutex);
+ }
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(mutex_run, NULL);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ mutex->destroy(mutex);
+ barrier_destroy(barrier);
+}
+END_TEST
+
+/**
+ * Spinlock for testing
+ */
+static spinlock_t *spinlock;
+
+static void *spinlock_run(void *data)
+{
+ int i, *locked = (int*)data;
+
+ barrier_wait(barrier);
+
+ for (i = 0; i < 1000; i++)
+ {
+ spinlock->lock(spinlock);
+ (*locked)++;
+ ck_assert_int_eq(*locked, 1);
+ (*locked)--;
+ spinlock->unlock(spinlock);
+ }
+ return NULL;
+}
+
+START_TEST(test_spinlock)
+{
+ thread_t *threads[THREADS];
+ int i, locked = 0;
+
+ barrier = barrier_create(THREADS);
+ spinlock = spinlock_create();
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(spinlock_run, &locked);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ spinlock->destroy(spinlock);
+ barrier_destroy(barrier);
+}
+END_TEST
+
+static void *condvar_run(void *data)
+{
+ mutex->lock(mutex);
+ sigcount++;
+ condvar->signal(condvar);
+ mutex->unlock(mutex);
+ return NULL;
+}
+
+START_TEST(test_condvar)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ sigcount = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(condvar_run, NULL);
+ }
+
+ mutex->lock(mutex);
+ while (sigcount < THREADS)
+ {
+ condvar->wait(condvar, mutex);
+ }
+ mutex->unlock(mutex);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ mutex->destroy(mutex);
+ condvar->destroy(condvar);
+}
+END_TEST
+
+static void *condvar_recursive_run(void *data)
+{
+ mutex->lock(mutex);
+ mutex->lock(mutex);
+ mutex->lock(mutex);
+ sigcount++;
+ condvar->signal(condvar);
+ mutex->unlock(mutex);
+ mutex->unlock(mutex);
+ mutex->unlock(mutex);
+ return NULL;
+}
+
+START_TEST(test_condvar_recursive)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ sigcount = 0;
+
+ mutex->lock(mutex);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(condvar_recursive_run, NULL);
+ }
+
+ mutex->lock(mutex);
+ mutex->lock(mutex);
+ while (sigcount < THREADS)
+ {
+ condvar->wait(condvar, mutex);
+ }
+ mutex->unlock(mutex);
+ mutex->unlock(mutex);
+ mutex->unlock(mutex);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ mutex->destroy(mutex);
+ condvar->destroy(condvar);
+}
+END_TEST
+
+static void *condvar_run_broad(void *data)
+{
+ mutex->lock(mutex);
+ while (sigcount < 0)
+ {
+ condvar->wait(condvar, mutex);
+ }
+ mutex->unlock(mutex);
+ return NULL;
+}
+
+START_TEST(test_condvar_broad)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ sigcount = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(condvar_run_broad, NULL);
+ }
+
+ sched_yield();
+
+ mutex->lock(mutex);
+ sigcount = 1;
+ condvar->broadcast(condvar);
+ mutex->unlock(mutex);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ mutex->destroy(mutex);
+ condvar->destroy(condvar);
+}
+END_TEST
+
+START_TEST(test_condvar_timed)
+{
+ thread_t *thread;
+ timeval_t start, end, diff = { .tv_usec = 50000 };
+
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ sigcount = 0;
+
+ mutex->lock(mutex);
+ while (TRUE)
+ {
+ time_monotonic(&start);
+ if (condvar->timed_wait(condvar, mutex, diff.tv_usec / 1000))
+ {
+ break;
+ }
+ }
+ time_monotonic(&end);
+ mutex->unlock(mutex);
+ timersub(&end, &start, &end);
+ ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+ end.tv_sec, end.tv_usec, diff.tv_sec, diff.tv_usec);
+
+ thread = thread_create(condvar_run, NULL);
+
+ mutex->lock(mutex);
+ while (sigcount == 0)
+ {
+ ck_assert(!condvar->timed_wait(condvar, mutex, 1000));
+ }
+ mutex->unlock(mutex);
+
+ thread->join(thread);
+ mutex->destroy(mutex);
+ condvar->destroy(condvar);
+}
+END_TEST
+
+START_TEST(test_condvar_timed_abs)
+{
+ thread_t *thread;
+ timeval_t start, end, abso, diff = { .tv_usec = 50000 };
+
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ sigcount = 0;
+
+ mutex->lock(mutex);
+ while (TRUE)
+ {
+ time_monotonic(&start);
+ timeradd(&start, &diff, &abso);
+ if (condvar->timed_wait_abs(condvar, mutex, abso))
+ {
+ break;
+ }
+ }
+ time_monotonic(&end);
+ mutex->unlock(mutex);
+ ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+ end.tv_sec, end.tv_usec, abso.tv_sec, abso.tv_usec);
+
+ thread = thread_create(condvar_run, NULL);
+
+ time_monotonic(&start);
+ diff.tv_sec = 1;
+ timeradd(&start, &diff, &abso);
+ mutex->lock(mutex);
+ while (sigcount == 0)
+ {
+ ck_assert(!condvar->timed_wait_abs(condvar, mutex, abso));
+ }
+ mutex->unlock(mutex);
+
+ thread->join(thread);
+ mutex->destroy(mutex);
+ condvar->destroy(condvar);
+}
+END_TEST
+
+static void *condvar_cancel_run(void *data)
+{
+ thread_cancelability(FALSE);
+
+ mutex->lock(mutex);
+
+ sigcount++;
+ condvar->broadcast(condvar);
+
+ thread_cleanup_push((void*)mutex->unlock, mutex);
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ condvar->wait(condvar, mutex);
+ }
+ thread_cleanup_pop(TRUE);
+
+ return NULL;
+}
+
+START_TEST(test_condvar_cancel)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ sigcount = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(condvar_cancel_run, NULL);
+ }
+
+ /* wait for all threads */
+ mutex->lock(mutex);
+ while (sigcount < THREADS)
+ {
+ condvar->wait(condvar, mutex);
+ }
+ mutex->unlock(mutex);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ mutex->destroy(mutex);
+ condvar->destroy(condvar);
+}
+END_TEST
+
+/**
+ * RWlock for different tests
+ */
+static rwlock_t *rwlock;
+
+static void *rwlock_run(refcount_t *refs)
+{
+ rwlock->read_lock(rwlock);
+ ref_get(refs);
+ sched_yield();
+ ignore_result(ref_put(refs));
+ rwlock->unlock(rwlock);
+
+ if (rwlock->try_write_lock(rwlock))
+ {
+ ck_assert_int_eq(*refs, 0);
+ sched_yield();
+ rwlock->unlock(rwlock);
+ }
+
+ rwlock->write_lock(rwlock);
+ ck_assert_int_eq(*refs, 0);
+ sched_yield();
+ rwlock->unlock(rwlock);
+
+ rwlock->read_lock(rwlock);
+ rwlock->read_lock(rwlock);
+ ref_get(refs);
+ sched_yield();
+ ignore_result(ref_put(refs));
+ rwlock->unlock(rwlock);
+ rwlock->unlock(rwlock);
+
+ return NULL;
+}
+
+START_TEST(test_rwlock)
+{
+ thread_t *threads[THREADS];
+ refcount_t refs = 0;
+ int i;
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create((void*)rwlock_run, &refs);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ rwlock->destroy(rwlock);
+}
+END_TEST
+
+/**
+ * Rwlock condvar
+ */
+static rwlock_condvar_t *rwcond;
+
+static void *rwlock_condvar_run(void *data)
+{
+ rwlock->write_lock(rwlock);
+ sigcount++;
+ rwcond->signal(rwcond);
+ rwlock->unlock(rwlock);
+ return NULL;
+}
+
+START_TEST(test_rwlock_condvar)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ rwcond = rwlock_condvar_create();
+ sigcount = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(rwlock_condvar_run, NULL);
+ }
+
+ rwlock->write_lock(rwlock);
+ while (sigcount < THREADS)
+ {
+ rwcond->wait(rwcond, rwlock);
+ }
+ rwlock->unlock(rwlock);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ rwlock->destroy(rwlock);
+ rwcond->destroy(rwcond);
+}
+END_TEST
+
+static void *rwlock_condvar_run_broad(void *data)
+{
+ rwlock->write_lock(rwlock);
+ while (sigcount < 0)
+ {
+ rwcond->wait(rwcond, rwlock);
+ }
+ rwlock->unlock(rwlock);
+ return NULL;
+}
+
+START_TEST(test_rwlock_condvar_broad)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ rwcond = rwlock_condvar_create();
+ sigcount = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(rwlock_condvar_run_broad, NULL);
+ }
+
+ sched_yield();
+
+ rwlock->write_lock(rwlock);
+ sigcount = 1;
+ rwcond->broadcast(rwcond);
+ rwlock->unlock(rwlock);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ rwlock->destroy(rwlock);
+ rwcond->destroy(rwcond);
+}
+END_TEST
+
+START_TEST(test_rwlock_condvar_timed)
+{
+ thread_t *thread;
+ timeval_t start, end, diff = { .tv_usec = 50000 };
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ rwcond = rwlock_condvar_create();
+ sigcount = 0;
+
+ rwlock->write_lock(rwlock);
+ while (TRUE)
+ {
+ time_monotonic(&start);
+ if (rwcond->timed_wait(rwcond, rwlock, diff.tv_usec / 1000))
+ {
+ break;
+ }
+ }
+ rwlock->unlock(rwlock);
+ time_monotonic(&end);
+ timersub(&end, &start, &end);
+ ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+ end.tv_sec, end.tv_usec, diff.tv_sec, diff.tv_usec);
+
+ thread = thread_create(rwlock_condvar_run, NULL);
+
+ rwlock->write_lock(rwlock);
+ while (sigcount == 0)
+ {
+ ck_assert(!rwcond->timed_wait(rwcond, rwlock, 1000));
+ }
+ rwlock->unlock(rwlock);
+
+ thread->join(thread);
+ rwlock->destroy(rwlock);
+ rwcond->destroy(rwcond);
+}
+END_TEST
+
+START_TEST(test_rwlock_condvar_timed_abs)
+{
+ thread_t *thread;
+ timeval_t start, end, abso, diff = { .tv_usec = 50000 };
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ rwcond = rwlock_condvar_create();
+ sigcount = 0;
+
+ rwlock->write_lock(rwlock);
+ while (TRUE)
+ {
+ time_monotonic(&start);
+ timeradd(&start, &diff, &abso);
+ if (rwcond->timed_wait_abs(rwcond, rwlock, abso))
+ {
+ break;
+ }
+ }
+ rwlock->unlock(rwlock);
+ time_monotonic(&end);
+ ck_assert_msg(timercmp(&end, &abso, >), "end: %u.%u, abso: %u.%u",
+ end.tv_sec, end.tv_usec, abso.tv_sec, abso.tv_usec);
+
+ thread = thread_create(rwlock_condvar_run, NULL);
+
+ time_monotonic(&start);
+ diff.tv_sec = 1;
+ timeradd(&start, &diff, &abso);
+ rwlock->write_lock(rwlock);
+ while (sigcount == 0)
+ {
+ ck_assert(!rwcond->timed_wait_abs(rwcond, rwlock, abso));
+ }
+ rwlock->unlock(rwlock);
+
+ thread->join(thread);
+ rwlock->destroy(rwlock);
+ rwcond->destroy(rwcond);
+}
+END_TEST
+
+static void *rwlock_condvar_cancel_run(void *data)
+{
+ thread_cancelability(FALSE);
+
+ rwlock->write_lock(rwlock);
+
+ sigcount++;
+ rwcond->broadcast(rwcond);
+
+ thread_cleanup_push((void*)rwlock->unlock, rwlock);
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ rwcond->wait(rwcond, rwlock);
+ }
+ thread_cleanup_pop(TRUE);
+
+ return NULL;
+}
+
+START_TEST(test_rwlock_condvar_cancel)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ rwcond = rwlock_condvar_create();
+ sigcount = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(rwlock_condvar_cancel_run, NULL);
+ }
+
+ /* wait for all threads */
+ rwlock->write_lock(rwlock);
+ while (sigcount < THREADS)
+ {
+ rwcond->wait(rwcond, rwlock);
+ }
+ rwlock->unlock(rwlock);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ rwlock->destroy(rwlock);
+ rwcond->destroy(rwcond);
+}
+END_TEST
+
+/**
+ * Semaphore for different tests
+ */
+static semaphore_t *semaphore;
+
+static void *semaphore_run(void *data)
+{
+ semaphore->post(semaphore);
+ return NULL;
+}
+
+START_TEST(test_semaphore)
+{
+ thread_t *threads[THREADS];
+ int i, initial = 5;
+
+ semaphore = semaphore_create(initial);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(semaphore_run, NULL);
+ }
+ for (i = 0; i < THREADS + initial; i++)
+ {
+ semaphore->wait(semaphore);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ semaphore->destroy(semaphore);
+}
+END_TEST
+
+START_TEST(test_semaphore_timed)
+{
+ thread_t *thread;
+ timeval_t start, end, diff = { .tv_usec = 50000 };
+
+ semaphore = semaphore_create(0);
+
+ time_monotonic(&start);
+ ck_assert(semaphore->timed_wait(semaphore, diff.tv_usec / 1000));
+ time_monotonic(&end);
+ timersub(&end, &start, &end);
+ ck_assert_msg(timercmp(&end, &diff, >), "end: %u.%u, diff: %u.%u",
+ end.tv_sec, end.tv_usec, diff.tv_sec, diff.tv_usec);
+
+ thread = thread_create(semaphore_run, NULL);
+
+ ck_assert(!semaphore->timed_wait(semaphore, 1000));
+
+ thread->join(thread);
+ semaphore->destroy(semaphore);
+}
+END_TEST
+
+START_TEST(test_semaphore_timed_abs)
+{
+ thread_t *thread;
+ timeval_t start, end, abso, diff = { .tv_usec = 50000 };
+
+ semaphore = semaphore_create(0);
+
+ time_monotonic(&start);
+ timeradd(&start, &diff, &abso);
+ ck_assert(semaphore->timed_wait_abs(semaphore, abso));
+ time_monotonic(&end);
+ ck_assert_msg(timercmp(&end, &abso, >), "end: %u.%u, abso: %u.%u",
+ end.tv_sec, end.tv_usec, abso.tv_sec, abso.tv_usec);
+
+ thread = thread_create(semaphore_run, NULL);
+
+ time_monotonic(&start);
+ diff.tv_sec = 1;
+ timeradd(&start, &diff, &abso);
+ ck_assert(!semaphore->timed_wait_abs(semaphore, abso));
+
+ thread->join(thread);
+ semaphore->destroy(semaphore);
+}
+END_TEST
+
+static void *semaphore_cancel_run(void *data)
+{
+ refcount_t *ready = (refcount_t*)data;
+
+ thread_cancelability(FALSE);
+ ref_get(ready);
+
+ thread_cancelability(TRUE);
+ semaphore->wait(semaphore);
+
+ ck_assert(FALSE);
+ return NULL;
+}
+
+START_TEST(test_semaphore_cancel)
+{
+ thread_t *threads[THREADS];
+ refcount_t ready = 0;
+ int i;
+
+ semaphore = semaphore_create(0);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(semaphore_cancel_run, &ready);
+ }
+ while (ready < THREADS)
+ {
+ sched_yield();
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+
+ semaphore->destroy(semaphore);
+}
+END_TEST
+
+static void *join_run(void *data)
+{
+ /* force some context switches */
+ sched_yield();
+ return (void*)((uintptr_t)data + THREADS);
+}
+
+START_TEST(test_join)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(join_run, (void*)(uintptr_t)i);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ ck_assert_int_eq((uintptr_t)threads[i]->join(threads[i]), i + THREADS);
+ }
+}
+END_TEST
+
+static void *exit_join_run(void *data)
+{
+ sched_yield();
+ thread_exit((void*)((uintptr_t)data + THREADS));
+ /* not reached */
+ ck_assert(FALSE);
+ return NULL;
+}
+
+START_TEST(test_join_exit)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(exit_join_run, (void*)(uintptr_t)i);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ ck_assert_int_eq((uintptr_t)threads[i]->join(threads[i]), i + THREADS);
+ }
+}
+END_TEST
+
+static void *detach_run(void *data)
+{
+ refcount_t *running = (refcount_t*)data;
+
+ ignore_result(ref_put(running));
+ return NULL;
+}
+
+START_TEST(test_detach)
+{
+ thread_t *threads[THREADS];
+ int i;
+ refcount_t running = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ ref_get(&running);
+ threads[i] = thread_create(detach_run, &running);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->detach(threads[i]);
+ }
+ while (running > 0)
+ {
+ sched_yield();
+ }
+ /* no checks done here, but we check that thread state gets cleaned
+ * up with leak detective. */
+}
+END_TEST
+
+static void *detach_exit_run(void *data)
+{
+ refcount_t *running = (refcount_t*)data;
+
+ ignore_result(ref_put(running));
+ thread_exit(NULL);
+ /* not reached */
+ ck_assert(FALSE);
+ return NULL;
+}
+
+START_TEST(test_detach_exit)
+{
+ thread_t *threads[THREADS];
+ int i;
+ refcount_t running = 0;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ ref_get(&running);
+ threads[i] = thread_create(detach_exit_run, &running);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->detach(threads[i]);
+ }
+ while (running > 0)
+ {
+ sched_yield();
+ }
+ /* no checks done here, but we check that thread state gets cleaned
+ * up with leak detective. */
+}
+END_TEST
+
+static void *cancel_run(void *data)
+{
+ /* default cancellability should be TRUE, so don't change it */
+ while (TRUE)
+ {
+ sleep(10);
+ }
+ return NULL;
+}
+
+START_TEST(test_cancel)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(cancel_run, NULL);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+}
+END_TEST
+
+static void *cancel_onoff_run(void *data)
+{
+ bool *cancellable = (bool*)data;
+
+ thread_cancelability(FALSE);
+ *cancellable = FALSE;
+
+ /* we should not get cancelled here */
+ usleep(50000);
+
+ *cancellable = TRUE;
+ thread_cancelability(TRUE);
+
+ /* but here */
+ while (TRUE)
+ {
+ sleep(10);
+ }
+ return NULL;
+}
+
+START_TEST(test_cancel_onoff)
+{
+ thread_t *threads[THREADS];
+ bool cancellable[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ cancellable[i] = TRUE;
+ threads[i] = thread_create(cancel_onoff_run, &cancellable[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ /* wait until thread has cleared its cancellability */
+ while (cancellable[i])
+ {
+ sched_yield();
+ }
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ ck_assert(cancellable[i]);
+ }
+}
+END_TEST
+
+static void *cancel_point_run(void *data)
+{
+ thread_cancelability(FALSE);
+ while (TRUE)
+ {
+ /* implicitly enables cancellability */
+ thread_cancellation_point();
+ }
+ return NULL;
+}
+
+START_TEST(test_cancel_point)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(cancel_point_run, NULL);
+ }
+ sched_yield();
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+}
+END_TEST
+
+static void cleanup1(void *data)
+{
+ uintptr_t *value = (uintptr_t*)data;
+
+ ck_assert_int_eq(*value, 1);
+ (*value)++;
+}
+
+static void cleanup2(void *data)
+{
+ uintptr_t *value = (uintptr_t*)data;
+
+ ck_assert_int_eq(*value, 2);
+ (*value)++;
+}
+
+static void cleanup3(void *data)
+{
+ uintptr_t *value = (uintptr_t*)data;
+
+ ck_assert_int_eq(*value, 3);
+ (*value)++;
+}
+
+static void *cleanup_run(void *data)
+{
+ thread_cleanup_push(cleanup3, data);
+ thread_cleanup_push(cleanup2, data);
+ thread_cleanup_push(cleanup1, data);
+ return NULL;
+}
+
+START_TEST(test_cleanup)
+{
+ thread_t *threads[THREADS];
+ uintptr_t values[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ values[i] = 1;
+ threads[i] = thread_create(cleanup_run, &values[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ ck_assert_int_eq(values[i], 4);
+ }
+}
+END_TEST
+
+static void *cleanup_exit_run(void *data)
+{
+ thread_cleanup_push(cleanup3, data);
+ thread_cleanup_push(cleanup2, data);
+ thread_cleanup_push(cleanup1, data);
+ thread_exit(NULL);
+ ck_assert(FALSE);
+ return NULL;
+}
+
+START_TEST(test_cleanup_exit)
+{
+ thread_t *threads[THREADS];
+ uintptr_t values[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ values[i] = 1;
+ threads[i] = thread_create(cleanup_exit_run, &values[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ ck_assert_int_eq(values[i], 4);
+ }
+}
+END_TEST
+
+static void *cleanup_cancel_run(void *data)
+{
+ thread_cancelability(FALSE);
+
+ thread_cleanup_push(cleanup3, data);
+ thread_cleanup_push(cleanup2, data);
+ thread_cleanup_push(cleanup1, data);
+
+ thread_cancelability(TRUE);
+
+ while (TRUE)
+ {
+ sleep(1);
+ }
+ return NULL;
+}
+
+START_TEST(test_cleanup_cancel)
+{
+ thread_t *threads[THREADS];
+ uintptr_t values[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ values[i] = 1;
+ threads[i] = thread_create(cleanup_cancel_run, &values[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->cancel(threads[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ ck_assert_int_eq(values[i], 4);
+ }
+}
+END_TEST
+
+static void *cleanup_pop_run(void *data)
+{
+ thread_cleanup_push(cleanup3, data);
+ thread_cleanup_push(cleanup2, data);
+ thread_cleanup_push(cleanup1, data);
+
+ thread_cleanup_push(cleanup2, data);
+ thread_cleanup_pop(FALSE);
+
+ thread_cleanup_pop(TRUE);
+ return NULL;
+}
+
+START_TEST(test_cleanup_pop)
+{
+ thread_t *threads[THREADS];
+ uintptr_t values[THREADS];
+ int i;
+
+ for (i = 0; i < THREADS; i++)
+ {
+ values[i] = 1;
+ threads[i] = thread_create(cleanup_pop_run, &values[i]);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ ck_assert_int_eq(values[i], 4);
+ }
+}
+END_TEST
+
+static thread_value_t *tls[10];
+
+static void *tls_run(void *data)
+{
+ uintptr_t value = (uintptr_t)data;
+ int i, j;
+
+ for (i = 0; i < countof(tls); i++)
+ {
+ ck_assert(tls[i]->get(tls[i]) == NULL);
+ }
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i]->set(tls[i], (void*)(value * i));
+ }
+ for (j = 0; j < 1000; j++)
+ {
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i]->set(tls[i], (void*)(value * i));
+ ck_assert(tls[i]->get(tls[i]) == (void*)(value * i));
+ }
+ sched_yield();
+ }
+ for (i = 0; i < countof(tls); i++)
+ {
+ ck_assert(tls[i]->get(tls[i]) == (void*)(value * i));
+ }
+ return (void*)(value + 1);
+}
+
+START_TEST(test_tls)
+{
+ thread_t *threads[THREADS];
+ int i;
+
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i] = thread_value_create(NULL);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i] = thread_create(tls_run, (void*)(uintptr_t)i);
+ }
+
+ ck_assert_int_eq((uintptr_t)tls_run((void*)(uintptr_t)(THREADS + 1)),
+ THREADS + 2);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ ck_assert_int_eq((uintptr_t)threads[i]->join(threads[i]), i + 1);
+ }
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i]->destroy(tls[i]);
+ }
+}
+END_TEST
+
+static void tls_cleanup(void *data)
+{
+ uintptr_t *value = (uintptr_t*)data;
+
+ (*value)--;
+}
+
+static void *tls_cleanup_run(void *data)
+{
+ int i;
+
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i]->set(tls[i], data);
+ }
+ return NULL;
+}
+
+START_TEST(test_tls_cleanup)
+{
+ thread_t *threads[THREADS];
+ uintptr_t values[THREADS], main_value = countof(tls);
+ int i;
+
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i] = thread_value_create(tls_cleanup);
+ }
+ for (i = 0; i < THREADS; i++)
+ {
+ values[i] = countof(tls);
+ threads[i] = thread_create(tls_cleanup_run, &values[i]);
+ }
+
+ tls_cleanup_run(&main_value);
+
+ for (i = 0; i < THREADS; i++)
+ {
+ threads[i]->join(threads[i]);
+ ck_assert_int_eq(values[i], 0);
+ }
+ for (i = 0; i < countof(tls); i++)
+ {
+ tls[i]->destroy(tls[i]);
+ }
+ ck_assert_int_eq(main_value, 0);
+}
+END_TEST
+
+Suite *threading_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("threading");
+
+ tc = tcase_create("recursive mutex");
+ tcase_add_test(tc, test_mutex);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("spinlock");
+ tcase_add_test(tc, test_spinlock);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("condvar");
+ tcase_add_test(tc, test_condvar);
+ tcase_add_test(tc, test_condvar_recursive);
+ tcase_add_test(tc, test_condvar_broad);
+ tcase_add_test(tc, test_condvar_timed);
+ tcase_add_test(tc, test_condvar_timed_abs);
+ tcase_add_test(tc, test_condvar_cancel);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("rwlock");
+ tcase_add_test(tc, test_rwlock);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("rwlock condvar");
+ tcase_add_test(tc, test_rwlock_condvar);
+ tcase_add_test(tc, test_rwlock_condvar_broad);
+ tcase_add_test(tc, test_rwlock_condvar_timed);
+ tcase_add_test(tc, test_rwlock_condvar_timed_abs);
+ tcase_add_test(tc, test_rwlock_condvar_cancel);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("semaphore");
+ tcase_add_test(tc, test_semaphore);
+ tcase_add_test(tc, test_semaphore_timed);
+ tcase_add_test(tc, test_semaphore_timed_abs);
+ tcase_add_test(tc, test_semaphore_cancel);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("thread joining");
+ tcase_add_test(tc, test_join);
+ tcase_add_test(tc, test_join_exit);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("thread detaching");
+ tcase_add_test(tc, test_detach);
+ tcase_add_test(tc, test_detach_exit);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("thread cancellation");
+ tcase_add_test(tc, test_cancel);
+ tcase_add_test(tc, test_cancel_onoff);
+ tcase_add_test(tc, test_cancel_point);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("thread cleanup");
+ tcase_add_test(tc, test_cleanup);
+ tcase_add_test(tc, test_cleanup_exit);
+ tcase_add_test(tc, test_cleanup_cancel);
+ tcase_add_test(tc, test_cleanup_pop);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("thread local storage");
+ tcase_add_test(tc, test_tls);
+ tcase_add_test(tc, test_tls_cleanup);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index 3ca0412b4..0260726b2 100644
--- a/src/libstrongswan/tests/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -346,6 +346,46 @@ START_TEST(test_memstr)
END_TEST
/*******************************************************************************
+ * utils_memrchr
+ */
+
+static struct {
+ char *s;
+ int c;
+ size_t n;
+ int offset;
+} memrchr_data[] = {
+ {NULL, 'f', 0, -1},
+ {NULL, 'f', 3, -1},
+ {"", 'f', 0, -1},
+ {"", '\0', 1, 0},
+ {"foo", '\0', 3, -1},
+ {"foo", '\0', 4, 3},
+ {"foo", 'f', 3, 0},
+ {"foo", 'o', 3, 2},
+ {"foo", 'o', 2, 1},
+ {"foo", 'o', 1, -1},
+ {"foo", 'o', 0, -1},
+ {"foo", 'x', 3, -1},
+};
+
+START_TEST(test_utils_memrchr)
+{
+ void *ret;
+
+ ret = utils_memrchr(memrchr_data[_i].s, memrchr_data[_i].c, memrchr_data[_i].n);
+ if (memrchr_data[_i].offset >= 0)
+ {
+ ck_assert(ret == memrchr_data[_i].s + memrchr_data[_i].offset);
+ }
+ else
+ {
+ ck_assert(ret == NULL);
+ }
+}
+END_TEST
+
+/*******************************************************************************
* translate
*/
@@ -385,6 +425,140 @@ START_TEST(test_translate)
END_TEST
/*******************************************************************************
+ * strreplace
+ */
+
+static struct {
+ char *in;
+ char *out;
+ char *search;
+ char *replace;
+ bool allocated;
+} strreplace_data[] = {
+ /* invalid arguments */
+ {NULL, NULL, NULL, NULL, FALSE},
+ {"", "", NULL, NULL, FALSE},
+ {"", "", "", NULL, FALSE},
+ {"", "", NULL, "", FALSE},
+ {"", "", "", "", FALSE},
+ {"", "", "", "asdf", FALSE},
+ {"", "", "asdf", "", FALSE},
+ {"asdf", "asdf", NULL, NULL, FALSE},
+ {"asdf", "asdf", "", NULL, FALSE},
+ {"asdf", "asdf", NULL, "", FALSE},
+ {"asdf", "asdf", "", "", FALSE},
+ {"asdf", "asdf", "", "asdf", FALSE},
+ {"asdf", "asdf", "asdf", NULL, FALSE},
+ {"qwer", "qwer", "", "asdf", FALSE},
+ /* replacement shorter */
+ {"asdf", "", "asdf", "", TRUE},
+ {"asdfasdf", "", "asdf", "", TRUE},
+ {"asasdfdf", "asdf", "asdf", "", TRUE},
+ {"asdf", "df", "as", "", TRUE},
+ {"asdf", "as", "df", "", TRUE},
+ {"qwer", "qwer", "asdf", "", FALSE},
+ /* replacement same length */
+ {"a", "b", "a", "b", TRUE},
+ {"aaa", "bbb", "a", "b", TRUE},
+ {"aaa", "bbb", "aaa", "bbb", TRUE},
+ {"asdf", "asdf", "asdf", "asdf", TRUE},
+ {"qwer", "qwer", "asdf", "asdf", FALSE},
+ /* replacement longer */
+ {"asdf", "asdf", "", "asdf", FALSE},
+ {"asdf", "asdfasdf", "asdf", "asdfasdf", TRUE},
+ {"asdf", "asdfsdf", "a", "asdf", TRUE},
+ {"asdf", "asdasdf", "f", "asdf", TRUE},
+ {"aaa", "asdfasdfasdf", "a", "asdf", TRUE},
+ {"qwer", "qwer", "asdf", "asdfasdf", FALSE},
+ /* real examples */
+ {"http://x.org/no/spaces", "http://x.org/no/spaces", " ", "%20", FALSE},
+ {"http://x.org/end ", "http://x.org/end%20", " ", "%20", TRUE},
+ {" http://x.org/start", "%20http://x.org/start", " ", "%20", TRUE},
+ {" http://x.org/both ", "%20http://x.org/both%20", " ", "%20", TRUE},
+ {"http://x.org/ /slash", "http://x.org/%20/slash", " ", "%20", TRUE},
+ {"http://x.org/ /three", "http://x.org/%20%20%20/three", " ", "%20", TRUE},
+ {"http://x.org/ ", "http://x.org/%20%20%20%20%20%20", " ", "%20", TRUE},
+ {"http://x.org/%20/encoded", "http://x.org/%20/encoded", " ", "%20", FALSE},
+};
+
+START_TEST(test_strreplace)
+{
+ char *ret;
+
+ ret = strreplace(strreplace_data[_i].in, strreplace_data[_i].search,
+ strreplace_data[_i].replace);
+ if (ret && strreplace_data[_i].out)
+ {
+ ck_assert_str_eq(ret, strreplace_data[_i].out);
+ }
+ else
+ {
+ ck_assert(ret == strreplace_data[_i].out);
+ }
+ if (strreplace_data[_i].allocated)
+ {
+ ck_assert(ret != strreplace_data[_i].in);
+ free(ret);
+ }
+ else
+ {
+ ck_assert(ret == strreplace_data[_i].in);
+ }
+}
+END_TEST
+
+/*******************************************************************************
+ * path_dirname/basename
+ */
+
+static struct {
+ char *path;
+ char *dir;
+ char *base;
+} path_data[] = {
+ {NULL, ".", "."},
+ {"", ".", "."},
+ {".", ".", "."},
+ {"..", ".", ".."},
+ {"/", "/", "/"},
+ {"//", "/", "/"},
+ {"foo", ".", "foo"},
+ {"f/", ".", "f"},
+ {"foo/", ".", "foo"},
+ {"foo//", ".", "foo"},
+ {"/f", "/", "f"},
+ {"/f/", "/", "f"},
+ {"/foo", "/", "foo"},
+ {"/foo/", "/", "foo"},
+ {"//foo/", "/", "foo"},
+ {"foo/bar", "foo", "bar"},
+ {"foo//bar", "foo", "bar"},
+ {"/foo/bar", "/foo", "bar"},
+ {"/foo/bar/", "/foo", "bar"},
+ {"/foo/bar/baz", "/foo/bar", "baz"},
+};
+
+START_TEST(test_path_dirname)
+{
+ char *dir;
+
+ dir = path_dirname(path_data[_i].path);
+ ck_assert_str_eq(path_data[_i].dir, dir);
+ free(dir);
+}
+END_TEST
+
+START_TEST(test_path_basename)
+{
+ char *base;
+
+ base = path_basename(path_data[_i].path);
+ ck_assert_str_eq(path_data[_i].base, base);
+ free(base);
+}
+END_TEST
+
+/*******************************************************************************
* time_printf_hook
*/
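Review bot: The `allocated` member of `strreplace_data` decides whether test_strreplace() frees the result, but the struct carries no comment saying what it means. A one-line comment on the field would make the ownership rule the table encodes explicit, for example `/* TRUE if strreplace() must return a newly allocated string, FALSE if it must return the input pointer */`. The row `{"asdf", "asdf", "", "asdf", FALSE}` also appears twice, under "invalid arguments" and again under "replacement longer", so one copy can go.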
@@ -539,10 +713,23 @@ Suite *utils_suite_create()
tcase_add_loop_test(tc, test_memstr, 0, countof(memstr_data));
suite_add_tcase(s, tc);
+ tc = tcase_create("utils_memrchr");
+ tcase_add_loop_test(tc, test_utils_memrchr, 0, countof(memrchr_data));
+ suite_add_tcase(s, tc);
+
tc = tcase_create("translate");
tcase_add_loop_test(tc, test_translate, 0, countof(translate_data));
suite_add_tcase(s, tc);
+ tc = tcase_create("strreplace");
+ tcase_add_loop_test(tc, test_strreplace, 0, countof(strreplace_data));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("path_dirname/basename");
+ tcase_add_loop_test(tc, test_path_dirname, 0, countof(path_data));
+ tcase_add_loop_test(tc, test_path_basename, 0, countof(path_data));
+ suite_add_tcase(s, tc);
+
tc = tcase_create("printf_hooks");
tcase_add_loop_test(tc, test_time_printf_hook, 0, countof(time_data));
tcase_add_loop_test(tc, test_time_delta_printf_hook, 0, countof(time_delta_data));
diff --git a/src/libstrongswan/tests/test_vectors.c b/src/libstrongswan/tests/suites/test_vectors.c
index f2817d314..242ac9d09 100644
--- a/src/libstrongswan/tests/test_vectors.c
+++ b/src/libstrongswan/tests/suites/test_vectors.c
@@ -21,7 +21,8 @@
START_TEST(test_vectors)
{
- fail_if(lib->crypto->get_test_vector_failures(lib->crypto));
+ u_int failed = lib->crypto->get_test_vector_failures(lib->crypto);
+ fail_if(failed > 0, "%u test vectors failed", failed);
}
END_TEST
diff --git a/src/libstrongswan/tests/suites/test_watcher.c b/src/libstrongswan/tests/suites/test_watcher.c
new file mode 100644
index 000000000..9415bead9
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_watcher.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <library.h>
+
+#include <sched.h>
+#include <unistd.h>
+#include <errno.h>
+
+static char testbuf[1] = "";
+
+static bool readcb(void *data, int fd, watcher_event_t event)
+{
+ ck_assert_int_eq(*(int*)data, fd);
+ ck_assert_int_eq(event, WATCHER_READ);
+
+ if (recv(fd, testbuf, 1, MSG_DONTWAIT) != 1)
+ {
+ ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+ }
+ return TRUE;
+}
+
+START_TEST(test_read)
+{
+ int fd[2];
+ char c;
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd) != -1);
+
+ lib->watcher->add(lib->watcher, fd[0], WATCHER_READ, readcb, &fd[0]);
+
+ for (c = 'a'; c <= 'z'; c++)
+ {
+ ck_assert_int_eq(write(fd[1], &c, 1), 1);
+ while (testbuf[0] != c)
+ {
+ sched_yield();
+ }
+ }
+
+ lib->watcher->remove(lib->watcher, fd[0]);
+ close(fd[0]);
+ close(fd[1]);
+
+ lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+static bool writecb(void *data, int fd, watcher_event_t event)
+{
+ ck_assert_int_eq(event, WATCHER_WRITE);
+ if (send(fd, data, 1, MSG_DONTWAIT) != 1)
+ {
+ ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+ }
+ return TRUE;
+}
+
+START_TEST(test_write)
+{
+ int fd[2];
+ char in = 'x', out;
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd) != -1);
+
+ lib->watcher->add(lib->watcher, fd[1], WATCHER_WRITE, writecb, &in);
+
+ ck_assert_int_eq(read(fd[0], &out, 1), 1);
+ ck_assert_int_eq(out, in);
+
+ lib->watcher->remove(lib->watcher, fd[1]);
+ close(fd[1]);
+ close(fd[0]);
+
+ lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+static bool multiread(void *data, int fd, watcher_event_t event)
+{
+ ck_assert_int_eq(event, WATCHER_READ);
+ if (recv(fd, data, 1, MSG_DONTWAIT) != 1)
+ {
+ ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+ }
+ return TRUE;
+}
+
+START_TEST(test_multiread)
+{
+ int fd[10][2], i;
+ char in, out[countof(fd)];
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ for (i = 0; i < countof(fd); i++)
+ {
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd[i]) != -1);
+ lib->watcher->add(lib->watcher, fd[i][0],
+ WATCHER_READ, multiread, &out[i]);
+ }
+
+ for (i = 0; i < countof(fd); i++)
+ {
+ for (in = 'a'; in <= 'z'; in++)
+ {
+ ck_assert_int_eq(write(fd[i][1], &in, 1), 1);
+ while (out[i] != in)
+ {
+ sched_yield();
+ }
+ }
+ }
+
+ for (i = 0; i < countof(fd); i++)
+ {
+ lib->watcher->remove(lib->watcher, fd[i][0]);
+ close(fd[i][1]);
+ close(fd[i][0]);
+ }
+
+ lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+static bool multiwrite(void *data, int fd, watcher_event_t event)
+{
+ ck_assert_int_eq(event, WATCHER_WRITE);
+ if (send(fd, data, 1, MSG_DONTWAIT) != 1)
+ {
+ ck_assert(errno == EAGAIN || errno == EWOULDBLOCK);
+ }
+ return TRUE;
+}
+
+START_TEST(test_multiwrite)
+{
+ int fd[10][2], i, j;
+ u_char out, in[countof(fd)];
+
+ lib->processor->set_threads(lib->processor, 8);
+
+ for (i = 0; i < countof(fd); i++)
+ {
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fd[i]) != -1);
+ in[i] = i;
+ lib->watcher->add(lib->watcher, fd[i][1],
+ WATCHER_WRITE, multiwrite, &in[i]);
+ }
+
+ for (j = 0; j < 10; j++)
+ {
+ for (i = 0; i < countof(fd); i++)
+ {
+ ck_assert_int_eq(read(fd[i][0], &out, 1), 1);
+ ck_assert_int_eq(out, i);
+ }
+ }
+
+ for (i = 0; i < countof(fd); i++)
+ {
+ lib->watcher->remove(lib->watcher, fd[i][1]);
+ close(fd[i][1]);
+ close(fd[i][0]);
+ }
+
+ lib->processor->cancel(lib->processor);
+}
+END_TEST
+
+Suite *watcher_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("watcher");
+
+ tc = tcase_create("read");
+ tcase_add_test(tc, test_read);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("write");
+ tcase_add_test(tc, test_write);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("multiread");
+ tcase_add_test(tc, test_multiread);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("multiwrite");
+ tcase_add_test(tc, test_multiwrite);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
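Review bot: In test_multiread() the array `out[]` is compared in `while (out[i] != in)` before anything has initialised it, so the first iterations depend on stack contents. A `memset(out, 0, sizeof(out));` before the watchers are registered gives the loop a defined start state. The wait loops here and in test_read() also poll a buffer that a watcher callback fills from another thread, with no synchronisation. That presumably works because sched_yield() is an opaque call, but a semaphore or condvar would make the hand-off explicit and remove the data race.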
diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c
index f85858504..0b26ee128 100644
--- a/src/libstrongswan/tests/test_runner.c
+++ b/src/libstrongswan/tests/test_runner.c
@@ -1,6 +1,8 @@
/*
* Copyright (C) 2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -13,48 +15,170 @@
* for more details.
*/
-#include <unistd.h>
-
#include "test_runner.h"
#include <library.h>
#include <plugins/plugin_feature.h>
+#include <collections/array.h>
+#include <utils/test.h>
#include <dirent.h>
+#include <unistd.h>
+#include <limits.h>
+
+/**
+ * Get a tty color escape character for stderr
+ */
+#define TTY(color) tty_escape_get(2, TTY_FG_##color)
/**
- * Load plugins from builddir
+ * Initialize the lookup table for testable functions (defined in libstrongswan)
*/
-static bool load_plugins()
+static void testable_functions_create() __attribute__ ((constructor(1000)));
+static void testable_functions_create()
{
- enumerator_t *enumerator;
- char *name, path[PATH_MAX], dir[64];
+ testable_functions = hashtable_create(hashtable_hash_str,
+ hashtable_equals_str, 8);
+}
+
+/**
+ * Destroy the lookup table for testable functions
+ */
+static void testable_functions_destroy() __attribute__ ((destructor(1000)));
+static void testable_functions_destroy()
+{
+ testable_functions->destroy(testable_functions);
+ /* if leak detective is enabled plugins are not actually unloaded, which
+ * means their destructor is called AFTER this one when the process
+ * terminates, even though the priority says differently, make sure this
+ * does not crash */
+ testable_functions = NULL;
+}
+
+/**
+ * Load all available test suites
+ */
+static array_t *load_suites(test_configuration_t configs[],
+ test_runner_init_t init)
+{
+ array_t *suites;
+ bool old = FALSE;
+ int i;
- enumerator = enumerator_create_token(PLUGINS, " ", "");
- while (enumerator->enumerate(enumerator, &name))
+ library_init(NULL, "test-runner");
+
+ test_setup_handler();
+
+ if (init && !init(TRUE))
{
- snprintf(dir, sizeof(dir), "%s", name);
- translate(dir, "-", "_");
- snprintf(path, sizeof(path), "%s/%s/.libs", PLUGINDIR, dir);
- lib->plugins->add_path(lib->plugins, path);
+ library_deinit();
+ return NULL;
}
- enumerator->destroy(enumerator);
+ lib->plugins->status(lib->plugins, LEVEL_CTRL);
- return lib->plugins->load(lib->plugins, PLUGINS);
+ if (lib->leak_detective)
+ {
+ old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+ }
+
+ suites = array_create(0, 0);
+
+ for (i = 0; configs[i].suite; i++)
+ {
+ if (configs[i].feature.type == 0 ||
+ lib->plugins->has_feature(lib->plugins, configs[i].feature))
+ {
+ array_insert(suites, -1, configs[i].suite());
+ }
+ }
+
+ if (lib->leak_detective)
+ {
+ lib->leak_detective->set_state(lib->leak_detective, old);
+ }
+
+ if (init)
+ {
+ init(FALSE);
+ }
+ library_deinit();
+
+ return suites;
}
-int main()
+/**
+ * Unload and destroy test suites and associated data
+ */
+static void unload_suites(array_t *suites)
{
- SRunner *sr;
- int nf;
+ test_suite_t *suite;
+ test_case_t *tcase;
- /* test cases are forked and there is no cleanup, so disable leak detective.
- * if test_suite.h is included leak detective is enabled in test cases */
- setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
- /* redirect all output to stderr (to redirect make's stdout to /dev/null) */
- dup2(2, 1);
+ while (array_remove(suites, 0, &suite))
+ {
+ while (array_remove(suite->tcases, 0, &tcase))
+ {
+ array_destroy(tcase->functions);
+ array_destroy(tcase->fixtures);
+ }
+ free(suite);
+ }
+ array_destroy(suites);
+}
- library_init(NULL);
+/**
+ * Run a single test function, return FALSE on failure
+ */
+static bool run_test(test_function_t *tfun, int i)
+{
+ if (test_restore_point())
+ {
+ tfun->cb(i);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Invoke fixture setup/teardown
+ */
+static bool call_fixture(test_case_t *tcase, bool up)
+{
+ enumerator_t *enumerator;
+ test_fixture_t *fixture;
+ bool failure = FALSE;
+
+ enumerator = array_create_enumerator(tcase->fixtures);
+ while (enumerator->enumerate(enumerator, &fixture))
+ {
+ if (test_restore_point())
+ {
+ if (up)
+ {
+ fixture->setup();
+ }
+ else
+ {
+ fixture->teardown();
+ }
+ }
+ else
+ {
+ failure = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return !failure;
+}
+
+/**
+ * Test initialization, initializes libstrongswan for the next run
+ */
+static bool pre_test(test_runner_init_t init)
+{
+ library_init(NULL, "test-runner");
/* use non-blocking RNG to generate keys fast */
lib->settings->set_default_str(lib->settings,
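Review bot: unload_suites() takes each test case out of `suite->tcases` and destroys its `functions` and `fixtures` arrays, but it never releases the test case itself or the `tcases` array, while the suite is released with `free(suite)`. Assuming test cases are heap-allocated the same way suites are (test_case_create() is not part of this hunk), add `free(tcase);` after the two `array_destroy()` calls and `array_destroy(suite->tcases);` before `free(suite);`. pre_test() at the end of this hunk continues in the next one.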
@@ -62,45 +186,305 @@ int main()
lib->settings->get_str(lib->settings,
"libstrongswan.plugins.random.urandom", "/dev/urandom"));
- if (!load_plugins())
+ if (lib->leak_detective)
+ {
+ /* disable leak reports during testing */
+ lib->leak_detective->set_report_cb(lib->leak_detective,
+ NULL, NULL, NULL);
+ }
+ if (init && !init(TRUE))
{
library_deinit();
- return EXIT_FAILURE;
+ return FALSE;
}
- lib->plugins->status(lib->plugins, LEVEL_CTRL);
+ dbg_default_set_level(LEVEL_SILENT);
+ return TRUE;
+}
+
+/**
+ * Failure description
+ */
+typedef struct {
+ char *name;
+ char msg[512 - sizeof(char*) - 2 * sizeof(int)];
+ const char *file;
+ int line;
+ int i;
+ backtrace_t *bt;
+} failure_t;
+
+/**
+ * Data passed to leak report callbacks
+ */
+typedef struct {
+ array_t *failures;
+ char *name;
+ int i;
+ int leaks;
+} report_data_t;
+
+/**
+ * Leak report callback, build failures from leaks
+ */
+static void report_leaks(report_data_t *data, int count, size_t bytes,
+ backtrace_t *bt, bool detailed)
+{
+ failure_t failure = {
+ .name = data->name,
+ .i = data->i,
+ .bt = bt->clone(bt),
+ };
+
+ snprintf(failure.msg, sizeof(failure.msg),
+ "Leak detected: %d allocations using %zu bytes", count, bytes);
+
+ array_insert(data->failures, -1, &failure);
+}
+
+/**
+ * Leak summary callback, check if any leaks found
+ */
+static void sum_leaks(report_data_t *data, int count, size_t bytes,
+ int whitelisted)
+{
+ data->leaks = count;
+}
+
+/**
+ * Do library cleanup and optionally check for memory leaks
+ */
+static bool post_test(test_runner_init_t init, bool check_leaks,
+ array_t *failures, char *name, int i)
+{
+ report_data_t data = {
+ .failures = failures,
+ .name = name,
+ .i = i,
+ };
- sr = srunner_create(NULL);
- srunner_add_suite(sr, bio_reader_suite_create());
- srunner_add_suite(sr, bio_writer_suite_create());
- srunner_add_suite(sr, chunk_suite_create());
- srunner_add_suite(sr, enum_suite_create());
- srunner_add_suite(sr, enumerator_suite_create());
- srunner_add_suite(sr, linked_list_suite_create());
- srunner_add_suite(sr, linked_list_enumerator_suite_create());
- srunner_add_suite(sr, hashtable_suite_create());
- srunner_add_suite(sr, array_suite_create());
- srunner_add_suite(sr, identification_suite_create());
- srunner_add_suite(sr, threading_suite_create());
- srunner_add_suite(sr, utils_suite_create());
- srunner_add_suite(sr, host_suite_create());
- srunner_add_suite(sr, vectors_suite_create());
- srunner_add_suite(sr, printf_suite_create());
- if (lib->plugins->has_feature(lib->plugins,
- PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_RSA)))
- {
- srunner_add_suite(sr, rsa_suite_create());
- }
- if (lib->plugins->has_feature(lib->plugins,
- PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_ECDSA)))
- {
- srunner_add_suite(sr, ecdsa_suite_create());
- }
-
- srunner_run_all(sr, CK_NORMAL);
- nf = srunner_ntests_failed(sr);
-
- srunner_free(sr);
+ if (init)
+ {
+ init(FALSE);
+ }
+ if (check_leaks && lib->leak_detective)
+ {
+ lib->leak_detective->set_report_cb(lib->leak_detective,
+ (leak_detective_report_cb_t)report_leaks,
+ (leak_detective_summary_cb_t)sum_leaks, &data);
+ }
library_deinit();
- return (nf == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+ return data.leaks != 0;
+}
+
+/**
+ * Collect failure information, add failure_t to array
+ */
+static void collect_failure_info(array_t *failures, char *name, int i)
+{
+ failure_t failure = {
+ .name = name,
+ .i = i,
+ .bt = test_failure_backtrace(),
+ };
+
+ failure.line = test_failure_get(failure.msg, sizeof(failure.msg),
+ &failure.file);
+
+ array_insert(failures, -1, &failure);
+}
+
+/**
+ * Print array of collected failure_t to stderr
+ */
+static void print_failures(array_t *failures)
+{
+ failure_t failure;
+
+ backtrace_init();
+
+ while (array_remove(failures, 0, &failure))
+ {
+ fprintf(stderr, " %sFailure in '%s': %s (",
+ TTY(RED), failure.name, failure.msg);
+ if (failure.line)
+ {
+ fprintf(stderr, "%s:%d, ", failure.file, failure.line);
+ }
+ fprintf(stderr, "i = %d)%s\n", failure.i, TTY(DEF));
+ if (failure.bt)
+ {
+ failure.bt->log(failure.bt, stderr, TRUE);
+ failure.bt->destroy(failure.bt);
+ }
+ }
+
+ backtrace_deinit();
+}
+
+/**
+ * Run a single test case with fixtures
+ */
+static bool run_case(test_case_t *tcase, test_runner_init_t init)
+{
+ enumerator_t *enumerator;
+ test_function_t *tfun;
+ int passed = 0;
+ array_t *failures;
+
+ failures = array_create(sizeof(failure_t), 0);
+
+ fprintf(stderr, " Running case '%s': ", tcase->name);
+ fflush(stderr);
+
+ enumerator = array_create_enumerator(tcase->functions);
+ while (enumerator->enumerate(enumerator, &tfun))
+ {
+ int i, rounds = 0;
+
+ for (i = tfun->start; i < tfun->end; i++)
+ {
+ if (pre_test(init))
+ {
+ bool ok = FALSE, leaks = FALSE;
+
+ test_setup_timeout(tcase->timeout);
+
+ if (call_fixture(tcase, TRUE))
+ {
+ if (run_test(tfun, i))
+ {
+ if (call_fixture(tcase, FALSE))
+ {
+ ok = TRUE;
+ }
+ }
+ else
+ {
+ call_fixture(tcase, FALSE);
+ }
+
+ }
+ leaks = post_test(init, ok, failures, tfun->name, i);
+
+ test_setup_timeout(0);
+
+ if (ok)
+ {
+ if (!leaks)
+ {
+ rounds++;
+ fprintf(stderr, "%s+%s", TTY(GREEN), TTY(DEF));
+ }
+ }
+ else
+ {
+ collect_failure_info(failures, tfun->name, i);
+ }
+ if (!ok || leaks)
+ {
+ fprintf(stderr, "%s-%s", TTY(RED), TTY(DEF));
+ }
+ }
+ else
+ {
+ fprintf(stderr, "!");
+ }
+ }
+ fflush(stderr);
+ if (rounds == tfun->end - tfun->start)
+ {
+ passed++;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ fprintf(stderr, "\n");
+
+ print_failures(failures);
+ array_destroy(failures);
+
+ return passed == array_count(tcase->functions);
+}
+
+/**
+ * Run a single test suite
+ */
+static bool run_suite(test_suite_t *suite, test_runner_init_t init)
+{
+ enumerator_t *enumerator;
+ test_case_t *tcase;
+ int passed = 0;
+
+ fprintf(stderr, " Running suite '%s':\n", suite->name);
+
+ enumerator = array_create_enumerator(suite->tcases);
+ while (enumerator->enumerate(enumerator, &tcase))
+ {
+ if (run_case(tcase, init))
+ {
+ passed++;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (passed == array_count(suite->tcases))
+ {
+ fprintf(stderr, " %sPassed all %u '%s' test cases%s\n",
+ TTY(GREEN), array_count(suite->tcases), suite->name, TTY(DEF));
+ return TRUE;
+ }
+ fprintf(stderr, " %sPassed %u/%u '%s' test cases%s\n",
+ TTY(RED), passed, array_count(suite->tcases), suite->name, TTY(DEF));
+ return FALSE;
+}
+
+/**
+ * See header.
+ */
+int test_runner_run(const char *name, test_configuration_t configs[],
+ test_runner_init_t init)
+{
+ array_t *suites;
+ test_suite_t *suite;
+ enumerator_t *enumerator;
+ int passed = 0, result;
+
+ /* redirect all output to stderr (to redirect make's stdout to /dev/null) */
+ dup2(2, 1);
+
+ suites = load_suites(configs, init);
+ if (!suites)
+ {
+ return EXIT_FAILURE;
+ }
+
+ fprintf(stderr, "Running %u '%s' test suites:\n", array_count(suites), name);
+
+ enumerator = array_create_enumerator(suites);
+ while (enumerator->enumerate(enumerator, &suite))
+ {
+ if (run_suite(suite, init))
+ {
+ passed++;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (passed == array_count(suites))
+ {
+ fprintf(stderr, "%sPassed all %u '%s' suites%s\n",
+ TTY(GREEN), array_count(suites), name, TTY(DEF));
+ result = EXIT_SUCCESS;
+ }
+ else
+ {
+ fprintf(stderr, "%sPassed %u of %u '%s' suites%s\n",
+ TTY(RED), passed, array_count(suites), name, TTY(DEF));
+ result = EXIT_FAILURE;
+ }
+
+ unload_suites(suites);
+
+ return result;
}
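Review bot: `passed` is declared `int` in run_suite() and test_runner_run() but is printed with `%u` in the "Passed %u/%u" and "Passed %u of %u" messages. Either declare it `u_int passed = 0;` or print it with `%d` so the conversion matches the argument type. The return type of array_count() is not visible here, so the other `%u` arguments in those fprintf() calls should be checked against its declaration as well.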
diff --git a/src/libstrongswan/tests/test_runner.h b/src/libstrongswan/tests/test_runner.h
index 6315abba7..643b622e5 100644
--- a/src/libstrongswan/tests/test_runner.h
+++ b/src/libstrongswan/tests/test_runner.h
@@ -1,6 +1,6 @@
/*
- * Copyright (C) 2013 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -13,27 +13,65 @@
* for more details.
*/
+/**
+ * @defgroup libtest libtest
+ *
+ * @defgroup test_utils test_utils
+ * @ingroup libtest
+ *
+ * @defgroup test_runner test_runner
+ * @{ @ingroup libtest
+ */
+
#ifndef TEST_RUNNER_H_
#define TEST_RUNNER_H_
-#include <check.h>
-
-Suite *bio_reader_suite_create();
-Suite *bio_writer_suite_create();
-Suite *chunk_suite_create();
-Suite *enum_suite_create();
-Suite *enumerator_suite_create();
-Suite *linked_list_suite_create();
-Suite *linked_list_enumerator_suite_create();
-Suite *hashtable_suite_create();
-Suite *array_suite_create();
-Suite *identification_suite_create();
-Suite *threading_suite_create();
-Suite *utils_suite_create();
-Suite *vectors_suite_create();
-Suite *ecdsa_suite_create();
-Suite *rsa_suite_create();
-Suite *host_suite_create();
-Suite *printf_suite_create();
-
-#endif /** TEST_RUNNER_H_ */
+#include "test_suite.h"
+
+#include <plugins/plugin_feature.h>
+
+typedef struct test_configuration_t test_configuration_t;
+
+/**
+ * Callback called before and after each test case to de-/initialize the
+ * environment (e.g. to load plugins). It is also called before and after the
+ * test suites are loaded.
+ *
+ * It is called after libstrongswan has been initialized and likewise before it
+ * gets deinitialized.
+ *
+ * @param init TRUE during initialization
+ * @return FALSE if de-/init failed
+ */
+typedef bool (*test_runner_init_t)(bool init);
+
+/**
+ * Test configuration, suite constructor with plugin dependency
+ */
+struct test_configuration_t {
+
+ /**
+ * Constructor function to create suite.
+ */
+ test_suite_t *(*suite)();
+
+ /**
+ * Plugin feature this test suite depends on
+ */
+ plugin_feature_t feature;
+};
+
+/**
+ * Run test configuration.
+ *
+ * The configs array must be terminated with a NULL element.
+ *
+ * @param name name of test runner
+ * @param config test suite constructors with dependencies
+ * @param init_cb init/deinit callback
+ * @return test result, EXIT_SUCCESS if all tests passed
+ */
+int test_runner_run(const char *name, test_configuration_t config[],
+ test_runner_init_t init_cb);
+
+#endif /** TEST_RUNNER_H_ @}*/
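Review bot: The comment on test_runner_run() says the array "must be terminated with a NULL element", but the elements are structs, and load_suites() in test_runner.c stops at the first entry whose `suite` member is NULL. I would word it as `The config array must be terminated with an entry whose suite constructor is NULL.` The parameters are also named `config`/`init_cb` here and `configs`/`init` in the definition; using one spelling in both places keeps the Doxygen `@param` names in step with the source.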
diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c
new file mode 100644
index 000000000..0f2e74b7c
--- /dev/null
+++ b/src/libstrongswan/tests/test_suite.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <signal.h>
+#include <unistd.h>
+
+#include <pthread.h>
+
+/**
+ * Failure message buf
+ */
+static char failure_buf[512];
+
+/**
+ * Source file failure occurred
+ */
+static const char *failure_file;
+
+/**
+ * Line of source file failure occurred
+ */
+static int failure_line;
+
+/**
+ * Backtrace of failure, if any
+ */
+static backtrace_t *failure_backtrace;
+
+/**
+ * Longjump restore point when failing
+ */
+sigjmp_buf test_restore_point_env;
+
+/**
+ * See header.
+ */
+test_suite_t* test_suite_create(const char *name)
+{
+ test_suite_t *suite;
+
+ INIT(suite,
+ .name = name,
+ .tcases = array_create(0, 0),
+ );
+ return suite;
+}
+
+/**
+ * See header.
+ */
+test_case_t* test_case_create(const char *name)
+{
+ test_case_t *tcase;
+
+ INIT(tcase,
+ .name = name,
+ .functions = array_create(sizeof(test_function_t), 0),
+ .fixtures = array_create(sizeof(test_fixture_t), 0),
+ .timeout = TEST_FUNCTION_DEFAULT_TIMEOUT,
+ );
+ return tcase;
+}
+
+/**
+ * See header.
+ */
+void test_case_add_checked_fixture(test_case_t *tcase, test_fixture_cb_t setup,
+ test_fixture_cb_t teardown)
+{
+ test_fixture_t fixture = {
+ .setup = setup,
+ .teardown = teardown,
+ };
+ array_insert(tcase->fixtures, -1, &fixture);
+}
+
+/**
+ * See header.
+ */
+void test_case_add_test_name(test_case_t *tcase, char *name,
+ test_function_cb_t cb, int start, int end)
+{
+ test_function_t fun = {
+ .name = name,
+ .cb = cb,
+ .start = start,
+ .end = end,
+ };
+ array_insert(tcase->functions, -1, &fun);
+}
+
+/**
+ * See header.
+ */
+void test_case_set_timeout(test_case_t *tcase, int s)
+{
+ tcase->timeout = s;
+}
+
+/**
+ * See header.
+ */
+void test_suite_add_case(test_suite_t *suite, test_case_t *tcase)
+{
+ array_insert(suite->tcases, -1, tcase);
+}
+
+/**
+ * Main thread performing tests
+ */
+static pthread_t main_thread;
+
+/**
+ * Let test case fail
+ */
+static inline void test_failure()
+{
+ if (pthread_self() == main_thread)
+ {
+ siglongjmp(test_restore_point_env, 1);
+ }
+ else
+ {
+ pthread_kill(main_thread, SIGUSR1);
+ /* how can we stop just the thread? longjmp to a restore point? */
+ }
+}
+
+/**
+ * See header.
+ */
+void test_fail_vmsg(const char *file, int line, char *fmt, va_list args)
+{
+ vsnprintf(failure_buf, sizeof(failure_buf), fmt, args);
+ failure_line = line;
+ failure_file = file;
+
+ test_failure();
+}
+
+/**
+ * See header.
+ */
+void test_fail_msg(const char *file, int line, char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ vsnprintf(failure_buf, sizeof(failure_buf), fmt, args);
+ failure_line = line;
+ failure_file = file;
+ va_end(args);
+
+ test_failure();
+}
+
+/**
+ * Signal handler catching critical and alarm signals
+ */
+static void test_sighandler(int signal)
+{
+ char *signame;
+ bool old = FALSE;
+
+ switch (signal)
+ {
+ case SIGUSR1:
+ /* a different thread failed, abort test */
+ return test_failure();
+ case SIGSEGV:
+ signame = "SIGSEGV";
+ break;
+ case SIGILL:
+ signame = "SIGILL";
+ break;
+ case SIGBUS:
+ signame = "SIGBUS";
+ break;
+ case SIGALRM:
+ signame = "timeout";
+ break;
+ default:
+ signame = "SIG";
+ break;
+ }
+ if (lib->leak_detective)
+ {
+ old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+ }
+ failure_backtrace = backtrace_create(3);
+ if (lib->leak_detective)
+ {
+ lib->leak_detective->set_state(lib->leak_detective, old);
+ }
+ test_fail_msg(NULL, 0, "%s(%d)", signame, signal);
+ /* unable to restore a valid context for that thread, terminate */
+ fprintf(stderr, "\n%s(%d) outside of main thread:\n", signame, signal);
+ failure_backtrace->log(failure_backtrace, stderr, TRUE);
+ fprintf(stderr, "terminating...\n");
+ abort();
+}
+
+/**
+ * See header.
+ */
+void test_setup_handler()
+{
+ struct sigaction action = {
+ .sa_handler = test_sighandler,
+ };
+
+ main_thread = pthread_self();
+
+ /* signal handler inherited by all threads */
+ sigaction(SIGSEGV, &action, NULL);
+ sigaction(SIGILL, &action, NULL);
+ sigaction(SIGBUS, &action, NULL);
+ /* ignore ALRM/USR1, these are catched by main thread only */
+ action.sa_handler = SIG_IGN;
+ sigaction(SIGALRM, &action, NULL);
+ sigaction(SIGUSR1, &action, NULL);
+}
+
+/**
+ * See header.
+ */
+void test_setup_timeout(int s)
+{
+ struct sigaction action = {
+ .sa_handler = test_sighandler,
+ };
+
+ /* This called by main thread only. Setup handler for timeout and
+ * failure cross-thread signaling. */
+ sigaction(SIGALRM, &action, NULL);
+ sigaction(SIGUSR1, &action, NULL);
+
+ alarm(s);
+}
+
+/**
+ * See header.
+ */
+int test_failure_get(char *msg, int len, const char **file)
+{
+ strncpy(msg, failure_buf, len - 1);
+ msg[len - 1] = 0;
+ *file = failure_file;
+ return failure_line;
+}
+
+/**
+ * See header.
+ */
+backtrace_t *test_failure_backtrace()
+{
+ backtrace_t *bt;
+
+ bt = failure_backtrace;
+ failure_backtrace = NULL;
+
+ return bt;
+}
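Review bot: test_failure_get() writes `msg[len - 1]` and passes `len - 1` to strncpy() without checking `len`, so a caller passing 0 or a negative length writes before the buffer and gives strncpy() a huge size_t count. A guard at the top, `if (len <= 0) { *file = failure_file; return failure_line; }`, keeps the copy inside the caller's buffer. Separately, failure_buf, failure_file and failure_line are written by whichever thread calls test_fail_msg(), with no lock visible in this file, so two worker threads failing at the same moment can interleave their messages; a comment on failure_buf saying which failure is expected to win would document that.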
diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h
index 2a2861323..c44f149f5 100644
--- a/src/libstrongswan/tests/test_suite.h
+++ b/src/libstrongswan/tests/test_suite.h
@@ -1,6 +1,8 @@
/*
* Copyright (C) 2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -13,98 +15,318 @@
* for more details.
*/
-#ifndef TEST_UTILS_H_
-#define TEST_UTILS_H_
+/**
+ * @defgroup test_suite test_suite
+ * @{ @ingroup libtest
+ */
+
+#ifndef TEST_SUITE_H_
+#define TEST_SUITE_H_
+
+#define _GNU_SOURCE
+#include <setjmp.h>
-#include <check.h>
#include <library.h>
#include <utils/debug.h>
+#include <utils/backtrace.h>
+#include <collections/array.h>
+
+typedef struct test_suite_t test_suite_t;
+typedef struct test_case_t test_case_t;
+typedef struct test_function_t test_function_t;
+typedef struct test_fixture_t test_fixture_t;
/**
- * Used to mark test cases that use test fixtures.
+ * Default timeout for a single test function
*/
-#define UNIT_TEST_FIXTURE_USED "UNIT_TEST_FIXTURE_USED"
+#define TEST_FUNCTION_DEFAULT_TIMEOUT 2
/**
- * Check for memory leaks and fail if any are encountered.
+ * Test function implementation
*/
-#define CHECK_FOR_LEAKS() do \
-{ \
- if (lib->leak_detective) \
- { \
- if (lib->leak_detective->leaks(lib->leak_detective)) { \
- lib->leak_detective->report(lib->leak_detective, TRUE); \
- } \
- ck_assert_int_eq(lib->leak_detective->leaks(lib->leak_detective), 0); \
- } \
-} \
-while(0)
+typedef void (*test_function_cb_t)(int);
+
+/**
+ * Fixture for a test case.
+ */
+typedef void (*test_fixture_cb_t)(void);
+
+/**
+ * A test suite; a collection of test cases with fixtures
+ */
+struct test_suite_t {
+ /** name of the test suite */
+ const char *name;
+ /** test cases registered, as test_case_t* */
+ array_t *tcases;
+};
/**
- * Extended versions of the START|END_TEST macros that use leak detective.
+ * A test case; multiple test functions using the same fixtures
+ */
+struct test_case_t {
+ /** name of the test case */
+ const char *name;
+ /** tests registered, as test_function_t */
+ array_t *functions;
+ /** fixture for tests, as test_fixture_t */
+ array_t *fixtures;
+ /** timeout for each function, in s */
+ int timeout;
+};
+
+/**
+ * A test function, with optional loop setup
+ */
+struct test_function_t {
+ /** name of test function */
+ char *name;
+ /** tests function registered, test_function_t* */
+ test_function_cb_t cb;
+ /** start for loop test */
+ int start;
+ /** end for loop test */
+ int end;
+};
+
+/**
+ * Registered fixture for a test case
+ */
+struct test_fixture_t {
+ test_fixture_cb_t setup;
+ test_fixture_cb_t teardown;
+};
+
+/**
+ * Create a new test suite
*
- * Since each test case runs in its own fork of the test runner the stuff
- * allocated before the test starts is not freed, so leak detective is disabled
- * by default to prevent false positives. By enabling it right when the test
- * starts we at least capture leaks created by the tested objects/functions and
- * the test case itself. This allows writing test cases for cleanup functions.
+ * @param name name of the test suite
+ * @return test suite
+ */
+test_suite_t* test_suite_create(const char *name);
+
+/**
+ * Create a new test case
*
- * To define test fixture with possibly allocated/destroyed memory that is
- * allocated/freed in a test case use the START|END_SETUP|TEARDOWN macros.
+ * @param name name of test case
+ * @return test case
*/
-#undef START_TEST
-#define START_TEST(name) \
-static void name (int _i CK_ATTRIBUTE_UNUSED) \
-{ \
- tcase_fn_start(""#name, __FILE__, __LINE__); \
- dbg_default_set_level(LEVEL_SILENT); \
- if (lib->leak_detective) \
- { \
- lib->leak_detective->set_state(lib->leak_detective, TRUE); \
- }
+test_case_t* test_case_create(const char *name);
-#undef END_TEST
-#define END_TEST \
- if (!lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
- { \
- CHECK_FOR_LEAKS(); \
- } \
-}
+/**
+ * Add a setup/teardown function to the test case
+ *
+ * @param tcase test case to add a fixture to
+ * @param setup setup function called before each test
+ * @param teardown cleanup function called after each test
+ */
+void test_case_add_checked_fixture(test_case_t *tcase, test_fixture_cb_t setup,
+ test_fixture_cb_t teardown);
+
+/**
+ * Add a test function to a test case, with a name, looped several times
+ *
+ * @param name name of the test case
+ * @param tcase test case to add test function to
+ * @param cb callback function to invoke for test
+ * @param start start of loop counter
+ * @param end end of loop counter
+ */
+void test_case_add_test_name(test_case_t *tcase, char *name,
+ test_function_cb_t cb, int start, int end);
+
+/**
+ * Add a test function to a test case
+ *
+ * @param tcase test case to add test function to
+ * @param cb callback function to invoke for test
+ */
+#define test_case_add_test(tcase, cb) \
+ test_case_add_test_name(tcase, #cb, cb, 0, 1)
+
+/**
+ * Add a test function to a test case, looped several times
+ *
+ * @param tcase test case to add test function to
+ * @param cb callback function to invoke for test
+ * @param start start of loop counter
+ * @param end end of loop counter
+ */
+#define test_case_add_loop_test(tcase, cb, start, end) \
+ test_case_add_test_name(tcase, #cb, cb, start, end)
+
+/**
+ * Set a custom timeout for test functions in a test case
+ *
+ * @param tcase test case to set timeout for
+ * @param s test timeout in s
+ */
+void test_case_set_timeout(test_case_t *tcase, int s);
+
+/**
+ * Add a test function to a test case, looped several times
+ *
+ * @param suite test suite to add test case to
+ * @param tcase test case to add
+ */
+void test_suite_add_case(test_suite_t *suite, test_case_t *tcase);
/**
- * Define a function to setup a test fixture that can be used with the above
- * macros.
+ * sigjmp restore point used by test_restore_point
+ */
+extern sigjmp_buf test_restore_point_env;
+
+/**
+ * Set or return from an execution restore point
+ *
+ * This call sets a restore execution point and returns TRUE after it has
+ * been set up. On test failure, the execution is returned to the restore point
+ * and FALSE is returned to indicate test failure.
+ *
+ * @return TRUE if restore point set, FALSE when restored
*/
-#define START_SETUP(name) \
-static void name() \
-{ \
- lib->set(lib, UNIT_TEST_FIXTURE_USED, (void*)TRUE); \
- if (lib->leak_detective) \
+#define test_restore_point() (sigsetjmp(test_restore_point_env, 1) == 0)
+
+/**
+ * Set up signal handlers for test cases
+ */
+void test_setup_handler();
+
+/**
+ * Set up a timeout to let a test fail
+ *
+ * @param s timeout, 0 to disable timeout
+ */
+void test_setup_timeout(int s);
+
+/**
+ * Get info about a test failure
+ *
+ * @param msg buffer receiving failure info
+ * @param len size of msg buffer
+ * @param file pointer receiving source code file
+ * @return source code line number
+ */
+int test_failure_get(char *msg, int len, const char **file);
+
+/**
+ * Get a backtrace for a failure.
+ *
+ * @return allocated backtrace of test failure, if any
+ */
+backtrace_t *test_failure_backtrace();
+
+/**
+ * Let a test fail and set a message using vprintf style arguments.
+ *
+ * @param file source code file name
+ * @param line source code line number
+ * @param fmt printf format string
+ * @param args argument list for fmt
+ */
+void test_fail_vmsg(const char *file, int line, char *fmt, va_list args);
+
+/**
+ * Let a test fail and set a message using printf style arguments.
+ *
+ * @param file source code file name
+ * @param line source code line number
+ * @param fmt printf format string
+ * @param ... arguments for fmt
+ */
+void test_fail_msg(const char *file, int line, char *fmt, ...);
+
+/**
+ * Check if two integers equal, fail test if not
+ *
+ * @param a first integer
+ * @param b second integer
+ */
+#define test_int_eq(a, b) \
+({ \
+ typeof(a) _a = a; \
+ typeof(b) _b = b; \
+ if (_a != _b) \
{ \
- lib->leak_detective->set_state(lib->leak_detective, TRUE); \
- }
+ test_fail_msg(__FILE__, __LINE__, #a " != " #b " (%d != %d)", _a, _b); \
+ } \
+})
/**
- * End a setup function
+ * Check if two strings equal, fail test if not
+ *
+ * @param a first string
+ * @param b second string
*/
-#define END_SETUP }
+#define test_str_eq(a, b) \
+({ \
+ char* _a = (char*)a; \
+ char* _b = (char*)b; \
+ if (!_a || !_b || !streq(_a, _b)) \
+ { \
+ test_fail_msg(__FILE__, __LINE__, \
+ #a " != " #b " (\"%s\" != \"%s\")", _a, _b); \
+ } \
+})
/**
- * Define a function to teardown a test fixture that can be used with the above
- * macros.
+ * Check if a statement evaluates to TRUE, fail test if not
+ *
+ * @param x statement to evaluate
*/
-#define START_TEARDOWN(name) \
-static void name() \
-{
+#define test_assert(x) \
+({ \
+ if (!(x)) \
+ { \
+ test_fail_msg(__FILE__, __LINE__, #x); \
+ } \
+})
/**
- * End a teardown function
+ * Check if a statement evaluates to TRUE, fail and print a message if not
+ *
+ * @param x statement to evaluate
+ * @param fmt message format string
+ * @param ... fmt printf arguments
*/
-#define END_TEARDOWN \
- if (lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
+#define test_assert_msg(x, fmt, ...) \
+({ \
+ if (!(x)) \
{ \
- CHECK_FOR_LEAKS(); \
+ test_fail_msg(__FILE__, __LINE__, #x ": " fmt, ##__VA_ARGS__); \
} \
-}
+})
+
+
+
+/* "check unit testing" compatibility */
+#define Suite test_suite_t
+#define TCase test_case_t
+#define ck_assert_int_eq test_int_eq
+#define ck_assert test_assert
+#define ck_assert_msg test_assert_msg
+#define ck_assert_str_eq test_str_eq
+#define fail(fmt, ...) test_fail_msg(__FILE__, __LINE__, fmt, ##__VA_ARGS__)
+#define fail_if(x, fmt, ...) \
+({ \
+ if (x) \
+ { \
+ test_fail_msg(__FILE__, __LINE__, #x ": " fmt, ##__VA_ARGS__); \
+ } \
+})
+#define fail_unless test_assert_msg
+#define suite_create test_suite_create
+#define tcase_create test_case_create
+#define tcase_add_checked_fixture test_case_add_checked_fixture
+#define tcase_add_test test_case_add_test
+#define tcase_add_loop_test test_case_add_loop_test
+#define tcase_set_timeout test_case_set_timeout
+#define suite_add_tcase test_suite_add_case
+#define START_TEST(name) static void name (int _i) {
+#define END_TEST }
+#define START_SETUP(name) static void name() {
+#define END_SETUP }
+#define START_TEARDOWN(name) static void name() {
+#define END_TEARDOWN }
-#endif /** TEST_UTILS_H_ */
+#endif /** TEST_SUITE_H_ @}*/
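Review bot: test_assert() hands the stringified expression to test_fail_msg() as the format string (`test_fail_msg(__FILE__, __LINE__, #x);`), so an asserted expression containing `%` (a modulo test, a string literal with a conversion) makes vsnprintf() read variadic arguments that were never passed. Passing it as data fixes that: `test_fail_msg(__FILE__, __LINE__, "%s", #x);`. test_assert_msg, fail_if, test_int_eq and test_str_eq splice `#x`/`#a`/`#b` into the format the same way and would need `"%s: " fmt, #x, ##__VA_ARGS__` or the equivalent. test_str_eq also formats `_a` and `_b` with `%s` on the branch taken when one of them is NULL, and test_int_eq prints with `%d` whatever `typeof(a)` is, so wider operands are misreported.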
diff --git a/src/libstrongswan/tests/test_threading.c b/src/libstrongswan/tests/test_threading.c
deleted file mode 100644
index 0c768b3e2..000000000
--- a/src/libstrongswan/tests/test_threading.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2013 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <sched.h>
-#include <pthread.h>
-
-#include "test_suite.h"
-
-#include <threading/mutex.h>
-
-/*******************************************************************************
- * recursive mutex test
- */
-
-#define THREADS 20
-
-static mutex_t *mutex;
-
-static pthread_barrier_t mutex_barrier;
-
-static int mutex_locked = 0;
-
-static void *mutex_run(void *data)
-{
- int i;
-
- /* wait for all threads before getting in action */
- pthread_barrier_wait(&mutex_barrier);
-
- for (i = 0; i < 100; i++)
- {
- mutex->lock(mutex);
- mutex->lock(mutex);
- mutex->lock(mutex);
- mutex_locked++;
- sched_yield();
- if (mutex_locked > 1)
- {
- fail("two threads locked the mutex concurrently");
- }
- mutex_locked--;
- mutex->unlock(mutex);
- mutex->unlock(mutex);
- mutex->unlock(mutex);
- }
- return NULL;
-}
-
-START_TEST(test_mutex)
-{
- pthread_t threads[THREADS];
- int i;
-
- mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
- for (i = 0; i < 10; i++)
- {
- mutex->lock(mutex);
- mutex->unlock(mutex);
- }
- for (i = 0; i < 10; i++)
- {
- mutex->lock(mutex);
- }
- for (i = 0; i < 10; i++)
- {
- mutex->unlock(mutex);
- }
-
- pthread_barrier_init(&mutex_barrier, NULL, THREADS);
- for (i = 0; i < THREADS; i++)
- {
- pthread_create(&threads[i], NULL, mutex_run, NULL);
- }
- for (i = 0; i < THREADS; i++)
- {
- pthread_join(threads[i], NULL);
- }
- pthread_barrier_destroy(&mutex_barrier);
-
- mutex->destroy(mutex);
-}
-END_TEST
-
-Suite *threading_suite_create()
-{
- Suite *s;
- TCase *tc;
-
- s = suite_create("threading");
-
- tc = tcase_create("recursive mutex");
- tcase_add_test(tc, test_mutex);
- suite_add_tcase(s, tc);
-
- return s;
-}
diff --git a/src/libstrongswan/tests/tests.c b/src/libstrongswan/tests/tests.c
new file mode 100644
index 000000000..9f2adfd15
--- /dev/null
+++ b/src/libstrongswan/tests/tests.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+ if (!lib->plugins->load(lib->plugins, PLUGINS))
+ {
+ return FALSE;
+ }
+ }
+ else
+ {
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ lib->plugins->unload(lib->plugins);
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("libstrongswan", tests, test_runner_init);
+}
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
new file mode 100644
index 000000000..82a5137c1
--- /dev/null
+++ b/src/libstrongswan/tests/tests.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(bio_reader_suite_create)
+TEST_SUITE(bio_writer_suite_create)
+TEST_SUITE(chunk_suite_create)
+TEST_SUITE(enum_suite_create)
+TEST_SUITE(enumerator_suite_create)
+TEST_SUITE(linked_list_suite_create)
+TEST_SUITE(linked_list_enumerator_suite_create)
+TEST_SUITE(hashtable_suite_create)
+TEST_SUITE(array_suite_create)
+TEST_SUITE(identification_suite_create)
+TEST_SUITE(threading_suite_create)
+TEST_SUITE(watcher_suite_create)
+TEST_SUITE(stream_suite_create)
+TEST_SUITE(utils_suite_create)
+TEST_SUITE(settings_suite_create)
+TEST_SUITE(vectors_suite_create)
+TEST_SUITE_DEPEND(ecdsa_suite_create, PRIVKEY_GEN, KEY_ECDSA)
+TEST_SUITE_DEPEND(rsa_suite_create, PRIVKEY_GEN, KEY_RSA)
+TEST_SUITE(host_suite_create)
+TEST_SUITE(printf_suite_create)
+TEST_SUITE(hasher_suite_create)
+TEST_SUITE(crypter_suite_create)
+TEST_SUITE(pen_suite_create)
+TEST_SUITE(asn1_suite_create)
+TEST_SUITE(asn1_parser_suite_create)
+TEST_SUITE(test_rng_suite_create)
+TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
+TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
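Review bot: This header has no include guard and nothing in it says that this is deliberate, although tests.c includes it twice with different definitions of TEST_SUITE and TEST_SUITE_DEPEND. A short comment above the list would keep someone from "fixing" it, for example `/* list of test suites; included several times with different TEST_SUITE/TEST_SUITE_DEPEND definitions, so no include guard */`. It would also help to state there that TEST_SUITE_DEPEND takes the plugin feature type and its argument as the second and third parameters, as the PLUGIN_DEPENDS(type, args) expansion in tests.c shows.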
diff --git a/src/libstrongswan/tests/utils/test_rng.c b/src/libstrongswan/tests/utils/test_rng.c
new file mode 100644
index 000000000..01569509b
--- /dev/null
+++ b/src/libstrongswan/tests/utils/test_rng.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_rng.h"
+
+typedef struct private_rng_t private_rng_t;
+
+/**
+ * Private data.
+ */
+struct private_rng_t {
+
+ /**
+ * Public interface.
+ */
+ rng_t public;
+
+ /**
+ * Entropy string.
+ */
+ chunk_t entropy;
+};
+
+METHOD(rng_t, get_bytes, bool,
+ private_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+ if (bytes > this->entropy.len)
+ {
+ return FALSE;
+ }
+ memcpy(buffer, this->entropy.ptr, bytes);
+ this->entropy = chunk_skip(this->entropy, bytes);
+ return TRUE;
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+ private_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+ if (bytes > this->entropy.len)
+ {
+ *chunk = chunk_empty;
+ return FALSE;
+ }
+
+ *chunk = chunk_alloc(bytes);
+ memcpy(chunk->ptr, this->entropy.ptr, bytes);
+ this->entropy = chunk_skip(this->entropy, bytes);
+ return TRUE;
+}
+
+METHOD(rng_t, destroy, void,
+ private_rng_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+rng_t *test_rng_create(chunk_t entropy)
+{
+ private_rng_t *this;
+
+ INIT(this,
+ .public = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .destroy = _destroy,
+ },
+ .entropy = entropy,
+ );
+
+ return &this->public;
+}
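Review bot: test_rng_create() stores the caller's `entropy` chunk as is (`.entropy = entropy,`) and destroy() frees only `this`, so the rng borrows the buffer and get_bytes()/allocate_bytes() read from it for as long as the object lives. Neither this file nor the `@param entropy` line in test_rng.h says so; I would document it there as `@param entropy entropy test vector, not cloned; must stay valid until destroy()`. The same header comment speaks of a "test_rng_t instance" while the function returns `rng_t *`, which could be corrected in the same pass.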
diff --git a/src/libstrongswan/tests/utils/test_rng.h b/src/libstrongswan/tests/utils/test_rng.h
new file mode 100644
index 000000000..e588f3be7
--- /dev/null
+++ b/src/libstrongswan/tests/utils/test_rng.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * rng_t providing NIST SP 800-90A entropy test vectors
+ *
+ * @defgroup test_rng test_rng
+ * @{ @ingroup test_utils
+ */
+
+#ifndef TEST_RNG_H_
+#define TEST_RNG_H_
+
+#include <library.h>
+
+/**
+ * Creates a test_rng_t instance.
+ *
+ * @param entropy entropy test vector
+ * @return created test_rng_t
+ */
+rng_t *test_rng_create(chunk_t entropy);
+
+#endif /** TEST_RNG_H_ @} */
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index 31b9e1b3a..8d3c30e9b 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -71,7 +71,6 @@ typedef void *(*thread_main_t)(void *arg);
*/
typedef void (*thread_cleanup_t)(void *arg);
-
/**
* Thread wrapper implements simple, portable and advanced thread functions.
*
@@ -110,10 +109,8 @@ struct thread_t {
* a call to exit.
*/
void *(*join)(thread_t *this);
-
};
-
/**
* Create a new thread instance.
*
@@ -168,6 +165,10 @@ bool thread_cancelability(bool enable);
/**
* Force creation of a cancellation point in the calling thread.
+ *
+ * This temporarily enables thread cancelability, tests for a pending
+ * cancellation request and then disables cancelability again if it was
+ * disabled before the call to thread_cancellation_point().
*/
void thread_cancellation_point();
@@ -188,6 +189,4 @@ void threads_init();
*/
void threads_deinit();
-
#endif /** THREADING_THREAD_H_ @} */
-
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index fb2c4d1e8..f1584620b 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -314,7 +314,7 @@ static void print_sourceline(FILE *file, char *filename, void *ptr, void *base)
bool old = FALSE;
bfd_mutex->lock(bfd_mutex);
- if (lib->leak_detective)
+ if (lib && lib->leak_detective)
{
old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
}
@@ -324,7 +324,7 @@ static void print_sourceline(FILE *file, char *filename, void *ptr, void *base)
data.entry = entry;
bfd_map_over_sections(entry->abfd, (void*)find_addr, &data);
}
- if (lib->leak_detective)
+ if (lib && lib->leak_detective)
{
lib->leak_detective->set_state(lib->leak_detective, old);
}
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index 416f58898..16e84c4d9 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -21,12 +21,12 @@
#ifndef BACKTRACE_H_
#define BACKTRACE_H_
+typedef struct backtrace_t backtrace_t;
+
#include <stdio.h>
#include <library.h>
-typedef struct backtrace_t backtrace_t;
-
/**
* A backtrace registers the frames on the stack during creation.
*/
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index fe11a4dfc..20c18554b 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
#ifndef CAP_NET_RAW
# define CAP_NET_RAW 13
#endif
+#ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE 1
+#endif
/**
* POSIX capability dropping abstraction layer.
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 644b8060f..47181719a 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -18,6 +18,9 @@
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
+#ifdef HAVE_MMAP
+# include <sys/mman.h>
+#endif
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
@@ -25,7 +28,6 @@
#include <ctype.h>
#include "chunk.h"
-#include "debug.h"
/**
* Empty chunk.
@@ -206,15 +208,16 @@ void chunk_split(chunk_t chunk, const char *mode, ...)
/**
* Described in header.
*/
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
+bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force)
{
mode_t oldmask;
FILE *fd;
bool good = FALSE;
+ int tmp = 0;
if (!force && access(path, F_OK) == 0)
{
- DBG1(DBG_LIB, " %s file '%s' already exists", label, path);
+ errno = EEXIST;
return FALSE;
}
oldmask = umask(mask);
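Review bot: The `!force` path in chunk_write() decides with `access(path, F_OK)` and only later creates the file, so the check and the creation are two separate steps and anything that appears at `path` in between (including a symlink) is opened anyway. The open call itself lies between this hunk and the next and is not visible here, so this assumes it is a plain fopen() for writing. Creating the file exclusively closes the gap, for example `open(path, O_WRONLY | O_CREAT | (force ? O_TRUNC : O_EXCL), 0666)` followed by `fdopen()`, which also yields EEXIST in errno without the separate access() call. chunk_write()'s body continues past this hunk.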
@@ -223,58 +226,206 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
{
if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
{
- DBG1(DBG_LIB, " written %s file '%s' (%d bytes)",
- label, path, chunk.len);
good = TRUE;
}
else
{
- DBG1(DBG_LIB, " writing %s file '%s' failed: %s",
- label, path, strerror(errno));
+ tmp = errno;
}
fclose(fd);
}
else
{
- DBG1(DBG_LIB, " could not open %s file '%s': %s", label, path,
- strerror(errno));
+ tmp = errno;
}
umask(oldmask);
+ errno = tmp;
return good;
}
/**
* Described in header.
*/
-chunk_t chunk_from_fd(int fd)
+bool chunk_from_fd(int fd, chunk_t *out)
{
- char buf[8096];
- char *pos = buf;
- ssize_t len, total = 0;
+ struct stat sb;
+ char *buf, *tmp;
+ ssize_t len, total = 0, bufsize;
+
+ if (fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode))
+ {
+ bufsize = sb.st_size;
+ }
+ else
+ {
+ bufsize = 256;
+ }
+ buf = malloc(bufsize);
+ if (!buf)
+ { /* for huge files */
+ return FALSE;
+ }
while (TRUE)
{
- len = read(fd, pos, buf + sizeof(buf) - pos);
+ len = read(fd, buf + total, bufsize - total);
if (len < 0)
{
- DBG1(DBG_LIB, "reading from file descriptor failed: %s",
- strerror(errno));
- return chunk_empty;
+ free(buf);
+ return FALSE;
}
if (len == 0)
{
break;
}
total += len;
- if (total == sizeof(buf))
+ if (total == bufsize)
+ {
+ bufsize *= 2;
+ tmp = realloc(buf, bufsize);
+ if (!tmp)
+ {
+ free(buf);
+ return FALSE;
+ }
+ buf = tmp;
+ }
+ }
+ if (total == 0)
+ {
+ free(buf);
+ buf = NULL;
+ }
+ else if (total < bufsize)
+ {
+ buf = realloc(buf, total);
+ }
+ *out = chunk_create(buf, total);
+ return TRUE;
+}
+
+/**
+ * Implementation for mmap()ed chunks
+ */
+typedef struct {
+ /* public chunk interface */
+ chunk_t public;
+ /* FD of open file */
+ int fd;
+ /* mmap() address */
+ void *map;
+ /* size of map */
+ size_t len;
+ /* do we write? */
+ bool wr;
+} mmaped_chunk_t;
+
+/**
+ * See header.
+ */
+chunk_t *chunk_map(char *path, bool wr)
+{
+ mmaped_chunk_t *chunk;
+ struct stat sb;
+ int tmp;
+
+ INIT(chunk,
+ .fd = open(path, wr ? O_RDWR : O_RDONLY),
+ .wr = wr,
+ );
+
+ if (chunk->fd == -1)
+ {
+ free(chunk);
+ return NULL;
+ }
+ if (fstat(chunk->fd, &sb) == -1)
+ {
+ tmp = errno;
+ chunk_unmap(&chunk->public);
+ errno = tmp;
+ return NULL;
+ }
+#ifdef HAVE_MMAP
+ chunk->len = sb.st_size;
+ /* map non-empty files only, as mmap() complains otherwise */
+ if (chunk->len)
+ {
+ /* in read-only mode, we allow writes, but don't sync to disk */
+ chunk->map = mmap(NULL, chunk->len, PROT_READ | PROT_WRITE,
+ wr ? MAP_SHARED : MAP_PRIVATE, chunk->fd, 0);
+ if (chunk->map == MAP_FAILED)
{
- DBG1(DBG_LIB, "buffer too small to read from file descriptor");
- return chunk_empty;
+ tmp = errno;
+ chunk_unmap(&chunk->public);
+ errno = tmp;
+ return NULL;
}
}
- return chunk_clone(chunk_create(buf, total));
+ chunk->public = chunk_create(chunk->map, chunk->len);
+#else /* !HAVE_MMAP */
+ if (!chunk_from_fd(chunk->fd, &chunk->public))
+ {
+ tmp = errno;
+ chunk_unmap(&chunk->public);
+ errno = tmp;
+ return NULL;
+ }
+ chunk->map = chunk->public.ptr;
+ chunk->len = chunk->public.len;
+#endif /* !HAVE_MMAP */
+ return &chunk->public;
}
+/**
+ * See header.
+ */
+bool chunk_unmap(chunk_t *public)
+{
+ mmaped_chunk_t *chunk;
+ bool ret = FALSE;
+ int tmp = 0;
+
+ chunk = (mmaped_chunk_t*)public;
+#ifdef HAVE_MMAP
+ if (chunk->map && chunk->map != MAP_FAILED)
+ {
+ ret = munmap(chunk->map, chunk->len) == 0;
+ tmp = errno;
+ }
+#else /* !HAVE_MMAP */
+ if (chunk->wr)
+ {
+ if (lseek(chunk->fd, 0, SEEK_SET) != -1)
+ {
+ int len, total = 0;
+
+ ret = TRUE;
+ while (total < chunk->len)
+ {
+ len = write(chunk->fd, chunk->map + total, chunk->len - total);
+ if (len <= 0)
+ {
+ ret = FALSE;
+ break;
+ }
+ total += len;
+ }
+ }
+ tmp = errno;
+ }
+ else
+ {
+ ret = TRUE;
+ }
+ free(chunk->map);
+#endif /* !HAVE_MMAP */
+ close(chunk->fd);
+ free(chunk);
+ errno = tmp;
+
+ return ret;
+}
/** hex conversion digits */
static char hexdig_upper[] = "0123456789ABCDEF";
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index d3751da70..33f66caec 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -90,22 +90,52 @@ void chunk_split(chunk_t chunk, const char *mode, ...);
/**
* Write the binary contents of a chunk_t to a file
*
+ * If the write fails, errno is set appropriately.
+ *
* @param chunk contents to write to file
* @param path path where file is written to
- * @param label label specifying file type
* @param mask file mode creation mask
* @param force overwrite existing file by force
* @return TRUE if write operation was successful
*/
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force);
+bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force);
/**
* Store data read from FD into a chunk
*
+ * On error, errno is set appropriately.
+ *
* @param fd file descriptor to read from
- * @return chunk or chunk_empty on failure
+ * @param chunk chunk receiving allocated buffer
+ * @return TRUE if successful, FALSE on failure
+ */
+bool chunk_from_fd(int fd, chunk_t *chunk);
+
+/**
+ * mmap() a file to a chunk
+ *
+ * The returned chunk structure is allocated from heap, but it must be freed
+ * through chunk_unmap(). A user may alter the chunk ptr or len, but must pass
+ * the chunk pointer returned from chunk_map() to chunk_unmap() after use.
+ *
+ * On error, errno is set appropriately.
+ *
+ * @param path path of file to map
+ * @param wr TRUE to sync writes to disk
+ * @return mapped chunk, NULL on error
+ */
+chunk_t *chunk_map(char *path, bool wr);
+
+/**
+ * munmap() a chunk previously mapped with chunk_map()
+ *
+ * When unmapping a writeable map, the return value should be checked to
+ * ensure changes landed on disk.
+ *
+ * @param chunk pointer returned from chunk_map()
+ * @return TRUE of changes written back to file
*/
-chunk_t chunk_from_fd(int fd);
+bool chunk_unmap(chunk_t *chunk);
/**
* Convert a chunk of data to hex encoding.
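Review bot: The `chunk_map()` comment does not say that a mapping obtained with `wr` FALSE is still writable. The implementation in chunk.c maps with `PROT_READ | PROT_WRITE` and `MAP_PRIVATE` in that case, so writes succeed but are silently discarded; I would add `* If wr is FALSE the chunk may still be modified, but changes are never written back to the file.` The length is taken from `fstat()` at map time, so the comment could also tell callers that a file truncated by another process after mapping can fault on access. In the `chunk_unmap()` comment, `@return TRUE of changes written back to file` should read `@return TRUE if changes were written back to file`.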
@@ -191,17 +221,17 @@ static inline void chunk_clear(chunk_t *chunk)
/**
* Initialize a chunk using a char array
*/
-#define chunk_from_chars(...) ((chunk_t){(char[]){__VA_ARGS__}, sizeof((char[]){__VA_ARGS__})})
+#define chunk_from_chars(...) ((chunk_t){(u_char[]){__VA_ARGS__}, sizeof((u_char[]){__VA_ARGS__})})
/**
* Initialize a chunk to point to a thing
*/
-#define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
+#define chunk_from_thing(thing) chunk_create((u_char*)&(thing), sizeof(thing))
/**
* Initialize a chunk from a string, not containing 0-terminator
*/
-#define chunk_from_str(str) ({char *x = (str); chunk_create(x, strlen(x));})
+#define chunk_from_str(str) ({char *x = (str); chunk_create((u_char*)x, strlen(x));})
/**
* Allocate a chunk on the heap
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 9c43ad570..e7eb63bc6 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -332,8 +332,13 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
buf += written;
len -= written;
+ written = 0;
chunk_printable(data, &printable, '?');
- written = snprintf(buf, len, "%.*s", (int)printable.len, printable.ptr);
+ if (printable.ptr)
+ {
+ written = snprintf(buf, len, "%.*s", (int)printable.len,
+ printable.ptr);
+ }
chunk_free(&printable);
if (written < 0 || written >= len)
{
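Review bot: The new `if (printable.ptr)` guard in dntoa() has no comment saying when the pointer can be NULL, so the next reader cannot tell whether it is a real case or dead code. Presumably chunk_printable() leaves `ptr` NULL for an empty value; if so, a line such as `/* empty values yield a NULL ptr, which must not be passed to %.*s */` above the guard would record that. The body of dntoa() starts and ends outside this hunk, so the earlier bounds checks on `len` are not visible here.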
diff --git a/src/libstrongswan/utils/integrity_checker.c b/src/libstrongswan/utils/integrity_checker.c
index d59a76232..b66df02e7 100644
--- a/src/libstrongswan/utils/integrity_checker.c
+++ b/src/libstrongswan/utils/integrity_checker.c
@@ -22,7 +22,6 @@
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
-#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -61,40 +60,17 @@ METHOD(integrity_checker_t, build_file, u_int32_t,
private_integrity_checker_t *this, char *file, size_t *len)
{
u_int32_t checksum;
- chunk_t contents;
- struct stat sb;
- void *addr;
- int fd;
+ chunk_t *contents;
- fd = open(file, O_RDONLY);
- if (fd == -1)
+ contents = chunk_map(file, FALSE);
+ if (!contents)
{
DBG1(DBG_LIB, " opening '%s' failed: %s", file, strerror(errno));
return 0;
}
-
- if (fstat(fd, &sb) == -1)
- {
- DBG1(DBG_LIB, " getting file size of '%s' failed: %s", file,
- strerror(errno));
- close(fd);
- return 0;
- }
-
- addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (addr == MAP_FAILED)
- {
- DBG1(DBG_LIB, " mapping '%s' failed: %s", file, strerror(errno));
- close(fd);
- return 0;
- }
-
- *len = sb.st_size;
- contents = chunk_create(addr, sb.st_size);
- checksum = chunk_hash_static(contents);
-
- munmap(addr, sb.st_size);
- close(fd);
+ *len = contents->len;
+ checksum = chunk_hash_static(*contents);
+ chunk_unmap(contents);
return checksum;
}
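Review bot: The error message kept in build_file() still says `opening '%s' failed`, but `chunk_map()` also returns NULL when `fstat()` or `mmap()` fails, so the log now misreports those cases. A neutral wording such as `DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));` matches what the call does. The result of `chunk_unmap(contents)` is ignored, which is fine for a read-only map, but the failure path still returns 0, which a caller cannot tell apart from a checksum of 0. For an integrity check, a comment on that convention would help.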
@@ -318,4 +294,3 @@ integrity_checker_t *integrity_checker_create(char *checksum_library)
}
return &this->public;
}
-
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 725e04f7c..82eadcb97 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -59,6 +59,21 @@ struct private_leak_detective_t {
* public functions
*/
leak_detective_t public;
+
+ /**
+ * Registered report() function
+ */
+ leak_detective_report_cb_t report_cb;
+
+ /**
+ * Registered report() summary function
+ */
+ leak_detective_summary_cb_t report_scb;
+
+ /**
+ * Registered user data for callbacks
+ */
+ void *report_data;
};
/**
@@ -318,9 +333,16 @@ HOOK(size_t, size, const void *ptr)
*/
static bool register_hooks()
{
+ static bool once = FALSE;
malloc_zone_t *zone;
void *page;
+ if (once)
+ {
+ return TRUE;
+ }
+ once = TRUE;
+
zone = malloc_default_zone();
if (zone->version != MALLOC_ZONE_VERSION)
{
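Review bot: `once = TRUE;` is set before the `zone->version != MALLOC_ZONE_VERSION` check, so a first call that fails would make every later call return TRUE without any hooks installed. The body of that branch is outside the hunk, but if it returns FALSE the flag should only be set on the success path, i.e. move `once = TRUE;` to just before the function's final `return TRUE;`. A short comment on the static flag, e.g. `/* hooks are process-wide, install them only once */`, would also explain why repeated calls are expected.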
@@ -461,7 +483,7 @@ static void* real_realloc(void *ptr, size_t size)
static bool register_hooks()
{
void *buf = real_malloc(8);
- real_realloc(buf, 16);
+ buf = real_realloc(buf, 16);
real_free(buf);
return TRUE;
}
@@ -477,7 +499,7 @@ static bool register_hooks()
char *whitelist[] = {
/* backtraces, including own */
"backtrace_create",
- "safe_strerror",
+ "strerror_safe",
/* pthread stuff */
"pthread_create",
"pthread_setspecific",
@@ -565,7 +587,12 @@ char *whitelist[] = {
*/
static void init_static_allocations()
{
+ struct tm tm;
+ time_t t = 0;
+
tzset();
+ gmtime_r(&t, &tm);
+ localtime_r(&t, &tm);
}
/**
@@ -599,7 +626,8 @@ static bool equals(backtrace_t *a, backtrace_t *b)
* Summarize and print backtraces
*/
static int print_traces(private_leak_detective_t *this,
- FILE *out, int thresh, int thresh_count,
+ leak_detective_report_cb_t cb, void *user,
+ int thresh, int thresh_count,
bool detailed, int *whitelisted, size_t *sum)
{
int leaks = 0;
@@ -652,16 +680,20 @@ static int print_traces(private_leak_detective_t *this,
leaks++;
}
lock->unlock(lock);
+
enumerator = entries->create_enumerator(entries);
while (enumerator->enumerate(enumerator, NULL, &entry))
{
- if (out &&
- (!thresh || entry->bytes >= thresh) &&
- (!thresh_count || entry->count >= thresh_count))
+ if (cb)
{
- fprintf(out, "%d bytes total, %d allocations, %d bytes average:\n",
- entry->bytes, entry->count, entry->bytes / entry->count);
- entry->backtrace->log(entry->backtrace, out, detailed);
+ if (!thresh || entry->bytes >= thresh)
+ {
+ if (!thresh_count || entry->count >= thresh_count)
+ {
+ this->report_cb(this->report_data, entry->count,
+ entry->bytes, entry->backtrace, detailed);
+ }
+ }
}
entry->backtrace->destroy(entry->backtrace);
free(entry);
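Review bot: Inside `if (cb)` the loop calls `this->report_cb(this->report_data, ...)` instead of the `cb` and `user` parameters that print_traces() was just given. usage() passes its own `cb` and `user`, so those are ignored, and if no report callback was registered with set_report_cb() then `this->report_cb` is NULL while `cb` is not, which is a call through a NULL function pointer. The call should be `cb(user, entry->count, entry->bytes, entry->backtrace, detailed);`. print_traces() starts and ends outside this hunk. The affected callers are report() and usage() in the following hunks.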
@@ -681,38 +713,30 @@ METHOD(leak_detective_t, report, void,
int leaks, whitelisted = 0;
size_t sum = 0;
- leaks = print_traces(this, stderr, 0, 0, detailed, &whitelisted, &sum);
- switch (leaks)
+ leaks = print_traces(this, this->report_cb, this->report_data,
+ 0, 0, detailed, &whitelisted, &sum);
+ if (this->report_scb)
{
- case 0:
- fprintf(stderr, "No leaks detected");
- break;
- case 1:
- fprintf(stderr, "One leak detected");
- break;
- default:
- fprintf(stderr, "%d leaks detected, %zu bytes", leaks, sum);
- break;
+ this->report_scb(this->report_data, leaks, sum, whitelisted);
}
- fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
- }
- else
- {
- fprintf(stderr, "Leak detective disabled\n");
}
}
+METHOD(leak_detective_t, set_report_cb, void,
+ private_leak_detective_t *this, leak_detective_report_cb_t cb,
+ leak_detective_summary_cb_t scb, void *user)
+{
+ this->report_cb = cb;
+ this->report_scb = scb;
+ this->report_data = user;
+}
+
METHOD(leak_detective_t, leaks, int,
private_leak_detective_t *this)
{
- if (lib->leak_detective)
- {
- int leaks, whitelisted = 0;
+ int whitelisted = 0;
- leaks = print_traces(this, NULL, 0, 0, FALSE, &whitelisted, NULL);
- return leaks;
- }
- return 0;
+ return print_traces(this, NULL, NULL, 0, 0, FALSE, &whitelisted, NULL);
}
METHOD(leak_detective_t, set_state, bool,
@@ -722,22 +746,26 @@ METHOD(leak_detective_t, set_state, bool,
}
METHOD(leak_detective_t, usage, void,
- private_leak_detective_t *this, FILE *out)
+ private_leak_detective_t *this, leak_detective_report_cb_t cb,
+ leak_detective_summary_cb_t scb, void *user)
{
bool detailed;
- int thresh, thresh_count;
+ int thresh, thresh_count, leaks, whitelisted = 0;
size_t sum = 0;
thresh = lib->settings->get_int(lib->settings,
- "libstrongswan.leak_detective.usage_threshold", 10240);
+ "%s.leak_detective.usage_threshold", 10240, lib->ns);
thresh_count = lib->settings->get_int(lib->settings,
- "libstrongswan.leak_detective.usage_threshold_count", 0);
+ "%s.leak_detective.usage_threshold_count", 0, lib->ns);
detailed = lib->settings->get_bool(lib->settings,
- "libstrongswan.leak_detective.detailed", TRUE);
+ "%s.leak_detective.detailed", TRUE, lib->ns);
- print_traces(this, out, thresh, thresh_count, detailed, NULL, &sum);
-
- fprintf(out, "Total memory usage: %zu\n", sum);
+ leaks = print_traces(this, cb, user, thresh, thresh_count,
+ detailed, &whitelisted, &sum);
+ if (scb)
+ {
+ scb(user, leaks, sum, whitelisted);
+ }
}
/**
@@ -924,6 +952,7 @@ METHOD(leak_detective_t, destroy, void,
lock->destroy(lock);
thread_disabled->destroy(thread_disabled);
free(this);
+ first_header.next = NULL;
}
/*
@@ -936,8 +965,9 @@ leak_detective_t *leak_detective_create()
INIT(this,
.public = {
.report = _report,
- .leaks = _leaks,
+ .set_report_cb = _set_report_cb,
.usage = _usage,
+ .leaks = _leaks,
.set_state = _set_state,
.destroy = _destroy,
},
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 7a29e81d7..3fd0b8c93 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -24,6 +24,30 @@
typedef struct leak_detective_t leak_detective_t;
#include <library.h>
+#include <utils/backtrace.h>
+
+/**
+ * Callback function to report leak/usage information
+ *
+ * @param user user specific data
+ * @param count number of allocations
+ * @param bytes total size of allocations
+ * @param bt backtrace of allocation
+ * @param detailed TRUE to show a detailed backtrace
+ */
+typedef void (*leak_detective_report_cb_t)(void *user, int count, size_t bytes,
+ backtrace_t *bt, bool detailed);
+
+/**
+ * Callback function to report leak/usage summary information
+ *
+ * @param user user specific data
+ * @param count total number of allocations
+ * @param bytes total size of all reported allocations
+ * @param whitelisted number of allocations suppressed by whitelist
+ */
+typedef void (*leak_detective_summary_cb_t)(void* user, int count, size_t bytes,
+ int whitelisted);
/**
* Leak detective finds leaks and bad frees using malloc hooks.
@@ -36,25 +60,39 @@ typedef struct leak_detective_t leak_detective_t;
struct leak_detective_t {
/**
- * Report leaks to stderr.
+ * Report leaks to the registered callback functions.
*
* @param detailed TRUE to resolve line/filename of leak (slow)
*/
void (*report)(leak_detective_t *this, bool detailed);
/**
- * Number of detected leaks.
+ * Report current memory usage to out.
+ * Set callback functions invoked during a report().
*
- * @return number of leaks
+ * @param cb callback invoked for each detected leak
+ * @param scb summary callback invoked at end of report
+ * @param user user data to supply to callbacks
*/
- int (*leaks)(leak_detective_t *this);
+ void (*set_report_cb)(leak_detective_t *this, leak_detective_report_cb_t cb,
+ leak_detective_summary_cb_t scb, void *user);
/**
- * Report current memory usage to out.
+ * Report current memory usage using a callbacks.
+ *
+ * @param cb callback invoked for each allocation
+ * @param scb summary callback invoked at end of usage report
+ * @param user user data supplied to callbacks
+ */
+ void (*usage)(leak_detective_t *this, leak_detective_report_cb_t cb,
+ leak_detective_summary_cb_t scb, void *user);
+
+ /**
+ * Number of detected leaks.
*
- * @param out target to write usage report to
+ * @return number of leaks
*/
- void (*usage)(leak_detective_t *this, FILE *out);
+ int (*leaks)(leak_detective_t *this);
/**
* Enable/disable leak detective hooks for the current thread.
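Review bot: The comment added for `set_report_cb` starts with a leftover line, `Report current memory usage to out.`, which describes the old usage() and contradicts the sentence that follows it. That first line should be dropped so the comment begins with `Set callback functions invoked during a report().` In the usage() comment, `using a callbacks` should read `using callbacks`. Since usage() no longer takes a `FILE *out`, it would help to state that either callback may be NULL, which is what the `if (cb)` and `if (scb)` checks in leak_detective.c allow.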
diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
index d00abef20..c79d4b87a 100644
--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
@@ -122,10 +122,14 @@ size_t print_in_hook(printf_hook_data_t *data, char *fmt, ...)
if (written > data->n)
{
- written = data->n;
+ data->q += data->n;
+ data->n = 0;
+ }
+ else
+ {
+ data->q += written;
+ data->n -= written;
}
- data->q += written;
- data->n += written;
return written;
}
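Review bot: print_in_hook() now returns the untruncated `written` while advancing `data->q` by at most `data->n`, where it previously returned the clamped value, and nothing in the code says this change of contract is intended. A comment above the return, for example `/* like snprintf(), return the length that would have been written */`, would tell hook authors not to use the result as an offset into the buffer. The declaration of `written` and the formatting call are outside the hunk, so it is not visible whether a negative result from the formatter is handled before the `written > data->n` comparison. If `written` is signed, that case deserves an explicit check.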
@@ -725,12 +729,6 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
switch (ch)
{
- case 'P':
- {
- /* Upper case pointer */
- flags |= FL_UPPER;
- /* fall through */
- }
case 'p':
{
/* Pointer */
diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c b/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c
index 8fd1aed4a..5efe1d990 100644
--- a/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c
+++ b/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c
@@ -19,10 +19,10 @@
#include <utils/utils.h>
#include <utils/debug.h>
-#include <printf.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
+#include <printf.h>
typedef struct private_printf_hook_t private_printf_hook_t;
typedef struct printf_hook_handler_t printf_hook_handler_t;
diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c
index 809ca10ab..490490a1e 100644
--- a/src/libstrongswan/utils/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2014 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -20,7 +20,6 @@
#include <stdio.h>
#include <errno.h>
#include <limits.h>
-#include <libgen.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
@@ -31,6 +30,8 @@
#include "settings.h"
+#include "collections/array.h"
+#include "collections/hashtable.h"
#include "collections/linked_list.h"
#include "threading/rwlock.h"
#include "utils/debug.h"
@@ -78,14 +79,19 @@ struct section_t {
char *name;
/**
+ * fallback sections, as section_t
+ */
+ array_t *fallbacks;
+
+ /**
* subsections, as section_t
*/
- linked_list_t *sections;
+ array_t *sections;
/**
* key value pairs, as kv_t
*/
- linked_list_t *kv;
+ array_t *kv;
};
/**
@@ -134,8 +140,6 @@ static section_t *section_create(char *name)
section_t *this;
INIT(this,
.name = strdupnull(name),
- .sections = linked_list_create(),
- .kv = linked_list_create(),
);
return this;
}
@@ -145,37 +149,73 @@ static section_t *section_create(char *name)
*/
static void section_destroy(section_t *this)
{
- this->kv->destroy_function(this->kv, (void*)kv_destroy);
- this->sections->destroy_function(this->sections, (void*)section_destroy);
+ array_destroy_function(this->sections, (void*)section_destroy, NULL);
+ array_destroy_function(this->kv, (void*)kv_destroy, NULL);
+ array_destroy(this->fallbacks);
free(this->name);
free(this);
}
/**
- * Purge contents of a section
+ * Purge contents of a section, returns if section can be safely removed.
*/
-static void section_purge(section_t *this)
+static bool section_purge(section_t *this)
{
- this->kv->destroy_function(this->kv, (void*)kv_destroy);
- this->kv = linked_list_create();
- this->sections->destroy_function(this->sections, (void*)section_destroy);
- this->sections = linked_list_create();
+ section_t *current;
+ int i;
+
+ array_destroy_function(this->kv, (void*)kv_destroy, NULL);
+ this->kv = NULL;
+ /* we ensure sections used as fallback, or configured with fallbacks (or
+ * having any such subsections) are not removed */
+ for (i = array_count(this->sections) - 1; i >= 0; i--)
+ {
+ array_get(this->sections, i, &current);
+ if (section_purge(current))
+ {
+ array_remove(this->sections, i, NULL);
+ section_destroy(current);
+ }
+ }
+ return !this->fallbacks && !array_count(this->sections);
}
/**
* callback to find a section by name
*/
-static bool section_find(section_t *this, char *name)
+static int section_find(const void *a, const void *b)
{
- return streq(this->name, name);
+ const char *key = a;
+ const section_t *item = b;
+ return strcmp(key, item->name);
+}
+
+/**
+ * callback to sort sections by name
+ */
+static int section_sort(const void *a, const void *b, void *user)
+{
+ const section_t *sa = a, *sb = b;
+ return strcmp(sa->name, sb->name);
}
/**
* callback to find a kv pair by key
*/
-static bool kv_find(kv_t *this, char *key)
+static int kv_find(const void *a, const void *b)
+{
+ const char *key = a;
+ const kv_t *item = b;
+ return strcmp(key, item->key);
+}
+
+/**
+ * callback to sort kv pairs by key
+ */
+static int kv_sort(const void *a, const void *b, void *user)
{
- return streq(this->key, key);
+ const kv_t *kva = a, *kvb = b;
+ return strcmp(kva->key, kvb->key);
}
/**
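Review bot: section_destroy() frees `fallbacks` with plain `array_destroy()` while `sections` and `kv` use `array_destroy_function()`, and the reason is not documented: the entries are pointers to sections owned elsewhere in the tree. I would add `/* fallbacks are borrowed references, only the array itself is freed */` on that line. The comment in section_purge() explains that referenced sections are kept, but the function comment could state the invariant directly: a section is only reported as removable when it has no `fallbacks` array and no remaining subsections. Without that, a later change that destroys a section still listed in another section's `fallbacks` would leave a dangling pointer.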
@@ -184,17 +224,16 @@ static bool kv_find(kv_t *this, char *key)
static bool print_key(char *buf, int len, char *start, char *key, va_list args)
{
va_list copy;
+ char *pos = start;
bool res;
- char *pos;
va_copy(copy, args);
- while (start < key)
+ while (TRUE)
{
- pos = strchr(start, '%');
+ pos = memchr(pos, '%', key - pos);
if (!pos)
{
- start += strlen(start) + 1;
- continue;
+ break;
}
pos++;
switch (*pos)
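Review bot: The rewritten loop in print_key() passes `key - pos` to `memchr()` under `while (TRUE)`, so it depends on `pos` never moving past `key`. `pos` is advanced twice per match, here and by the `pos++` in the next hunk. If a `%` ever sat directly before `key`, the difference would go negative and be converted to a very large `size_t`. The visible callers always leave a separator in front of `key`, so this looks unreachable today, but `while (pos < key)` in place of `while (TRUE)` makes the bound explicit at no cost. The function body continues outside this hunk.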
@@ -215,11 +254,7 @@ static bool print_key(char *buf, int len, char *start, char *key, va_list args)
DBG1(DBG_CFG, "settings with %%%c not supported!", *pos);
break;
}
- start = pos;
- if (*start)
- {
- start++;
- }
+ pos++;
}
res = vsnprintf(buf, len, key, copy) < len;
va_end(copy);
@@ -251,14 +286,17 @@ static section_t *find_section_buffered(section_t *section,
{
return NULL;
}
- if (section->sections->find_first(section->sections,
- (linked_list_match_t)section_find,
- (void**)&found, buf) != SUCCESS)
+ if (!strlen(buf))
+ {
+ found = section;
+ }
+ else if (array_bsearch(section->sections, buf, section_find, &found) == -1)
{
if (ensure)
{
found = section_create(buf);
- section->sections->insert_last(section->sections, found);
+ array_insert_create(&section->sections, ARRAY_TAIL, found);
+ array_sort(section->sections, section_sort, NULL);
}
}
if (found && pos)
@@ -269,10 +307,74 @@ static section_t *find_section_buffered(section_t *section,
}
/**
- * Find a section by a given key (thread-safe).
+ * Find all sections via a given key considering fallbacks, using buffered key,
+ * reusable buffer.
+ */
+static void find_sections_buffered(section_t *section, char *start, char *key,
+ va_list args, char *buf, int len, array_t **sections)
+{
+ section_t *found = NULL, *fallback;
+ char *pos;
+ int i;
+
+ if (!section)
+ {
+ return;
+ }
+ pos = strchr(key, '.');
+ if (pos)
+ {
+ *pos = '\0';
+ }
+ if (!print_key(buf, len, start, key, args))
+ {
+ return;
+ }
+ if (pos)
+ { /* restore so we can follow fallbacks */
+ *pos = '.';
+ }
+ if (!strlen(buf))
+ {
+ found = section;
+ }
+ else
+ {
+ array_bsearch(section->sections, buf, section_find, &found);
+ }
+ if (found)
+ {
+ if (pos)
+ {
+ find_sections_buffered(found, start, pos+1, args, buf, len,
+ sections);
+ }
+ else
+ {
+ array_insert_create(sections, ARRAY_TAIL, found);
+ for (i = 0; i < array_count(found->fallbacks); i++)
+ {
+ array_get(found->fallbacks, i, &fallback);
+ array_insert_create(sections, ARRAY_TAIL, fallback);
+ }
+ }
+ }
+ if (section->fallbacks)
+ {
+ for (i = 0; i < array_count(section->fallbacks); i++)
+ {
+ array_get(section->fallbacks, i, &fallback);
+ find_sections_buffered(fallback, start, key, args, buf, len,
+ sections);
+ }
+ }
+}
+
+/**
+ * Ensure that the section with the given key exists (thread-safe).
*/
-static section_t *find_section(private_settings_t *this, section_t *section,
- char *key, va_list args)
+static section_t *ensure_section(private_settings_t *this, section_t *section,
+ const char *key, va_list args)
{
char buf[128], keybuf[512];
section_t *found;
@@ -281,42 +383,101 @@ static section_t *find_section(private_settings_t *this, section_t *section,
{
return NULL;
}
- this->lock->read_lock(this->lock);
+ /* we might have to change the tree */
+ this->lock->write_lock(this->lock);
found = find_section_buffered(section, keybuf, keybuf, args, buf,
- sizeof(buf), FALSE);
+ sizeof(buf), TRUE);
this->lock->unlock(this->lock);
return found;
}
/**
- * Ensure that the section with the given key exists (thread-safe).
+ * Find a section by a given key with its fallbacks (not thread-safe!).
+ * Sections are returned in depth-first order (array is allocated). NULL is
+ * returned if no sections are found.
*/
-static section_t *ensure_section(private_settings_t *this, section_t *section,
- char *key, va_list args)
+static array_t *find_sections(private_settings_t *this, section_t *section,
+ char *key, va_list args)
{
char buf[128], keybuf[512];
- section_t *found;
+ array_t *sections = NULL;
if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
{
return NULL;
}
- /* we might have to change the tree */
+ find_sections_buffered(section, keybuf, keybuf, args, buf,
+ sizeof(buf), &sections);
+ return sections;
+}
+
+/**
+ * Check if the given fallback section already exists
+ */
+static bool fallback_exists(section_t *section, section_t *fallback)
+{
+ if (section == fallback)
+ {
+ return TRUE;
+ }
+ else if (section->fallbacks)
+ {
+ section_t *existing;
+ int i;
+
+ for (i = 0; i < array_count(section->fallbacks); i++)
+ {
+ array_get(section->fallbacks, i, &existing);
+ if (existing == fallback)
+ {
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Ensure that the section with the given key exists and add the given fallback
+ * section (thread-safe).
+ */
+static void add_fallback_to_section(private_settings_t *this,
+ section_t *section, const char *key, va_list args,
+ section_t *fallback)
+{
+ char buf[128], keybuf[512];
+ section_t *found;
+
+ if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+ {
+ return;
+ }
this->lock->write_lock(this->lock);
found = find_section_buffered(section, keybuf, keybuf, args, buf,
sizeof(buf), TRUE);
+ if (!fallback_exists(found, fallback))
+ {
+ /* to ensure sections referred to as fallback are not purged, we create
+ * the array there too */
+ if (!fallback->fallbacks)
+ {
+ fallback->fallbacks = array_create(0, 0);
+ }
+ array_insert_create(&found->fallbacks, ARRAY_TAIL, fallback);
+ }
this->lock->unlock(this->lock);
- return found;
}
/**
* Find the key/value pair for a key, using buffered key, reusable buffer
* If "ensure" is TRUE, the sections (and key/value pair) are created if they
* don't exist.
+ * Fallbacks are only considered if "ensure" is FALSE.
*/
static kv_t *find_value_buffered(section_t *section, char *start, char *key,
va_list args, char *buf, int len, bool ensure)
{
+ int i;
char *pos;
kv_t *kv = NULL;
section_t *found = NULL;
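Review bot: `fallback_exists()` only rejects a fallback that is the section itself or already a direct entry, so add_fallback_to_section() still accepts a cycle such as A falling back to B and B to A. find_sections_buffered() and find_value_buffered() follow `section->fallbacks` with the same key whenever a lookup misses, so on a cycle they would recurse until the stack is exhausted. I would refuse the insert when the target section is reachable from the new fallback, as sketched below. The header comment for `add_fallback` should also state that cycles are rejected. find_value_buffered() starts in this hunk and continues in the next one.

```c
/**
 * Check if target is reachable from section by following fallbacks
 */
static bool fallback_reachable(section_t *section, section_t *target)
{
	section_t *current;
	int i;

	if (section == target)
	{
		return TRUE;
	}
	for (i = 0; i < array_count(section->fallbacks); i++)
	{
		array_get(section->fallbacks, i, &current);
		if (fallback_reachable(current, target))
		{
			return TRUE;
		}
	}
	return FALSE;
}

	/* … unchanged: keybuf setup, write_lock, find_section_buffered() … */
	if (!fallback_exists(found, fallback) &&
		!fallback_reachable(fallback, found))
	{
		/* … unchanged: create fallback->fallbacks, insert into found->fallbacks … */
	}
```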
@@ -330,25 +491,40 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key,
if (pos)
{
*pos = '\0';
- pos++;
-
if (!print_key(buf, len, start, key, args))
{
return NULL;
}
- if (section->sections->find_first(section->sections,
- (linked_list_match_t)section_find,
- (void**)&found, buf) != SUCCESS)
+ /* restore so we can retry for fallbacks */
+ *pos = '.';
+ if (!strlen(buf))
+ {
+ found = section;
+ }
+ else if (array_bsearch(section->sections, buf, section_find,
+ &found) == -1)
{
- if (!ensure)
+ if (ensure)
{
- return NULL;
+ found = section_create(buf);
+ array_insert_create(&section->sections, ARRAY_TAIL, found);
+ array_sort(section->sections, section_sort, NULL);
+ }
+ }
+ if (found)
+ {
+ kv = find_value_buffered(found, start, pos+1, args, buf, len,
+ ensure);
+ }
+ if (!kv && !ensure && section->fallbacks)
+ {
+ for (i = 0; !kv && i < array_count(section->fallbacks); i++)
+ {
+ array_get(section->fallbacks, i, &found);
+ kv = find_value_buffered(found, start, key, args, buf, len,
+ ensure);
}
- found = section_create(buf);
- section->sections->insert_last(section->sections, found);
}
- return find_value_buffered(found, start, pos, args, buf, len,
- ensure);
}
else
{
@@ -356,13 +532,22 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key,
{
return NULL;
}
- if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find,
- (void**)&kv, buf) != SUCCESS)
+ if (array_bsearch(section->kv, buf, kv_find, &kv) == -1)
{
if (ensure)
{
kv = kv_create(buf, NULL);
- section->kv->insert_last(section->kv, kv);
+ array_insert_create(&section->kv, ARRAY_TAIL, kv);
+ array_sort(section->kv, kv_sort, NULL);
+ }
+ else if (section->fallbacks)
+ {
+ for (i = 0; !kv && i < array_count(section->fallbacks); i++)
+ {
+ array_get(section->fallbacks, i, &found);
+ kv = find_value_buffered(found, start, key, args, buf, len,
+ ensure);
+ }
}
}
}
@@ -429,7 +614,7 @@ static void set_value(private_settings_t *this, section_t *section,
}
METHOD(settings_t, get_str, char*,
- private_settings_t *this, char *key, char *def, ...)
+ private_settings_t *this, char *key, char *def, ...)
{
char *value;
va_list args;
@@ -470,7 +655,7 @@ inline bool settings_value_as_bool(char *value, bool def)
}
METHOD(settings_t, get_bool, bool,
- private_settings_t *this, char *key, bool def, ...)
+ private_settings_t *this, char *key, bool def, ...)
{
char *value;
va_list args;
@@ -500,7 +685,7 @@ inline int settings_value_as_int(char *value, int def)
}
METHOD(settings_t, get_int, int,
- private_settings_t *this, char *key, int def, ...)
+ private_settings_t *this, char *key, int def, ...)
{
char *value;
va_list args;
@@ -530,7 +715,7 @@ inline double settings_value_as_double(char *value, double def)
}
METHOD(settings_t, get_double, double,
- private_settings_t *this, char *key, double def, ...)
+ private_settings_t *this, char *key, double def, ...)
{
char *value;
va_list args;
@@ -576,7 +761,7 @@ inline u_int32_t settings_value_as_time(char *value, u_int32_t def)
}
METHOD(settings_t, get_time, u_int32_t,
- private_settings_t *this, char *key, u_int32_t def, ...)
+ private_settings_t *this, char *key, u_int32_t def, ...)
{
char *value;
va_list args;
@@ -588,7 +773,7 @@ METHOD(settings_t, get_time, u_int32_t,
}
METHOD(settings_t, set_str, void,
- private_settings_t *this, char *key, char *value, ...)
+ private_settings_t *this, char *key, char *value, ...)
{
va_list args;
va_start(args, value);
@@ -597,7 +782,7 @@ METHOD(settings_t, set_str, void,
}
METHOD(settings_t, set_bool, void,
- private_settings_t *this, char *key, bool value, ...)
+ private_settings_t *this, char *key, bool value, ...)
{
va_list args;
va_start(args, value);
@@ -606,7 +791,7 @@ METHOD(settings_t, set_bool, void,
}
METHOD(settings_t, set_int, void,
- private_settings_t *this, char *key, int value, ...)
+ private_settings_t *this, char *key, int value, ...)
{
char val[16];
va_list args;
@@ -619,7 +804,7 @@ METHOD(settings_t, set_int, void,
}
METHOD(settings_t, set_double, void,
- private_settings_t *this, char *key, double value, ...)
+ private_settings_t *this, char *key, double value, ...)
{
char val[64];
va_list args;
@@ -632,7 +817,7 @@ METHOD(settings_t, set_double, void,
}
METHOD(settings_t, set_time, void,
- private_settings_t *this, char *key, u_int32_t value, ...)
+ private_settings_t *this, char *key, u_int32_t value, ...)
{
char val[16];
va_list args;
@@ -645,7 +830,7 @@ METHOD(settings_t, set_time, void,
}
METHOD(settings_t, set_default_str, bool,
- private_settings_t *this, char *key, char *value, ...)
+ private_settings_t *this, char *key, char *value, ...)
{
char *old;
va_list args;
@@ -665,63 +850,143 @@ METHOD(settings_t, set_default_str, bool,
}
/**
+ * Data for enumerators
+ */
+typedef struct {
+ /** settings_t instance */
+ private_settings_t *settings;
+ /** sections to enumerate */
+ array_t *sections;
+ /** sections/keys that were already enumerated */
+ hashtable_t *seen;
+} enumerator_data_t;
+
+/**
+ * Destroy enumerator data
+ */
+static void enumerator_destroy(enumerator_data_t *this)
+{
+ this->settings->lock->unlock(this->settings->lock);
+ this->seen->destroy(this->seen);
+ array_destroy(this->sections);
+ free(this);
+}
+
+/**
* Enumerate section names, not sections
*/
-static bool section_filter(void *null, section_t **in, char **out)
+static bool section_filter(hashtable_t *seen, section_t **in, char **out)
{
*out = (*in)->name;
+ if (seen->get(seen, *out))
+ {
+ return FALSE;
+ }
+ seen->put(seen, *out, *out);
return TRUE;
}
+/**
+ * Enumerate sections of the given section
+ */
+static enumerator_t *section_enumerator(section_t *section,
+ enumerator_data_t *data)
+{
+ return enumerator_create_filter(array_create_enumerator(section->sections),
+ (void*)section_filter, data->seen, NULL);
+}
+
METHOD(settings_t, create_section_enumerator, enumerator_t*,
- private_settings_t *this, char *key, ...)
+ private_settings_t *this, char *key, ...)
{
- section_t *section;
+ enumerator_data_t *data;
+ array_t *sections;
va_list args;
+ this->lock->read_lock(this->lock);
va_start(args, key);
- section = find_section(this, this->top, key, args);
+ sections = find_sections(this, this->top, key, args);
va_end(args);
- if (!section)
+ if (!sections)
{
+ this->lock->unlock(this->lock);
return enumerator_create_empty();
}
- this->lock->read_lock(this->lock);
- return enumerator_create_filter(
- section->sections->create_enumerator(section->sections),
- (void*)section_filter, this->lock, (void*)this->lock->unlock);
+ INIT(data,
+ .settings = this,
+ .sections = sections,
+ .seen = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8),
+ );
+ return enumerator_create_nested(array_create_enumerator(sections),
+ (void*)section_enumerator, data, (void*)enumerator_destroy);
}
/**
* Enumerate key and values, not kv_t entries
*/
-static bool kv_filter(void *null, kv_t **in, char **key,
+static bool kv_filter(hashtable_t *seen, kv_t **in, char **key,
void *none, char **value)
{
*key = (*in)->key;
+ if (seen->get(seen, *key))
+ {
+ return FALSE;
+ }
*value = (*in)->value;
+ seen->put(seen, *key, *key);
return TRUE;
}
+/**
+ * Enumerate key/value pairs of the given section
+ */
+static enumerator_t *kv_enumerator(section_t *section, enumerator_data_t *data)
+{
+ return enumerator_create_filter(array_create_enumerator(section->kv),
+ (void*)kv_filter, data->seen, NULL);
+}
+
METHOD(settings_t, create_key_value_enumerator, enumerator_t*,
- private_settings_t *this, char *key, ...)
+ private_settings_t *this, char *key, ...)
{
- section_t *section;
+ enumerator_data_t *data;
+ array_t *sections;
va_list args;
+ this->lock->read_lock(this->lock);
va_start(args, key);
- section = find_section(this, this->top, key, args);
+ sections = find_sections(this, this->top, key, args);
va_end(args);
- if (!section)
+ if (!sections)
{
+ this->lock->unlock(this->lock);
return enumerator_create_empty();
}
- this->lock->read_lock(this->lock);
- return enumerator_create_filter(
- section->kv->create_enumerator(section->kv),
- (void*)kv_filter, this->lock, (void*)this->lock->unlock);
+ INIT(data,
+ .settings = this,
+ .sections = sections,
+ .seen = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8),
+ );
+ return enumerator_create_nested(array_create_enumerator(sections),
+ (void*)kv_enumerator, data, (void*)enumerator_destroy);
+}
+
+METHOD(settings_t, add_fallback, void,
+ private_settings_t *this, const char *key, const char *fallback, ...)
+{
+ section_t *section;
+ va_list args;
+
+ /* find/create the fallback */
+ va_start(args, fallback);
+ section = ensure_section(this, this->top, fallback, args);
+ va_end(args);
+
+ va_start(args, fallback);
+ add_fallback_to_section(this, this->top, key, args, section);
+ va_end(args);
}
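Review bot: add_fallback() passes the result of `ensure_section()` straight to add_fallback_to_section(), but `ensure_section()` returns NULL when the key does not fit `keybuf`. add_fallback_to_section() would then dereference `fallback->fallbacks`. Its own `found` can be NULL as well, because find_section_buffered() returns NULL when print_key() fails, and `fallback_exists(found, fallback)` reads `section->fallbacks` unconditionally. The guard in add_fallback_to_section() should be `if (found && fallback && !fallback_exists(found, fallback))`. Separately, both enumerator constructors keep the read lock until the enumerator is destroyed, which is worth stating in their header comments so callers do not modify settings while enumerating.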
/**
@@ -881,15 +1146,15 @@ static bool parse_section(linked_list_t *contents, char *file, int level,
section->name);
continue;
}
- if (section->sections->find_first(section->sections,
- (linked_list_match_t)section_find,
- (void**)&sub, key) != SUCCESS)
+ if (array_bsearch(section->sections, key, section_find,
+ &sub) == -1)
{
sub = section_create(key);
if (parse_section(contents, file, level, &inner, sub))
{
- section->sections->insert_last(section->sections,
- sub);
+ array_insert_create(&section->sections, ARRAY_TAIL,
+ sub);
+ array_sort(section->sections, section_sort, NULL);
continue;
}
section_destroy(sub);
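Review bot: The new `array_sort(section->sections, section_sort, NULL)` runs after every single `array_insert_create()`, so parsing a section with n new entries re-sorts the whole array n times. The kv hunk below in parse_section and both loops in the section_extend hunk use the same append-then-sort pattern. The sort is needed because `array_bsearch()` is called again on the next iteration, but nothing in the code says so. I would add `/* keep the array sorted, array_bsearch() above relies on it */` at each site, and consider inserting at the sorted position if large configs turn out to be slow. parse_section starts and ends outside this hunk.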
@@ -916,12 +1181,11 @@ static bool parse_section(linked_list_t *contents, char *file, int level,
section->name);
continue;
}
- if (section->kv->find_first(section->kv,
- (linked_list_match_t)kv_find,
- (void**)&kv, key) != SUCCESS)
+ if (array_bsearch(section->kv, key, kv_find, &kv) == -1)
{
kv = kv_create(key, value);
- section->kv->insert_last(section->kv, kv);
+ array_insert_create(&section->kv, ARRAY_TAIL, kv);
+ array_sort(section->kv, kv_sort, NULL);
}
else
{ /* replace with the most recently read value */
@@ -1037,8 +1301,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
}
else
{ /* base relative paths to the directory of the current file */
- char *dir = strdup(file);
- dir = dirname(dir);
+ char *dir = path_dirname(file);
if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat))
{
DBG1(DBG_LIB, "include pattern too long, ignored");
@@ -1092,37 +1355,37 @@ static void section_extend(section_t *base, section_t *extension)
section_t *sec;
kv_t *kv;
- enumerator = extension->sections->create_enumerator(extension->sections);
+ enumerator = array_create_enumerator(extension->sections);
while (enumerator->enumerate(enumerator, (void**)&sec))
{
section_t *found;
- if (base->sections->find_first(base->sections,
- (linked_list_match_t)section_find, (void**)&found,
- sec->name) == SUCCESS)
+ if (array_bsearch(base->sections, sec->name, section_find,
+ &found) != -1)
{
section_extend(found, sec);
}
else
{
- extension->sections->remove_at(extension->sections, enumerator);
- base->sections->insert_last(base->sections, sec);
+ array_remove_at(extension->sections, enumerator);
+ array_insert_create(&base->sections, ARRAY_TAIL, sec);
+ array_sort(base->sections, section_sort, NULL);
}
}
enumerator->destroy(enumerator);
- enumerator = extension->kv->create_enumerator(extension->kv);
+ enumerator = array_create_enumerator(extension->kv);
while (enumerator->enumerate(enumerator, (void**)&kv))
{
kv_t *found;
- if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find,
- (void**)&found, kv->key) == SUCCESS)
+ if (array_bsearch(base->kv, kv->key, kv_find, &found) != -1)
{
found->value = kv->value;
}
else
{
- extension->kv->remove_at(extension->kv, enumerator);
- base->kv->insert_last(base->kv, kv);
+ array_remove_at(extension->kv, enumerator);
+ array_insert_create(&base->kv, ARRAY_TAIL, kv);
+ array_sort(base->kv, kv_sort, NULL);
}
}
enumerator->destroy(enumerator);
@@ -1179,13 +1442,13 @@ static bool load_files_internal(private_settings_t *this, section_t *parent,
}
METHOD(settings_t, load_files, bool,
- private_settings_t *this, char *pattern, bool merge)
+ private_settings_t *this, char *pattern, bool merge)
{
return load_files_internal(this, this->top, pattern, merge);
}
METHOD(settings_t, load_files_section, bool,
- private_settings_t *this, char *pattern, bool merge, char *key, ...)
+ private_settings_t *this, char *pattern, bool merge, char *key, ...)
{
section_t *section;
va_list args;
@@ -1202,7 +1465,7 @@ METHOD(settings_t, load_files_section, bool,
}
METHOD(settings_t, destroy, void,
- private_settings_t *this)
+ private_settings_t *this)
{
section_destroy(this->top);
this->contents->destroy_function(this->contents, (void*)free);
@@ -1232,6 +1495,7 @@ settings_t *settings_create(char *file)
.set_default_str = _set_default_str,
.create_section_enumerator = _create_section_enumerator,
.create_key_value_enumerator = _create_key_value_enumerator,
+ .add_fallback = _add_fallback,
.load_files = _load_files,
.load_files_section = _load_files_section,
.destroy = _destroy,
diff --git a/src/libstrongswan/utils/settings.h b/src/libstrongswan/utils/settings.h
index df0c534e9..46403c4d3 100644
--- a/src/libstrongswan/utils/settings.h
+++ b/src/libstrongswan/utils/settings.h
@@ -269,6 +269,31 @@ struct settings_t {
char *section, ...);
/**
+ * Add a fallback for the given section.
+ *
+ * Example: When the fallback 'section-two' is configured for
+ * 'section-one.two' any failed lookup for a section or key in
+ * 'section-one.two' will result in a lookup for the same section/key
+ * in 'section-two'.
+ *
+ * @note Lookups are depth-first and currently strictly top-down.
+ * For instance, if app.sec had lib1.sec as fallback and lib1 had lib2 as
+ * fallback the keys/sections in lib2.sec would not be considered. But if
+ * app had lib3 as fallback the contents of lib3.sec would (as app is passed
+ * during the initial lookup). In the last example the order during
+ * enumerations would be app.sec, lib1.sec, lib3.sec.
+ *
+ * @note Additional arguments will be applied to both section format
+ * strings so they must be compatible.
+ *
+ * @param section section for which a fallback is configured, printf style
+ * @param fallback fallback section, printf style
+ * @param ... argument list for section and fallback
+ */
+ void (*add_fallback)(settings_t *this, const char *section,
+ const char *fallback, ...);
+
+ /**
* Load settings from the files matching the given pattern.
*
* If merge is TRUE, existing sections are extended, existing values
diff --git a/src/libstrongswan/utils/test.c b/src/libstrongswan/utils/test.c
new file mode 100644
index 000000000..7de5a7661
--- /dev/null
+++ b/src/libstrongswan/utils/test.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test.h"
+
+#include <library.h>
+
+/**
+ * A collection of testable functions
+ */
+hashtable_t *testable_functions;
+
+/*
+ * Described in header.
+ */
+void testable_function_register(char *name, void *fn)
+{
+ if (testable_functions)
+ {
+ bool old = FALSE;
+ if (lib->leak_detective)
+ {
+ old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+ }
+ if (fn)
+ {
+ testable_functions->put(testable_functions, name, fn);
+ }
+ else
+ {
+ testable_functions->remove(testable_functions, name);
+ }
+ if (lib->leak_detective)
+ {
+ lib->leak_detective->set_state(lib->leak_detective, old);
+ }
+ }
+}
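Review bot: `testable_functions->put(testable_functions, name, fn)` hands `name` to the table as-is, and nothing here copies it. If the hashtable stores the key pointer (not visible in this diff), every caller must pass a string that outlives the registration. The `EXPORT_FUNCTION_FOR_TESTS` macro does so with a literal, but the public prototype accepts any `char *`. I would state the contract at the definition, e.g. `/* name is not copied, it must stay valid until unregistered */`, and mirror it in the `@param name` line of the header.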
diff --git a/src/libstrongswan/utils/test.h b/src/libstrongswan/utils/test.h
new file mode 100644
index 000000000..5b7289244
--- /dev/null
+++ b/src/libstrongswan/utils/test.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup test test
+ * @{ @ingroup utils
+ */
+
+#ifndef TEST_H_
+#define TEST_H_
+
+#include "collections/hashtable.h"
+
+/**
+ * Collection of testable functions.
+ *
+ * @note Is initialized only if libtest is loaded.
+ */
+extern hashtable_t *testable_functions;
+
+/**
+ * Register a (possibly static) function so that it can be called from tests.
+ *
+ * @param name name (namespace/function)
+ * @param fn function to register (set to NULL to unregister)
+ */
+void testable_function_register(char *name, void *fn);
+
+/**
+ * Macro to automatically register/unregister a function that can be called
+ * from tests.
+ *
+ * @note The constructor has a priority set so that it runs after the
+ * constructor that creates the hashtable. The destructor, on the other hand,
+ * does not have a priority set, as test coverage would report that function as
+ * untested otherwise.
+ *
+ * @param ns namespace
+ * @param fn function to register
+ */
+#define EXPORT_FUNCTION_FOR_TESTS(ns, fn) \
+static void testable_function_register_##fn() __attribute__ ((constructor(2000))); \
+static void testable_function_register_##fn() \
+{ \
+ testable_function_register(#ns "/" #fn, fn); \
+} \
+static void testable_function_unregister_##fn() __attribute__ ((destructor)); \
+static void testable_function_unregister_##fn() \
+{ \
+ testable_function_register(#ns "/" #fn, NULL); \
+}
+
+/**
+ * Import a registered function so that it can be called from tests.
+ *
+ * @note If the imported function is static (or no conflicting header files
+ * are included) ret can be prefixed with static to declare the function static.
+ *
+ * @note We allocate an arbitrary amount of stack space, hopefully enough for
+ * all arguments.
+ *
+ * @param ns namespace of the function
+ * @param name name of the function
+ * @param ret return type of the function
+ * @param ... arguments of the function
+ */
+#define IMPORT_FUNCTION_FOR_TESTS(ns, name, ret, ...) \
+ret name(__VA_ARGS__) \
+{ \
+ void (*fn)() = NULL; \
+ if (testable_functions) \
+ { \
+ fn = testable_functions->get(testable_functions, #ns "/" #name); \
+ } \
+ if (fn) \
+ { \
+ void *args = __builtin_apply_args(); \
+ __builtin_return(__builtin_apply(fn, args, 16*sizeof(void*))); \
+ } \
+ test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \
+ __builtin_return(NULL); \
+}
+
+#endif /** TEST_H_ @}*/
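Review bot: `__builtin_apply(fn, args, 16*sizeof(void*))` in `IMPORT_FUNCTION_FOR_TESTS` copies a fixed amount of argument stack. An imported function whose stack-passed arguments exceed that would read whatever follows, with no diagnostic. The doc comment admits this ("hopefully enough"), but the limit is a bare literal inside the macro body. I would name it, e.g. `#define TEST_IMPORT_ARGS_SIZE (16 * sizeof(void*))`, and state the limit in the `@note` so that someone importing a function with many or large by-value arguments knows to raise it.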
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index 266fb4357..fe80edb82 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2014 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -14,8 +14,7 @@
* for more details.
*/
-#include "utils.h"
-
+#define _GNU_SOURCE /* for memrchr */
#include <sys/stat.h>
#include <string.h>
#include <stdio.h>
@@ -27,6 +26,8 @@
#include <time.h>
#include <pthread.h>
+#include "utils.h"
+
#include "collections/enumerator.h"
#include "utils/debug.h"
#include "utils/chunk.h"
@@ -102,7 +103,7 @@ void memwipe_noinline(void *ptr, size_t n)
*/
void *memstr(const void *haystack, const char *needle, size_t n)
{
- unsigned const char *pos = haystack;
+ const u_char *pos = haystack;
size_t l;
if (!haystack || !needle || (l = strlen(needle)) == 0)
@@ -122,6 +123,28 @@ void *memstr(const void *haystack, const char *needle, size_t n)
/**
* Described in header.
*/
+void *utils_memrchr(const void *s, int c, size_t n)
+{
+ const u_char *pos;
+
+ if (!s || !n)
+ {
+ return NULL;
+ }
+
+ for (pos = s + n - 1; pos >= (u_char*)s; pos--)
+ {
+ if (*pos == (u_char)c)
+ {
+ return (void*)pos;
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Described in header.
+ */
char* translate(char *str, const char *from, const char *to)
{
char *pos = str;
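Review bot: In `utils_memrchr` the loop `for (pos = s + n - 1; pos >= (u_char*)s; pos--)` decrements `pos` to one element before `s` when the byte is not found. Forming that pointer is undefined behaviour in C, and the comparison can never become false if the buffer starts at the lowest address. `s + n - 1` also does arithmetic on a `const void *`, which is a GNU extension. Indexing from the end avoids both: initialise `const u_char *pos = s;` and use `while (n--) { if (pos[n] == (u_char)c) { return (void*)&pos[n]; } }`.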
@@ -144,6 +167,115 @@ char* translate(char *str, const char *from, const char *to)
/**
* Described in header.
*/
+char* strreplace(const char *str, const char *search, const char *replace)
+{
+ size_t len, slen, rlen, count = 0;
+ char *res, *pos, *found, *dst;
+
+ if (!str || !*str || !search || !*search || !replace)
+ {
+ return (char*)str;
+ }
+ slen = strlen(search);
+ rlen = strlen(replace);
+ if (slen != rlen)
+ {
+ for (pos = (char*)str; (pos = strstr(pos, search)); pos += slen)
+ {
+ found = pos;
+ count++;
+ }
+ if (!count)
+ {
+ return (char*)str;
+ }
+ len = (found - str) + strlen(found) + count * (rlen - slen);
+ }
+ else
+ {
+ len = strlen(str);
+ }
+ found = strstr(str, search);
+ if (!found)
+ {
+ return (char*)str;
+ }
+ dst = res = malloc(len + 1);
+ pos = (char*)str;
+ do
+ {
+ len = found - pos;
+ memcpy(dst, pos, len);
+ dst += len;
+ memcpy(dst, replace, rlen);
+ dst += rlen;
+ pos = found + slen;
+ }
+ while ((found = strstr(pos, search)));
+ strcpy(dst, pos);
+ return res;
+}
+
+/**
+ * Described in header.
+ */
+char* path_dirname(const char *path)
+{
+ char *pos;
+
+ pos = path ? strrchr(path, '/') : NULL;
+
+ if (pos && !pos[1])
+ { /* if path ends with slashes we have to look beyond them */
+ while (pos > path && *pos == '/')
+ { /* skip trailing slashes */
+ pos--;
+ }
+ pos = memrchr(path, '/', pos - path + 1);
+ }
+ if (!pos)
+ {
+ return strdup(".");
+ }
+ while (pos > path && *pos == '/')
+ { /* skip superfluous slashes */
+ pos--;
+ }
+ return strndup(path, pos - path + 1);
+}
+
+/**
+ * Described in header.
+ */
+char* path_basename(const char *path)
+{
+ char *pos, *trail = NULL;
+
+ if (!path || !*path)
+ {
+ return strdup(".");
+ }
+ pos = strrchr(path, '/');
+ if (pos && !pos[1])
+ { /* if path ends with slashes we have to look beyond them */
+ while (pos > path && *pos == '/')
+ { /* skip trailing slashes */
+ pos--;
+ }
+ if (pos == path && *pos == '/')
+ { /* contains only slashes */
+ return strdup("/");
+ }
+ trail = pos + 1;
+ pos = memrchr(path, '/', trail - path);
+ }
+ pos = pos ? pos + 1 : (char*)path;
+ return trail ? strndup(pos, trail - pos) : strdup(pos);
+}
+
+/**
+ * Described in header.
+ */
bool mkdir_p(const char *path, mode_t mode)
{
int len;
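Review bot: In `strreplace`, `dst = res = malloc(len + 1);` is followed directly by `memcpy(dst, pos, len)`, so an allocation failure becomes a write through NULL. A check right after the allocation, `if (!res) { return NULL; }`, would turn that into a reportable error. The header comment would then need to say that NULL means failure, since it currently promises either `str` or an allocated string. `path_dirname` and `path_basename` in the same hunk return the `strdup()`/`strndup()` result unchecked as well, so their callers see NULL in the same situation.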
@@ -251,84 +383,6 @@ char* tty_escape_get(int fd, tty_escape_t escape)
return "";
}
-/**
- * The size of the thread-specific error buffer
- */
-#define STRERROR_BUF_LEN 256
-
-/**
- * Key to store thread-specific error buffer
- */
-static pthread_key_t strerror_buf_key;
-
-/**
- * Only initialize the key above once
- */
-static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
-
-/**
- * Create the key used for the thread-specific error buffer
- */
-static void create_strerror_buf_key()
-{
- pthread_key_create(&strerror_buf_key, free);
-}
-
-/**
- * Retrieve the error buffer assigned to the current thread (or create it)
- */
-static inline char *get_strerror_buf()
-{
- char *buf;
-
- pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
- buf = pthread_getspecific(strerror_buf_key);
- if (!buf)
- {
- buf = malloc(STRERROR_BUF_LEN);
- pthread_setspecific(strerror_buf_key, buf);
- }
- return buf;
-}
-
-#ifdef HAVE_STRERROR_R
-/*
- * Described in header.
- */
-const char *safe_strerror(int errnum)
-{
- char *buf = get_strerror_buf(), *msg;
-
-#ifdef STRERROR_R_CHAR_P
- /* char* version which may or may not return the original buffer */
- msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
-#else
- /* int version returns 0 on success */
- msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
-#endif
- return msg;
-}
-#else /* HAVE_STRERROR_R */
-/* we actually wan't to call strerror(3) below */
-#undef strerror
-/*
- * Described in header.
- */
-const char *safe_strerror(int errnum)
-{
- static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
- char *buf = get_strerror_buf();
-
- /* use a mutex to ensure calling strerror(3) is thread-safe */
- pthread_mutex_lock(&mutex);
- strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
- pthread_mutex_unlock(&mutex);
- buf[STRERROR_BUF_LEN - 1] = '\0';
- return buf;
-}
-#endif /* HAVE_STRERROR_R */
-
-
#ifndef HAVE_CLOSEFROM
/**
* Described in header.
@@ -570,7 +624,7 @@ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};
time_t *time = *((time_t**)(args[0]));
- bool utc = *((bool*)(args[1]));;
+ bool utc = *((int*)(args[1]));
struct tm t;
if (*time == UNDEFINED_TIME)
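Review bot: The cast on the `utc` line changes from `bool*` to `int*` with no comment, so the reason is easy to lose in a later cleanup. Presumably the flag reaches the hook through a variadic call, where `bool` is promoted to `int`, and reading it as a `bool` object was only correct where the two types share a representation. I would record that next to the line, e.g. `/* bool is promoted to int when passed as vararg */`. time_printf_hook starts and ends outside this hunk.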
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index cda7edf08..a55e7d831 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2014 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -30,6 +30,7 @@
#include <string.h>
#include "enum.h"
+#include "utils/strerror.h"
/**
* strongSwan program return codes
@@ -464,6 +465,20 @@ static inline void memwipe(void *ptr, size_t n)
void *memstr(const void *haystack, const char *needle, size_t n);
/**
+ * Replacement for memrchr(3) if it is not provided by the C library.
+ *
+ * @param s start of the memory area to search
+ * @param c character to search
+ * @param n length of memory area to search
+ * @return pointer to the found character or NULL
+ */
+void *utils_memrchr(const void *s, int c, size_t n);
+
+#ifndef HAVE_MEMRCHR
+#define memrchr(s,c,n) utils_memrchr(s,c,n)
+#endif
+
+/**
* Translates the characters in the given string, searching for characters
* in 'from' and mapping them to characters in 'to'.
* The two characters sets 'from' and 'to' must contain the same number of
@@ -472,36 +487,59 @@ void *memstr(const void *haystack, const char *needle, size_t n);
char *translate(char *str, const char *from, const char *to);
/**
- * Creates a directory and all required parent directories.
+ * Replaces all occurrences of search in the given string with replace.
*
- * @param path path to the new directory
- * @param mode permissions of the new directory/directories
- * @return TRUE on success
+ * Allocates memory only if anything is replaced in the string. The original
+ * string is also returned if any of the arguments are invalid (e.g. if search
+ * is empty or any of them are NULL).
+ *
+ * @param str original string
+ * @param search string to search for and replace
+ * @param replace string to replace found occurrences with
+ * @return allocated string, if anything got replaced, str otherwise
*/
-bool mkdir_p(const char *path, mode_t mode);
+char *strreplace(const char *str, const char *search, const char *replace);
/**
- * Thread-safe wrapper around strerror and strerror_r.
+ * Like dirname(3) returns the directory part of the given null-terminated
+ * pathname, up to but not including the final '/' (or '.' if no '/' is found).
+ * Trailing '/' are not counted as part of the pathname.
*
- * This is required because the first is not thread-safe (on some platforms)
- * and the second uses two different signatures (POSIX/GNU) and is impractical
- * to use anyway.
+ * The difference is that it does this in a thread-safe manner (i.e. it does not
+ * use static buffers) and does not modify the original path.
*
- * @param errnum error code (i.e. errno)
- * @return error message
+ * @param path original pathname
+ * @return allocated directory component
*/
-const char *safe_strerror(int errnum);
+char *path_dirname(const char *path);
/**
- * Replace usages of strerror(3) with thread-safe variant.
+ * Like basename(3) returns the filename part of the given null-terminated path,
+ * i.e. the part following the final '/' (or '.' if path is empty or NULL).
+ * Trailing '/' are not counted as part of the pathname.
+ *
+ * The difference is that it does this in a thread-safe manner (i.e. it does not
+ * use static buffers) and does not modify the original path.
+ *
+ * @param path original pathname
+ * @return allocated filename component
*/
-#define strerror(errnum) safe_strerror(errnum)
+char *path_basename(const char *path);
+
+/**
+ * Creates a directory and all required parent directories.
+ *
+ * @param path path to the new directory
+ * @param mode permissions of the new directory/directories
+ * @return TRUE on success
+ */
+bool mkdir_p(const char *path, mode_t mode);
#ifndef HAVE_CLOSEFROM
/**
* Close open file descriptors greater than or equal to lowfd.
*
- * @param lowfd start closing file descriptoros from here
+ * @param lowfd start closing file descriptors from here
*/
void closefrom(int lowfd);
#endif
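Review bot: The `strreplace` documentation says the result is either newly allocated or the original `str`, but it does not tell the caller how to release it safely. Because the function takes `const char *` and may return that same pointer cast to `char *`, an unconditional `free()` on the result would free memory the caller does not own. I would extend the `@return` line with `caller must free() the result only if it differs from str`.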
diff --git a/src/libstrongswan/utils/utils/strerror.c b/src/libstrongswan/utils/utils/strerror.c
new file mode 100644
index 000000000..95e463f5f
--- /dev/null
+++ b/src/libstrongswan/utils/utils/strerror.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2012-2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <pthread.h>
+
+#include "strerror.h"
+
+/**
+ * The size of the thread-specific error buffer
+ */
+#define STRERROR_BUF_LEN 256
+
+/**
+ * Key to store thread-specific error buffer
+ */
+static pthread_key_t strerror_buf_key;
+
+/**
+ * Only initialize the key above once
+ */
+static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
+
+/**
+ * Create the key used for the thread-specific error buffer
+ */
+static void create_strerror_buf_key()
+{
+ pthread_key_create(&strerror_buf_key, free);
+}
+
+/**
+ * Retrieve the error buffer assigned to the current thread (or create it)
+ */
+static inline char *get_strerror_buf()
+{
+ char *buf;
+
+ pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
+ buf = pthread_getspecific(strerror_buf_key);
+ if (!buf)
+ {
+ buf = malloc(STRERROR_BUF_LEN);
+ pthread_setspecific(strerror_buf_key, buf);
+ }
+ return buf;
+}
+
+#ifdef HAVE_STRERROR_R
+/*
+ * Described in header.
+ */
+const char *strerror_safe(int errnum)
+{
+ char *buf = get_strerror_buf(), *msg;
+
+#ifdef STRERROR_R_CHAR_P
+ /* char* version which may or may not return the original buffer */
+ msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
+#else
+ /* int version returns 0 on success */
+ msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
+#endif
+ return msg;
+}
+#else /* HAVE_STRERROR_R */
+/* we actually wan't to call strerror(3) below */
+#undef strerror
+/*
+ * Described in header.
+ */
+const char *strerror_safe(int errnum)
+{
+ static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+ char *buf = get_strerror_buf();
+
+ /* use a mutex to ensure calling strerror(3) is thread-safe */
+ pthread_mutex_lock(&mutex);
+ strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
+ pthread_mutex_unlock(&mutex);
+ buf[STRERROR_BUF_LEN - 1] = '\0';
+ return buf;
+}
+#endif /* HAVE_STRERROR_R */
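Review bot: `get_strerror_buf()` returns the result of `malloc(STRERROR_BUF_LEN)` unchecked, and both `strerror_safe` variants pass it straight on to `strerror_r()` or `strncpy()`. Error reporting is typically reached when something has already gone wrong, including out-of-memory, so this is the path where a NULL buffer is most likely. Both variants could start with `if (!buf) { return "Unknown error"; }`, which matches the fallback string the int-returning `strerror_r` branch already uses. The return value of `pthread_setspecific()` is ignored too. If it fails, each call allocates a fresh buffer that is never freed.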
diff --git a/src/libstrongswan/utils/utils/strerror.h b/src/libstrongswan/utils/utils/strerror.h
new file mode 100644
index 000000000..2cb76f12e
--- /dev/null
+++ b/src/libstrongswan/utils/utils/strerror.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2012-2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @{ @ingroup utils
+ */
+
+#ifndef STRERROR_H_
+#define STRERROR_H_
+
+/**
+ * Thread-safe wrapper around strerror and strerror_r.
+ *
+ * This is required because the first is not thread-safe (on some platforms)
+ * and the second uses two different signatures (POSIX/GNU) and is impractical
+ * to use anyway.
+ *
+ * @param errnum error code (i.e. errno)
+ * @return error message
+ */
+const char *strerror_safe(int errnum);
+
+/**
+ * Replace usages of strerror(3) with thread-safe variant.
+ */
+#define strerror(errnum) strerror_safe(errnum)
+
+#endif /** STRERROR_H_ @}*/
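Review bot: `#define strerror(errnum) strerror_safe(errnum)` is defined without this header including `<string.h>` first. A translation unit that includes `<string.h>` after it gets the libc prototype rewritten into a second declaration of `strerror_safe` with a `char *` return type, which conflicts with the `const char *` one above. The include reordering in utils.c in this same commit looks like a workaround for exactly that. Adding `#include <string.h>` at the top of this header, before the macro, makes the include order irrelevant.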
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 5e8660a41..87ae2a63d 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6d33d843d..6b51e7593 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -471,6 +471,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
.application = application,
.purpose = purpose,
);
+ lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
this->crypto = tls_crypto_create(&this->public, cache);
this->alert = tls_alert_create();
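Review bot: `lib->settings->add_fallback(...)` is called on every `tls_create()`, so the shared settings object is modified once per TLS instance instead of once per process. The `add_fallback` method body added in settings.c in this commit takes no lock itself, while `create_key_value_enumerator` takes `read_lock`. Unless `ensure_section`/`add_fallback_to_section` lock internally and skip an already registered fallback (not visible here), concurrent `tls_create()` calls can race or grow the fallback list. I would register the fallback once during library or plugin initialisation, or at least document the requirement at the call, e.g. `/* add_fallback() must be idempotent and thread-safe, called per TLS instance */`. tls_create continues outside this hunk.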
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 12aa049a2..cc73ebaeb 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -711,7 +711,8 @@ static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
int i, remaining = 0;
char *token, *config;
- config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
+ config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
+ lib->ns);
if (config)
{
for (i = 0; i < *count; i++)
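Review bot: The lookup key changes from `libtls.key_exchange` to `%s.tls.key_exchange`, so an administrator's existing `libtls.*` restriction is only honoured through the fallback registered in `tls_create()`. Because the filter is skipped entirely when `get_str()` returns NULL (`if (config)`), a missing or late fallback does not fail. It silently leaves the suite list unfiltered. The same applies to the `cipher`, `mac` and `suites` lookups in the three hunks below. I would add a comment at each lookup such as `/* falls back to libtls.<key>, see add_fallback() in tls_create() */`, and cover a `libtls.suites`-only configuration in a test. filter_key_exchange_config_suites starts and ends outside this hunk.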
@@ -765,7 +766,8 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this,
int i, remaining = 0;
char *token, *config;
- config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
+ config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
+ lib->ns);
if (config)
{
for (i = 0; i < *count; i++)
@@ -830,7 +832,8 @@ static void filter_mac_config_suites(private_tls_crypto_t *this,
int i, remaining = 0;
char *token, *config;
- config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
+ config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
+ lib->ns);
if (config)
{
for (i = 0; i < *count; i++)
@@ -879,7 +882,8 @@ static void filter_specific_config_suites(private_tls_crypto_t *this,
int i, remaining = 0, suite;
char *token, *config;
- config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
+ config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
+ lib->ns);
if (config)
{
for (i = 0; i < *count; i++)
diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk
index 4d2803a97..68f85c252 100644
--- a/src/libtnccs/Android.mk
+++ b/src/libtnccs/Android.mk
@@ -35,7 +35,6 @@ endif
# build libtncif ---------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/libtls \
$(strongswan_PATH)/src/libtncif \
$(strongswan_PATH)/src/libstrongswan
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index bacea4346..745850ac1 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -270,8 +270,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -339,6 +337,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -427,12 +430,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -447,6 +454,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 79f91f72f..1f839853c 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
index 7c52ab384..2d556d9d9 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
@@ -302,7 +302,7 @@ METHOD(imc_t, destroy, void,
private_tnc_imc_t *this)
{
if (this->handle && lib->settings->get_bool(lib->settings,
- "libtnccs.plugins.tnc-imc.dlclose", TRUE))
+ "%s.plugins.tnc-imc.dlclose", TRUE, lib->ns))
{
dlclose(this->handle);
}
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c b/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c
index 311598fa9..459b6d710 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c
@@ -224,7 +224,7 @@ METHOD(imc_manager_t, get_preferred_language, char*,
private_tnc_imc_manager_t *this)
{
return lib->settings->get_str(lib->settings,
- "libtnccs.plugins.tnc-imc.preferred_language", "en");
+ "%s.plugins.tnc-imc.preferred_language", "en", lib->ns);
}
METHOD(imc_manager_t, notify_connection_change, void,
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 20087a7a2..45c3569ac 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
index ebf904513..ab2e55253 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
@@ -298,7 +298,7 @@ METHOD(imv_t, destroy, void,
private_tnc_imv_t *this)
{
if (this->handle && lib->settings->get_bool(lib->settings,
- "libtnccs.plugins.tnc-imv.dlclose", TRUE))
+ "%s.plugins.tnc-imv.dlclose", TRUE, lib->ns))
{
dlclose(this->handle);
}
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
index b4f131b5d..56245015b 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
@@ -21,7 +21,6 @@
#include <sys/types.h>
#include <sys/stat.h>
-#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
@@ -461,7 +460,8 @@ imv_manager_t* tnc_imv_manager_create(void)
policy = enum_from_name(recommendation_policy_names,
lib->settings->get_str(lib->settings,
- "libtnccs.plugins.tnc-imv.recommendation_policy", "default"));
+ "%s.plugins.tnc-imv.recommendation_policy",
+ "default", lib->ns));
this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
recommendation_policy_names, this->policy);
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 776469098..21ed94de2 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index 76b453a0a..7b4d53ed2 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -230,8 +230,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -299,6 +297,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -387,12 +390,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -407,6 +414,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
index 91854b587..28c5e52b7 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
@@ -662,7 +662,7 @@ tnccs_t* tnccs_11_create(bool is_server,
.callback = cb,
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.max_msg_len = lib->settings->get_int(lib->settings,
- "libtnccs.plugins.tnccs-11.max_message_size", 45000),
+ "%s.plugins.tnccs-11.max_message_size", 45000, lib->ns),
.ref = 1,
);
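Review bot: The value stored in `max_msg_len` comes straight from the configuration with no range check, here and for `max_batch_len` and `max_msg_len` in tnccs_20_create. If the field is an unsigned type (its declaration is outside the hunk), a negative `max_message_size` would become a very large limit and effectively remove the bound on peer-supplied message sizes. Consider reading the setting into a local int first and falling back to the default when it is not positive, e.g. `if (len <= 0) len = 45000;`. The initializer belongs to tnccs_11_create, which starts and ends outside the hunk.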
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 0bb3c7314..63010c301 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -231,8 +231,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -300,6 +298,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -388,12 +391,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -408,6 +415,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index b631ef579..f78b85a68 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -1063,9 +1063,9 @@ tnccs_t* tnccs_20_create(bool is_server,
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.messages = linked_list_create(),
.max_batch_len = lib->settings->get_int(lib->settings,
- "libtnccs.plugins.tnccs-20.max_batch_size", 65522),
+ "%s.plugins.tnccs-20.max_batch_size", 65522, lib->ns),
.max_msg_len = lib->settings->get_int(lib->settings,
- "libtnccs.plugins.tnccs-20.max_message_size", 65490),
+ "%s.plugins.tnccs-20.max_message_size", 65490, lib->ns),
.ref = 1,
);
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index d38aa13cc..6a99188ef 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -220,8 +220,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -289,6 +287,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -377,12 +380,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -397,6 +404,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/libtnccs/tnc/tnc.c b/src/libtnccs/tnc/tnc.c
index 3a5b84596..e002b10e0 100644
--- a/src/libtnccs/tnc/tnc.c
+++ b/src/libtnccs/tnc/tnc.c
@@ -13,14 +13,15 @@
* for more details.
*/
-#include "tnc.h"
-
+#define _GNU_SOURCE /* for stdndup() */
#include <sys/types.h>
#include <sys/stat.h>
-#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
+#include <string.h>
+
+#include "tnc.h"
#include <utils/lexparser.h>
#include <utils/debug.h>
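Review bot: The comment on the new `#define _GNU_SOURCE` names a function that does not exist; it presumably means strndup(), which matches the `<string.h>` include added in the same hunk. Suggested line: `#define _GNU_SOURCE /* for strndup() */`.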
@@ -71,8 +72,10 @@ void libtnccs_init(void)
},
.ref = 1,
);
-
tnc = &this->public;
+ lib->settings->add_fallback(lib->settings, "%s.tnc", "libtnccs", lib->ns);
+ lib->settings->add_fallback(lib->settings, "%s.plugins", "libtnccs.plugins",
+ lib->ns);
}
/**
@@ -94,10 +97,8 @@ void libtnccs_deinit(void)
static bool load_imcvs_from_config(char *filename, bool is_imc)
{
bool success = FALSE;
- int fd, line_nr = 0;
- chunk_t src, line;
- struct stat sb;
- void *addr;
+ int line_nr = 0;
+ chunk_t *src, line;
char *label;
if (!filename || !*filename)
@@ -108,30 +109,15 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
label = is_imc ? "IMC" : "IMV";
DBG1(DBG_TNC, "loading %ss from '%s'", label, filename);
- fd = open(filename, O_RDONLY);
- if (fd == -1)
+ src = chunk_map(filename, FALSE);
+ if (!src)
{
DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename,
strerror(errno));
return FALSE;
}
- if (fstat(fd, &sb) == -1)
- {
- DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename,
- strerror(errno));
- close(fd);
- return FALSE;
- }
- addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
- if (addr == MAP_FAILED)
- {
- DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno));
- close(fd);
- return FALSE;
- }
- src = chunk_create(addr, sb.st_size);
- while (fetchline(&src, &line))
+ while (fetchline(src, &line))
{
char *name, *path;
chunk_t token;
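Review bot: The single failure branch after `chunk_map()` still logs "opening configuration file ... failed", although it now also stands in for the stat and mapping failures that the removed code reported separately. It also relies on chunk_map() leaving errno set on every failure path, which is not visible here. A neutral wording such as `"mapping configuration file '%s' failed: %s"` would match what the call does. The removed mapping was `PROT_READ | PROT_WRITE` and the new call passes FALSE, so if that argument selects a writable mapping, any parsing code outside this hunk that still writes into the line buffer should be checked. load_imcvs_from_config continues outside the hunk.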
@@ -201,8 +187,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
break;
}
}
- munmap(addr, sb.st_size);
- close(fd);
+ chunk_unmap(src);
return success;
}
@@ -266,10 +251,9 @@ bool tnc_manager_register(plugin_t *plugin, plugin_feature_t *feature,
{
load_imcvs_from_config(
lib->settings->get_str(lib->settings,
- "libtnccs.tnc_config", "/etc/tnc_config"),
+ "%s.tnc.tnc_config", "/etc/tnc_config", lib->ns),
is_imc);
}
}
return TRUE;
}
-
diff --git a/src/libtncif/Android.mk b/src/libtncif/Android.mk
index 13ce6e11a..36d3f4c33 100644
--- a/src/libtncif/Android.mk
+++ b/src/libtncif/Android.mk
@@ -13,7 +13,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libtncif_la_SOURCES))
# build libtncif ---------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/libstrongswan
LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index b8c83491f..66ac31127 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -182,8 +182,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -251,6 +249,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -339,12 +342,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -359,6 +366,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 244df091f..08033c461 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -234,8 +234,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -303,6 +301,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -391,12 +394,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -411,6 +418,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/manager/main.c b/src/manager/main.c
index 5c845b157..b6169082f 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -34,7 +34,7 @@ int main (int arc, char *argv[])
bool debug;
int threads, timeout;
- library_init(NULL);
+ library_init(NULL, "manager");
if (!lib->plugins->load(lib->plugins,
lib->settings->get_str(lib->settings, "manager.load", PLUGINS)))
{
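Review bot: The return value of `library_init(NULL, "manager")` is discarded, so main() carries on with plugin loading even when library initialization fails; the same applies to `library_init(NULL, "medsrv")` in src/medsrv/main.c. openac and pki in this same commit test the result and exit with SS_RC_LIBSTRONGSWAN_INTEGRITY, which suggests the call can fail on an integrity check. Suggest `if (!library_init(NULL, "manager")) { library_deinit(); return 1; }`, or the exit code the other tools use if it is available here. main() continues outside the hunk.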
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 385bb8e70..5452a419a 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -223,8 +223,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -292,6 +290,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -380,12 +383,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -400,6 +407,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 6f08b97e5..745fcc359 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -33,7 +33,7 @@ int main(int arc, char *argv[])
char *uri;
int timeout, threads;
- library_init(NULL);
+ library_init(NULL, "medsrv");
if (!lib->plugins->load(lib->plugins,
lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS)))
{
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index e9023b820..b5e00bee6 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 7074d44be..8862e9ab0 100644
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -29,6 +29,7 @@
#include <getopt.h>
#include <ctype.h>
#include <time.h>
+#include <errno.h>
#include <library.h>
#include <utils/debug.h>
@@ -228,7 +229,7 @@ int main(int argc, char **argv)
/* initialize library */
atexit(library_deinit);
- if (!library_init(NULL))
+ if (!library_init(NULL, "openac"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
@@ -515,11 +516,18 @@ int main(int argc, char **argv)
/* write the attribute certificate to file */
if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
{
- if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
+ if (chunk_write(attr_chunk, outfile, 0022, TRUE))
{
+ DBG1(DBG_APP, " written attribute cert file '%s' (%d bytes)",
+ outfile, attr_chunk.len);
write_serial(serial);
status = 0;
}
+ else
+ {
+ DBG1(DBG_APP, " writing attribute cert file '%s' failed: %s",
+ outfile, strerror(errno));
+ }
}
}
else
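Review bot: The added success message prints `attr_chunk.len` with `%d`; if `len` is a size_t, as chunk lengths usually are, the conversion does not match the argument on LP64 targets. Cast explicitly, `outfile, (int)attr_chunk.len);`, or use `%zu` if the debug printf supports it. The new failure branch also assumes errno still holds the value set inside chunk_write() when `strerror(errno)` runs, which is true only if chunk_write() does nothing after the failing call that resets it. main() starts and ends outside the hunk.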
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 1101366d1..461d958da 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -231,8 +231,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -300,6 +298,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -388,12 +391,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -408,6 +415,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/pki/command.c b/src/pki/command.c
index 984da59b4..b6966ee0b 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -29,7 +29,7 @@
/**
* Registered commands.
*/
-command_t cmds[MAX_COMMANDS];
+static command_t cmds[MAX_COMMANDS];
/**
* active command.
@@ -55,12 +55,12 @@ static options_t *options;
/**
* Global options used by all subcommands
*/
-static struct option command_opts[MAX_COMMANDS > MAX_OPTIONS ?: MAX_OPTIONS];
+static struct option command_opts[MAX_COMMANDS > MAX_OPTIONS ? MAX_COMMANDS : MAX_OPTIONS];
/**
* Global optstring used by all subcommands
*/
-static char command_optstring[(MAX_COMMANDS > MAX_OPTIONS ?: MAX_OPTIONS) * 3];
+static char command_optstring[(MAX_COMMANDS > MAX_OPTIONS ? MAX_COMMANDS : MAX_OPTIONS) * 3];
/**
* Build command_opts/command_optstr for the active command
@@ -140,23 +140,37 @@ void command_register(command_t command)
{
int i;
+ if (registered == MAX_COMMANDS)
+ {
+ fprintf(stderr, "unable to register command, please increase "
+ "MAX_COMMANDS\n");
+ return;
+ }
+
cmds[registered] = command;
/* append default options, but not to --help */
if (!active)
{
for (i = 0; i < countof(cmds[registered].options) - 1; i++)
{
- if (cmds[registered].options[i].name)
+ if (!cmds[registered].options[i].name)
{
- continue;
+ break;
}
+ }
+ if (i > countof(cmds[registered].options) - 3)
+ {
+ fprintf(stderr, "command '%s' registered too many options, please "
+ "increase MAX_OPTIONS\n", command.cmd);
+ }
+ else
+ {
cmds[registered].options[i++] = (command_option_t) {
"debug", 'v', 1, "set debug level, default: 1"
};
cmds[registered].options[i++] = (command_option_t) {
"options", '+', 1, "read command line options from file"
};
- break;
}
}
registered++;
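Review bot: The bound `countof(cmds[registered].options) - 3` is unexplained, and a one-line comment above the check would help, e.g. `/* need room for "debug", "options" and the terminating empty entry */` (the terminator is presumed from the `- 1` loop bound). When the limit is exceeded the command is still registered, because `registered++` runs regardless, only without the two default options. The message should say so, or the function should return early as the MAX_COMMANDS guard does. The end of command_register is outside the hunk.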
@@ -260,4 +274,3 @@ int command_dispatch(int c, char *v[])
}
return command_usage(c > 1 ? "invalid operation" : NULL);
}
-
diff --git a/src/pki/command.h b/src/pki/command.h
index 1a884fb73..737f4658d 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -22,12 +22,12 @@
#define COMMAND_H_
/**
- * Maximum number of commands.
+ * Maximum number of commands (+1).
*/
-#define MAX_COMMANDS 10
+#define MAX_COMMANDS 11
/**
- * Maximum number of options in a command (+1)
+ * Maximum number of options in a command (+3)
*/
#define MAX_OPTIONS 32
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 000f63d1a..d5c33b89f 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -14,6 +14,7 @@
*/
#include <time.h>
+#include <errno.h>
#include "pki.h"
@@ -382,7 +383,12 @@ static int issue()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "%s: ", strerror(errno));
+ error = "reading certificate request failed";
+ goto end;
+ }
cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
CERT_PKCS10_REQUEST,
BUILD_BLOB, chunk, BUILD_END);
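Review bot: The new error path prints `strerror(errno)` followed by ": " and no newline, leaving the real message to whatever prints `error` after `end:` (outside the hunk), so the output reads cause-first. keyid.c, print.c, pub.c and verify.c in this commit use the "what failed: why" order with a newline, and req.c uses a third variant with `error = ""`. Consider one pattern throughout, e.g. `fprintf(stderr, "reading certificate request failed: %s\n", strerror(errno));`. The second chunk_from_fd() hunk in this file (public key) and the one in self.c use the same cause-first form.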
@@ -425,7 +431,12 @@ static int issue()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "%s: ", strerror(errno));
+ error = "reading public key failed";
+ goto end;
+ }
public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
@@ -562,4 +573,3 @@ static void __attribute__ ((constructor))reg()
}
});
}
-
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 353670e32..64bb3cc2c 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -13,6 +13,8 @@
* for more details.
*/
+#include <errno.h>
+
#include "pki.h"
#include <credentials/certificates/certificate.h>
@@ -89,7 +91,11 @@ static int keyid()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+ return 1;
+ }
cred = lib->creds->create(lib->creds, type, subtype,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
@@ -165,4 +171,3 @@ static void __attribute__ ((constructor))reg()
}
});
}
-
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 2261e44ff..077c1ef3e 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -22,6 +22,7 @@
#include <selectors/traffic_selector.h>
#include <time.h>
+#include <errno.h>
/**
* Print public key information
@@ -510,7 +511,11 @@ static int print()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+ return 1;
+ }
cred = lib->creds->create(lib->creds, type, subtype,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 7f88055ef..260044c4e 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -13,6 +13,8 @@
* for more details.
*/
+#include <errno.h>
+
#include "pki.h"
#include <credentials/certificates/certificate.h>
@@ -108,7 +110,11 @@ static int pub()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+ return 1;
+ }
cred = lib->creds->create(lib->creds, type, subtype,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
@@ -186,4 +192,3 @@ static void __attribute__ ((constructor))reg()
}
});
}
-
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 628463e7b..5b2c128b7 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -16,6 +16,7 @@
*/
#include <time.h>
+#include <errno.h>
#include "pki.h"
@@ -118,7 +119,12 @@ static int req()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading private key failed: %s\n", strerror(errno));
+ error = "";
+ goto end;
+ }
private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
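Review bot: The buffer holding the private key read from stdin is released with plain `free(chunk.ptr)`, which leaves the key bytes in freed heap memory; the same line follows the private-key read in src/pki/commands/self.c. If chunk_clear() is available in this tree, `chunk_clear(&chunk);` would wipe the buffer before freeing it. The new error branch also sets `error = ""` after printing its own message, which depends on how `end:` (outside the hunk) treats an empty string and deserves a short comment.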
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6bf0b1353..c28c9c291 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -14,6 +14,7 @@
*/
#include <time.h>
+#include <errno.h>
#include "pki.h"
@@ -273,7 +274,12 @@ static int self()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "%s: ", strerror(errno));
+ error = "reading private key failed";
+ goto end;
+ }
private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 96b2b5065..f30dda94d 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -13,6 +13,8 @@
* for more details.
*/
+#include <errno.h>
+
#include "pki.h"
#include <credentials/certificates/certificate.h>
@@ -57,7 +59,11 @@ static int verify()
{
chunk_t chunk;
- chunk = chunk_from_fd(0);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading certificate failed: %s\n", strerror(errno));
+ return 1;
+ }
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB, chunk, BUILD_END);
free(chunk.ptr);
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index ecba4a9b3..edbde85b5 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -170,8 +170,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -239,6 +237,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -327,12 +330,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -347,6 +354,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 9effd9b15..3fad1ae8a 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-ISSUE" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
diff --git a/src/pki/pki.c b/src/pki/pki.c
index ecc0702cd..eb614dd7f 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -168,7 +168,7 @@ static void remove_callback()
int main(int argc, char *argv[])
{
atexit(library_deinit);
- if (!library_init(NULL))
+ if (!library_init(NULL, "pki"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am
index 8b429a4ba..b8d662e57 100644
--- a/src/pool/Makefile.am
+++ b/src/pool/Makefile.am
@@ -1,3 +1,5 @@
+if USE_ATTR_SQL
+
ipsec_PROGRAMS = pool
pool_SOURCES = \
@@ -14,3 +16,8 @@ AM_CPPFLAGS = \
pool_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(top_builddir)/src/libhydra/libhydra.la
+
+endif USE_ATTR_SQL
+
+templatesdir = $(pkgdatadir)/templates/database/sql
+dist_templates_DATA = mysql.sql sqlite.sql
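Review bot: `templatesdir` and `dist_templates_DATA` are placed after `endif USE_ATTR_SQL`, so mysql.sql and sqlite.sql are installed even when the pool utility is not built. If that is intended (other components may use the schema), a comment would say so, for example `# schema templates are installed regardless of USE_ATTR_SQL`. Otherwise the two lines belong inside the conditional.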
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index f8db9ae33..63489034f 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -14,6 +14,7 @@
@SET_MAKE@
+
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
@@ -78,10 +79,10 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-ipsec_PROGRAMS = pool$(EXEEXT)
+@USE_ATTR_SQL_TRUE@ipsec_PROGRAMS = pool$(EXEEXT)
subdir = src/pool
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp
+ $(top_srcdir)/depcomp $(dist_templates_DATA)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -99,14 +100,16 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"
PROGRAMS = $(ipsec_PROGRAMS)
-am_pool_OBJECTS = pool.$(OBJEXT) pool_attributes.$(OBJEXT) \
- pool_usage.$(OBJEXT)
+am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \
+ pool_usage.h pool_usage.c
+@USE_ATTR_SQL_TRUE@am_pool_OBJECTS = pool.$(OBJEXT) \
+@USE_ATTR_SQL_TRUE@ pool_attributes.$(OBJEXT) \
+@USE_ATTR_SQL_TRUE@ pool_usage.$(OBJEXT)
pool_OBJECTS = $(am_pool_OBJECTS)
-pool_DEPENDENCIES = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
@@ -146,12 +149,40 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(pool_SOURCES)
-DIST_SOURCES = $(pool_SOURCES)
+DIST_SOURCES = $(am__pool_SOURCES_DIST)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+DATA = $(dist_templates_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
@@ -186,8 +217,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -255,6 +284,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -343,12 +377,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -363,6 +401,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -373,19 +412,21 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-pool_SOURCES = \
- pool.c pool_attributes.c pool_attributes.h \
- pool_usage.h pool_usage.c
+@USE_ATTR_SQL_TRUE@pool_SOURCES = \
+@USE_ATTR_SQL_TRUE@ pool.c pool_attributes.c pool_attributes.h \
+@USE_ATTR_SQL_TRUE@ pool_usage.h pool_usage.c
-AM_CPPFLAGS = \
- -I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra \
- -DPLUGINS=\""${pool_plugins}\""
+@USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \
+@USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libstrongswan \
+@USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libhydra \
+@USE_ATTR_SQL_TRUE@ -DPLUGINS=\""${pool_plugins}\""
-pool_LDADD = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@pool_LDADD = \
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la
+templatesdir = $(pkgdatadir)/templates/database/sql
+dist_templates_DATA = mysql.sql sqlite.sql
all: all-am
.SUFFIXES:
@@ -513,6 +554,27 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
+install-dist_templatesDATA: $(dist_templates_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \
+ done
+
+uninstall-dist_templatesDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir)
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -598,9 +660,9 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-am
-all-am: Makefile $(PROGRAMS)
+all-am: Makefile $(PROGRAMS) $(DATA)
installdirs:
- for dir in "$(DESTDIR)$(ipsecdir)"; do \
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -656,7 +718,7 @@ info: info-am
info-am:
-install-data-am: install-ipsecPROGRAMS
+install-data-am: install-dist_templatesDATA install-ipsecPROGRAMS
install-dvi: install-dvi-am
@@ -702,7 +764,7 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-ipsecPROGRAMS
+uninstall-am: uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS
.MAKE: install-am install-strip
@@ -711,17 +773,19 @@ uninstall-am: uninstall-ipsecPROGRAMS
distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-ipsecPROGRAMS install-man install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
+ install-data-am install-dist_templatesDATA install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags tags-am uninstall uninstall-am uninstall-ipsecPROGRAMS
+ tags tags-am uninstall uninstall-am \
+ uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS
-pool.o : $(top_builddir)/config.status
+@USE_ATTR_SQL_TRUE@pool.o : $(top_builddir)/config.status
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/pool/mysql.sql b/src/pool/mysql.sql
new file mode 100644
index 000000000..1b437593d
--- /dev/null
+++ b/src/pool/mysql.sql
@@ -0,0 +1,281 @@
+
+DROP TABLE IF EXISTS `identities`;
+CREATE TABLE `identities` (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `type` tinyint(4) unsigned NOT NULL,
+ `data` varbinary(64) NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE (`type`, `data`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `child_configs`;
+CREATE TABLE `child_configs` (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `name` varchar(32) collate utf8_unicode_ci NOT NULL,
+ `lifetime` mediumint(8) unsigned NOT NULL default '1500',
+ `rekeytime` mediumint(8) unsigned NOT NULL default '1200',
+ `jitter` mediumint(8) unsigned NOT NULL default '60',
+ `updown` varchar(128) collate utf8_unicode_ci default NULL,
+ `hostaccess` tinyint(1) unsigned NOT NULL default '0',
+ `mode` tinyint(4) unsigned NOT NULL default '2',
+ `start_action` tinyint(4) unsigned NOT NULL default '0',
+ `dpd_action` tinyint(4) unsigned NOT NULL default '0',
+ `close_action` tinyint(4) unsigned NOT NULL default '0',
+ `ipcomp` tinyint(4) unsigned NOT NULL default '0',
+ `reqid` mediumint(8) unsigned NOT NULL default '0',
+ PRIMARY KEY (`id`),
+ INDEX (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `child_config_traffic_selector`;
+CREATE TABLE `child_config_traffic_selector` (
+ `child_cfg` int(10) unsigned NOT NULL,
+ `traffic_selector` int(10) unsigned NOT NULL,
+ `kind` tinyint(3) unsigned NOT NULL,
+ INDEX (`child_cfg`, `traffic_selector`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `proposals`;
+CREATE TABLE `proposals` (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `proposal` varchar(128) NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `child_config_proposal`;
+CREATE TABLE `child_config_proposal` (
+ `child_cfg` int(10) unsigned NOT NULL,
+ `prio` smallint(5) unsigned NOT NULL,
+ `prop` int(10) unsigned NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `ike_configs`;
+CREATE TABLE `ike_configs` (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `certreq` tinyint(3) unsigned NOT NULL default '1',
+ `force_encap` tinyint(1) NOT NULL default '0',
+ `local` varchar(128) collate utf8_unicode_ci NOT NULL,
+ `remote` varchar(128) collate utf8_unicode_ci NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `ike_config_proposal`;
+CREATE TABLE `ike_config_proposal` (
+ `ike_cfg` int(10) unsigned NOT NULL,
+ `prio` smallint(5) unsigned NOT NULL,
+ `prop` int(10) unsigned NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `peer_configs`;
+CREATE TABLE `peer_configs` (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `name` varchar(32) collate utf8_unicode_ci NOT NULL,
+ `ike_version` tinyint(3) unsigned NOT NULL default '2',
+ `ike_cfg` int(10) unsigned NOT NULL,
+ `local_id` varchar(64) collate utf8_unicode_ci NOT NULL,
+ `remote_id` varchar(64) collate utf8_unicode_ci NOT NULL,
+ `cert_policy` tinyint(3) unsigned NOT NULL default '1',
+ `uniqueid` tinyint(3) unsigned NOT NULL default '0',
+ `auth_method` tinyint(3) unsigned NOT NULL default '1',
+ `eap_type` tinyint(3) unsigned NOT NULL default '0',
+ `eap_vendor` smallint(5) unsigned NOT NULL default '0',
+ `keyingtries` tinyint(3) unsigned NOT NULL default '3',
+ `rekeytime` mediumint(8) unsigned NOT NULL default '7200',
+ `reauthtime` mediumint(8) unsigned NOT NULL default '0',
+ `jitter` mediumint(8) unsigned NOT NULL default '180',
+ `overtime` mediumint(8) unsigned NOT NULL default '300',
+ `mobike` tinyint(1) NOT NULL default '1',
+ `dpd_delay` mediumint(8) unsigned NOT NULL default '120',
+ `virtual` varchar(40) default NULL,
+ `pool` varchar(32) default NULL,
+ `mediation` tinyint(1) NOT NULL default '0',
+ `mediated_by` int(10) unsigned NOT NULL default '0',
+ `peer_id` int(10) unsigned NOT NULL default '0',
+ PRIMARY KEY (`id`),
+ INDEX (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `peer_config_child_config`;
+CREATE TABLE `peer_config_child_config` (
+ `peer_cfg` int(10) unsigned NOT NULL,
+ `child_cfg` int(10) unsigned NOT NULL,
+ PRIMARY KEY (`peer_cfg`, `child_cfg`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `traffic_selectors`;
+CREATE TABLE `traffic_selectors` (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `type` tinyint(3) unsigned NOT NULL default '7',
+ `protocol` smallint(5) unsigned NOT NULL default '0',
+ `start_addr` varbinary(16) default NULL,
+ `end_addr` varbinary(16) default NULL,
+ `start_port` smallint(5) unsigned NOT NULL default '0',
+ `end_port` smallint(5) unsigned NOT NULL default '65535',
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `type` tinyint(3) unsigned NOT NULL,
+ `keytype` tinyint(3) unsigned NOT NULL,
+ `data` BLOB NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificate_identity;
+CREATE TABLE certificate_identity (
+ `certificate` int(10) unsigned NOT NULL,
+ `identity` int(10) unsigned NOT NULL,
+ PRIMARY KEY (`certificate`, `identity`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `type` tinyint(3) unsigned NOT NULL,
+ `data` BLOB NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS private_key_identity;
+CREATE TABLE private_key_identity (
+ `private_key` int(10) unsigned NOT NULL,
+ `identity` int(10) unsigned NOT NULL,
+ PRIMARY KEY (`private_key`, `identity`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `type` tinyint(3) unsigned NOT NULL,
+ `data` varbinary(256) NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS shared_secret_identity;
+CREATE TABLE shared_secret_identity (
+ `shared_secret` int(10) unsigned NOT NULL,
+ `identity` int(10) unsigned NOT NULL,
+ PRIMARY KEY (`shared_secret`, `identity`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificate_authorities;
+CREATE TABLE certificate_authorities (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `certificate` int(10) unsigned NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificate_distribution_points;
+CREATE TABLE certificate_distribution_points (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `ca` int(10) unsigned NOT NULL,
+ `type` tinyint(3) unsigned NOT NULL,
+ `uri` varchar(256) NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS pools;
+CREATE TABLE pools (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `name` varchar(32) NOT NULL,
+ `start` varbinary(16) NOT NULL,
+ `end` varbinary(16) NOT NULL,
+ `timeout` int(10) unsigned NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS addresses;
+CREATE TABLE addresses (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `pool` int(10) unsigned NOT NULL,
+ `address` varbinary(16) NOT NULL,
+ `identity` int(10) unsigned NOT NULL DEFAULT 0,
+ `acquired` int(10) unsigned NOT NULL DEFAULT 0,
+ `released` int(10) unsigned NOT NULL DEFAULT 1,
+ PRIMARY KEY (`id`),
+ INDEX (`pool`),
+ INDEX (`identity`),
+ INDEX (`address`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `address` int(10) unsigned NOT NULL,
+ `identity` int(10) unsigned NOT NULL,
+ `acquired` int(10) unsigned NOT NULL,
+ `released` int(10) unsigned DEFAULT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS attribute_pools;
+CREATE TABLE attribute_pools (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `name` varchar(32) NOT NULL,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS attributes;
+CREATE TABLE attributes (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `identity` int(10) unsigned NOT NULL default '0',
+ `pool` int(10) unsigned NOT NULL default '0',
+ `type` int(10) unsigned NOT NULL,
+ `value` varbinary(16) NOT NULL,
+ PRIMARY KEY (`id`),
+ INDEX (`identity`),
+ INDEX (`pool`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+DROP TABLE IF EXISTS ike_sas;
+CREATE TABLE ike_sas (
+ `local_spi` varbinary(8) NOT NULL,
+ `remote_spi` varbinary(8) NOT NULL,
+ `id` int(10) unsigned NOT NULL,
+ `initiator` tinyint(1) NOT NULL,
+ `local_id_type` tinyint(3) NOT NULL,
+ `local_id_data` varbinary(64) DEFAULT NULL,
+ `remote_id_type` tinyint(3) NOT NULL,
+ `remote_id_data` varbinary(64) DEFAULT NULL,
+ `host_family` tinyint(3) NOT NULL,
+ `local_host_data` varbinary(16) NOT NULL,
+ `remote_host_data` varbinary(16) NOT NULL,
+ `lastuse` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+ PRIMARY KEY (`local_spi`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS logs;
+CREATE TABLE logs (
+ `id` int(10) unsigned NOT NULL auto_increment,
+ `local_spi` varbinary(8) NOT NULL,
+ `signal` tinyint(3) NOT NULL,
+ `level` tinyint(3) NOT NULL,
+ `msg` varchar(256) NOT NULL,
+ `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
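Review bot: The new file opens with a blank line and no header, yet every table, including `private_keys`, `shared_secrets` and `certificates`, is preceded by `DROP TABLE IF EXISTS`, so loading the installed template into a populated database discards stored credentials without warning. A header comment would state this, for example `/* strongSwan MySQL schema template: recreates all tables, existing data is lost */`. The first hunk of src/pool/sqlite.sql removes its `/* strongSwan SQLite database */` header and would benefit from the same comment. The key and secret columns are plain `BLOB`/`varbinary` fields, so the header could also note that access to the database has to be restricted accordingly.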
diff --git a/src/pool/pool.c b/src/pool/pool.c
index 05043cd8c..265974860 100644
--- a/src/pool/pool.c
+++ b/src/pool/pool.c
@@ -1212,7 +1212,7 @@ int main(int argc, char *argv[])
atexit(library_deinit);
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "pool"))
{
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
@@ -1227,11 +1227,16 @@ int main(int argc, char *argv[])
{
exit(SS_RC_INITIALIZATION_FAILED);
}
-
- uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL);
+ /* TODO: make database URI or setting key configurable via command line */
+ uri = lib->settings->get_str(lib->settings,
+ "pool.database",
+ lib->settings->get_str(lib->settings,
+ "charon.plugins.attr-sql.database",
+ lib->settings->get_str(lib->settings,
+ "libhydra.plugins.attr-sql.database", NULL)));
if (!uri)
{
- fprintf(stderr, "database URI libhydra.plugins.attr-sql.database not set.\n");
+ fprintf(stderr, "database URI pool.database not set.\n");
exit(SS_RC_INITIALIZATION_FAILED);
}
db = lib->db->create(lib->db, uri);
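Review bot: The failure message names only `pool.database`, although the lookup above also falls back to `charon.plugins.attr-sql.database` and `libhydra.plugins.attr-sql.database`, so a user with one of the older keys misspelled gets a misleading hint. Suggest `fprintf(stderr, "database URI not set (tried pool.database, charon.plugins.attr-sql.database, libhydra.plugins.attr-sql.database).\n");`. For the TODO, note that a URI given on the command line would expose any password embedded in it through the process list, so a configurable setting key is the safer of the two options. main() starts and ends outside the hunk.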
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/src/pool/sqlite.sql
index 2917fc3fc..78012630b 100644
--- a/testing/hosts/default/etc/ipsec.d/tables.sql
+++ b/src/pool/sqlite.sql
@@ -1,4 +1,4 @@
-/* strongSwan SQLite database */
+
DROP TABLE IF EXISTS identities;
CREATE TABLE identities (
@@ -8,13 +8,14 @@ CREATE TABLE identities (
UNIQUE (type, data)
);
+
DROP TABLE IF EXISTS child_configs;
CREATE TABLE child_configs (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
- lifetime INTEGER NOT NULL DEFAULT '1200',
- rekeytime INTEGER NOT NULL DEFAULT '1020',
- jitter INTEGER NOT NULL DEFAULT '180',
+ lifetime INTEGER NOT NULL DEFAULT '1500',
+ rekeytime INTEGER NOT NULL DEFAULT '1200',
+ jitter INTEGER NOT NULL DEFAULT '60',
updown TEXT DEFAULT NULL,
hostaccess INTEGER NOT NULL DEFAULT '0',
mode INTEGER NOT NULL DEFAULT '2',
@@ -29,6 +30,7 @@ CREATE INDEX child_configs_name ON child_configs (
name
);
+
DROP TABLE IF EXISTS child_config_traffic_selector;
CREATE TABLE child_config_traffic_selector (
child_cfg INTEGER NOT NULL,
@@ -46,6 +48,7 @@ CREATE TABLE proposals (
proposal TEXT NOT NULL
);
+
DROP TABLE IF EXISTS child_config_proposal;
CREATE TABLE child_config_proposal (
child_cfg INTEGER NOT NULL,
@@ -53,6 +56,7 @@ CREATE TABLE child_config_proposal (
prop INTEGER NOT NULL
);
+
DROP TABLE IF EXISTS ike_configs;
CREATE TABLE ike_configs (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -62,6 +66,7 @@ CREATE TABLE ike_configs (
remote TEXT NOT NULL
);
+
DROP TABLE IF EXISTS ike_config_proposal;
CREATE TABLE ike_config_proposal (
ike_cfg INTEGER NOT NULL,
@@ -69,6 +74,7 @@ CREATE TABLE ike_config_proposal (
prop INTEGER NOT NULL
);
+
DROP TABLE IF EXISTS peer_configs;
CREATE TABLE peer_configs (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -82,9 +88,9 @@ CREATE TABLE peer_configs (
auth_method INTEGER NOT NULL DEFAULT '1',
eap_type INTEGER NOT NULL DEFAULT '0',
eap_vendor INTEGER NOT NULL DEFAULT '0',
- keyingtries INTEGER NOT NULL DEFAULT '1',
- rekeytime INTEGER NOT NULL DEFAULT '0',
- reauthtime INTEGER NOT NULL DEFAULT '3600',
+ keyingtries INTEGER NOT NULL DEFAULT '3',
+ rekeytime INTEGER NOT NULL DEFAULT '7200',
+ reauthtime INTEGER NOT NULL DEFAULT '0',
jitter INTEGER NOT NULL DEFAULT '180',
overtime INTEGER NOT NULL DEFAULT '300',
mobike INTEGER NOT NULL DEFAULT '1',
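Review bot: The `reauthtime` default moves from '3600' to '0' and `rekeytime` from '0' to '7200' in `peer_configs`, so rows inserted without explicit values switch from hourly reauthentication to rekeying only, assuming 0 keeps its usual meaning of disabled. Because this file was moved from testing/hosts/default/etc/ipsec.d/tables.sql, test data that relied on the old defaults changes behaviour silently. A short comment above these columns, such as `/* defaults match src/pool/mysql.sql; reauthtime 0 = no reauthentication */`, would record the intent. The CREATE TABLE statement starts and ends outside this hunk.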
@@ -100,6 +106,7 @@ CREATE INDEX peer_configs_name ON peer_configs (
name
);
+
DROP TABLE IF EXISTS peer_config_child_config;
CREATE TABLE peer_config_child_config (
peer_cfg INTEGER NOT NULL,
@@ -107,6 +114,7 @@ CREATE TABLE peer_config_child_config (
PRIMARY KEY (peer_cfg, child_cfg)
);
+
DROP TABLE IF EXISTS traffic_selectors;
CREATE TABLE traffic_selectors (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -118,6 +126,7 @@ CREATE TABLE traffic_selectors (
end_port INTEGER NOT NULL DEFAULT '65535'
);
+
DROP TABLE IF EXISTS certificates;
CREATE TABLE certificates (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -126,6 +135,7 @@ CREATE TABLE certificates (
data BLOB NOT NULL
);
+
DROP TABLE IF EXISTS certificate_identity;
CREATE TABLE certificate_identity (
certificate INTEGER NOT NULL,
@@ -133,6 +143,7 @@ CREATE TABLE certificate_identity (
PRIMARY KEY (certificate, identity)
);
+
DROP TABLE IF EXISTS private_keys;
CREATE TABLE private_keys (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -140,6 +151,7 @@ CREATE TABLE private_keys (
data BLOB NOT NULL
);
+
DROP TABLE IF EXISTS private_key_identity;
CREATE TABLE private_key_identity (
private_key INTEGER NOT NULL,
@@ -147,6 +159,7 @@ CREATE TABLE private_key_identity (
PRIMARY KEY (private_key, identity)
);
+
DROP TABLE IF EXISTS shared_secrets;
CREATE TABLE shared_secrets (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -154,6 +167,7 @@ CREATE TABLE shared_secrets (
data BLOB NOT NULL
);
+
DROP TABLE IF EXISTS shared_secret_identity;
CREATE TABLE shared_secret_identity (
shared_secret INTEGER NOT NULL,
@@ -161,12 +175,14 @@ CREATE TABLE shared_secret_identity (
PRIMARY KEY (shared_secret, identity)
);
+
DROP TABLE IF EXISTS certificate_authorities;
CREATE TABLE certificate_authorities (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
certificate INTEGER NOT NULL
);
+
DROP TABLE IF EXISTS certificate_distribution_points;
CREATE TABLE certificate_distribution_points (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -175,18 +191,15 @@ CREATE TABLE certificate_distribution_points (
uri TEXT NOT NULL
);
+
DROP TABLE IF EXISTS pools;
CREATE TABLE pools (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL,
+ name TEXT NOT NULL UNIQUE,
start BLOB NOT NULL,
end BLOB NOT NULL,
timeout INTEGER NOT NULL
);
-DROP INDEX IF EXISTS pools_name;
-CREATE INDEX pools_name ON pools (
- name
-);
DROP TABLE IF EXISTS addresses;
CREATE TABLE addresses (
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index b82f0f496..61dff904e 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -187,8 +187,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -256,6 +254,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -344,12 +347,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -364,6 +371,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index e7d75f078..90edb0c8e 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -166,7 +166,7 @@ static void init()
PLUGIN_PROVIDE(CUSTOM, "pt-tls-client"),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
};
- library_init(NULL);
+ library_init(NULL, "pt-tls-client");
libtnccs_init();
dbg = dbg_pt_tls;
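Review bot: The return value of `library_init(NULL, "pt-tls-client")` is still ignored, whereas pki, pool and scepclient in this same commit exit with SS_RC_LIBSTRONGSWAN_INTEGRITY when the call fails, so a failed library or integrity initialisation lets the client continue into `libtnccs_init()`. Suggest `if (!library_init(NULL, "pt-tls-client")) { exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); }`, provided that constant is in scope in this file, which the hunk does not show. init() starts and ends outside the hunk.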
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 39b601f8e..06354da5f 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -214,8 +214,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -283,6 +281,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,12 +374,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -391,6 +398,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 1267370ba..d7abcb423 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -24,6 +24,7 @@
#include <time.h>
#include <limits.h>
#include <syslog.h>
+#include <errno.h>
#include <library.h>
#include <utils/debug.h>
@@ -486,7 +487,7 @@ int main(int argc, char **argv)
err_t ugh = NULL;
/* initialize library */
- if (!library_init(NULL))
+ if (!library_init(NULL, "scepclient"))
{
library_deinit();
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -975,9 +976,10 @@ int main(int argc, char **argv)
{ /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
- if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force))
+ if (!chunk_write(scep_response, ca_path, 0022, force))
{
- exit_scepclient("could not write ca cert file '%s'", ca_path);
+ exit_scepclient("could not write ca cert file '%s': %s",
+ ca_path, strerror(errno));
}
}
else
@@ -1031,10 +1033,10 @@ int main(int argc, char **argv)
}
if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
- !chunk_write(encoding, path,
- ca_cert ? "ca cert" : "ra cert", 0022, force))
+ !chunk_write(encoding, path, 0022, force))
{
- exit_scepclient("could not write cert file '%s'", path);
+ exit_scepclient("could not write cert file '%s': %s",
+ path, strerror(errno));
}
chunk_free(&encoding);
}
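Review bot: The combined condition `!cert->get_encoding(...) || !chunk_write(...)` now reports `strerror(errno)` even when `get_encoding()` is the call that failed, in which case errno is unrelated to the failure and the printed cause is misleading. The same pattern is in the pkcs1 hunk at -1172 and the requested-cert hunk at -1460. Splitting the two checks, reusing the "encoding certificate failed" message already present in the self-signed branch, keeps the errno text tied to the write. main() starts and ends outside these hunks.

```c
if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
{
	exit_scepclient("encoding certificate failed");
}
if (!chunk_write(encoding, path, 0022, force))
{
	exit_scepclient("could not write cert file '%s': %s",
					path, strerror(errno));
}
/* … unchanged: chunk_free(&encoding) … */
```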
@@ -1149,9 +1151,10 @@ int main(int argc, char **argv)
join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
- if (!chunk_write(pkcs10_encoding, path, "pkcs10", 0022, force))
+ if (!chunk_write(pkcs10_encoding, path, 0022, force))
{
- exit_scepclient("could not write pkcs10 file '%s'", path);
+ exit_scepclient("could not write pkcs10 file '%s': %s",
+ path, strerror(errno));
}
filetype_out &= ~PKCS10; /* delete PKCS10 flag */
}
@@ -1172,9 +1175,10 @@ int main(int argc, char **argv)
DBG2(DBG_APP, "building pkcs1 object:");
if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
- !chunk_write(pkcs1, path, "pkcs1", 0066, force))
+ !chunk_write(pkcs1, path, 0066, force))
{
- exit_scepclient("could not write pkcs1 file '%s'", path);
+ exit_scepclient("could not write pkcs1 file '%s': %s",
+ path, strerror(errno));
}
filetype_out &= ~PKCS1; /* delete PKCS1 flag */
}
@@ -1236,9 +1240,10 @@ int main(int argc, char **argv)
{
exit_scepclient("encoding certificate failed");
}
- if (!chunk_write(encoding, path, "self-signed cert", 0022, force))
+ if (!chunk_write(encoding, path, 0022, force))
{
- exit_scepclient("could not write self-signed cert file '%s'", path);
+ exit_scepclient("could not write self-signed cert file '%s': %s",
+ path, strerror(errno));
}
chunk_free(&encoding);
filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
@@ -1300,9 +1305,10 @@ int main(int argc, char **argv)
join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
- if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
+ if (!chunk_write(pkcs7, path, 0022, force))
{
- exit_scepclient("could not write pkcs7 file '%s'", path);
+ exit_scepclient("could not write pkcs7 file '%s': %s",
+ path, strerror(errno));
}
filetype_out &= ~PKCS7; /* delete PKCS7 flag */
}
@@ -1460,9 +1466,10 @@ int main(int argc, char **argv)
exit_scepclient("multiple certs received, only first stored");
}
if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
- !chunk_write(encoding, path, "requested cert", 0022, force))
+ !chunk_write(encoding, path, 0022, force))
{
- exit_scepclient("could not write cert file '%s'", path);
+ exit_scepclient("could not write cert file '%s': %s",
+ path, strerror(errno));
}
chunk_free(&encoding);
stored = TRUE;
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index 91575c9ba..c2260be51 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -14,7 +14,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
# build starter ----------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/libhydra \
$(strongswan_PATH)/src/libstrongswan \
$(strongswan_PATH)/src/stroke
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 405d92a3f..7a9154d84 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -211,8 +211,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -280,6 +278,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,12 +371,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -388,6 +395,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 06eb142bd..33916c95c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -419,10 +419,10 @@ int main (int argc, char **argv)
bool attach_gdb = FALSE;
bool load_warning = FALSE;
- library_init(NULL);
+ library_init(NULL, "starter");
atexit(library_deinit);
- libhydra_init("starter");
+ libhydra_init();
atexit(libhydra_deinit);
/* parse command line */
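Review bot: The return value of `library_init(NULL, "starter")` is discarded here, while scepclient's main() in this same commit tests it and exits with `SS_RC_LIBSTRONGSWAN_INTEGRITY` on failure. If that return reflects a failed library integrity check, as the exit code name suggests, starter would carry on with a library that did not verify. Checking it before registering the atexit handlers would close that gap, e.g. `if (!library_init(NULL, "starter")) { library_deinit(); exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); }`, assuming that constant is available in starter.c. The stroke.c hunk (`library_init(NULL, "stroke")`) has the same unchecked call; main() extends beyond both hunks.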
diff --git a/src/stroke/Android.mk b/src/stroke/Android.mk
index 320314c4d..2accb522d 100644
--- a/src/stroke/Android.mk
+++ b/src/stroke/Android.mk
@@ -10,7 +10,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(stroke_SOURCES))
# build stroke -----------------------------------------------------------------
LOCAL_C_INCLUDES += \
- $(libvstr_PATH) \
$(strongswan_PATH)/src/libstrongswan
LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 8e6ebd572..0b285285b 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -186,8 +186,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -255,6 +253,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -343,12 +346,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -363,6 +370,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 75f014516..69c8ea2a4 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -480,7 +480,7 @@ int main(int argc, char *argv[])
const stroke_token_t *token;
int res = 0;
- library_init(NULL);
+ library_init(NULL, "stroke");
atexit(library_deinit);
if (argc < 2)
diff --git a/src/strongswan.conf b/src/strongswan.conf
deleted file mode 100644
index 0d82dedfa..000000000
--- a/src/strongswan.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# strongswan.conf - strongSwan configuration file
-
-charon {
-
- # number of worker threads in charon
- threads = 16
-
- # send strongswan vendor ID?
- # send_vendor_id = yes
-
- plugins {
-
- sql {
- # loglevel to log into sql database
- loglevel = -1
-
- # URI to the database
- # database = sqlite:///path/to/file.db
- # database = mysql://user:password@localhost/database
- }
- }
-
- # ...
-}
-
-pluto {
-
-}
-
-libstrongswan {
-
- # set to no, the DH exponent size is optimized
- # dh_exponent_ansi_x9_42 = no
-}
diff --git a/test-driver b/test-driver
deleted file mode 100755
index 32bf39e83..000000000
--- a/test-driver
+++ /dev/null
@@ -1,127 +0,0 @@
-#! /bin/sh
-# test-driver - basic testsuite driver script.
-
-scriptversion=2012-06-27.10; # UTC
-
-# Copyright (C) 2011-2013 Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-# Make unconditional expansion of undefined variables an error. This
-# helps a lot in preventing typo-related bugs.
-set -u
-
-usage_error ()
-{
- echo "$0: $*" >&2
- print_usage >&2
- exit 2
-}
-
-print_usage ()
-{
- cat <<END
-Usage:
- test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
- [--expect-failure={yes|no}] [--color-tests={yes|no}]
- [--enable-hard-errors={yes|no}] [--] TEST-SCRIPT
-The '--test-name', '--log-file' and '--trs-file' options are mandatory.
-END
-}
-
-# TODO: better error handling in option parsing (in particular, ensure
-# TODO: $log_file, $trs_file and $test_name are defined).
-test_name= # Used for reporting.
-log_file= # Where to save the output of the test script.
-trs_file= # Where to save the metadata of the test run.
-expect_failure=no
-color_tests=no
-enable_hard_errors=yes
-while test $# -gt 0; do
- case $1 in
- --help) print_usage; exit $?;;
- --version) echo "test-driver $scriptversion"; exit $?;;
- --test-name) test_name=$2; shift;;
- --log-file) log_file=$2; shift;;
- --trs-file) trs_file=$2; shift;;
- --color-tests) color_tests=$2; shift;;
- --expect-failure) expect_failure=$2; shift;;
- --enable-hard-errors) enable_hard_errors=$2; shift;;
- --) shift; break;;
- -*) usage_error "invalid option: '$1'";;
- esac
- shift
-done
-
-if test $color_tests = yes; then
- # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
- red='' # Red.
- grn='' # Green.
- lgn='' # Light green.
- blu='' # Blue.
- mgn='' # Magenta.
- std='' # No color.
-else
- red= grn= lgn= blu= mgn= std=
-fi
-
-do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
-trap "st=129; $do_exit" 1
-trap "st=130; $do_exit" 2
-trap "st=141; $do_exit" 13
-trap "st=143; $do_exit" 15
-
-# Test script is run here.
-"$@" >$log_file 2>&1
-estatus=$?
-if test $enable_hard_errors = no && test $estatus -eq 99; then
- estatus=1
-fi
-
-case $estatus:$expect_failure in
- 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
- 0:*) col=$grn res=PASS recheck=no gcopy=no;;
- 77:*) col=$blu res=SKIP recheck=no gcopy=yes;;
- 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;;
- *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;;
- *:*) col=$red res=FAIL recheck=yes gcopy=yes;;
-esac
-
-# Report outcome to console.
-echo "${col}${res}${std}: $test_name"
-
-# Register the test result, and other relevant metadata.
-echo ":test-result: $res" > $trs_file
-echo ":global-test-result: $res" >> $trs_file
-echo ":recheck: $recheck" >> $trs_file
-echo ":copy-in-global-log: $gcopy" >> $trs_file
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
-# time-stamp-end: "; # UTC"
-# End:
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 305bf7f72..0195c8951 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -1,4 +1,4 @@
-EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+EXTRA_DIST = do-tests make-testing ssh start-testing stop-testing \
testing.conf ssh_config config hosts images scripts tests \
README
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 85f118703..21858672b 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -131,8 +131,6 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
@@ -200,6 +198,11 @@ PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -288,12 +291,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
@@ -308,6 +315,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -318,7 +326,7 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+EXTRA_DIST = do-tests make-testing ssh start-testing stop-testing \
testing.conf ssh_config config hosts images scripts tests \
README
diff --git a/testing/config/kernel/config-3.12 b/testing/config/kernel/config-3.12
new file mode 100644
index 000000000..948891962
--- /dev/null
+++ b/testing/config/kernel/config-3.12
@@ -0,0 +1,2022 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.12.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZBUD is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+# CONFIG_SH_ETH is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+# CONFIG_SERIAL_ST_ASC is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_DJ is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_AM335X_PHY_USB is not set
+# CONFIG_SAMSUNG_USB2PHY is not set
+# CONFIG_SAMSUNG_USB3PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_WRITECOUNT is not set
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.13 b/testing/config/kernel/config-3.13
new file mode 100644
index 000000000..78d8f2218
--- /dev/null
+++ b/testing/config/kernel/config-3.13
@@ -0,0 +1,2047 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.13.2 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZBUD is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Host Driver
+#
+# CONFIG_INTEL_MIC_HOST is not set
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_INTEL_MIC_CARD is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+# CONFIG_SH_ETH is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO_TPKBD is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_DJ is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_SAMSUNG_USB2PHY is not set
+# CONFIG_SAMSUNG_USB3PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_PHY_EXYNOS_MIPI_VIDEO is not set
+# CONFIG_POWERCAP is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_WRITECOUNT is not set
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/hosts/default/etc/pts/data.sql b/testing/hosts/default/etc/pts/data.sql
deleted file mode 100644
index 241a99645..000000000
--- a/testing/hosts/default/etc/pts/data.sql
+++ /dev/null
@@ -1,1060 +0,0 @@
-/* Products */
-
-INSERT INTO products ( /* 1 */
- name
-) VALUES (
- 'Debian 6.0 i686'
-);
-
-INSERT INTO products ( /* 2 */
- name
-) VALUES (
- 'Debian 6.0 x86_64'
-);
-
-INSERT INTO products ( /* 3 */
- name
-) VALUES (
- 'Debian 7.0 i686'
-);
-
-INSERT INTO products ( /* 4 */
- name
-) VALUES (
- 'Debian 7.0 x86_64'
-);
-
-INSERT INTO products ( /* 5 */
- name
-) VALUES (
- 'Debian 8.0 i686'
-);
-
-INSERT INTO products ( /* 6 */
- name
-) VALUES (
- 'Debian 8.0 x86_64'
-);
-
-INSERT INTO products ( /* 7 */
- name
-) VALUES (
- 'Ubuntu 10.04 i686'
-);
-
-INSERT INTO products ( /* 8 */
- name
-) VALUES (
- 'Ubuntu 10.04 x86_64'
-);
-
-INSERT INTO products ( /* 9 */
- name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products ( /* 10 */
- name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products ( /* 11 */
- name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products ( /* 12 */
- name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products ( /* 13 */
- name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-INSERT INTO products ( /* 14 */
- name
-) VALUES (
- 'Ubuntu 11.10 x86_64'
-);
-
-INSERT INTO products ( /* 15 */
- name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-INSERT INTO products ( /* 16 */
- name
-) VALUES (
- 'Ubuntu 12.04 x86_64'
-);
-
-INSERT INTO products ( /* 17 */
- name
-) VALUES (
- 'Ubuntu 12.10 i686'
-);
-
-INSERT INTO products ( /* 18 */
- name
-) VALUES (
- 'Ubuntu 12.10 x86_64'
-);
-
-INSERT INTO products ( /* 19 */
- name
-) VALUES (
- 'Ubuntu 13.04 i686'
-);
-
-INSERT INTO products ( /* 20 */
- name
-) VALUES (
- 'Ubuntu 13.04 x86_64'
-);
-
-INSERT INTO products ( /* 21 */
- name
-) VALUES (
- 'Android 4.1.1'
-);
-
-INSERT INTO products ( /* 22 */
- name
-) VALUES (
- 'Android 4.2.1'
-);
-
-INSERT INTO products ( /* 23 */
- name
-) VALUES (
- 'Ubuntu 13.10 i686'
-);
-
-INSERT INTO products ( /* 24 */
- name
-) VALUES (
- 'Ubuntu 13.10 x86_64'
-);
-
-INSERT INTO products ( /* 25 */
- name
-) VALUES (
- 'Debian 7.1 i686'
-);
-
-INSERT INTO products ( /* 26 */
- name
-) VALUES (
- 'Debian 7.1 x86_64'
-);
-
-INSERT INTO products ( /* 27 */
- name
-) VALUES (
- 'Debian 7.2 i686'
-);
-
-INSERT INTO products ( /* 28 */
- name
-) VALUES (
- 'Debian 7.2 x86_64'
-);
-
-/* Directories */
-
-INSERT INTO directories ( /* 1 */
- path
-) VALUES (
- '/bin'
-);
-
-INSERT INTO directories ( /* 2 */
- path
-) VALUES (
- '/etc'
-);
-
-INSERT INTO directories ( /* 3 */
- path
-) VALUES (
- '/lib'
-);
-
-INSERT INTO directories ( /* 4 */
- path
-) VALUES (
- '/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 5 */
- path
-) VALUES (
- '/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 6 */
- path
-) VALUES (
- '/lib/xtables'
-);
-
-INSERT INTO directories ( /* 7 */
- path
-) VALUES (
- '/sbin'
-);
-
-INSERT INTO directories ( /* 8 */
- path
-) VALUES (
- '/usr/bin'
-);
-
-INSERT INTO directories ( /* 9 */
- path
-) VALUES (
- '/usr/lib'
-);
-
-INSERT INTO directories ( /* 10 */
- path
-) VALUES (
- '/usr/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 11 */
- path
-) VALUES (
- '/usr/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 12 */
- path
-) VALUES (
- '/usr/sbin'
-);
-
-INSERT INTO directories ( /* 13 */
- path
-) VALUES (
- '/system/bin'
-);
-
-INSERT INTO directories ( /* 14 */
- path
-) VALUES (
- '/system/lib'
-);
-
-/* Files */
-
-INSERT INTO files ( /* 1 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 2 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 3 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 4 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 5 */
- name, dir
-) VALUES (
- 'openssl', 8
-);
-
-INSERT INTO files ( /* 6 */
- name, dir
-) VALUES (
- 'tnc_config', 2
-);
-
-/* Algorithms */
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 65536, 'SHA1-IMA'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 32768, 'SHA1'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 16384, 'SHA256'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 8192, 'SHA384'
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 28, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
-);
-
-/* Packages */
-
-INSERT INTO packages ( /* 1 */
- name
-) VALUES (
- 'libssl-dev'
-);
-
-INSERT INTO packages ( /* 2 */
- name
-) VALUES (
- 'libssl1.0.0'
-);
-
-INSERT INTO packages ( /* 3 */
- name
-) VALUES (
- 'libssl1.0.0-dbg'
-);
-
-INSERT INTO packages ( /* 4 */
- name
-) VALUES (
- 'openssl'
-);
-
-/* Versions */
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 1, 28, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 2, 28, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 3, 28, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 4, 28, '1.0.1e-2', 1366531494
-);
-
-/* Components */
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 1, 33 /* ITA TGRUB */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 2, 33 /* ITA TBOOT */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 33 /* ITA IMA - Trusted Platform */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 34 /* ITA IMA - Operating System */
-);
-
-/* Groups */
-
-INSERT INTO groups ( /* 1 */
- name
-) VALUES (
- 'Default'
-);
-
-INSERT INTO groups ( /* 2 */
- name, parent
-) VALUES (
- 'Linux', 1
-);
-
-INSERT INTO groups ( /* 3 */
- name, parent
-) VALUES (
- 'Android', 1
-);
-
-INSERT INTO groups ( /* 4 */
- name, parent
-) VALUES (
- 'Debian i686', 2
-);
-
-INSERT INTO groups ( /* 5 */
- name, parent
-) VALUES (
- 'Debian x86_64', 2
-);
-
-INSERT INTO groups ( /* 6 */
- name, parent
-) VALUES (
- 'Ubuntu i686', 2
-);
-
-INSERT INTO groups ( /* 7 */
- name, parent
-) VALUES (
- 'Ubuntu x86_64', 2
-);
-
-INSERT INTO groups ( /* 8 */
- name
-) VALUES (
- 'Reference'
-);
-
-INSERT INTO groups ( /* 9 */
- name, parent
-) VALUES (
- 'Ref. Android', 8
-);
-
-INSERT INTO groups ( /* 10 */
- name, parent
-) VALUES (
- 'Ref. Linux', 8
-);
-
-/* Default Product Groups */
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 1
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 3
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 5
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 25
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 27
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 2
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 4
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 6
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 26
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 28
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 9
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 11
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 13
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 15
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 17
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 19
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 23
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 8
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 10
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 12
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 14
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 16
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 18
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 20
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 24
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 21
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 22
-);
-
-/* Policies */
-
-INSERT INTO policies ( /* 1 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 1, 'Installed Packages', 2, 2
-);
-
-INSERT INTO policies ( /* 2 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 2, 'Unknown Source', 2, 2
-);
-
-INSERT INTO policies ( /* 3 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 3, 'IP Forwarding Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 4 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 4, 'Default Factory Password Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 5 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
-);
-
-INSERT INTO policies ( /* 6 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
-);
-
-INSERT INTO policies ( /* 7 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/bin/openssl', 5, 2, 2
-);
-
-INSERT INTO policies ( /* 8 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 11, 'No Open TCP Ports', 1, 1
-);
-
-INSERT INTO policies ( /* 9 */
- type, name, argument, rec_fail, rec_noresult
-) VALUES (
- 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
-);
-
-INSERT INTO policies ( /* 10 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 7, 'Metadata of /etc/tnc_config', 6, 0, 0
-);
-
-INSERT INTO policies ( /* 11 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /bin', 1, 0, 0
-);
-
-INSERT INTO policies ( /* 12 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
-);
-
-INSERT INTO policies ( /* 13 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
-);
-
-INSERT INTO policies ( /* 14 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/bin', 13, 0, 0
-);
-
-INSERT INTO policies ( /* 15 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/lib', 14, 0, 0
-);
-
-INSERT INTO policies ( /* 16 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 9, 'Measure /bin', 1, 2, 2
-);
-
-INSERT INTO policies ( /* 17 */
- type, name, argument, rec_fail, rec_noresult
-) VALUES (
- 15, 'SWID Tag IDs', 'R', 2, 2
-);
-
-INSERT INTO policies ( /* 18 */
- type, name, argument, rec_fail, rec_noresult
-) VALUES (
- 15, 'SWID Tags', '', 2, 2
-);
-
-/* Enforcements */
-
-INSERT INTO enforcements ( /* 1 */
- policy, group_id, max_age
-) VALUES (
- 1, 1, 86400
-);
-
-INSERT INTO enforcements ( /* 2 */
- policy, group_id, max_age
-) VALUES (
- 2, 3, 0
-);
-
-INSERT INTO enforcements ( /* 3 */
- policy, group_id, max_age
-) VALUES (
- 3, 2, 0
-);
-
-INSERT INTO enforcements ( /* 4 */
- policy, group_id, max_age
-) VALUES (
- 5, 7, 86400
-);
-
-INSERT INTO enforcements ( /* 5 */
- policy, group_id, max_age
-) VALUES (
- 6, 7, 86400
-);
-
-INSERT INTO enforcements ( /* 6 */
- policy, group_id, max_age
-) VALUES (
- 7, 2, 86400
-);
-
-INSERT INTO enforcements ( /* 7 */
- policy, group_id, max_age
-) VALUES (
- 8, 1, 60
-);
-
-INSERT INTO enforcements ( /* 8 */
- policy, group_id, max_age
-) VALUES (
- 9, 1, 60
-);
-
-INSERT INTO enforcements ( /* 9 */
- policy, group_id, max_age
-) VALUES (
- 10, 2, 60
-);
-
-INSERT INTO enforcements ( /* 10 */
- policy, group_id, max_age
-) VALUES (
- 11, 10, 86400
-);
-
-INSERT INTO enforcements ( /* 11 */
- policy, group_id, max_age
-) VALUES (
- 12, 5, 86400
-);
-
-INSERT INTO enforcements ( /* 12 */
- policy, group_id, max_age
-) VALUES (
- 13, 5, 86400
-);
-
-INSERT INTO enforcements ( /* 13 */
- policy, group_id, max_age
-) VALUES (
- 14, 9, 0
-);
-
-INSERT INTO enforcements ( /* 14 */
- policy, group_id, max_age
-) VALUES (
- 15, 9, 0
-);
-
-/* regids */
-
-INSERT INTO regids ( /* 1 */
- name
-) VALUES (
- 'regid.1986-12.com.adobe'
-);
-
-INSERT INTO regids ( /* 2 */
- name
-) VALUES (
- 'regid.1991-06.com.microsoft'
-);
-
-INSERT INTO regids ( /* 3 */
- name
-) VALUES (
- 'regid.2004-05.com.ubuntu'
-);
-
-INSERT INTO regids ( /* 4 */
- name
-) VALUES (
- 'regid.1995-04.org.apache'
-);
-
-INSERT INTO regids ( /* 5 */
- name
-) VALUES (
- 'regid.1999-03.org.debian'
-);
-
-INSERT INTO regids ( /* 6 */
- name
-) VALUES (
- 'regid.1994-04.org.isc'
-);
-
-INSERT INTO regids ( /* 7 */
- name
-) VALUES (
- 'regid.1998-12.org.openssl'
-);
-
-INSERT INTO regids ( /* 8 */
- name
-) VALUES (
- 'regid.1998-01.org.samba'
-);
-
-INSERT INTO regids ( /* 9 */
- name
-) VALUES (
- 'regid.2002-08.org.sqlite'
-);
-
-INSERT INTO regids ( /* 10 */
- name
-) VALUES (
- 'regid.2004-03.org.strongswan'
-);
-
-/* Tags */
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 2, 'Windows-8-Pro'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'apache-2-2-22-13'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'bind-9-8-4-dfsg'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'libsqlite-3-7-13-1'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'libssl-1-0-1e-2'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'libssl-dev-1-0-1e-2'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'libssl-doc-1-0-1e-2'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'openssl-1-0-1e-2'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'smbclient-3-6-6-6'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 5, 'sqlite-3-7-13-1'
-);
-
-INSERT INTO tags (
- regid, unique_sw_id
-) VALUES (
- 10, 'strongSwan-5-1-1'
-);
-
diff --git a/testing/hosts/default/etc/pts/tables.sql b/testing/hosts/default/etc/pts/tables.sql
deleted file mode 100644
index a0f3a4e8d..000000000
--- a/testing/hosts/default/etc/pts/tables.sql
+++ /dev/null
@@ -1,256 +0,0 @@
-/* IMV PTS SQLite database */
-
-DROP TABLE IF EXISTS directories;
-CREATE TABLE directories (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- path TEXT NOT NULL
-);
-DROP INDEX IF EXISTS directories_path;
-CREATE INDEX directories_path ON directories (
- path
-);
-
-DROP TABLE IF EXISTS files;
-CREATE TABLE files (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- dir INTEGER DEFAULT 0 REFERENCES directories(id),
- name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS files_name;
-CREATE INDEX files_name ON files (
- name
-);
-
-DROP TABLE IF EXISTS products;
-CREATE TABLE products (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS products_name;
-CREATE INDEX products_name ON products (
- name
-);
-
-DROP TABLE IF EXISTS algorithms;
-CREATE TABLE algorithms (
- id INTEGER PRIMARY KEY,
- name VARCHAR(20) not NULL
-);
-
-DROP TABLE IF EXISTS file_hashes;
-CREATE TABLE file_hashes (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- file INTEGER NOT NULL REFERENCES files(id),
- product INTEGER NOT NULL REFERENCES products(id),
- device INTEGER DEFAULT 0,
- key INTEGER DEFAULT 0 REFERENCES keys(id),
- algo INTEGER NOT NULL REFERENCES algorithms(id),
- hash BLOB NOT NULL
-);
-
-DROP TABLE IF EXISTS keys;
-CREATE TABLE keys (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- keyid BLOB NOT NULL,
- owner TEXT NOT NULL
-);
-DROP INDEX IF EXISTS keys_keyid;
-CREATE INDEX keys_keyid ON keys (
- keyid
-);
-DROP INDEX IF EXISTS keys_owner;
-CREATE INDEX keys_owner ON keys (
- owner
-);
-
-DROP TABLE IF EXISTS groups;
-CREATE TABLE groups (
- id INTEGER NOT NULL PRIMARY KEY,
- name VARCHAR(50) NOT NULL UNIQUE,
- parent INTEGER
-);
-
-DROP TABLE IF EXISTS groups_members;
-CREATE TABLE groups_members (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- group_id INTEGER NOT NULL REFERENCES groups(id),
- device_id INTEGER NOT NULL REFERENCES devices(id),
- UNIQUE (group_id, device_id)
-);
-
-DROP TABLE IF EXISTS groups_product_defaults;
-CREATE TABLE groups_product_defaults (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- group_id INTEGER NOT NULL REFERENCES groups(id),
- product_id INTEGER NOT NULL REFERENCES products(id),
- UNIQUE (group_id, product_id)
-);
-
-DROP TABLE IF EXISTS policies;
-CREATE TABLE policies (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- type INTEGER NOT NULL,
- name VARCHAR(100) NOT NULL UNIQUE,
- argument TEXT DEFAULT '' NOT NULL,
- rec_fail INTEGER NOT NULL,
- rec_noresult INTEGER NOT NULL,
- file INTEGER DEFAULT 0 REFERENCES files(id),
- dir INTEGER DEFAULT 0 REFERENCES directories(id)
-);
-
-DROP TABLE IF EXISTS enforcements;
-CREATE TABLE enforcements (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- policy INTEGER NOT NULL REFERENCES policies(id),
- group_id INTEGER NOT NULL REFERENCES groups(id),
- rec_fail INTEGER,
- rec_noresult INTEGER,
- max_age INTEGER NOT NULL,
- UNIQUE (policy, group_id)
-);
-
-DROP TABLE IF EXISTS sessions;
-CREATE TABLE sessions (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- time INTEGER NOT NULL,
- connection INTEGER NOT NULL,
- identity INTEGER DEFAULT 0 REFERENCES identities(id),
- device INTEGER DEFAULT 0 REFERENCES devices(id),
- product INTEGER DEFAULT 0 REFERENCES products(id),
- rec INTEGER DEFAULT 3
-);
-
-DROP TABLE IF EXISTS workitems;
-CREATE TABLE workitems (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- session INTEGER NOT NULL REFERENCES sessions(id),
- enforcement INTEGER NOT NULL REFERENCES enforcements(id),
- type INTEGER NOT NULL,
- arg_str TEXT,
- arg_int INTEGER DEFAULT 0,
- rec_fail INTEGER NOT NULL,
- rec_noresult INTEGER NOT NULL,
- rec_final INTEGER,
- result TEXT
-);
-DROP INDEX IF EXISTS workitems_session;
-CREATE INDEX workitems_sessions ON workitems (
- session
-);
-
-DROP TABLE IF EXISTS results;
-CREATE TABLE results (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- session INTEGER NOT NULL REFERENCES measurements(id),
- policy INTEGER NOT NULL REFERENCES policies(id),
- rec INTEGER NOT NULL,
- result TEXT NOT NULL
-);
-DROP INDEX IF EXISTS results_session;
-CREATE INDEX results_session ON results (
- session
-);
-
-DROP TABLE IF EXISTS components;
-CREATE TABLE components (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- vendor_id INTEGER NOT NULL,
- name INTEGER NOT NULL,
- qualifier INTEGER DEFAULT 0
-);
-
-
-DROP TABLE IF EXISTS key_component;
-CREATE TABLE key_component (
- key INTEGER NOT NULL,
- component INTEGER NOT NULL,
- depth INTEGER DEFAULT 0,
- seq_no INTEGER DEFAULT 0,
- PRIMARY KEY (key, component)
-);
-
-
-DROP TABLE IF EXISTS component_hashes;
-CREATE TABLE component_hashes (
- component INTEGER NOT NULL,
- key INTEGER NOT NULL,
- seq_no INTEGER NOT NULL,
- pcr INTEGER NOT NULL,
- algo INTEGER NOT NULL,
- hash BLOB NOT NULL,
- PRIMARY KEY(component, key, seq_no, algo)
-);
-
-DROP TABLE IF EXISTS packages;
-CREATE TABLE packages (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL,
- blacklist INTEGER DEFAULT 0
-);
-DROP INDEX IF EXISTS packages_name;
-CREATE INDEX packages_name ON packages (
- name
-);
-
-DROP TABLE IF EXISTS versions;
-CREATE TABLE versions (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- package INTEGER NOT NULL REFERENCES packages(id),
- product INTEGER NOT NULL REFERENCES products(id),
- release TEXT NOT NULL,
- security INTEGER DEFAULT 0,
- blacklist INTEGER DEFAULT 0,
- time INTEGER DEFAULT 0
-);
-DROP INDEX IF EXISTS versions_release;
-CREATE INDEX versions_release ON versions (
- release
-);
-DROP INDEX IF EXISTS versions_package_product;
-CREATE INDEX versions_package_product ON versions (
- package, product
-);
-
-DROP TABLE IF EXISTS devices;
-CREATE TABLE devices (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- description TEXT DEFAULT '',
- value TEXT NOT NULL,
- product INTEGER REFERENCES products(id),
- created INTEGER
-);
-DROP INDEX IF EXISTS devices_id;
-CREATE INDEX devices_value ON devices (
- value
-);
-
-DROP TABLE IF EXISTS identities;
-CREATE TABLE identities (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- type INTEGER NOT NULL,
- value BLOB NOT NULL,
- UNIQUE (type, value)
-);
-
-DROP TABLE IF EXISTS regids;
-CREATE TABLE regids (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS regids_name;
-CREATE INDEX regids_name ON regids (
- name
-);
-
-DROP TABLE IF EXISTS tags;
-CREATE TABLE tags (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- regid INTEGER NOT NULL REFERENCES regids(id),
- unique_sw_id TEXT NOT NULL,
- value TEXT
-);
-DROP INDEX IF EXISTS tags_name;
-CREATE INDEX tags_unique_sw_id ON tags (
- unique_sw_id
-);
-
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 354b48bd7..b6b8854ab 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -68,7 +68,7 @@ do_on_exit graceful_umount $APTCACHE
log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
-execute "mount -t proc none $LOOPDIR/proc"
+execute "mount -t proc none $LOOPDIR/proc" 0
do_on_exit graceful_umount $LOOPDIR/proc
for service in $SERVICES
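Review bot: The trailing `0` added to `execute "mount -t proc none $LOOPDIR/proc"` is an unexplained positional flag, and `execute` is defined outside this hunk, so its effect cannot be read here. If it relaxes status reporting or failure handling for the mount (to be confirmed against the helper), `do_on_exit graceful_umount $LOOPDIR/proc` is still registered and the service loop that follows would run without /proc mounted. A one-line comment above the call would settle it, for example `# second argument 0: <what it disables and why that is safe for this mount>`.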
diff --git a/testing/scripts/build-guestkernel b/testing/scripts/build-guestkernel
index 66a9fe7a4..40aa1b4f1 100755
--- a/testing/scripts/build-guestkernel
+++ b/testing/scripts/build-guestkernel
@@ -27,7 +27,7 @@ then
fi
log_action "Unpacking kernel"
-execute "tar xjf $KERNELTARBALL"
+execute "tar xJf $KERNELTARBALL"
KERNELDIR=$BUILDDIR/$KERNEL
cd $KERNELDIR
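Review bot: `tar xJf` hard-codes xz just as the old `xjf` hard-coded bzip2, so this line must change whenever the suffix of `KERNELTARBALL` changes, and that variable is an overridable default in testing.conf (`: ${KERNELTARBALL=$KERNEL.tar.xz}`). GNU tar detects the compression when extracting, so `execute "tar xf $KERNELTARBALL"` would handle both formats. No checksum or signature check on the tarball is visible in this hunk. If the download step outside the hunk does not verify it either, a pinned digest check before unpacking is worth adding, since the result becomes the guest kernel.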
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
index 631c8b68a..05ed8b38c 100644
--- a/testing/scripts/recipes/003_freeradius.mk
+++ b/testing/scripts/recipes/003_freeradius.mk
@@ -3,7 +3,7 @@
PV = 2.2.1
PKG = freeradius-server-$(PV)
TAR = $(PKG).tar.bz2
-SRC = ftp://ftp.freeradius.org/pub/freeradius/$(TAR)
+SRC = ftp://ftp.freeradius.org/pub/freeradius/old/$(TAR)
NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
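Review bot: `SRC` still fetches the release tarball over plain `ftp://`, which provides neither integrity nor authenticity for code that is then built into the test images. Nothing in this hunk pins a digest for `$(TAR)`, and the fetch rule itself is outside the hunk, so confirm whether it verifies the download. If it does not, add a checksum variable next to `PV`, e.g. `SHA256 = <digest of $(TAR)>`, and check it before unpacking. The move to the `old/` directory suggests 2.2.1 is no longer the current upstream release, which is worth a comment explaining why the version stays pinned.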
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index cf24e1e26..960eba79f 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -2,7 +2,7 @@
PKG = tkm
SRC = http://git.codelabs.ch/git/$(PKG).git
-REV = v0.1
+REV = v0.1.1
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 85f80fe5b..438e6668a 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -79,7 +79,9 @@ CONFIG_OPTS = \
--enable-cmd \
--enable-libipsec \
--enable-kernel-libipsec \
- --enable-tkm
+ --enable-tkm \
+ --enable-ntru \
+ --enable-lookip
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/ssh b/testing/ssh
new file mode 100755
index 000000000..95d064c15
--- /dev/null
+++ b/testing/ssh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+SSHCONF="-F $DIR/ssh_config"
+
+if [ $# == 0 ]
+then
+ echo "$0 <host>"
+ exit 1
+fi
+
+host=$1
+echo "$host" | grep -q "^\([0-9]\+\.\|[0-9a-fA-F]\+:\).*"
+if [ $? -eq 0 ]
+then
+ # assume we got an ip address
+ ip=$host
+else
+ pos='$1'
+ echo "$host" | grep -q ".*1$"
+ if [ $? -eq 0 ]
+ then
+ # {host}1, use second address
+ pos='$2'
+ host=`echo "$host" | sed -n -e "s/1$//p"`
+ fi
+ ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, "{ print ${pos} }" | awk '{ print $1 }'`"
+ if [ -z $ip ]
+ then
+ echo "Host '$host' unknown"
+ exit 1
+ fi
+fi
+
+shift
+exec ssh $SSHCONF -q root@$ip $@
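Review bot: The final `exec ssh $SSHCONF -q root@$ip $@` expands `$@` unquoted, so the arguments of the remote command are word-split and glob-expanded by the local shell before ssh sees them; `"$@"` keeps them intact. The same missing quoting affects `readlink -f $0`, `. $DIR/testing.conf`, the `-F $DIR/ssh_config` option and `[ -z $ip ]`, and the path-based ones break when the checkout path contains a space. `[ -z $ip ]` works for an empty value only because `[ -z ]` happens to evaluate true. `$host` is also pasted into the sed expression as a regular expression, so characters such as `.` or `/` in the argument change the pattern. The excerpt below drops the `SSHCONF` string in favour of passing `-F` directly.

```bash
DIR=$(dirname "$(readlink -f "$0")")
. "$DIR/testing.conf"
# … unchanged: usage check, address detection and HOSTNAMEIPV4 lookup …
	if [ -z "$ip" ]
# … unchanged: "Host unknown" message and exit …
shift
exec ssh -F "$DIR/ssh_config" -q "root@$ip" "$@"
```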
diff --git a/testing/testing.conf b/testing/testing.conf
index 21055b85a..8e0c81e53 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,14 +24,14 @@ fi
: ${TESTDIR=/srv/strongswan-testing}
# Kernel configuration
-: ${KERNELVERSION=3.11.6}
+: ${KERNELVERSION=3.13.2}
: ${KERNEL=linux-$KERNELVERSION}
-: ${KERNELTARBALL=$KERNEL.tar.bz2}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-3.11}
-: ${KERNELPATCH=ha-3.11-abicompat.patch.bz2}
+: ${KERNELTARBALL=$KERNEL.tar.xz}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-3.13}
+: ${KERNELPATCH=ha-3.13-abicompat.patch.bz2}
# strongSwan version used in tests
-: ${SWANVERSION=5.1.1}
+: ${SWANVERSION=5.1.2}
# Build directory where the guest kernel and images will be built
: ${BUILDDIR=$TESTDIR/build}
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index fce551c69..2327eb983 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -1,4 +1,4 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
@@ -10,7 +10,7 @@ dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
diff --git a/testing/tests/ikev1/net2net-ntru-cert/description.txt b/testing/tests/ikev1/net2net-ntru-cert/description.txt
new file mode 100644
index 000000000..638a67110
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The key exchange is based on NTRU encryption with a security strength of 256 bits.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-ntru-cert/evaltest.dat b/testing/tests/ikev1/net2net-ntru-cert/evaltest.dat
new file mode 100644
index 000000000..78d2bff53
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
+sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..218c9f155
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="ike 4, lib 4"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha512-ntru256!
+ esp=aes256-sha512!
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
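Review bot: `charondebug="ike 4, lib 4"` in `config setup` selects the highest log level, which in strongSwan also writes sensitive material such as keys into the daemon log. That is acceptable for a test fixture but easy to copy into a real configuration. Add a comment above it such as `# level 4 dumps key material - test use only`, or lower it to the level the test needs. The same line is added in hosts/sun/etc/ipsec.conf of this test.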
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4fd948fd
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+ send_vendor_id = yes
+}
+
+libstrongswan {
+ plugins {
+ ntru {
+ parameter_set = optimum
+ }
+ }
+}
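Review bot: The `libstrongswan { plugins { ntru { ... } } }` block sets `parameter_set = optimum` on moon only; sun's strongswan.conf in this test has no such block, and nothing states whether the asymmetry is intended. If the setting only matters on the side that starts the exchange (moon runs `ipsec up net-net` in pretest.dat), say so in a comment, e.g. `# parameter set is chosen by the initiator; sun keeps the default`. Otherwise add the same block on sun so both gateways are configured alike.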
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ce610b6a3
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="ike 4, lib 4"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha512-ntru256!
+ esp=aes256-sha512!
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f0432ada1
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev1/net2net-ntru-cert/posttest.dat b/testing/tests/ikev1/net2net-ntru-cert/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-ntru-cert/test.conf b/testing/tests/ikev1/net2net-ntru-cert/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ntru-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/rw-ntru-psk/description.txt b/testing/tests/ikev1/rw-ntru-psk/description.txt
new file mode 100644
index 000000000..40cdd18e3
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on strong
+preshared keys (PSKs).
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 mode-config payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/rw-ntru-psk/evaltest.dat b/testing/tests/ikev1/rw-ntru-psk/evaltest.dat
new file mode 100644
index 000000000..562213572
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw-carol.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+moon:: ipsec statusall 2> /dev/null::rw-dave.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
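Review bot: The two `moon:: ipsec status` checks for `rw-carol.*INSTALLED, TUNNEL` and `rw-dave.*INSTALLED, TUNNEL` end in `::ESP`, while every other line in the file ends in `::YES`. The last field looks like the expected-result column, so `ESP` is probably a slip. Depending on how the harness treats an unknown value, the check is then either never satisfied or silently not enforced. Proposed: `moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES`, and the same for `rw-dave`.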
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..315aa1073
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes128-sha256-ntru128!
+ esp=aes128-sha256!
+ authby=psk
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3e6d33ad9
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
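Review bot: The PSK is committed in clear text and nothing in the file marks it as a fixture. The header comment should say so, e.g. `# test-only key, published in the source tree - never reuse outside the test environment`. The same applies to the ipsec.secrets files added for dave and moon in this test, which carry the matching values.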
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..079ea723e
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..c168b51b2
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes192-sha384-ntru192!
+ esp=aes192-sha384!
+ authby=psk
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..3c355de51
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..079ea723e
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2194db582
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
+ esp=aes128-sha256,aes192-sha384!
+ authby=psk
+
+conn rw-carol
+ also=rw
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ auto=add
+
+conn rw-dave
+ also=rw
+ right=PH_IP_DAVE
+ rightid=dave@strongswan.org
+ auto=add
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=moon.strongswan.org
+ leftfirewall=yes
+ rightsourceip=10.3.0.0/28
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..a9e89c038
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
+
+moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..079ea723e
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev1/rw-ntru-psk/posttest.dat b/testing/tests/ikev1/rw-ntru-psk/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-ntru-psk/pretest.dat b/testing/tests/ikev1/rw-ntru-psk/pretest.dat
new file mode 100644
index 000000000..40eaede87
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
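Review bot: `carol::sleep 2` before `carol::ipsec up home` relies on timing to assume the daemons have loaded their connections, while the compress-nat pretest added in this same commit waits explicitly with `expect-connection`. I would replace it with `carol::expect-connection home` and `dave::expect-connection home` so a slow guest does not produce a spurious failure. Separately, the three `rm /etc/ipsec.d/cacerts/*` lines delete the CA certificates and posttest.dat does not put them back. Presumably the harness restores the default host files before the next scenario, but that is not visible here and is worth confirming.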
diff --git a/testing/tests/ikev1/rw-ntru-psk/test.conf b/testing/tests/ikev1/rw-ntru-psk/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev1/rw-ntru-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/compress-nat/description.txt b/testing/tests/ikev2/compress-nat/description.txt
new file mode 100644
index 000000000..1ad94e72f
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/description.txt
@@ -0,0 +1,3 @@
+The peers <b>alice</b> and <b>bob</b> are located behind the NAT routers <b>moon</b> and <b>sun</b>,
+respectively. They both connect to a central gateway <b>carol</b> using IPComp.
+In order to test the IPsec tunnel both peers ping each other and gateway <b>carol</b>.
diff --git a/testing/tests/ikev2/compress-nat/evaltest.dat b/testing/tests/ikev2/compress-nat/evaltest.dat
new file mode 100644
index 000000000..2c5db890a
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/evaltest.dat
@@ -0,0 +1,22 @@
+alice::ipsec status 2> /dev/null::hub.*ESTABLISHED.*alice@strongswan.org.*carol@strongswan.org::YES
+bob:: ipsec status 2> /dev/null::hub.*ESTABLISHED.*bob@strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_MOON.*alice@strongswan.org::YES
+carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_SUN.*bob@strongswan.org::YES
+alice::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
+bob:: ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
+carol::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+carol::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+alice::ip xfrm state::proto comp spi::YES
+bob:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_req=1::YES
+alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_BOB::8192 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+moon::tcpdump::IP carol.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+sun::tcpdump::IP carol.strongswan.org.* > sun.strongswan.org.*: UDP::YES
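Review bot: bob never pings carol, although description.txt says both peers ping each other and the gateway; alice's checks cover PH_IP_CAROL and PH_IP_BOB, bob's only PH_IP_ALICE. To cover the bob-to-hub direction, add `bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_req=1::YES` and the matching small-packet line `bob:: ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES`.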
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..7ecc68f03
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=restart
+ dpddelay=60s
+ leftfirewall=yes
+ lefthostaccess=yes
+
+conn hub
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ rightsubnet=PH_IP_CAROL/32,10.2.0.0/16
+ compress=yes
+ auto=add
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf
new file mode 100644
index 000000000..6ef2c06f4
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=restart
+ dpddelay=60s
+ leftfirewall=yes
+ lefthostaccess=yes
+
+conn hub
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftsubnet=10.2.0.0/16
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ rightsubnet=PH_IP_CAROL/32,10.1.0.0/16
+ compress=yes
+ auto=add
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..23d179b7a
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=clear
+ dpddelay=60s
+
+conn hub
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=%any
+ leftsubnet=0.0.0.0/0
+ rightsubnet=0.0.0.0/0
+ compress=yes
+ auto=add
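Review bot: `conn hub` combines `right=%any` with `leftsubnet=0.0.0.0/0` and `rightsubnet=0.0.0.0/0` and sets no `rightid`, so as written the gateway will negotiate whatever traffic selectors an authenticated peer proposes, including another peer's subnet. That is convenient for a two-spoke test but risky if the file is used as a template. I would add a comment above the subnet lines, e.g. `# test only: wildcard selectors; restrict rightsubnet/rightid per peer in real deployments`.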
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
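Review bot: The CRL-fetch INPUT rule matches only on `--sport 80` and the source address, so it accepts any TCP segment from PH_IP_WINNETOU with source port 80 to any local port, not just replies to carol's own fetches. Tying it to connection state, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, limits the rule to return traffic. The `# allow MobIKE` comment over the UDP 4500 rules would also read better as `# allow NAT-T / MobIKE (UDP 4500)` in a NAT scenario. The same rules appear in hosts/sun/etc/iptables.rules of host2host-transport-nat.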
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2/compress-nat/posttest.dat
new file mode 100644
index 000000000..b8432a8f2
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/posttest.dat
@@ -0,0 +1,10 @@
+bob::ipsec stop
+alice::ipsec stop
+carol::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+sun::conntrack -F
\ No newline at end of file
diff --git a/testing/tests/ikev2/compress-nat/pretest.dat b/testing/tests/ikev2/compress-nat/pretest.dat
new file mode 100644
index 000000000..3211bc574
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/pretest.dat
@@ -0,0 +1,21 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p udp -j SNAT --to-source PH_IP_SUN:1200-1300
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
+sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
+carol::ipsec start
+alice::ipsec start
+bob::ipsec start
+carol::expect-connection hub
+alice::expect-connection hub
+bob::expect-connection hub
+alice::ipsec up hub
+bob::ipsec up hub
diff --git a/testing/tests/ikev2/compress-nat/test.conf b/testing/tests/ikev2/compress-nat/test.conf
new file mode 100644
index 000000000..fd0c7f1e3
--- /dev/null
+++ b/testing/tests/ikev2/compress-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-s-b-med.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice carol bob"
diff --git a/testing/tests/ikev2/compress/description.txt b/testing/tests/ikev2/compress/description.txt
index 47829839d..4c60384f0 100644
--- a/testing/tests/ikev2/compress/description.txt
+++ b/testing/tests/ikev2/compress/description.txt
@@ -1,3 +1,4 @@
-This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
-gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
-the established tunnel with compression.
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
index b989a7774..843326ecc 100644
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -6,7 +6,7 @@ moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
moon:: ip xfrm state::proto comp spi::YES
carol::ip xfrm state::proto comp spi::YES
-carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
index 7502175e7..78809898b 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keyingtries=1
keyexchange=ikev2
compress=yes
+ leftfirewall=yes
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index 85d8c191f..dc937641c 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
index aa1be047e..718b3c814 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keyingtries=1
keyexchange=ikev2
compress=yes
+ leftfirewall=yes
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index 85d8c191f..dc937641c 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev2/compress/posttest.dat
+++ b/testing/tests/ikev2/compress/posttest.dat
@@ -1,2 +1,4 @@
moon::ipsec stop
carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index f5aa989fe..29a90355f 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,3 +1,5 @@
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
new file mode 100644
index 000000000..6f18a88cd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -0,0 +1,13 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b> and gateway <b>sun</b>
+is successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>alice</b> pings <b>sun</b>.<br/>
+<b>Note:</b> This scenario also demonstrates two problems with transport-mode and NAT traversal:
+<ol>
+<li>The client <b>venus</b> behind the same NAT as client <b>alice</b> is not able to ping <b>sun</b>
+(even with ICMP explicitly allowed there) because the request arrives unencrypted and thus gets
+dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
+in <em>/proc/net/xfrm_stat</em>).</li>
+<li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
+<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
+</ol>
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
new file mode 100644
index 000000000..faa9fb265
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
+venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
+sun::cat /var/log/daemon.log::unable to install policy::YES
+sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..8679a23a4
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
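Review bot: `right=192.168.0.2` hard-codes the gateway address, while the other new scenarios in this commit use the `PH_IP_*` placeholders and this scenario's own evaltest.dat pings `PH_IP_SUN`. Assuming that placeholder resolves to the same address, `right=PH_IP_SUN` keeps the config in step with the rest of the suite. The same applies to `left=192.168.0.2` in sun's ipsec.conf and `right=192.168.0.2` in venus's. `conn %default` also omits `keyexchange=ikev2`, which the other ikev2 configs added here set explicitly.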
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..11b0b2db9
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.2
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+
+conn nat-t
+ right=%any
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..0a2cd80b8
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ICMP
+-A INPUT -i eth0 -p icmp -j ACCEPT
+-A OUTPUT -o eth0 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..b416b30b8
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=venusCert.pem
+ leftid=venus@strongswan.org
+ leftfirewall=yes
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-nat/posttest.dat b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
new file mode 100644
index 000000000..80a3c7b7d
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
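Review bot: posttest.dat flushes the iptables rules on moon but leaves the connection-tracking entries created by the MASQUERADE rule from pretest.dat, whereas the compress-nat posttest in this commit ends with `moon::conntrack -F`. Stale NAT mappings for the IKE ports may carry over into the next scenario that uses moon as a NAT router. I would append `moon::conntrack -F` here.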
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
new file mode 100644
index 000000000..fe0f17d3d
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -0,0 +1,12 @@
+alice::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
diff --git a/testing/tests/ikev2/host2host-transport-nat/test.conf b/testing/tests/ikev2/host2host-transport-nat/test.conf
new file mode 100644
index 000000000..8c2facefd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
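Review bot: `VIRTHOSTS` omits venus, although TCPDUMPHOSTS and IPSECHOSTS in this file list it and pretest.dat, evaltest.dat and posttest.dat all run commands on it. If the harness only prepares the guests named in VIRTHOSTS (an assumption, since the harness is not part of this hunk), venus would not be set up for this scenario; I would use `VIRTHOSTS="alice venus moon winnetou sun"`. The diagram name `a-m-w-s-b.png` likewise suggests bob rather than venus and should be checked.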
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index fce551c69..2327eb983 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,4 +1,4 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
@@ -10,7 +10,7 @@ dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
index 5691f0f0d..c5af81b38 100644
--- a/testing/tests/ikev2/ip-split-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
@@ -1,4 +1,4 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null
moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null
@@ -6,7 +6,7 @@ moon::ipsec pool --status 2> /dev/null
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index 3aba87994..bb36a2630 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -1,6 +1,6 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
@@ -18,7 +18,7 @@ venus::ipsec start
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
alice::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index b74c1e07a..8ebfdc740 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,4 +1,4 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
@@ -7,7 +7,7 @@ alice::iptables-restore < /etc/iptables.rules
carol::ipsec start
moon::ipsec start
alice::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
alice::ipsec up home
alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
index e3d8f4a78..466a5eaec 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
@@ -1,6 +1,6 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null
alice::ip -6 route add default via fec1:\:1
moon::ipsec start
diff --git a/testing/tests/ikev2/lookip/description.txt b/testing/tests/ikev2/lookip/description.txt
new file mode 100644
index 000000000..0568e4824
--- /dev/null
+++ b/testing/tests/ikev2/lookip/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+Using the <b>ipsec lookup</b> tool which communicates with the <b>lookip</b> plugin via a unix
+socket, information about the assigned virtual IP is retrieved.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/lookip/evaltest.dat b/testing/tests/ikev2/lookip/evaltest.dat
new file mode 100644
index 000000000..68466172c
--- /dev/null
+++ b/testing/tests/ikev2/lookip/evaltest.dat
@@ -0,0 +1,22 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec lookip --lookup PH_IP_CAROL1 2> /dev/null::192.168.0.100.*rw\[1].*carol@strongswan.org::YES
+moon:: ipsec lookip --lookup PH_IP_DAVE1 2> /dev/null::192.168.0.200.*rw\[2].*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
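Review bot: The two `rw[{]1}` and `rw[{]2}` checks end in `::ESP` where every other line in the file ends in `::YES` or `::NO`, so the expected-result field is not a valid verdict. Depending on how the harness treats an unknown value, the INSTALLED, TUNNEL check on moon is either skipped or inverted. They should presumably read `moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES` and the same for `rw[{]2}`. The lookip lines also hard-code `192.168.0.100` and `192.168.0.200` where `PH_IP_CAROL` and `PH_IP_DAVE` would match the rest of the file.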
diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8c6c28bd6
--- /dev/null
+++ b/testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..72b8a59c0
--- /dev/null
+++ b/testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..85c48a7bb
--- /dev/null
+++ b/testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c81c5b618
--- /dev/null
+++ b/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown lookip
+}
diff --git a/testing/tests/ikev2/lookip/posttest.dat b/testing/tests/ikev2/lookip/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev2/lookip/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/lookip/pretest.dat b/testing/tests/ikev2/lookip/pretest.dat
new file mode 100644
index 000000000..3864bdac3
--- /dev/null
+++ b/testing/tests/ikev2/lookip/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
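Review bot: `carol::sleep 2` before `carol::ipsec up home` synchronises on wall-clock time, so on a slow guest the initiation can run before moon has loaded `rw`. The rw-compress-ikev2 pretest.dat added in this same commit waits explicitly instead; the equivalent here would be `moon::expect-connection rw`, `carol::expect-connection home` and `dave::expect-connection home` in place of the sleep. The trailing `carol::sleep 1` is a separate wait for dave's tunnel and has the same timing dependence. The net2net-ntru-cert and rw-ntru-psk pretest.dat files use the same sleep pattern.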
diff --git a/testing/tests/ikev2/lookip/test.conf b/testing/tests/ikev2/lookip/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/lookip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/net2net-ntru-cert/description.txt b/testing/tests/ikev2/net2net-ntru-cert/description.txt
new file mode 100644
index 000000000..638a67110
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The key exchange is based on NTRU encryption with a security strength of 256 bits.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ntru-cert/evaltest.dat b/testing/tests/ikev2/net2net-ntru-cert/evaltest.dat
new file mode 100644
index 000000000..78d2bff53
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
+sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/NTRU_256::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9da45bcba
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="ike 4, lib 4"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha512-ntru256!
+ esp=aes256-sha512!
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
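Review bot: `charondebug="ike 4, lib 4"` in `config setup` raises logging to level 4, which in strongSwan includes sensitive material such as keys in the dumps, so /var/log/daemon.log on moon can hold key material from every run. None of the evaltest.dat checks for this test read daemon.log, so the setting looks like a development leftover. If it is intentional, a comment above it such as `# level 4 logs key material - test network only` would keep it from being copied into a deployed configuration; otherwise drop the line. The sun ipsec.conf in this test sets the same value.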
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4fd948fd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+ send_vendor_id = yes
+}
+
+libstrongswan {
+ plugins {
+ ntru {
+ parameter_set = optimum
+ }
+ }
+}
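Review bot: The `libstrongswan.plugins.ntru.parameter_set = optimum` block appears only in moon's strongswan.conf; sun's file in this test has no `libstrongswan` section, and nothing explains the difference. pretest.dat runs `moon::ipsec up net-net`, so moon is the initiator, and presumably only the initiator's setting selects the NTRU parameter set; that should be confirmed. A comment above the block, for example `# moon initiates; parameter_set picks the NTRU parameter set it offers`, would document the asymmetry.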
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..50be98057
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="ike 4, lib 4"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha512-ntru256!
+ esp=aes256-sha512!
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f0432ada1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/net2net-ntru-cert/posttest.dat b/testing/tests/ikev2/net2net-ntru-cert/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ntru-cert/test.conf b/testing/tests/ikev2/net2net-ntru-cert/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/rw-ntru-psk/description.txt b/testing/tests/ikev2/rw-ntru-psk/description.txt
new file mode 100644
index 000000000..6a42c2bfb
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on strong
+preshared keys (PSKs).
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-psk/evaltest.dat b/testing/tests/ikev2/rw-ntru-psk/evaltest.dat
new file mode 100644
index 000000000..938157cc5
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
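Review bot: The `rw[{]1}` and `rw[{]2}` lines end in `::ESP`, while every other line in this file ends in `::YES`; the last field looks like the expected-result column, so `ESP` there is probably a slip, and how the harness scores it is not visible here. If the intent is to assert that the CHILD_SA is installed, the line should read `moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES` (likewise for `rw[{]2}`). If ESP was meant to be matched, it belongs in the pattern: `rw[{]1}.*INSTALLED, TUNNEL.*ESP::YES`. The lookip evaltest.dat earlier in this commit carries the same two lines.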
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8c6b77b77
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128!
+ esp=aes128-sha256!
+ authby=psk
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3e6d33ad9
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..079ea723e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..356acb4a1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ntru192!
+ esp=aes192-sha384!
+ authby=psk
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..3c355de51
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..079ea723e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..cdcebc7a8
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
+ esp=aes128-sha256,aes192-sha384!
+ authby=psk
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..a9e89c038
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
+
+moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..079ea723e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-ntru-psk/posttest.dat b/testing/tests/ikev2/rw-ntru-psk/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
new file mode 100644
index 000000000..40eaede87
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-psk/test.conf b/testing/tests/ikev2/rw-ntru-psk/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-compress-ikev2/description.txt b/testing/tests/ipv6/rw-compress-ikev2/description.txt
new file mode 100644
index 000000000..da52957f6
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/description.txt
@@ -0,0 +1,10 @@
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two IPv6 ICMP requests from <b>carol</b> to <b>alice</b>
+check the established tunnel with compression. The packet sizes are different
+because the kernel does not compress small packets.<br/>
+<b>Note:</b> The kernel applies IPComp after fragmenting the original packet
+according to the MTU. Also, because <b>alice</b> does not know about the IPsec
+tunnel between <b>moon</b> and <b>carol</b> the response to the first ICMP
+request is fragmented in too large fragments and <b>moon</b> sends back ICMPs
+with type 2 to notify <b>alice</b> about this (Path MTU Discovery).
+The second ping is then answered successfully.
diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
new file mode 100644
index 000000000..0a0b1a78f
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
@@ -0,0 +1,13 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+# send two pings because the first is lost due to Path MTU Discovery between alice and moon
+carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..bd9a9e59f
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn home
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..c4f9b5b5b
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn rw
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=fec1::/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat
new file mode 100644
index 000000000..fdaf44080
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat
new file mode 100644
index 000000000..3f6427f50
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+# enable Path MTU Discovery
+moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ipv6/rw-compress-ikev2/test.conf b/testing/tests/ipv6/rw-compress-ikev2/test.conf
new file mode 100644
index 000000000..4e8d1e9fb
--- /dev/null
+++ b/testing/tests/ipv6/rw-compress-ikev2/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 391785a1c..10a51bc37 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
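Review bot: The new template path hard-codes the `/usr/local` install prefix, and if that file is missing `cat` still writes /etc/ipsec.d/ipsec.sql from data.sql alone, so the `sqlite3` import that follows runs against a database with no schema. The test would then fail later in a way that does not point at the missing template; whether the harness stops on a failing pretest command is not visible in the hunk. A guard line per host before the `cat`, such as `moon::test -r /usr/local/share/strongswan/templates/database/sql/sqlite.sql`, would make the cause explicit. The same substitution is repeated in the ip-pool-db-restart, ip-pool-db, ip-split-pools-db-restart, ip-split-pools-db and multi-level-ca pretest.dat hunks.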
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 20b1937b7..639cfd99f 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index 819aca3d9..46f33324c 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
index 8b30de8c4..ba3f4d1cb 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat
index e1dcb9d51..6c7633811 100644
--- a/testing/tests/sql/ip-split-pools-db/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index fdd4df5f9..6d56ede09 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index a1777efb0..b62da613c 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -1,12 +1,12 @@
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 1
+moon::sleep 1
moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index a1777efb0..b62da613c 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -1,12 +1,12 @@
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 1
+moon::sleep 1
moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 8ca573ee5..537aa630b 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -1,7 +1,7 @@
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::iptables-restore < /etc/iptables.rules
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index 1c71f0c14..7307aca81 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -1,7 +1,7 @@
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::iptables-restore < /etc/iptables.rules
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index fdd4df5f9..6d56ede09 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index 8f2387ba1..2a8e460e7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -1,7 +1,7 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::iptables-restore < /etc/iptables.rules
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index fdd4df5f9..6d56ede09 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 587dd7f85..fdb5f1970 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index fdd4df5f9..6d56ede09 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index fdd4df5f9..6d56ede09 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index fdd4df5f9..6d56ede09 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -1,9 +1,9 @@
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
index a1777efb0..b62da613c 100644
--- a/testing/tests/sql/shunt-policies/pretest.dat
+++ b/testing/tests/sql/shunt-policies/pretest.dat
@@ -1,12 +1,12 @@
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 1
+moon::sleep 1
moon::ipsec up net-net
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
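Review bot: The `dh_mapping` block in this new file is a bare pair of numbers with no explanation, and the same file (blob cc9d6e072) is added unchanged for five more tkm scenarios later in this commit. A reader cannot tell which side is the IKE value and which is the TKM value; going by IKE group numbering, the keys look like DH groups 15 and 16 (MODP-3072 and MODP-4096) and the values like TKM-side DH algorithm ids, but that should be confirmed against the charon-tkm documentation. I would add one comment above the block, for example `# IKE DH group number = TKM DH algorithm id (15: modp3072, 16: modp4096)`. This matters because the two sides have to agree on the mapping, and a mismatch would only show up as a failed key exchange.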
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
index a991d05ea..7541a2adb 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -5,7 +5,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
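Review bot: The added `alice::cd ...; cat ...` line joins the two commands with `;`, so a failed `cd` into the templates directory does not stop the `cat`. The relative names `tables.sql` and `data.sql` would then resolve against whatever the previous working directory was, and `sqlite3` would still create /etc/pts/config.db from whatever `cat` managed to read, in the worst case only /etc/pts/data1.sql. Before this change the directory was the test's own /etc/pts; now it depends on the installed templates, so a missing or relocated template would surface later as a confusing measurement or policy failure rather than at this step. I would use `cd /usr/local/share/strongswan/templates/database/imv && cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db`, or absolute paths for all three inputs. The same `cd ...;` form is added in the tnccs-20-os, tnccs-20-pt-tls and tnccs-20-pts hunks.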
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index e1434e481..0ac88dd8d 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -4,13 +4,13 @@ dave::iptables-restore < /etc/iptables.rules
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
moon::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
-moon::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::ipsec start
+dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
index 2a53977c0..f7d86ec7f 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
@@ -7,7 +7,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
dave::cat /etc/tnc_config
alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data.sql
-alice::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
alice::ipsec start
winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
carol::ip route add 10.1.0.0/16 via 192.168.0.1
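Review bot: The `sed -i` on the context line just above the change still rewrites the NOW placeholder in /etc/pts/data.sql, but the added line no longer loads that file. `data.sql` is now read relative to the templates directory and only `data1.sql` comes from /etc/pts, so the timestamp substitution appears to reach nothing that ends up in config.db. The tnccs-20-os hunk in this commit runs the same substitution on `/etc/pts/data1.sql`, which suggests the sed target here should change to `/etc/pts/data1.sql` as well. Whether /etc/pts/data.sql still exists on alice is not visible from this hunk. If a literal NOW reaches the database, any time-based comparison in the test would be working on the wrong value.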
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
index 794aef9fb..49ea0416e 100644
--- a/testing/tests/tnc/tnccs-20-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -3,13 +3,13 @@ carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-moon::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+dave::ipsec start
+carol::ipsec start
dave::sleep 1
dave::ipsec up home
carol::ipsec up home