10 files changed, 1306 insertions, 16 deletions
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
index 9c3b47364..3ba283bb7 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -1,11 +1,9 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = -rdynamic
 
-libstrongswan_tnc_imv_la_LIBADD = -ltnc
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
 else
@@ -13,7 +11,9 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
 endif
 
 libstrongswan_tnc_imv_la_SOURCES = \
-	tnc_imv_plugin.h tnc_imv_plugin.c
+	tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
+	tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
+	tnc_imv_recommendations.h tnc_imv_recommendations.c
 
 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index f89b5e03b..0324d2eb9 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -74,8 +74,10 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_tnc_imv_la_DEPENDENCIES =
-am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo
+libstrongswan_tnc_imv_la_LIBADD =
+am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \
+	tnc_imv_manager.lo tnc_imv_bind_function.lo \
+	tnc_imv_recommendations.lo
 libstrongswan_tnc_imv_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imv_la_OBJECTS)
 libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -221,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -273,14 +275,15 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = -rdynamic
-libstrongswan_tnc_imv_la_LIBADD = -ltnc
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
 libstrongswan_tnc_imv_la_SOURCES = \
-	tnc_imv_plugin.h tnc_imv_plugin.c
+	tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
+	tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
+	tnc_imv_recommendations.h tnc_imv_recommendations.c
 
 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -366,7 +369,11 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_bind_function.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
new file mode 100644
index 000000000..f88b645d6
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv.h"
+
+#include <dlfcn.h>
+
+#include <debug.h>
+#include <library.h>
+
+typedef struct private_tnc_imv_t private_tnc_imv_t;
+
+/**
+ * Private data of an imv_t object.
+ */
+struct private_tnc_imv_t {
+
+	/**
+	 * Public members of imv_t.
+	 */
+	imv_t public;
+
+	/**
+	 * Path of loaded IMV
+	 */
+	char *path;
+
+	/**
+	 * Name of loaded IMV
+	 */
+	char *name;
+
+	/**
+	 * Handle of loaded IMV
+	 */
+	void *handle;
+
+	/**
+	 * ID of loaded IMV
+	 */
+	TNC_IMVID id;
+
+	/**
+	 * List of message types supported by IMC
+	 */
+	TNC_MessageTypeList supported_types;
+
+	/**
+	 * Number of supported message types
+	 */
+	TNC_UInt32 type_count;
+};
+
+METHOD(imv_t, set_id, void,
+	private_tnc_imv_t *this, TNC_IMVID id)
+{
+	this->id = id;
+}
+
+METHOD(imv_t, get_id, TNC_IMVID,
+	private_tnc_imv_t *this)
+{
+	return this->id;
+}
+
+METHOD(imv_t, get_name, char*,
+	private_tnc_imv_t *this)
+{
+	return this->name;
+}
+
+METHOD(imv_t, set_message_types, void,
+	private_tnc_imv_t *this, TNC_MessageTypeList supported_types,
+							 TNC_UInt32 type_count)
+{
+	/* Free an existing MessageType list */
+	free(this->supported_types);
+	this->supported_types = NULL;
+
+	/* Store the new MessageType list */
+	this->type_count = type_count;
+	if (type_count && supported_types)
+	{
+		size_t size = type_count * sizeof(TNC_MessageType);
+
+		this->supported_types = malloc(size);
+		memcpy(this->supported_types, supported_types, size);
+	}
+	DBG2(DBG_TNC, "IMV %u supports %u message types", this->id, type_count);
+}
+
+METHOD(imv_t, type_supported, bool,
+	private_tnc_imv_t *this, TNC_MessageType message_type)
+{
+	TNC_VendorID msg_vid, vid;
+	TNC_MessageSubtype msg_subtype, subtype;
+	int i;
+
+	msg_vid = (message_type >> 8) & TNC_VENDORID_ANY;
+	msg_subtype = message_type & TNC_SUBTYPE_ANY;
+
+	for (i = 0; i < this->type_count; i++)
+	{
+		vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY;
+		subtype = this->supported_types[i] & TNC_SUBTYPE_ANY;
+
+		if (this->supported_types[i] == message_type
+		|| (subtype == TNC_SUBTYPE_ANY
+			&& (msg_vid == vid || vid == TNC_VENDORID_ANY))
+		|| (vid == TNC_VENDORID_ANY
+			&& (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY)))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(imv_t, destroy, void,
+	private_tnc_imv_t *this)
+{
+	dlclose(this->handle);
+	free(this->supported_types);
+	free(this->name);
+	free(this->path);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create(char *name, char *path)
+{
+	private_tnc_imv_t *this;
+
+	INIT(this,
+		.public = {
+			.set_id = _set_id,
+			.get_id = _get_id,
+			.get_name = _get_name,
+			.set_message_types = _set_message_types,
+			.type_supported = _type_supported,
+			.destroy = _destroy,
+		},
+		.name = name,
+		.path = path,
+	);
+
+	this->handle = dlopen(path, RTLD_LAZY);
+	if (!this->handle)
+	{
+		DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
+		free(this);
+		return NULL;
+	}
+
+	this->public.initialize = dlsym(this->handle, "TNC_IMV_Initialize");
+	if (!this->public.initialize)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
+					   path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+	this->public.notify_connection_change =
+						dlsym(this->handle, "TNC_IMV_NotifyConnectionChange");
+	this->public.solicit_recommendation =
+						dlsym(this->handle, "TNC_IMV_SolicitRecommendation");
+	if (!this->public.solicit_recommendation)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
+					   path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+	this->public.receive_message =
+						dlsym(this->handle, "TNC_IMV_ReceiveMessage");
+	this->public.batch_ending =
+						dlsym(this->handle, "TNC_IMV_BatchEnding");
+	this->public.terminate =
+						dlsym(this->handle, "TNC_IMV_Terminate");
+	this->public.provide_bind_function =
+						dlsym(this->handle, "TNC_IMV_ProvideBindFunction");
+	if (!this->public.provide_bind_function)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
+					  path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h
new file mode 100644
index 000000000..75939e54c
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_t tnc_imv
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_H_
+#define TNC_IMV_H_
+
+#include <tnc/imv/imv.h>
+
+/**
+ * Create an Integrity Measurement Verifier.
+ *
+ * @param name			name of the IMV
+ * @param filename		path to the dynamic IMV library
+ * @return				instance of the imv_t interface
+ */
+imv_t* tnc_imv_create(char *name, char *filename);
+
+#endif /** TNC_IMV_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
new file mode 100644
index 000000000..0ea52f08e
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#define TNC_IMCID_ANY	0xffff
+
+/**
+ * Called by the IMV to inform a TNCS about the set of message types the IMV
+ * is able to receive
+ */
+TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id,
+									   TNC_MessageTypeList supported_types,
+									   TNC_UInt32 type_count)
+{
+	return charon->imvs->set_message_types(charon->imvs, imv_id,
+										   supported_types, type_count);
+}
+
+/**
+ * Called by the IMV to ask a TNCS to retry an Integrity Check Handshake
+ */
+TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_RetryReason reason)
+{
+	return charon->tnccs->request_handshake_retry(charon->tnccs, FALSE, imv_id,
+												  connection_id, reason);
+}
+
+/**
+ * Called by the IMV when an IMV-IMC message is to be sent
+ */
+TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id,
+								TNC_ConnectionID connection_id,
+								TNC_BufferReference msg,
+								TNC_UInt32 msg_len,
+								TNC_MessageType msg_type)
+{
+	return charon->tnccs->send_message(charon->tnccs, TNC_IMCID_ANY, imv_id,
+									   connection_id, msg, msg_len, msg_type);
+}
+
+/**
+ * Called by the IMV to deliver its IMV Action Recommendation and IMV Evaluation
+ * Result to the TNCS
+ */
+TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id,
+								TNC_ConnectionID connection_id,
+								TNC_IMV_Action_Recommendation recommendation,
+								TNC_IMV_Evaluation_Result evaluation)
+{
+	return charon->tnccs->provide_recommendation(charon->tnccs, imv_id,
+							connection_id, recommendation, evaluation);
+}
+
+/**
+ * Called by the IMV to get the value of an attribute associated with a
+ * connection or with the TNCS as a whole.
+ */
+TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id,
+								 TNC_ConnectionID connection_id,
+								 TNC_AttributeID attribute_id,
+								 TNC_UInt32 buffer_len,
+								 TNC_BufferReference buffer,
+								 TNC_UInt32 *out_value_len)
+{
+	return charon->tnccs->get_attribute(charon->tnccs, imv_id, connection_id,
+							attribute_id, buffer_len, buffer, out_value_len);
+}
+
+/**
+ * Called by the IMV to set the value of an attribute associated with a
+ * connection or with the TNCS as a whole.
+ */
+TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id,
+								 TNC_ConnectionID connection_id,
+								 TNC_AttributeID attribute_id,
+								 TNC_UInt32 buffer_len,
+								 TNC_BufferReference buffer)
+{
+	return charon->tnccs->set_attribute(charon->tnccs, imv_id, connection_id,
+										attribute_id, buffer_len, buffer);
+}
+
+/**
+ * Called by the IMV when it needs a function pointer
+ */
+TNC_Result TNC_TNCS_BindFunction(TNC_IMVID id,
+								 char *function_name,
+								 void **function_pointer)
+{
+	if (streq(function_name, "TNC_TNCS_ReportMessageTypes"))
+	{
+		*function_pointer = (void*)TNC_TNCS_ReportMessageTypes;
+	}
+	else if (streq(function_name, "TNC_TNCS_RequestHandshakeRetry"))
+	{
+		*function_pointer = (void*)TNC_TNCS_RequestHandshakeRetry;
+	}
+	else if (streq(function_name, "TNC_TNCS_SendMessage"))
+	{
+		*function_pointer = (void*)TNC_TNCS_SendMessage;
+	}
+	else if (streq(function_name, "TNC_TNCS_ProvideRecommendation"))
+	{
+		*function_pointer = (void*)TNC_TNCS_ProvideRecommendation;
+	}
+	else if (streq(function_name, "TNC_TNCS_GetAttribute"))
+	{
+		*function_pointer = (void*)TNC_TNCS_GetAttribute;
+	}
+	else if (streq(function_name, "TNC_TNCS_SetAttribute"))
+	{
+		*function_pointer = (void*)TNC_TNCS_SetAttribute;
+	}
+	else
+	{
+		return TNC_RESULT_INVALID_PARAMETER;
+	}
+	return TNC_RESULT_SUCCESS;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
new file mode 100644
index 000000000..559de86d0
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_manager.h"
+#include "tnc_imv_recommendations.h"
+
+#include <tnc/imv/imv_manager.h>
+#include <tnc/tncifimv.h>
+
+#include <debug.h>
+#include <daemon.h>
+#include <threading/mutex.h>
+
+typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
+
+
+/**
+ * Private data of an imv_manager_t object.
+ */
+struct private_tnc_imv_manager_t {
+
+	/**
+	 * Public members of imv_manager_t.
+	 */
+	imv_manager_t public;
+
+	/**
+	 * Linked list of IMVs
+	 */
+	linked_list_t *imvs;
+
+	/**
+	 * Next IMV ID to be assigned
+	 */
+	TNC_IMVID next_imv_id;
+
+	/**
+	 * Policy defining how to derive final recommendation from individual ones
+	 */
+	recommendation_policy_t policy;
+};
+
+METHOD(imv_manager_t, add, bool,
+	private_tnc_imv_manager_t *this, imv_t *imv)
+{
+	TNC_Version version;
+
+	/* Initialize the IMV module */
+	imv->set_id(imv, this->next_imv_id);
+	if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1,
+		TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
+		return FALSE;
+	}
+	this->imvs->insert_last(this->imvs, imv);
+	this->next_imv_id++;
+
+	if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction)
+			!= TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function",
+					   imv->get_name(imv));
+		this->imvs->remove_last(this->imvs, (void**)&imv);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+METHOD(imv_manager_t, remove_, imv_t*,
+	private_tnc_imv_manager_t *this, TNC_IMVID id)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (id == imv->get_id(imv))
+		{
+			this->imvs->remove_at(this->imvs, enumerator);
+			return imv;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return NULL;
+}
+
+METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t,
+	private_tnc_imv_manager_t *this)
+{
+	return this->policy;
+}
+
+METHOD(imv_manager_t, create_recommendations, recommendations_t*,
+	private_tnc_imv_manager_t *this)
+{
+	return tnc_imv_recommendations_create(this->imvs);
+}
+
+METHOD(imv_manager_t, enforce_recommendation, bool,
+	private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+{
+	char *group;
+	identification_t *id;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+
+	switch (rec)
+	{
+		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+			DBG1(DBG_TNC, "TNC recommendation is allow");
+			group = "allow";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+			DBG1(DBG_TNC, "TNC recommendation is isolate");
+			group = "isolate";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+		default:
+			DBG1(DBG_TNC, "TNC recommendation is none");
+			return FALSE;
+	}
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+		id = identification_create_from_string(group);
+		auth->add(auth, AUTH_RULE_GROUP, id);
+		DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+	}
+	return TRUE;
+}
+
+
+METHOD(imv_manager_t, notify_connection_change, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID id,
+									 TNC_ConnectionState state)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (imv->notify_connection_change)
+		{
+			imv->notify_connection_change(imv->get_id(imv), id, state);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, set_message_types, TNC_Result,
+	private_tnc_imv_manager_t *this, TNC_IMVID id,
+									 TNC_MessageTypeList supported_types,
+									 TNC_UInt32 type_count)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+	TNC_Result result = TNC_RESULT_FATAL;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (id == imv->get_id(imv))
+		{
+			imv->set_message_types(imv, supported_types, type_count);
+			result = TNC_RESULT_SUCCESS;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return result;
+}
+
+METHOD(imv_manager_t, solicit_recommendation, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		imv->solicit_recommendation(imv->get_id(imv), id);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, receive_message, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID connection_id,
+									 TNC_BufferReference message,
+									 TNC_UInt32 message_len,
+									 TNC_MessageType message_type)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (imv->receive_message && imv->type_supported(imv, message_type))
+		{
+			imv->receive_message(imv->get_id(imv), connection_id,
+								 message, message_len, message_type);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, batch_ending, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (imv->batch_ending)
+		{
+			imv->batch_ending(imv->get_id(imv), id);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, destroy, void,
+	private_tnc_imv_manager_t *this)
+{
+	imv_t *imv;
+
+	while (this->imvs->remove_last(this->imvs, (void**)&imv) == SUCCESS)
+	{
+		if (imv->terminate &&
+			imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
+						   imv->get_name(imv));
+		}
+		imv->destroy(imv);
+	}
+	this->imvs->destroy(this->imvs);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_manager_t* tnc_imv_manager_create(void)
+{
+	private_tnc_imv_manager_t *this;
+	recommendation_policy_t policy;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.remove = _remove_, /* avoid name conflict with stdio.h */
+			.get_recommendation_policy = _get_recommendation_policy,
+			.create_recommendations = _create_recommendations,
+			.enforce_recommendation = _enforce_recommendation,
+			.notify_connection_change = _notify_connection_change,
+			.set_message_types = _set_message_types,
+			.solicit_recommendation = _solicit_recommendation,
+			.receive_message = _receive_message,
+			.batch_ending = _batch_ending,
+			.destroy = _destroy,
+		},
+		.imvs = linked_list_create(),
+		.next_imv_id = 1,
+	);
+	policy = enum_from_name(recommendation_policy_names,
+				lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imv.recommendation_policy", "default"));
+	this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
+	DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
+				   recommendation_policy_names, this->policy);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h
new file mode 100644
index 000000000..2fe9e7ae3
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_MANAGER_H_
+#define TNC_IMV_MANAGER_H_
+
+#include <tnc/imv/imv_manager.h>
+
+/**
+ * Create an IMV manager instance.
+ */
+imv_manager_t *tnc_imv_manager_create();
+
+#endif /** TNC_IMV_MANAGER_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index 5b3d3892d..f238f01ea 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -14,15 +14,137 @@
  */
 
 #include "tnc_imv_plugin.h"
+#include "tnc_imv_manager.h"
+#include "tnc_imv.h"
 
-#include <libtnctncs.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
 
 #include <daemon.h>
+#include <utils/lexparser.h>
+
+/**
+ * load IMVs from a configuration file
+ */
+static bool load_imvs(char *filename)
+{
+	int fd, line_nr = 0;
+	chunk_t src, line;
+	struct stat sb;
+	void *addr;
+
+	DBG1(DBG_TNC, "loading IMVs from '%s'", filename);
+	fd = open(filename, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename,
+			 strerror(errno));
+		return FALSE;
+	}
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename,
+			 strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	src = chunk_create(addr, sb.st_size);
+
+	while (fetchline(&src, &line))
+	{
+		char *name, *path;
+		chunk_t token;
+		imv_t *imv;
+
+		line_nr++;
+
+		/* skip comments or empty lines */
+		if (*line.ptr == '#' || !eat_whitespace(&line))
+		{
+			continue;
+		}
+
+		/* determine keyword */
+		if (!extract_token(&token, ' ', &line))
+		{
+			DBG1(DBG_TNC, "line %d: keyword must be followed by a space",
+						   line_nr);
+			return FALSE;
+		}
+
+		/* only interested in IMVs */
+		if (!match("IMV", &token))
+		{
+			continue;
+		}
+
+		/* advance to the IMV name and extract it */
+		if (!extract_token(&token, '"', &line) ||
+			!extract_token(&token, '"', &line))
+		{
+			DBG1(DBG_TNC, "line %d: IMV name must be set in double quotes",
+						   line_nr);
+			return FALSE;
+		}
+
+		/* copy the IMV name */
+		name = malloc(token.len + 1);
+		memcpy(name, token.ptr, token.len);
+		name[token.len] = '\0';
+
+		/* advance to the IMV path and extract it */
+		if (!eat_whitespace(&line))
+		{
+			DBG1(DBG_TNC, "line %d: IMV path is missing", line_nr);
+			free(name);
+			return FALSE;
+		}
+		if (!extract_token(&token, ' ', &line))
+		{
+			token = line;
+		}
+
+		/* copy the IMV path */
+		path = malloc(token.len + 1);
+		memcpy(path, token.ptr, token.len);
+		path[token.len] = '\0';
+
+		/* load and register IMV instance */
+		imv = tnc_imv_create(name, path);
+		if (!imv)
+		{
+			free(name);
+			free(path);
+			return FALSE;
+		}
+		if (!charon->imvs->add(charon->imvs, imv))
+		{
+			imv->destroy(imv);
+			return FALSE;
+		}
+		DBG1(DBG_TNC, "IMV %u \"%s\" loaded from '%s'", imv->get_id(imv),
+														name, path);
+	}
+	munmap(addr, sb.st_size);
+	close(fd);
+	return TRUE;
+}
 
 METHOD(plugin_t, destroy, void,
 	tnc_imv_plugin_t *this)
 {
-	libtnc_tncs_Terminate();
+	charon->imvs->destroy(charon->imvs);
 	free(this);
 }
 
@@ -42,13 +164,18 @@ plugin_t *tnc_imv_plugin_create()
 
 	tnc_config = lib->settings->get_str(lib->settings,
 					"charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
-	if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+
+	/* Create IMV manager */
+	charon->imvs = tnc_imv_manager_create();
+
+	/* Load IMVs and abort if not all instances initalize successfully */
+	if (!load_imvs(tnc_config))
 	{
+		charon->imvs->destroy(charon->imvs);
+		charon->imvs = NULL;
 		free(this);
-		DBG1(DBG_TNC, "TNC IMV initialization failed");
 		return NULL;
 	}
-
 	return &this->plugin;
 }
 
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
new file mode 100644
index 000000000..5cc6b0ced
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <debug.h>
+#include <daemon.h>
+#include <tnc/tncifimv.h>
+#include <tnc/imv/imv.h>
+#include <tnc/imv/imv_recommendations.h>
+
+typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
+typedef struct recommendation_entry_t recommendation_entry_t;
+
+/**
+ * Recommendation entry
+ */
+struct recommendation_entry_t {
+
+	/**
+	 * IMV ID
+	 */
+	TNC_IMVID id;
+
+	/**
+	 * Received a recommendation message from this IMV?
+	 */
+	bool have_recommendation;
+
+	/**
+	 * Action Recommendation provided by IMV instance
+	 */
+	TNC_IMV_Action_Recommendation rec;
+
+	/**
+	 * Evaluation Result provided by IMV instance
+	 */
+	TNC_IMV_Evaluation_Result eval;
+
+	/**
+	 * Reason string provided by IMV instance
+	 */
+	chunk_t reason;
+
+	/**
+	 * Reason language provided by IMV instance
+	 */
+	chunk_t reason_language;
+};
+
+/**
+ * Private data of a recommendations_t object.
+ */
+struct private_tnc_imv_recommendations_t {
+
+	/**
+	 * Public members of recommendations_t.
+	 */
+	recommendations_t public;
+
+	/**
+	 * list of recommendations and evaluations provided by IMVs
+	 */
+	linked_list_t *recs;
+
+	/**
+	 * Preferred language for remediation messages
+	 */
+	chunk_t preferred_language;
+};
+
+METHOD(recommendations_t, provide_recommendation, TNC_Result,
+	private_tnc_imv_recommendations_t* this, TNC_IMVID id,
+											 TNC_IMV_Action_Recommendation rec,
+											 TNC_IMV_Evaluation_Result eval)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	bool found = FALSE;
+
+	DBG2(DBG_TNC, "IMV %u provides recommendation '%N' and evaluation '%N'", id,
+		 TNC_IMV_Action_Recommendation_names, rec,
+		 TNC_IMV_Evaluation_Result_names, eval);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			found = TRUE;
+			entry->have_recommendation = TRUE;
+			entry->rec = rec;
+			entry->eval = eval;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found ? TNC_RESULT_SUCCESS : TNC_RESULT_FATAL;
+}
+
+METHOD(recommendations_t, have_recommendation, bool,
+	private_tnc_imv_recommendations_t *this, TNC_IMV_Action_Recommendation *rec,
+											 TNC_IMV_Evaluation_Result *eval)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	recommendation_policy_t policy;
+	TNC_IMV_Action_Recommendation final_rec;
+	TNC_IMV_Evaluation_Result final_eval;
+	bool first = TRUE, incomplete = FALSE;
+
+	*rec = final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+	*eval = final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+
+	if (this->recs->get_count(this->recs) == 0)
+	{
+		DBG1(DBG_TNC, "there are no IMVs to make a recommendation");
+		return TRUE;
+	}
+	policy = charon->imvs->get_recommendation_policy(charon->imvs);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (!entry->have_recommendation)
+		{
+			incomplete = TRUE;
+			break;
+		}
+		if (first)
+		{
+			final_rec = entry->rec;
+			final_eval = entry->eval;
+			first = FALSE;
+			continue;
+		}
+		switch (policy)
+		{
+			case RECOMMENDATION_POLICY_DEFAULT:
+				switch (entry->rec)
+				{
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+						final_rec = entry->rec;
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+						if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+						if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+						break;
+				}
+				switch (entry->eval)
+				{
+					case TNC_IMV_EVALUATION_RESULT_ERROR:
+						final_eval = entry->eval;
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR &&
+							final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+						if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+						break;
+				}
+				break;
+
+			case RECOMMENDATION_POLICY_ALL:
+				if (entry->rec != final_rec)
+				{
+					final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+				}
+				if (entry->eval != final_eval)
+				{
+					final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+				}
+				break;
+
+			case RECOMMENDATION_POLICY_ANY:
+				switch (entry->rec)
+				{
+					case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+						final_rec = entry->rec;
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+						if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+						if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+						break;
+				}
+				switch (entry->eval)
+				{
+					case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+						final_eval = entry->eval;
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT &&
+							final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_ERROR:
+						if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+						break;
+				}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (incomplete)
+	{
+		return FALSE;
+	}
+	*rec = final_rec;
+	*eval = final_eval;
+	return TRUE;
+}
+
+METHOD(recommendations_t, get_preferred_language, chunk_t,
+	private_tnc_imv_recommendations_t *this)
+{
+	return this->preferred_language;
+}
+
+METHOD(recommendations_t, set_preferred_language, void,
+	private_tnc_imv_recommendations_t *this, chunk_t pref_lang)
+{
+	free(this->preferred_language.ptr);
+	this->preferred_language = chunk_clone(pref_lang);
+}
+
+METHOD(recommendations_t, set_reason_string, TNC_Result,
+	private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	bool found = FALSE;
+
+	DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'",
+		 id, reason.len, reason.ptr);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			found = TRUE;
+			free(entry->reason.ptr);
+			entry->reason = chunk_clone(reason);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+METHOD(recommendations_t, set_reason_language, TNC_Result,
+	private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason_lang)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	bool found = FALSE;
+
+	DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'",
+		 id, reason_lang.len, reason_lang.ptr);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			found = TRUE;
+			free(entry->reason_language.ptr);
+			entry->reason_language = chunk_clone(reason_lang);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+/**
+ * Enumerate reason and reason_language, not recommendation entries
+ */
+static bool reason_filter(void *null, recommendation_entry_t **entry,
+						 TNC_IMVID *id, void *i2, chunk_t *reason, void *i3,
+						 chunk_t *reason_language)
+{
+	if ((*entry)->reason.len)
+	{
+		*id = (*entry)->id;
+		*reason = (*entry)->reason;
+		*reason_language = (*entry)->reason_language;
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+METHOD(recommendations_t, create_reason_enumerator, enumerator_t*,
+	private_tnc_imv_recommendations_t *this)
+{
+	return enumerator_create_filter(this->recs->create_enumerator(this->recs),
+					(void*)reason_filter, NULL, NULL);
+}
+
+METHOD(recommendations_t, destroy, void,
+	private_tnc_imv_recommendations_t *this)
+{
+	recommendation_entry_t *entry;
+
+	while (this->recs->remove_last(this->recs, (void**)&entry) == SUCCESS)
+	{
+		free(entry->reason.ptr);
+		free(entry->reason_language.ptr);
+		free(entry);
+	}
+	this->recs->destroy(this->recs);
+	free(this->preferred_language.ptr);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list)
+{
+	private_tnc_imv_recommendations_t *this;
+	recommendation_entry_t *entry;
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	INIT(this,
+		.public = {
+			.provide_recommendation = _provide_recommendation,
+			.have_recommendation = _have_recommendation,
+			.get_preferred_language = _get_preferred_language,
+			.set_preferred_language = _set_preferred_language,
+			.set_reason_string = _set_reason_string,
+			.set_reason_language = _set_reason_language,
+			.create_reason_enumerator = _create_reason_enumerator,
+			.destroy = _destroy,
+		},
+		.recs = linked_list_create(),
+	);
+
+	enumerator = imv_list->create_enumerator(imv_list);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		entry = malloc_thing(recommendation_entry_t);
+		entry->id = imv->get_id(imv);
+		entry->have_recommendation = FALSE;
+		entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+		entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+		entry->reason = chunk_empty;
+		entry->reason_language = chunk_empty;
+		this->recs->insert_last(this->recs, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
new file mode 100644
index 000000000..6d65a2521
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_RECOMMENDATIONS_H_
+#define TNC_IMV_RECOMMENDATIONS_H_
+
+#include <tnc/imv/imv_recommendations.h>
+#include <utils/linked_list.h>
+
+/**
+ * Create an IMV empty recommendations instance
+ */
+recommendations_t *tnc_imv_recommendations_create();
+
+#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/