[Pkg-swan-devel] [strongswan] 01/09: New upstream version 5.5.1

Sat Oct 22 19:38:26 UTC 2016

This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 25663e04c3ab01ef8dc9f906608282319cfea2db
Author: Yves-Alexis Perez <corsac at debian.org>
Date:   Thu Oct 20 16:18:38 2016 +0200

    New upstream version 5.5.1
---
 Android.common.mk                                  |    2 +-
 Makefile.am                                        |    2 +-
 Makefile.in                                        |    7 +-
 NEWS                                               |   36 +
 conf/Makefile.am                                   |    2 +
 conf/Makefile.in                                   |    7 +-
 conf/options/aikpub2.conf                          |    7 +
 conf/options/aikpub2.opt                           |    2 +
 conf/options/charon-nm.conf                        |    8 +
 conf/options/charon-nm.opt                         |    3 +
 conf/options/charon.conf                           |   15 +-
 conf/options/charon.opt                            |   15 +-
 conf/plugins/kernel-netlink.conf                   |   27 +-
 conf/plugins/kernel-netlink.opt                    |   43 +-
 conf/strongswan.conf.5.main                        |   69 +-
 config.h.in                                        |    5 +-
 configure                                          |  470 ++--
 configure.ac                                       |   54 +-
 init/Makefile.in                                   |    5 +-
 init/systemd-swanctl/Makefile.in                   |    5 +-
 init/systemd/Makefile.in                           |    5 +-
 man/Makefile.in                                    |    5 +-
 man/ipsec.conf.5.in                                |   36 +-
 scripts/Makefile.in                                |    5 +-
 src/Makefile.in                                    |    5 +-
 src/_copyright/Makefile.in                         |    5 +-
 src/_updown/Makefile.in                            |    5 +-
 src/aikgen/Makefile.in                             |    5 +-
 src/aikpub2/Makefile.in                            |    5 +-
 src/charon-cmd/Makefile.in                         |    5 +-
 src/charon-nm/Makefile.am                          |    5 +
 src/charon-nm/Makefile.in                          |   83 +-
 src/charon-nm/nm-strongswan-service.conf           |   15 +
 src/charon-nm/nm/nm_service.c                      |   56 +-
 src/charon-svc/Makefile.in                         |    5 +-
 src/charon-systemd/Makefile.in                     |    5 +-
 src/charon-tkm/Makefile.in                         |    5 +-
 src/charon-tkm/build_common.gpr                    |    3 +-
 src/charon-tkm/src/charon-tkm.c                    |    5 +-
 src/charon/Makefile.in                             |    5 +-
 src/checksum/Makefile.am                           |    9 +
 src/checksum/Makefile.in                           |   65 +-
 src/conftest/Makefile.in                           |    5 +-
 src/dumm/Makefile.in                               |    5 +-
 src/include/Makefile.in                            |    5 +-
 src/include/linux/xfrm.h                           |   22 +
 src/ipsec/Makefile.in                              |    5 +-
 src/ipsec/_ipsec.8                                 |    2 +-
 src/libcharon/Makefile.am                          |    7 -
 src/libcharon/Makefile.in                          |  141 +-
 src/libcharon/bus/bus.c                            |  101 +-
 src/libcharon/bus/bus.h                            |   35 +-
 src/libcharon/bus/listeners/listener.h             |   38 +-
 src/libcharon/config/child_cfg.c                   |   14 +
 src/libcharon/config/child_cfg.h                   |   10 +
 src/libcharon/config/ike_cfg.h                     |    2 +-
 src/libcharon/config/proposal.c                    |  127 +-
 src/libcharon/encoding/message.c                   |    4 +-
 .../encoding/payloads/proposal_substructure.c      |   15 +-
 src/libcharon/plugins/addrblock/Makefile.in        |    5 +-
 src/libcharon/plugins/android_dns/Makefile.in      |    5 +-
 src/libcharon/plugins/android_log/Makefile.in      |    5 +-
 src/libcharon/plugins/attr/Makefile.in             |    5 +-
 src/libcharon/plugins/attr_sql/Makefile.in         |    5 +-
 src/libcharon/plugins/certexpire/Makefile.in       |    5 +-
 src/libcharon/plugins/connmark/Makefile.in         |    5 +-
 src/libcharon/plugins/coupling/Makefile.in         |    5 +-
 src/libcharon/plugins/dhcp/Makefile.in             |    5 +-
 src/libcharon/plugins/dnscert/Makefile.in          |    5 +-
 src/libcharon/plugins/dnscert/dnscert_cred.c       |   19 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |    5 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    5 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |    5 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |    5 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    5 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |    5 +-
 src/libcharon/plugins/eap_peap/eap_peap_server.c   |    4 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |    5 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    5 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |    5 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    5 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    5 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |    5 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |    5 +-
 src/libcharon/plugins/error_notify/Makefile.in     |    5 +-
 src/libcharon/plugins/ext_auth/Makefile.in         |    5 +-
 src/libcharon/plugins/farp/Makefile.in             |    5 +-
 src/libcharon/plugins/forecast/Makefile.in         |    5 +-
 src/libcharon/plugins/ha/Makefile.in               |    5 +-
 src/libcharon/plugins/ipseckey/Makefile.in         |    5 +-
 src/libcharon/plugins/ipseckey/ipseckey_cred.c     |   28 +-
 src/libcharon/plugins/kernel_iph/Makefile.in       |    5 +-
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |    5 +-
 src/libcharon/plugins/kernel_netlink/Makefile.in   |    5 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |  113 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |  190 +-
 src/libcharon/plugins/kernel_pfkey/Makefile.in     |    5 +-
 src/libcharon/plugins/kernel_pfroute/Makefile.in   |    5 +-
 src/libcharon/plugins/kernel_wfp/Makefile.in       |    5 +-
 src/libcharon/plugins/led/Makefile.in              |    5 +-
 src/libcharon/plugins/load_tester/Makefile.in      |    5 +-
 src/libcharon/plugins/lookip/Makefile.in           |    5 +-
 src/libcharon/plugins/maemo/Makefile.am            |   29 -
 src/libcharon/plugins/maemo/Makefile.in            |  830 -------
 src/libcharon/plugins/maemo/maemo_service.c        |  530 -----
 .../plugins/maemo/org.strongswan.charon.service.in |    4 -
 src/libcharon/plugins/medcli/Makefile.in           |    5 +-
 src/libcharon/plugins/medsrv/Makefile.in           |    5 +-
 src/libcharon/plugins/osx_attr/Makefile.in         |    5 +-
 src/libcharon/plugins/p_cscf/Makefile.in           |    5 +-
 src/libcharon/plugins/radattr/Makefile.in          |    5 +-
 src/libcharon/plugins/resolve/Makefile.in          |    5 +-
 src/libcharon/plugins/smp/Makefile.in              |    5 +-
 src/libcharon/plugins/socket_default/Makefile.in   |    5 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    5 +-
 src/libcharon/plugins/socket_win/Makefile.in       |    5 +-
 src/libcharon/plugins/sql/Makefile.in              |    5 +-
 src/libcharon/plugins/stroke/Makefile.in           |    5 +-
 src/libcharon/plugins/stroke/stroke_cred.c         |   12 +-
 src/libcharon/plugins/stroke/stroke_list.c         |    9 +
 src/libcharon/plugins/stroke/stroke_socket.c       |    2 +-
 src/libcharon/plugins/systime_fix/Makefile.in      |    5 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |    5 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |    5 +-
 src/libcharon/plugins/uci/Makefile.in              |    5 +-
 src/libcharon/plugins/unity/Makefile.in            |    5 +-
 src/libcharon/plugins/updown/Makefile.in           |    5 +-
 src/libcharon/plugins/vici/Makefile.am             |    1 +
 src/libcharon/plugins/vici/Makefile.in             |    6 +-
 src/libcharon/plugins/vici/README.md               |   13 +
 src/libcharon/plugins/vici/perl/Makefile.in        |    5 +-
 .../plugins/vici/perl/Vici-Session/README.pod      |   15 +
 .../vici/perl/Vici-Session/lib/Vici/Session.pm     |    4 +
 src/libcharon/plugins/vici/python/Makefile.in      |    5 +-
 src/libcharon/plugins/vici/python/vici/session.py  |   11 +
 src/libcharon/plugins/vici/ruby/Makefile.in        |    5 +-
 src/libcharon/plugins/vici/ruby/lib/vici.rb        |    6 +
 src/libcharon/plugins/vici/vici_config.c           |   64 +-
 src/libcharon/plugins/vici/vici_cred.c             |   86 +-
 src/libcharon/plugins/vici/vici_cred.h             |   10 +
 src/libcharon/plugins/vici/vici_plugin.c           |    4 +-
 src/libcharon/plugins/vici/vici_query.c            |   10 +
 src/libcharon/plugins/whitelist/Makefile.in        |    5 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |    5 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |    5 +-
 src/libcharon/plugins/xauth_noauth/Makefile.in     |    5 +-
 src/libcharon/plugins/xauth_pam/Makefile.in        |    5 +-
 src/libcharon/sa/child_sa.c                        |   41 +-
 src/libcharon/sa/ike_sa.c                          |   19 +-
 src/libcharon/sa/ikev1/keymat_v1.c                 |   25 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           |   17 +-
 src/libcharon/sa/ikev1/tasks/isakmp_vendor.c       |    3 +
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   40 +-
 .../sa/ikev2/authenticators/pubkey_authenticator.c |    4 +-
 src/libcharon/sa/ikev2/keymat_v2.c                 |   56 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |   25 +-
 src/libcharon/sa/ikev2/tasks/child_create.c        |   69 +-
 src/libcharon/sa/ikev2/tasks/ike_init.c            |    8 +-
 src/libcharon/tests/Makefile.in                    |    5 +-
 src/libcharon/tests/libcharon_tests.c              |   17 +
 src/libcharon/tests/suites/test_proposal.c         |  100 +-
 src/libfast/Makefile.in                            |    5 +-
 src/libimcv/Makefile.in                            |    5 +-
 src/libimcv/imv/data.sql                           |   18 +
 src/libimcv/plugins/imc_attestation/Makefile.in    |    5 +-
 src/libimcv/plugins/imc_hcd/Makefile.in            |    5 +-
 src/libimcv/plugins/imc_os/Makefile.in             |    5 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |    5 +-
 src/libimcv/plugins/imc_swid/Makefile.in           |    5 +-
 src/libimcv/plugins/imc_test/Makefile.in           |    5 +-
 src/libimcv/plugins/imv_attestation/Makefile.in    |    5 +-
 src/libimcv/plugins/imv_hcd/Makefile.in            |    5 +-
 src/libimcv/plugins/imv_os/Makefile.in             |    5 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |    5 +-
 src/libimcv/plugins/imv_swid/Makefile.in           |    5 +-
 src/libimcv/plugins/imv_test/Makefile.in           |    5 +-
 src/libimcv/pts/pts.c                              |   44 +-
 src/libipsec/Makefile.in                           |    5 +-
 src/libipsec/tests/Makefile.in                     |    5 +-
 src/libpttls/Makefile.in                           |    5 +-
 src/libradius/Makefile.in                          |    5 +-
 src/libsimaka/Makefile.in                          |    5 +-
 src/libstrongswan/Android.mk                       |    2 +-
 src/libstrongswan/Makefile.am                      |   45 +-
 src/libstrongswan/Makefile.in                      |  494 ++--
 src/libstrongswan/asn1/oid.c                       |  969 ++++----
 src/libstrongswan/asn1/oid.h                       |   40 +-
 src/libstrongswan/asn1/oid.txt                     |   11 +-
 src/libstrongswan/credentials/auth_cfg.c           |   11 +-
 src/libstrongswan/credentials/keys/public_key.c    |   64 +-
 src/libstrongswan/credentials/keys/public_key.h    |   26 +-
 .../credentials/sets/auth_cfg_wrapper.c            |    2 +-
 src/libstrongswan/credentials/sets/mem_cred.c      |   38 +-
 src/libstrongswan/crypto/crypto_factory.c          |  110 +-
 src/libstrongswan/crypto/crypto_factory.h          |   42 +-
 src/libstrongswan/crypto/crypto_tester.c           |  155 ++
 src/libstrongswan/crypto/crypto_tester.h           |   32 +
 src/libstrongswan/crypto/diffie_hellman.c          |    5 +-
 src/libstrongswan/crypto/diffie_hellman.h          |    1 +
 src/libstrongswan/crypto/hashers/hasher.c          |   27 +-
 src/libstrongswan/crypto/mgf1/mgf1.c               |  180 --
 src/libstrongswan/crypto/mgf1/mgf1.h               |   77 -
 src/libstrongswan/crypto/mgf1/mgf1_bitspender.c    |  208 --
 .../crypto/proposal/proposal_keywords.c            |    2 +-
 .../crypto/proposal/proposal_keywords_static.c     |  239 +-
 .../crypto/proposal/proposal_keywords_static.txt   |    1 +
 src/libstrongswan/crypto/transform.c               |   10 +-
 src/libstrongswan/crypto/transform.h               |    1 +
 src/libstrongswan/crypto/xofs/mgf1.h               |   47 +
 .../tests/bliss_tests.h => crypto/xofs/xof.c}      |   20 +-
 src/libstrongswan/crypto/xofs/xof.h                |  114 +
 src/libstrongswan/crypto/xofs/xof_bitspender.c     |  213 ++
 .../mgf1_bitspender.h => xofs/xof_bitspender.h}    |   38 +-
 src/libstrongswan/library.c                        |   46 +-
 src/libstrongswan/math/libnttfft/Makefile.am       |   15 +
 .../math/libnttfft}/Makefile.in                    |   50 +-
 .../bliss/bliss_fft.c => math/libnttfft/ntt_fft.c} |   66 +-
 .../bliss/bliss_fft.h => math/libnttfft/ntt_fft.h} |   38 +-
 src/libstrongswan/math/libnttfft/ntt_fft_params.c  |  652 +++++
 src/libstrongswan/math/libnttfft/ntt_fft_params.h  |  115 +
 .../libnttfft/ntt_fft_reduce.h}                    |   35 +-
 src/libstrongswan/math/libnttfft/tests/Makefile.am |   21 +
 .../math/libnttfft}/tests/Makefile.in              |  106 +-
 .../math/libnttfft/tests/ntt_fft_tests.c}          |   26 +-
 .../libnttfft/tests/ntt_fft_tests.h}               |   10 +-
 .../libnttfft/tests/suites/test_ntt_fft.c}         |   78 +-
 src/libstrongswan/plugins/acert/Makefile.in        |    5 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    5 +-
 src/libstrongswan/plugins/aesni/Makefile.in        |    5 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |    5 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    5 +-
 src/libstrongswan/plugins/bliss/Makefile.am        |   21 +-
 src/libstrongswan/plugins/bliss/Makefile.in        |   42 +-
 src/libstrongswan/plugins/bliss/bliss_fft_params.c |  215 --
 src/libstrongswan/plugins/bliss/bliss_fft_params.h |   75 -
 src/libstrongswan/plugins/bliss/bliss_huffman.c    |    2 +-
 src/libstrongswan/plugins/bliss/bliss_param_set.c  |   24 +-
 src/libstrongswan/plugins/bliss/bliss_param_set.h  |   58 +-
 src/libstrongswan/plugins/bliss/bliss_plugin.c     |   16 +-
 .../plugins/bliss/bliss_private_key.c              |   80 +-
 src/libstrongswan/plugins/bliss/bliss_public_key.c |   42 +-
 src/libstrongswan/plugins/bliss/bliss_public_key.h |    8 +-
 src/libstrongswan/plugins/bliss/bliss_sampler.c    |   17 +-
 src/libstrongswan/plugins/bliss/bliss_sampler.h    |    6 +-
 src/libstrongswan/plugins/bliss/bliss_signature.c  |    6 +-
 src/libstrongswan/plugins/bliss/bliss_signature.h  |    4 +-
 src/libstrongswan/plugins/bliss/bliss_utils.c      |   18 +-
 src/libstrongswan/plugins/bliss/bliss_utils.h      |   28 +-
 src/libstrongswan/plugins/bliss/tests/Makefile.am  |    3 +-
 src/libstrongswan/plugins/bliss/tests/Makefile.in  |   28 +-
 .../plugins/bliss/tests/bliss_tests.h              |    3 +-
 .../bliss/tests/suites/test_bliss_sampler.c        |    6 +-
 .../bliss/tests/suites/test_bliss_signature.c      |    4 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    5 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |    5 +-
 src/libstrongswan/plugins/chapoly/Makefile.am      |    3 +-
 src/libstrongswan/plugins/chapoly/Makefile.in      |   11 +-
 src/libstrongswan/plugins/chapoly/chapoly_plugin.c |    3 +
 src/libstrongswan/plugins/chapoly/chapoly_xof.c    |  173 ++
 src/libstrongswan/plugins/chapoly/chapoly_xof.h    |   49 +
 src/libstrongswan/plugins/cmac/Makefile.in         |    5 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |    5 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |    5 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    5 +-
 src/libstrongswan/plugins/des/Makefile.in          |    5 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |    5 +-
 src/libstrongswan/plugins/files/Makefile.in        |    5 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    5 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |    5 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    5 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |   12 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   16 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    5 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |   40 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |   20 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |   24 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    5 +-
 src/libstrongswan/plugins/keychain/Makefile.in     |    5 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    5 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |    3 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    5 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    5 +-
 src/libstrongswan/plugins/mgf1/Makefile.am         |   17 +
 .../plugins/{xcbc => mgf1}/Makefile.in             |   48 +-
 .../{sha3/sha3_plugin.c => mgf1/mgf1_plugin.c}     |   38 +-
 .../plugins/mgf1/mgf1_plugin.h}                    |   24 +-
 src/libstrongswan/plugins/mgf1/mgf1_xof.c          |  285 +++
 src/libstrongswan/plugins/mgf1/mgf1_xof.h          |   49 +
 src/libstrongswan/plugins/mysql/Makefile.in        |    5 +-
 src/libstrongswan/plugins/newhope/Makefile.am      |   33 +
 .../plugins/{unbound => newhope}/Makefile.in       |   89 +-
 src/libstrongswan/plugins/newhope/newhope_ke.c     |  622 +++++
 src/libstrongswan/plugins/newhope/newhope_ke.h     |   50 +
 src/libstrongswan/plugins/newhope/newhope_noise.c  |  160 ++
 src/libstrongswan/plugins/newhope/newhope_noise.h  |   70 +
 .../plugins/newhope/newhope_plugin.c}              |   53 +-
 .../plugins/newhope/newhope_plugin.h}              |   39 +-
 .../plugins/newhope/newhope_reconciliation.c       |  217 ++
 .../plugins/newhope/newhope_reconciliation.h       |   70 +
 .../plugins/newhope/tests/Makefile.am              |   25 +
 .../plugins/newhope}/tests/Makefile.in             |  161 +-
 .../plugins/newhope/tests/newhope_tests.c}         |   26 +-
 .../tests/newhope_tests.h}                         |   13 +-
 .../plugins/newhope/tests/suites/test_newhope_ke.c |  193 ++
 .../newhope/tests/suites/test_newhope_noise.c      |  676 ++++++
 .../tests/suites/test_newhope_reconciliation.c     |  344 +++
 src/libstrongswan/plugins/nonce/Makefile.in        |    5 +-
 src/libstrongswan/plugins/ntru/Makefile.in         |    5 +-
 src/libstrongswan/plugins/ntru/ntru_ke.c           |   13 +-
 src/libstrongswan/plugins/ntru/ntru_param_set.c    |    6 +-
 src/libstrongswan/plugins/ntru/ntru_param_set.h    |   96 +-
 src/libstrongswan/plugins/ntru/ntru_plugin.c       |   14 +-
 src/libstrongswan/plugins/ntru/ntru_poly.c         |   13 +-
 src/libstrongswan/plugins/ntru/ntru_poly.h         |    9 +-
 src/libstrongswan/plugins/ntru/ntru_private_key.c  |   39 +-
 src/libstrongswan/plugins/ntru/ntru_private_key.h  |    3 +-
 src/libstrongswan/plugins/ntru/ntru_public_key.c   |   18 +-
 src/libstrongswan/plugins/ntru/ntru_public_key.h   |    2 +-
 src/libstrongswan/plugins/ntru/ntru_trits.c        |   11 +-
 src/libstrongswan/plugins/ntru/ntru_trits.h        |    8 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    5 +-
 .../plugins/openssl/openssl_ec_private_key.c       |   25 +-
 .../plugins/openssl/openssl_ec_private_key.h       |   14 +-
 src/libstrongswan/plugins/openssl/openssl_gcm.c    |    6 +-
 src/libstrongswan/plugins/openssl/openssl_pkcs12.c |    4 -
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   70 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |   41 +-
 .../plugins/openssl/openssl_rsa_private_key.h      |   14 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |   12 +-
 src/libstrongswan/plugins/openssl/openssl_util.h   |    7 +
 src/libstrongswan/plugins/padlock/Makefile.in      |    5 +-
 .../plugins/padlock/padlock_sha1_hasher.c          |   11 +-
 src/libstrongswan/plugins/pem/Makefile.in          |    5 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |    5 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    5 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c    |   72 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    6 +-
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    5 +-
 .../plugins/pkcs11/pkcs11_private_key.c            |  164 +-
 src/libstrongswan/plugins/pkcs12/Makefile.in       |    5 +-
 src/libstrongswan/plugins/pkcs7/Makefile.in        |    5 +-
 src/libstrongswan/plugins/pkcs8/Makefile.in        |    5 +-
 src/libstrongswan/plugins/plugin_feature.c         |   21 +
 src/libstrongswan/plugins/plugin_feature.h         |    6 +
 src/libstrongswan/plugins/pubkey/Makefile.in       |    5 +-
 src/libstrongswan/plugins/random/Makefile.in       |    5 +-
 src/libstrongswan/plugins/rc2/Makefile.in          |    5 +-
 src/libstrongswan/plugins/rdrand/Makefile.in       |    5 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |    5 +-
 .../plugins/revocation/revocation_validator.c      |   35 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    5 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    5 +-
 src/libstrongswan/plugins/sha3/Makefile.am         |    5 +-
 src/libstrongswan/plugins/sha3/Makefile.in         |   15 +-
 src/libstrongswan/plugins/sha3/sha3_hasher.c       |  447 +---
 .../plugins/sha3/{sha3_hasher.c => sha3_keccak.c}  |  137 +-
 src/libstrongswan/plugins/sha3/sha3_keccak.h       |   82 +
 src/libstrongswan/plugins/sha3/sha3_plugin.c       |    6 +-
 src/libstrongswan/plugins/sha3/sha3_shake.c        |  143 ++
 src/libstrongswan/plugins/sha3/sha3_shake.h        |   48 +
 src/libstrongswan/plugins/soup/Makefile.in         |    5 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    5 +-
 src/libstrongswan/plugins/sshkey/Makefile.in       |    5 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |    2 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |   28 +-
 .../plugins/test_vectors/test_vectors.h            |   15 +
 .../test_vectors/test_vectors/chacha20_xof.c       |   81 +
 .../plugins/test_vectors/test_vectors/sha3.c       |    1 -
 .../plugins/test_vectors/test_vectors/sha3_shake.c |  472 ++++
 .../plugins/test_vectors/test_vectors_plugin.c     |   16 +
 src/libstrongswan/plugins/unbound/Makefile.in      |    5 +-
 .../plugins/unbound/unbound_response.c             |    3 +-
 src/libstrongswan/plugins/unbound/unbound_rr.c     |    2 +
 src/libstrongswan/plugins/winhttp/Makefile.in      |    5 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    5 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    5 +-
 src/libstrongswan/processing/watcher.c             |  120 +-
 src/libstrongswan/tests/Makefile.in                |    5 +-
 src/libstrongswan/tests/suites/test_auth_cfg.c     |   18 +-
 src/libstrongswan/tests/suites/test_hasher.c       |   50 +-
 src/libstrongswan/tests/suites/test_mgf1.c         |   88 +-
 src/libstrongswan/tests/suites/test_ntru.c         |   16 +-
 src/libstrongswan/tests/suites/test_rsa.c          |    8 +-
 src/libstrongswan/tests/suites/test_utils.c        |   23 +-
 src/libstrongswan/tests/tests.h                    |    4 +-
 src/libstrongswan/utils/leak_detective.c           |   24 +-
 src/libstrongswan/utils/utils.h                    |    6 +-
 src/libstrongswan/utils/utils/byteorder.h          |   42 +
 src/libtls/Makefile.in                             |    5 +-
 src/libtls/tests/Makefile.in                       |    5 +-
 src/libtls/tls_crypto.c                            |   20 +-
 src/libtnccs/Makefile.in                           |    5 +-
 src/libtnccs/plugins/tnc_imc/Makefile.in           |    5 +-
 src/libtnccs/plugins/tnc_imv/Makefile.in           |    5 +-
 src/libtnccs/plugins/tnc_tnccs/Makefile.in         |    5 +-
 src/libtnccs/plugins/tnccs_11/Makefile.in          |    5 +-
 src/libtnccs/plugins/tnccs_20/Makefile.in          |    5 +-
 src/libtnccs/plugins/tnccs_dynamic/Makefile.in     |    5 +-
 src/libtncif/Makefile.in                           |    5 +-
 src/libtpmtss/Makefile.am                          |    5 +-
 src/libtpmtss/Makefile.in                          |   13 +-
 src/libtpmtss/tpm_tss_tss2.c                       |    7 +-
 src/libtpmtss/tpm_tss_tss2_names.c                 |    2 +-
 src/manager/Makefile.in                            |    5 +-
 src/medsrv/Makefile.in                             |    5 +-
 src/pki/Makefile.in                                |    5 +-
 src/pki/commands/issue.c                           |    7 +-
 src/pki/commands/keyid.c                           |   20 +-
 src/pki/commands/print.c                           |   16 +-
 src/pki/commands/pub.c                             |   11 +-
 src/pki/commands/req.c                             |   10 +-
 src/pki/commands/self.c                            |    8 +-
 src/pki/commands/signcrl.c                         |   18 +-
 src/pki/commands/verify.c                          |   18 +-
 src/pki/man/Makefile.in                            |    5 +-
 src/pki/man/pki---issue.1.in                       |    7 +-
 src/pki/man/pki---keyid.1.in                       |    7 +-
 src/pki/man/pki---print.1.in                       |    9 +-
 src/pki/man/pki---pub.1.in                         |    7 +-
 src/pki/man/pki---req.1.in                         |    3 +-
 src/pki/man/pki---self.1.in                        |    3 +-
 src/pki/man/pki---verify.1.in                      |    6 +-
 src/pool/Makefile.in                               |    5 +-
 src/pool/pool.c                                    |   59 +-
 src/pt-tls-client/Makefile.in                      |    5 +-
 src/pt-tls-client/pt-tls-client.c                  |   30 +-
 src/scepclient/Makefile.in                         |    5 +-
 src/starter/Makefile.am                            |    7 +-
 src/starter/Makefile.in                            |   12 +-
 src/starter/confread.c                             |    1 +
 src/starter/ipsec.secrets                          |    1 +
 src/starter/starter.c                              |   66 -
 src/starter/tests/Makefile.in                      |    5 +-
 src/stroke/Makefile.in                             |    5 +-
 src/swanctl/Makefile.am                            |    2 +
 src/swanctl/Makefile.in                            |   12 +-
 src/swanctl/command.h                              |    2 +-
 src/swanctl/commands/flush_certs.c                 |   90 +
 src/swanctl/commands/load_conns.c                  |    2 +-
 src/swanctl/commands/load_creds.c                  |   15 +-
 src/swanctl/swanctl.8.in                           |    7 +-
 src/swanctl/swanctl.conf                           |   17 +-
 src/swanctl/swanctl.conf.5.main                    |   63 +-
 src/swanctl/swanctl.h                              |    6 +
 src/swanctl/swanctl.opt                            |   41 +-
 testing/Makefile.in                                |    5 +-
 testing/config/kernel/config-4.7                   | 2460 +++++++++++++++++++
 testing/config/kernel/config-4.8                   | 2484 ++++++++++++++++++++
 testing/config/kvm/winnetou.xml                    |    5 +
 testing/do-tests                                   |  137 +-
 testing/hosts/default/etc/ssh/sshd_config          |    1 +
 .../etc/apache2/sites-available/000-default.conf   |    3 +
 testing/hosts/winnetou/etc/openssl/generate-crl    |    9 +
 testing/hosts/winnetou/etc/openssl/index.txt       |    9 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    9 +-
 testing/hosts/winnetou/etc/openssl/newcerts/35.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/36.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/37.pem |   25 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 .../winnetou/etc/openssl/sha3-rsa/carolCert.pem    |   28 +
 .../winnetou/etc/openssl/sha3-rsa/carolKey.pem     |   39 +
 .../winnetou/etc/openssl/sha3-rsa/daveCert.pem     |   28 +
 .../winnetou/etc/openssl/sha3-rsa/daveKey.pem      |   39 +
 .../winnetou/etc/openssl/sha3-rsa/moonCert.pem     |   28 +
 .../winnetou/etc/openssl/sha3-rsa/moonKey.pem      |   39 +
 .../etc/openssl/sha3-rsa/strongswanCert.pem        |   26 +
 .../etc/openssl/sha3-rsa/strongswanKey.pem         |   39 +
 .../winnetou/etc/openssl/sha3-rsa/sunCert.pem      |   28 +
 .../hosts/winnetou/etc/openssl/sha3-rsa/sunKey.pem |   39 +
 testing/hosts/winnetou/etc/strongswan.conf         |    5 +
 testing/scripts/build-guestimages                  |    4 +
 testing/scripts/recipes/013_strongswan.mk          |    3 +-
 testing/ssh_config                                 |    1 +
 testing/start-testing                              |    5 +
 testing/stop-testing                               |    4 +
 testing/testing.conf                               |    6 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    3 +-
 .../rw-ntru-psk/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-ntru-psk/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-ntru-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf |    1 -
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |    2 +
 .../ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf   |    1 -
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |    2 +
 testing/tests/ikev2/default-keys/description.txt   |    8 -
 testing/tests/ikev2/default-keys/evaltest.dat      |    9 -
 .../default-keys/hosts/carol/etc/strongswan.conf   |    9 -
 .../default-keys/hosts/moon/etc/iptables.rules     |   30 -
 .../default-keys/hosts/moon/etc/strongswan.conf    |    9 -
 testing/tests/ikev2/default-keys/posttest.dat      |    8 -
 testing/tests/ikev2/default-keys/pretest.dat       |   20 -
 testing/tests/ikev2/net2net-cert-sha2/evaltest.dat |    4 +-
 .../tests/ikev2/net2net-multicast/description.txt  |    7 +
 testing/tests/ikev2/net2net-multicast/evaltest.dat |   16 +
 .../hosts/moon/etc/ipsec.conf                      |   13 +-
 .../hosts/moon/etc/strongswan.conf                 |   13 +
 .../net2net-multicast/hosts/sun/etc/ipsec.conf     |   23 +
 .../hosts/sun/etc/strongswan.conf                  |   13 +
 testing/tests/ikev2/net2net-multicast/posttest.dat |    2 +
 testing/tests/ikev2/net2net-multicast/pretest.dat  |    7 +
 .../{default-keys => net2net-multicast}/test.conf  |   10 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../tests/ikev2/rw-newhope-bliss/description.txt   |   15 +
 testing/tests/ikev2/rw-newhope-bliss/evaltest.dat  |   26 +
 .../hosts/carol/etc/ipsec.conf                     |   13 +-
 .../etc/ipsec.d/cacerts/strongswan_blissCert.der   |  Bin 0 -> 2086 bytes
 .../hosts/carol/etc/ipsec.d/certs/carolCert.der    |  Bin 0 -> 2175 bytes
 .../hosts/carol/etc/ipsec.d/private/carolKey.der   |  Bin 0 -> 1182 bytes
 .../rw-newhope-bliss/hosts/carol/etc/ipsec.secrets |    3 +
 .../hosts/carol/etc/strongswan.conf                |    7 +
 .../hosts/dave}/etc/ipsec.conf                     |   15 +-
 .../etc/ipsec.d/cacerts/strongswan_blissCert.der   |  Bin 0 -> 2086 bytes
 .../hosts/dave/etc/ipsec.d/certs/daveCert.der      |  Bin 0 -> 2179 bytes
 .../hosts/dave/etc/ipsec.d/private/daveKey.der     |  Bin 0 -> 1310 bytes
 .../rw-newhope-bliss/hosts/dave/etc/ipsec.secrets  |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    7 +
 .../hosts/moon/etc/ipsec.conf                      |   15 +-
 .../etc/ipsec.d/cacerts/strongswan_blissCert.der   |  Bin 0 -> 2086 bytes
 .../hosts/moon/etc/ipsec.d/certs/moonCert.der      |  Bin 0 -> 2200 bytes
 .../hosts/moon/etc/ipsec.d/private/moonKey.der     |  Bin 0 -> 1310 bytes
 .../rw-newhope-bliss/hosts/moon/etc/ipsec.secrets  |    3 +
 .../hosts/moon/etc/strongswan.conf                 |    7 +
 testing/tests/ikev2/rw-newhope-bliss/posttest.dat  |    9 +
 testing/tests/ikev2/rw-newhope-bliss/pretest.dat   |   14 +
 .../{default-keys => rw-newhope-bliss}/test.conf   |    8 +-
 .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf  |    2 +-
 .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf   |    2 +-
 .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf   |    2 +-
 .../rw-ntru-psk/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-ntru-psk/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-ntru-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/rw-sig-auth/evaltest.dat       |    4 +-
 .../carol/etc/ipsec.d/certs/carolCert-sha384.pem   |   36 +-
 .../carol/etc/ipsec.d/private/carolKey-aes192.pem  |   52 +-
 .../dave/etc/ipsec.d/certs/daveCert-sha512.pem     |   36 +-
 .../dave/etc/ipsec.d/private/daveKey-aes256.pem    |   52 +-
 .../moon/etc/ipsec.d/certs/moonCert-sha224.pem     |   36 +-
 .../moon/etc/ipsec.d/private/moonKey-aes128.pem    |   52 +-
 .../rw-suite-b/hosts/carol/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/dave/etc/strongswan.conf      |    2 +-
 .../rw-suite-b/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/swanctl/crl-to-cache/description.txt |    8 +
 testing/tests/swanctl/crl-to-cache/evaltest.dat    |    8 +
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |   16 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   23 +
 .../hosts/carol/etc/swanctl/x509/carolCert.pem     |   22 +
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |   16 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   21 +
 .../hosts/moon/etc/swanctl/x509/moonCert.pem       |   22 +
 testing/tests/swanctl/crl-to-cache/posttest.dat    |    4 +
 testing/tests/swanctl/crl-to-cache/pretest.dat     |    5 +
 .../crl-to-cache}/test.conf                        |    9 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |   11 +-
 .../swanctl/net2net-multicast/description.txt      |    7 +
 .../tests/swanctl/net2net-multicast/evaltest.dat   |   14 +
 .../hosts/moon/etc/strongswan.conf                 |   22 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   35 +
 .../hosts/sun/etc/strongswan.conf                  |   18 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   35 +
 .../tests/swanctl/net2net-multicast/posttest.dat   |    3 +
 .../tests/swanctl/net2net-multicast/pretest.dat    |    7 +
 .../net2net-multicast}/test.conf                   |   14 +-
 .../swanctl/net2net-sha3-rsa-cert/description.txt  |    8 +
 .../swanctl/net2net-sha3-rsa-cert/evaltest.dat     |    5 +
 .../hosts/moon/etc/strongswan.conf                 |   14 +
 .../hosts/moon/etc/swanctl/rsa/moonKey.pem         |   39 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   33 +
 .../hosts/moon/etc/swanctl/x509/moonCert.pem       |   28 +
 .../moon/etc/swanctl/x509ca/strongswanCert.pem     |   26 +
 .../hosts/sun/etc/strongswan.conf                  |   14 +
 .../hosts/sun/etc/swanctl/rsa/sunKey.pem           |   39 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   33 +
 .../hosts/sun/etc/swanctl/x509/sunCert.pem         |   28 +
 .../sun/etc/swanctl/x509ca/strongswanCert.pem      |   26 +
 .../swanctl/net2net-sha3-rsa-cert/posttest.dat     |    5 +
 .../swanctl/net2net-sha3-rsa-cert/pretest.dat      |    7 +
 .../net2net-sha3-rsa-cert}/test.conf               |   14 +-
 .../swanctl/rw-eap-tls-sha3-rsa/description.txt    |    8 +
 .../tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat |   10 +
 .../hosts/carol/etc/strongswan.conf                |   18 +
 .../hosts/carol/etc/swanctl/rsa/carolKey.pem       |   39 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   28 +
 .../hosts/carol/etc/swanctl/x509/carolCert.pem     |   28 +
 .../carol/etc/swanctl/x509ca/strongswanCert.pem    |   26 +
 .../hosts/dave/etc/strongswan.conf                 |   18 +
 .../hosts/dave/etc/swanctl/rsa/daveKey.pem         |   39 +
 .../hosts/dave/etc/swanctl/swanctl.conf            |   28 +
 .../hosts/dave/etc/swanctl/x509/daveCert.pem       |   28 +
 .../dave/etc/swanctl/x509ca/strongswanCert.pem     |   26 +
 .../hosts/moon/etc/strongswan.conf                 |   14 +
 .../hosts/moon/etc/swanctl/rsa/moonKey.pem         |   39 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   26 +
 .../hosts/moon/etc/swanctl/x509/moonCert.pem       |   28 +
 .../moon/etc/swanctl/x509ca/strongswanCert.pem     |   26 +
 .../tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat |    8 +
 .../tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat  |   11 +
 .../rw-eap-tls-sha3-rsa}/test.conf                 |   10 +-
 .../tests/swanctl/rw-newhope-bliss/description.txt |   14 +
 .../tests/swanctl/rw-newhope-bliss/evaltest.dat    |   10 +
 .../hosts/carol/etc/strongswan.conf                |   17 +
 .../hosts/carol/etc/swanctl/bliss/carolKey.der     |  Bin 0 -> 1182 bytes
 .../hosts/carol/etc/swanctl/swanctl.conf           |   29 +
 .../hosts/carol/etc/swanctl/x509/carolCert.der     |  Bin 0 -> 2175 bytes
 .../etc/swanctl/x509ca/strongswan_blissCert.der    |  Bin 0 -> 2086 bytes
 .../hosts/dave/etc/strongswan.conf                 |   17 +
 .../hosts/dave/etc/swanctl/bliss/daveKey.der       |  Bin 0 -> 1310 bytes
 .../hosts/dave/etc/swanctl/swanctl.conf            |   29 +
 .../hosts/dave/etc/swanctl/x509/daveCert.der       |  Bin 0 -> 2179 bytes
 .../etc/swanctl/x509ca/strongswan_blissCert.der    |  Bin 0 -> 2086 bytes
 .../hosts/moon/etc/strongswan.conf                 |   18 +
 .../hosts/moon/etc/swanctl/bliss/moonKey.der       |  Bin 0 -> 1310 bytes
 .../hosts/moon/etc/swanctl/swanctl.conf            |   33 +
 .../hosts/moon/etc/swanctl/x509/moonCert.der       |  Bin 0 -> 2200 bytes
 .../etc/swanctl/x509ca/strongswan_blissCert.der    |  Bin 0 -> 2086 bytes
 .../tests/swanctl/rw-newhope-bliss/posttest.dat    |    8 +
 testing/tests/swanctl/rw-newhope-bliss/pretest.dat |   14 +
 .../rw-newhope-bliss}/test.conf                    |   10 +-
 .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf  |    2 +-
 .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf   |    2 +-
 .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf   |    2 +-
 636 files changed, 18165 insertions(+), 6427 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 1c12487..3447d5b 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.5.0"
+strongswan_VERSION := "5.5.1"
 
diff --git a/Makefile.am b/Makefile.am
index 898b262..64b858d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,7 +21,7 @@ nodist_config_include_HEADERS = config.h
 endif
 
 # we leave config files behind intentionally so prevent distcheck from complaining
-distuninstallcheck_listfiles = find . -type f \! -name '*.conf' -print
+distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
 
 Android.common.mk :	Android.common.mk.in configure.ac
 		$(AM_V_GEN) \
diff --git a/Makefile.in b/Makefile.in
index 2df942a..c85aa44 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -381,7 +381,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -415,8 +414,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -470,6 +467,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -484,7 +483,7 @@ MAINTAINERCLEANFILES = Android.common.mk
 @USE_DEV_HEADERS_TRUE at nodist_config_include_HEADERS = config.h
 
 # we leave config files behind intentionally so prevent distcheck from complaining
-distuninstallcheck_listfiles = find . -type f \! -name '*.conf' -print
+distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
 all: $(BUILT_SOURCES) config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
diff --git a/NEWS b/NEWS
index db30df1..3a7aba8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,39 @@
+strongswan-5.5.1
+----------------
+
+- The newhope plugin implements the post-quantum NewHope key exchange algorithm
+  proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
+  Peter Schwabe.
+
+- The libstrongswan crypto factory now offers the registration of Extended
+  Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
+  implemented by the sha3 plugin, ChaCHa20 implemented by the chapoly plugin
+  and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
+  SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
+
+- The pki tool, with help of the pkcs1 or openssl plugins, can parse private
+  keys in any of the supported formats without having to know the exact type.
+  So instead of having to specify rsa or ecdsa explicitly the keyword priv may
+  be used to indicate a private key of any type. Similarly, swanctl can load
+  any type of private key from the swanctl/private directory.
+
+- The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
+  sha3 and gmp plugins.
+
+- The VICI flush-certs command flushes certificates from the volatile
+  certificate cache. Optionally the type of the certificates to be
+  flushed  (e.g. type = x509_crl) can be specified.
+
+- Setting cache_crls = yes in strongswan.conf the vici plugin saves regular,
+  base and delta CRLs to disk.
+
+- IKE fragmentation is now enabled by default with the default fragment size
+  set to 1280 bytes for both IP address families.
+
+- libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
+  tss2_tcti_finalize().
+
+
 strongswan-5.5.0
 ----------------
 
diff --git a/conf/Makefile.am b/conf/Makefile.am
index b7edaa8..4588b09 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -9,9 +9,11 @@ pluginstemplatedir = $(templatesdir)/plugins
 
 options = \
 	options/aikgen.opt \
+	options/aikpub2.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
+	options/charon-nm.opt \
 	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/imv_policy_manager.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index 6804d91..e6d66a2 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -305,7 +305,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -339,8 +338,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -394,6 +391,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -408,9 +407,11 @@ optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 options = \
 	options/aikgen.opt \
+	options/aikpub2.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
+	options/charon-nm.opt \
 	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/imv_policy_manager.opt \
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
new file mode 100644
index 0000000..fd48f2c
--- /dev/null
+++ b/conf/options/aikpub2.conf
@@ -0,0 +1,7 @@
+aikpub2 {
+
+    # Plugins to load in aikpub2 tool.
+    # load =
+
+}
+
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
new file mode 100644
index 0000000..6a755d2
--- /dev/null
+++ b/conf/options/aikpub2.opt
@@ -0,0 +1,2 @@
+aikpub2.load =
+	Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon-nm.conf b/conf/options/charon-nm.conf
new file mode 100644
index 0000000..85d6448
--- /dev/null
+++ b/conf/options/charon-nm.conf
@@ -0,0 +1,8 @@
+charon-nm {
+
+    # Directory from which to load CA certificates if no certificate is
+    # configured.
+    # ca_dir = <default>
+
+}
+
diff --git a/conf/options/charon-nm.opt b/conf/options/charon-nm.opt
new file mode 100644
index 0000000..6372934
--- /dev/null
+++ b/conf/options/charon-nm.opt
@@ -0,0 +1,3 @@
+charon-nm.ca_dir = <default>
+	Directory from which to load CA certificates if no certificate is
+	configured.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 7841125..f72041e 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -7,6 +7,12 @@ charon {
     # Maximum number of half-open IKE_SAs for a single peer IP.
     # block_threshold = 5
 
+    # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+    # be saved under a unique file name derived from the public key of the
+    # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+    # /etc/swanctl/x509crl (vici), respectively.
+    # cache_crls = no
+
     # Whether relations in validated certificate chains should be cached in
     # memory.
     # cert_cache = yes
@@ -51,10 +57,11 @@ charon {
     # follow_redirects = yes
 
     # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
-    # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
-    # address family specific        default values). If specified this limit is
-    # used for both IPv4 and IPv6.
-    # fragment_size = 0
+    # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+    # to 1280 (use 0 for address family specific default values, which uses a
+    # lower value for IPv4).  If specified this limit is used for both IPv4 and
+    # IPv6.
+    # fragment_size = 1280
 
     # Name of the group the daemon changes to after startup.
     # group =
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 3970012..6e0b37c 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -30,6 +30,12 @@ charon.cert_cache = yes
 	Whether relations in validated certificate chains should be cached in
 	memory.
 
+charon.cache_crls = no
+	Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+	be saved under a unique file name derived from the public key of the
+	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+	**/etc/swanctl/x509crl** (vici), respectively.
+
 charon.cisco_unity = no
 	Send Cisco Unity vendor ID payload (IKEv1 only).
 
@@ -100,11 +106,12 @@ charon.flush_auth_cfg = no
 charon.follow_redirects = yes
 	Whether to follow IKEv2 redirects (RFC 5685).
 
-charon.fragment_size = 0
+charon.fragment_size = 1280
 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
-	when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
-	address family specific	default values). If specified this limit is used
-	for both IPv4 and IPv6.
+	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+	to 1280 (use 0 for address family specific default values, which uses a
+	lower value for IPv4).  If specified this limit is used for both IPv4 and
+	IPv6.
 
 charon.group
 	Name of the group the daemon changes to after startup.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 3997dc7..47f7d58 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -46,8 +46,33 @@ kernel-netlink {
     # Netlink message retransmission timeout, 0 to disable retransmissions.
     # timeout = 0
 
-    # Lifetime of XFRM acquire state in kernel.
+    # Lifetime of XFRM acquire state and allocated SPIs in kernel.
     # xfrm_acq_expires = 165
 
+    # XFRM policy hashing threshold configuration for IPv4 and IPv6.
+    spdh_thresh {
+
+        ipv4 {
+
+            # Local subnet XFRM policy hashing threshold for IPv4.
+            # lbits = 32
+
+            # Remote subnet XFRM policy hashing threshold for IPv4.
+            # rbits = 32
+
+        }
+
+        ipv6 {
+
+            # Local subnet XFRM policy hashing threshold for IPv6.
+            # lbits = 128
+
+            # Remote subnet XFRM policy hashing threshold for IPv6.
+            # rbits = 128
+
+        }
+
+    }
+
 }
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 6adefd8..77ba6ea 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -51,6 +51,35 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
 	traffic, it also prevents the use of a single IPsec SA by more than one
 	traffic selector.
 
+charon.plugins.kernel-netlink.spdh_thresh {}
+	XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+	XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+	The section defines hashing thresholds to configure in the kernel during
+	daemon startup. Each address family takes a threshold for the local subnet
+	of an IPsec policy (src in out-policies, dst in in- and forward-policies)
+	and the remote subnet (dst in out-policies, src in in- and
+	forward-policies).
+
+	If the subnet has more or equal net bits than the threshold, the first
+	threshold bits are used to calculate a hash to lookup the policy.
+
+	Policy hashing thresholds are not supported before Linux 3.18 and might
+	conflict with socket policies before Linux 4.8.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32
+	Local subnet XFRM policy hashing threshold for IPv4.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32
+	Remote subnet XFRM policy hashing threshold for IPv4.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128
+	Local subnet XFRM policy hashing threshold for IPv6.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128
+	Remote subnet XFRM policy hashing threshold for IPv6.
+
 charon.plugins.kernel-netlink.retries = 0
 	Number of Netlink message retransmissions to send on timeout.
 
@@ -61,8 +90,12 @@ charon.plugins.kernel-netlink.ignore_retransmit_errors = no
 	Whether to ignore errors potentially resulting from a retransmission.
 
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
-	Lifetime of XFRM acquire state in kernel.
-
-	Lifetime of XFRM acquire state in kernel. The value gets written to
-	/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
-	acquire messages sent.
+	Lifetime of XFRM acquire state and allocated SPIs in kernel.
+
+	Lifetime of XFRM acquire state created by the kernel when traffic matches a
+	trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
+	Indirectly controls the delay between XFRM acquire messages triggered by the
+	kernel for a trap policy. The same value is used as timeout for SPIs
+	allocated by the kernel. The default value equals the default total
+	retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
+	in **strongswan.conf**(5).
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 3d03f20..c0ecbb7 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -3,6 +3,10 @@
 Plugins to load in ipsec aikgen tool.
 
 .TP
+.BR aikpub2.load " []"
+Plugins to load in aikpub2 tool.
+
+.TP
 .BR attest.database " []"
 File measurement information database URI. If it contains a password, make sure
 to adjust the permissions of the config file accordingly.
@@ -50,6 +54,16 @@ SonicWall boxes).
 Maximum number of half\-open IKE_SAs for a single peer IP.
 
 .TP
+.BR charon.cache_crls " [no]"
+Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
+saved under a unique file name derived from the public key of the Certification
+Authority (CA) to
+.RB "" "/etc/ipsec.d/crls" ""
+(stroke) or
+.RB "" "/etc/swanctl/x509crl" ""
+(vici), respectively.
+
+.TP
 .BR charon.cert_cache " [yes]"
 Whether relations in validated certificate chains should be cached in memory.
 
@@ -188,11 +202,11 @@ conflict with plugins that later need access to e.g. the used certificates.
 Whether to follow IKEv2 redirects (RFC 5685).
 
 .TP
-.BR charon.fragment_size " [0]"
+.BR charon.fragment_size " [1280]"
 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
-using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
-family specific        default values). If specified this limit is used for both
-IPv4 and IPv6.
+using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
+(use 0 for address family specific default values, which uses a lower value for
+IPv4).  If specified this limit is used for both IPv4 and IPv6.
 
 .TP
 .BR charon.group " []"
@@ -962,14 +976,51 @@ IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
 it also prevents the use of a single IPsec SA by more than one traffic selector.
 
 .TP
+.B charon.plugins.kernel-netlink.spdh_thresh
+.br
+XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+The section defines hashing thresholds to configure in the kernel during daemon
+startup. Each address family takes a threshold for the local subnet of an IPsec
+policy (src in out\-policies, dst in in\- and forward\-policies) and the remote
+subnet (dst in out\-policies, src in in\- and forward\-policies).
+
+If the subnet has more or equal net bits than the threshold, the first threshold
+bits are used to calculate a hash to lookup the policy.
+
+Policy hashing thresholds are not supported before Linux 3.18 and might conflict
+with socket policies before Linux 4.8.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits " [32]"
+Local subnet XFRM policy hashing threshold for IPv4.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits " [32]"
+Remote subnet XFRM policy hashing threshold for IPv4.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits " [128]"
+Local subnet XFRM policy hashing threshold for IPv6.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits " [128]"
+Remote subnet XFRM policy hashing threshold for IPv6.
+
+.TP
 .BR charon.plugins.kernel-netlink.timeout " [0]"
 Netlink message retransmission timeout, 0 to disable retransmissions.
 
 .TP
 .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
-Lifetime of XFRM acquire state in kernel. The value gets written to
-/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
-acquire messages sent.
+Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
+policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
+Indirectly controls the delay between XFRM acquire messages triggered by the
+kernel for a trap policy. The same value is used as timeout for SPIs allocated
+by the kernel. The default value equals the default total retransmission timeout
+for IKE messages, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
 
 .TP
 .BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
@@ -1731,6 +1782,10 @@ Name of the user the daemon changes to after startup.
 Discard certificates with unsupported or unknown critical extensions.
 
 .TP
+.BR charon-nm.ca_dir " [<default>]"
+Directory from which to load CA certificates if no certificate is configured.
+
+.TP
 .B charon-systemd.journal
 .br
 Section to configure native systemd journal logger, very similar to the syslog
diff --git a/config.h.in b/config.h.in
index 1e513da..477cc2b 100644
--- a/config.h.in
+++ b/config.h.in
@@ -248,6 +248,9 @@
 /* have syscall(SYS_gettid) */
 #undef HAVE_SYS_GETTID
 
+/* Define to 1 if you have the <sys/param.h> header file. */
+#undef HAVE_SYS_PARAM_H
+
 /* Define to 1 if you have the <sys/sockio.h> header file. */
 #undef HAVE_SYS_SOCKIO_H
 
@@ -319,7 +322,7 @@
 /* use TrouSerS library libtspi */
 #undef TSS_TROUSERS
 
-/* use TSS 2.0 library libtss2 */
+/* use TSS 2.0 libraries */
 #undef TSS_TSS2
 
 /* using builtin printf for printf hooks */
diff --git a/configure b/configure
index be9df97..52a1971 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.5.0.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.5.1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.5.0'
-PACKAGE_STRING='strongSwan 5.5.0'
+PACKAGE_VERSION='5.5.1'
+PACKAGE_STRING='strongSwan 5.5.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -695,6 +695,8 @@ USE_LIBTNCCS_FALSE
 USE_LIBTNCCS_TRUE
 USE_LIBTNCIF_FALSE
 USE_LIBTNCIF_TRUE
+USE_LIBNTTFFT_FALSE
+USE_LIBNTTFFT_TRUE
 USE_LIBIPSEC_FALSE
 USE_LIBIPSEC_TRUE
 USE_LIBCHARON_FALSE
@@ -891,8 +893,6 @@ USE_SQL_FALSE
 USE_SQL_TRUE
 USE_SMP_FALSE
 USE_SMP_TRUE
-USE_MAEMO_FALSE
-USE_MAEMO_TRUE
 USE_ANDROID_LOG_FALSE
 USE_ANDROID_LOG_TRUE
 USE_ANDROID_DNS_FALSE
@@ -913,6 +913,8 @@ USE_STROKE_FALSE
 USE_STROKE_TRUE
 USE_BLISS_FALSE
 USE_BLISS_TRUE
+USE_NEWHOPE_FALSE
+USE_NEWHOPE_TRUE
 USE_NTRU_FALSE
 USE_NTRU_TRUE
 USE_AF_ALG_FALSE
@@ -985,6 +987,8 @@ USE_GMP_FALSE
 USE_GMP_TRUE
 USE_FIPS_PRF_FALSE
 USE_FIPS_PRF_TRUE
+USE_MGF1_FALSE
+USE_MGF1_TRUE
 USE_SHA3_FALSE
 USE_SHA3_TRUE
 USE_SHA2_FALSE
@@ -1061,9 +1065,6 @@ nm_LIBS
 nm_CFLAGS
 pcsclite_LIBS
 pcsclite_CFLAGS
-dbusservicedir
-maemo_LIBS
-maemo_CFLAGS
 MYSQLCFLAG
 MYSQLCONFIG
 MYSQLLIB
@@ -1075,6 +1076,8 @@ gtk_LIBS
 gtk_CFLAGS
 json_LIBS
 json_CFLAGS
+tss2_LIBS
+tss2_CFLAGS
 systemd_journal_LIBS
 systemd_journal_CFLAGS
 systemd_daemon_LIBS
@@ -1306,6 +1309,8 @@ enable_gmp
 enable_hmac
 enable_md4
 enable_md5
+enable_mgf1
+enable_newhope
 enable_nonce
 enable_ntru
 enable_openssl
@@ -1422,7 +1427,6 @@ enable_ha
 enable_led
 enable_load_tester
 enable_lookip
-enable_maemo
 enable_radattr
 enable_systime_fix
 enable_test_vectors
@@ -1506,12 +1510,12 @@ systemd_daemon_CFLAGS
 systemd_daemon_LIBS
 systemd_journal_CFLAGS
 systemd_journal_LIBS
+tss2_CFLAGS
+tss2_LIBS
 json_CFLAGS
 json_LIBS
 gtk_CFLAGS
 gtk_LIBS
-maemo_CFLAGS
-maemo_LIBS
 pcsclite_CFLAGS
 pcsclite_LIBS
 nm_CFLAGS
@@ -2068,7 +2072,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.5.0 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.5.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2139,7 +2143,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.5.0:";;
+     short | recursive ) echo "Configuration of strongSwan 5.5.1:";;
    esac
   cat <<\_ACEOF
 
@@ -2166,6 +2170,8 @@ Optional Features:
   --disable-hmac          disable HMAC crypto implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
+  --enable-mgf1           enable the MGF1 software implementation plugin.
+  --enable-newhope        enable New Hope crypto plugin.
   --disable-nonce         disable nonce generation plugin.
   --enable-ntru           enables the NTRU crypto plugin.
   --enable-openssl        enables the OpenSSL crypto plugin.
@@ -2317,7 +2323,6 @@ Optional Features:
   --enable-load-tester    enable load testing plugin for IKEv2 daemon.
   --enable-lookip         enable fast virtual IP lookup and notification
                           plugin.
-  --enable-maemo          enable Maemo specific plugin.
   --enable-radattr        enable plugin to inject and process custom RADIUS
                           attributes as IKEv2 client.
   --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
@@ -2516,13 +2521,12 @@ Some influential environment variables:
               C compiler flags for systemd_journal, overriding pkg-config
   systemd_journal_LIBS
               linker flags for systemd_journal, overriding pkg-config
+  tss2_CFLAGS C compiler flags for tss2, overriding pkg-config
+  tss2_LIBS   linker flags for tss2, overriding pkg-config
   json_CFLAGS C compiler flags for json, overriding pkg-config
   json_LIBS   linker flags for json, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
-  maemo_CFLAGS
-              C compiler flags for maemo, overriding pkg-config
-  maemo_LIBS  linker flags for maemo, overriding pkg-config
   pcsclite_CFLAGS
               C compiler flags for pcsclite, overriding pkg-config
   pcsclite_LIBS
@@ -2600,7 +2604,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.5.0
+strongSwan configure 5.5.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3122,7 +3126,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.5.0, which was
+It was created by strongSwan $as_me 5.5.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3985,7 +3989,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.5.0'
+ VERSION='5.5.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5084,6 +5088,38 @@ fi
 
 	enabled_by_default=${enabled_by_default}" md5"
 
+# Check whether --enable-mgf1 was given.
+if test "${enable_mgf1+set}" = set; then :
+  enableval=$enable_mgf1; mgf1_given=true
+		if test x$enableval = xyes; then
+			mgf1=true
+		 else
+			mgf1=false
+		fi
+else
+  mgf1=false
+		mgf1_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" mgf1"
+
+# Check whether --enable-newhope was given.
+if test "${enable_newhope+set}" = set; then :
+  enableval=$enable_newhope; newhope_given=true
+		if test x$enableval = xyes; then
+			newhope=true
+		 else
+			newhope=false
+		fi
+else
+  newhope=false
+		newhope_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" newhope"
+
 # Check whether --enable-nonce was given.
 if test "${enable_nonce+set}" = set; then :
   enableval=$enable_nonce; nonce_given=true
@@ -6949,22 +6985,6 @@ fi
 
 	disabled_by_default=${disabled_by_default}" lookip"
 
-# Check whether --enable-maemo was given.
-if test "${enable_maemo+set}" = set; then :
-  enableval=$enable_maemo; maemo_given=true
-		if test x$enableval = xyes; then
-			maemo=true
-		 else
-			maemo=false
-		fi
-else
-  maemo=false
-		maemo_given=false
-
-fi
-
-	disabled_by_default=${disabled_by_default}" maemo"
-
 # Check whether --enable-radattr was given.
 if test "${enable_radattr+set}" = set; then :
   enableval=$enable_radattr; radattr_given=true
@@ -17992,6 +18012,10 @@ if test x$aikpub2 = xtrue; then
 	tss_tss2=true
 fi
 
+if test x$ntru = xtrue -o x$bliss = xtrue; then
+	mgf1=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -18676,64 +18700,52 @@ fi
 
 
 
-# uClibc requires explicit -latomic for __atomic_* operations
+# Some architectures require explicit -latomic for __atomic_* operations
+# AC_SEARCH_LIBS() does not work when checking built-ins due to conflicting types
 LIBS=""
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing __atomic_load" >&5
-$as_echo_n "checking for library containing __atomic_load... " >&6; }
-if ${ac_cv_search___atomic_load+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing __atomic_and_fetch" >&5
+$as_echo_n "checking for library containing __atomic_and_fetch... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char __atomic_load ();
 int
 main ()
 {
-return __atomic_load ();
+int x; __atomic_and_fetch(&x, 1, __ATOMIC_RELAXED);
   ;
   return 0;
 }
 _ACEOF
-for ac_lib in '' atomic; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search___atomic_load=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search___atomic_load+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search___atomic_load+:} false; then :
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: none required" >&5
+$as_echo "none required" >&6; }
+else
+  LIBS="-latomic";
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
+int
+main ()
+{
+int x; __atomic_and_fetch(&x, 1, __ATOMIC_RELAXED);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: -latomic" >&5
+$as_echo "-latomic" >&6; }; ATOMICLIB=$LIBS
 else
-  ac_cv_search___atomic_load=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search___atomic_load" >&5
-$as_echo "$ac_cv_search___atomic_load" >&6; }
-ac_res=$ac_cv_search___atomic_load
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-  ATOMICLIB=$LIBS
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
 
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
 
 LIBS=$saved_LIBS
@@ -19046,7 +19058,7 @@ else
 fi
 
 
-for ac_header in sys/sockio.h sys/syscall.h glob.h net/if_tun.h
+for ac_header in sys/sockio.h sys/syscall.h sys/param.h glob.h net/if_tun.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -20715,54 +20727,103 @@ $as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
 fi
 
 if test x$tss_tss2 = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltss2" >&5
-$as_echo_n "checking for main in -ltss2... " >&6; }
-if ${ac_cv_lib_tss2_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ltss2  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
 
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for tss2" >&5
+$as_echo_n "checking for tss2... " >&6; }
 
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_tss2_main=yes
+if test -n "$tss2_CFLAGS"; then
+    pkg_cv_tss2_CFLAGS="$tss2_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tcti-socket\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "tcti-socket") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_tss2_CFLAGS=`$PKG_CONFIG --cflags "tcti-socket" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
-  ac_cv_lib_tss2_main=no
+  pkg_failed=yes
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+ else
+    pkg_failed=untried
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tss2_main" >&5
-$as_echo "$ac_cv_lib_tss2_main" >&6; }
-if test "x$ac_cv_lib_tss2_main" = xyes; then :
-  LIBS="$LIBS"
+if test -n "$tss2_LIBS"; then
+    pkg_cv_tss2_LIBS="$tss2_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tcti-socket\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "tcti-socket") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_tss2_LIBS=`$PKG_CONFIG --libs "tcti-socket" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
-  as_fn_error $? "TTS 2.0 library libtss2 not found" "$LINENO" 5
+  pkg_failed=yes
 fi
+ else
+    pkg_failed=untried
+fi
+
 
-	ac_fn_c_check_header_mongrel "$LINENO" "tss2/tpm20.h" "ac_cv_header_tss2_tpm20_h" "$ac_includes_default"
-if test "x$ac_cv_header_tss2_tpm20_h" = xyes; then :
 
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
 else
-  as_fn_error $? "TSS 2.0 header tss2/tpm20.h not found!" "$LINENO" 5
+        _pkg_short_errors_supported=no
 fi
+        if test $_pkg_short_errors_supported = yes; then
+	        tss2_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "tcti-socket" 2>&1`
+        else
+	        tss2_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "tcti-socket" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$tss2_PKG_ERRORS" >&5
 
+	as_fn_error $? "Package requirements (tcti-socket) were not met:
 
+$tss2_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables tss2_CFLAGS
+and tss2_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables tss2_CFLAGS
+and tss2_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	tss2_CFLAGS=$pkg_cv_tss2_CFLAGS
+	tss2_LIBS=$pkg_cv_tss2_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 
 $as_echo "#define TSS_TSS2 /**/" >>confdefs.h
 
 fi
+
+
+fi
+
 if test x$imv_swid = xtrue; then
 
 pkg_failed=no
@@ -21795,104 +21856,6 @@ fi
 
 fi
 
-if test x$maemo = xtrue; then
-
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for maemo" >&5
-$as_echo_n "checking for maemo... " >&6; }
-
-if test -n "$maemo_CFLAGS"; then
-    pkg_cv_maemo_CFLAGS="$maemo_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0 gthread-2.0 libosso osso-af-settings\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_maemo_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-if test -n "$maemo_LIBS"; then
-    pkg_cv_maemo_LIBS="$maemo_LIBS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0 gthread-2.0 libosso osso-af-settings\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_maemo_LIBS=`$PKG_CONFIG --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
-        else
-	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$maemo_PKG_ERRORS" >&5
-
-	as_fn_error $? "Package requirements (glib-2.0 gthread-2.0 libosso osso-af-settings) were not met:
-
-$maemo_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables maemo_CFLAGS
-and maemo_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details." "$LINENO" 5
-elif test $pkg_failed = untried; then
-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables maemo_CFLAGS
-and maemo_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5; }
-else
-	maemo_CFLAGS=$pkg_cv_maemo_CFLAGS
-	maemo_LIBS=$pkg_cv_maemo_LIBS
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-fi
-
-
-	dbusservicedir="/usr/share/dbus-1/system-services"
-
-fi
-
 if test x$eap_sim_pcsc = xtrue; then
 
 pkg_failed=no
@@ -23088,6 +23051,20 @@ if test x$md5 = xtrue; then
 
 	fi
 
+if test x$mgf1 = xtrue; then
+		s_plugins=${s_plugins}" mgf1"
+		charon_plugins=${charon_plugins}" mgf1"
+		scepclient_plugins=${scepclient_plugins}" mgf1"
+		pki_plugins=${pki_plugins}" mgf1"
+		scripts_plugins=${scripts_plugins}" mgf1"
+		medsrv_plugins=${medsrv_plugins}" mgf1"
+		attest_plugins=${attest_plugins}" mgf1"
+		nm_plugins=${nm_plugins}" mgf1"
+		cmd_plugins=${cmd_plugins}" mgf1"
+		aikgen_plugins=${aikgen_plugins}" mgf1"
+
+	fi
+
 if test x$rdrand = xtrue; then
 		s_plugins=${s_plugins}" rdrand"
 		charon_plugins=${charon_plugins}" rdrand"
@@ -23428,6 +23405,15 @@ if test x$ntru = xtrue; then
 
 	fi
 
+if test x$newhope = xtrue; then
+		s_plugins=${s_plugins}" newhope"
+		charon_plugins=${charon_plugins}" newhope"
+		scripts_plugins=${scripts_plugins}" newhope"
+		nm_plugins=${nm_plugins}" newhope"
+		cmd_plugins=${cmd_plugins}" newhope"
+
+	fi
+
 if test x$bliss = xtrue; then
 		s_plugins=${s_plugins}" bliss"
 		charon_plugins=${charon_plugins}" bliss"
@@ -23943,12 +23929,6 @@ if test x$radattr = xtrue; then
 
 	fi
 
-if test x$maemo = xtrue; then
-		c_plugins=${c_plugins}" maemo"
-		charon_plugins=${charon_plugins}" maemo"
-
-	fi
-
 if test x$uci = xtrue; then
 		c_plugins=${c_plugins}" uci"
 		charon_plugins=${charon_plugins}" uci"
@@ -24120,6 +24100,14 @@ else
   USE_SHA3_FALSE=
 fi
 
+ if test x$mgf1 = xtrue; then
+  USE_MGF1_TRUE=
+  USE_MGF1_FALSE='#'
+else
+  USE_MGF1_TRUE='#'
+  USE_MGF1_FALSE=
+fi
+
  if test x$fips_prf = xtrue; then
   USE_FIPS_PRF_TRUE=
   USE_FIPS_PRF_FALSE='#'
@@ -24408,6 +24396,14 @@ else
   USE_NTRU_FALSE=
 fi
 
+ if test x$newhope = xtrue; then
+  USE_NEWHOPE_TRUE=
+  USE_NEWHOPE_FALSE='#'
+else
+  USE_NEWHOPE_TRUE='#'
+  USE_NEWHOPE_FALSE=
+fi
+
  if test x$bliss = xtrue; then
   USE_BLISS_TRUE=
   USE_BLISS_FALSE='#'
@@ -24491,14 +24487,6 @@ else
   USE_ANDROID_LOG_FALSE=
 fi
 
- if test x$maemo = xtrue; then
-  USE_MAEMO_TRUE=
-  USE_MAEMO_FALSE='#'
-else
-  USE_MAEMO_TRUE='#'
-  USE_MAEMO_FALSE=
-fi
-
  if test x$smp = xtrue; then
   USE_SMP_TRUE=
   USE_SMP_FALSE='#'
@@ -25286,6 +25274,14 @@ else
   USE_LIBIPSEC_FALSE=
 fi
 
+ if test x$bliss = xtrue -o x$newhope = xtrue; then
+  USE_LIBNTTFFT_TRUE=
+  USE_LIBNTTFFT_FALSE='#'
+else
+  USE_LIBNTTFFT_TRUE='#'
+  USE_LIBNTTFFT_FALSE=
+fi
+
  if test x$tnc_tnccs = xtrue -o x$imcv = xtrue; then
   USE_LIBTNCIF_TRUE=
   USE_LIBTNCIF_FALSE='#'
@@ -25625,7 +25621,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswa [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/ [...]
 
 
 # =================
@@ -25861,6 +25857,10 @@ if test -z "${USE_SHA3_TRUE}" && test -z "${USE_SHA3_FALSE}"; then
   as_fn_error $? "conditional \"USE_SHA3\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_MGF1_TRUE}" && test -z "${USE_MGF1_FALSE}"; then
+  as_fn_error $? "conditional \"USE_MGF1\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
   as_fn_error $? "conditional \"USE_FIPS_PRF\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26005,6 +26005,10 @@ if test -z "${USE_NTRU_TRUE}" && test -z "${USE_NTRU_FALSE}"; then
   as_fn_error $? "conditional \"USE_NTRU\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_NEWHOPE_TRUE}" && test -z "${USE_NEWHOPE_FALSE}"; then
+  as_fn_error $? "conditional \"USE_NEWHOPE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_BLISS_TRUE}" && test -z "${USE_BLISS_FALSE}"; then
   as_fn_error $? "conditional \"USE_BLISS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26045,10 +26049,6 @@ if test -z "${USE_ANDROID_LOG_TRUE}" && test -z "${USE_ANDROID_LOG_FALSE}"; then
   as_fn_error $? "conditional \"USE_ANDROID_LOG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_MAEMO_TRUE}" && test -z "${USE_MAEMO_FALSE}"; then
-  as_fn_error $? "conditional \"USE_MAEMO\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
   as_fn_error $? "conditional \"USE_SMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26441,6 +26441,10 @@ if test -z "${USE_LIBIPSEC_TRUE}" && test -z "${USE_LIBIPSEC_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBIPSEC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBNTTFFT_TRUE}" && test -z "${USE_LIBNTTFFT_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LIBNTTFFT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LIBTNCIF_TRUE}" && test -z "${USE_LIBTNCIF_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBTNCIF\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26962,7 +26966,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.5.0, which was
+This file was extended by strongSwan $as_me 5.5.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -27028,7 +27032,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.5.0
+strongSwan config.status 5.5.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -27452,6 +27456,8 @@ do
     "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
     "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
     "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
+    "src/libstrongswan/math/libnttfft/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/math/libnttfft/Makefile" ;;
+    "src/libstrongswan/math/libnttfft/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/math/libnttfft/tests/Makefile" ;;
     "src/libstrongswan/plugins/aes/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aes/Makefile" ;;
     "src/libstrongswan/plugins/cmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/cmac/Makefile" ;;
     "src/libstrongswan/plugins/des/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/des/Makefile" ;;
@@ -27462,6 +27468,7 @@ do
     "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
     "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
     "src/libstrongswan/plugins/sha3/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha3/Makefile" ;;
+    "src/libstrongswan/plugins/mgf1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mgf1/Makefile" ;;
     "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
     "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
     "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
@@ -27505,6 +27512,8 @@ do
     "src/libstrongswan/plugins/ntru/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ntru/Makefile" ;;
     "src/libstrongswan/plugins/bliss/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/Makefile" ;;
     "src/libstrongswan/plugins/bliss/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/tests/Makefile" ;;
+    "src/libstrongswan/plugins/newhope/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/newhope/Makefile" ;;
+    "src/libstrongswan/plugins/newhope/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/newhope/tests/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
     "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
@@ -27602,7 +27611,6 @@ do
     "src/libcharon/plugins/p_cscf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/p_cscf/Makefile" ;;
     "src/libcharon/plugins/android_dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_dns/Makefile" ;;
     "src/libcharon/plugins/android_log/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_log/Makefile" ;;
-    "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;;
     "src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index 3aa7d91..622c79a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.5.0])
+AC_INIT([strongSwan],[5.5.1])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -136,6 +136,8 @@ ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementa
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
 ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_ENABL_SET([mgf1],           [enable the MGF1 software implementation plugin.])
+ARG_ENABL_SET([newhope],        [enable New Hope crypto plugin.])
 ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
 ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
@@ -261,7 +263,6 @@ ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
 ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
 ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
-ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
 ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
 ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
@@ -465,6 +466,10 @@ if test x$aikpub2 = xtrue; then
 	tss_tss2=true
 fi
 
+if test x$ntru = xtrue -o x$bliss = xtrue; then
+	mgf1=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -500,9 +505,20 @@ LIBS=$DLLIB
 AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
 AC_SUBST(PTHREADLIB)
 
-# uClibc requires explicit -latomic for __atomic_* operations
+# Some architectures require explicit -latomic for __atomic_* operations
+# AC_SEARCH_LIBS() does not work when checking built-ins due to conflicting types
 LIBS=""
-AC_SEARCH_LIBS(__atomic_load, atomic, [ATOMICLIB=$LIBS])
+AC_MSG_CHECKING(for library containing __atomic_and_fetch)
+AC_LINK_IFELSE(
+	[AC_LANG_PROGRAM([[]], [[int x; __atomic_and_fetch(&x, 1, __ATOMIC_RELAXED);]])],
+	[AC_MSG_RESULT([none required])],
+	[LIBS="-latomic";
+	 AC_LINK_IFELSE(
+		[AC_LANG_PROGRAM([[]], [[int x; __atomic_and_fetch(&x, 1, __ATOMIC_RELAXED);]])],
+		[AC_MSG_RESULT([-latomic]); ATOMICLIB=$LIBS],
+		[AC_MSG_RESULT([no])])
+	]
+)
 AC_SUBST(ATOMICLIB)
 
 LIBS=$saved_LIBS
@@ -617,7 +633,7 @@ AC_CHECK_FUNC([syslog], [
 ])
 AM_CONDITIONAL(USE_SYSLOG, [test "x$syslog" = xtrue])
 
-AC_CHECK_HEADERS(sys/sockio.h sys/syscall.h glob.h net/if_tun.h)
+AC_CHECK_HEADERS(sys/sockio.h sys/syscall.h sys/param.h glob.h net/if_tun.h)
 AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
 AC_CHECK_HEADERS([netinet/ip6.h linux/fib_rules.h], [], [],
 [
@@ -977,10 +993,11 @@ if test x$tss_trousers = xtrue; then
 fi
 
 if test x$tss_tss2 = xtrue; then
-	AC_CHECK_LIB([tss2],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TTS 2.0 library libtss2 not found])],[])
-	AC_CHECK_HEADER([tss2/tpm20.h],,[AC_MSG_ERROR([TSS 2.0 header tss2/tpm20.h not found!])])
-	AC_DEFINE([TSS_TSS2], [], [use TSS 2.0 library libtss2])
+	PKG_CHECK_MODULES(tss2, [tcti-socket], [AC_DEFINE([TSS_TSS2], [], [use TSS 2.0 libraries])])
+	AC_SUBST(tss2_CFLAGS)
+	AC_SUBST(tss2_LIBS)
 fi
+
 if test x$imv_swid = xtrue; then
 	PKG_CHECK_MODULES(json, [json-c], [],
 		[PKG_CHECK_MODULES(json, [json])])
@@ -1127,14 +1144,6 @@ if test x$android_dns = xtrue; then
 	AC_SUBST(DLLIB)
 fi
 
-if test x$maemo = xtrue; then
-	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
-	AC_SUBST(maemo_CFLAGS)
-	AC_SUBST(maemo_LIBS)
-	dbusservicedir="/usr/share/dbus-1/system-services"
-	AC_SUBST(dbusservicedir)
-fi
-
 if test x$eap_sim_pcsc = xtrue; then
 	PKG_CHECK_MODULES(pcsclite, [libpcsclite])
 	AC_SUBST(pcsclite_CFLAGS)
@@ -1323,6 +1332,7 @@ ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attes
 ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
 ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([mgf1],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([random],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
@@ -1357,6 +1367,7 @@ ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ntru],                 [s charon scripts nm cmd])
+ADD_PLUGIN([newhope],              [s charon scripts nm cmd])
 ADD_PLUGIN([bliss],                [s charon pki scripts nm cmd])
 ADD_PLUGIN([curl],                 [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([files],                [s charon scepclient pki scripts nm cmd])
@@ -1433,7 +1444,6 @@ ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
 ADD_PLUGIN([radattr],              [c charon])
-ADD_PLUGIN([maemo],                [c charon])
 ADD_PLUGIN([uci],                  [c charon])
 ADD_PLUGIN([addrblock],            [c charon])
 ADD_PLUGIN([unity],                [c charon])
@@ -1478,6 +1488,7 @@ AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
 AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
 AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
 AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
+AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
 AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
@@ -1514,6 +1525,7 @@ AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
 AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
+AM_CONDITIONAL(USE_NEWHOPE, test x$newhope = xtrue)
 AM_CONDITIONAL(USE_BLISS, test x$bliss = xtrue)
 
 #  charon plugins
@@ -1527,7 +1539,6 @@ AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
 AM_CONDITIONAL(USE_P_CSCF, test x$p_cscf = xtrue)
 AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
 AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
-AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_DNSCERT, test x$dnscert = xtrue)
@@ -1629,6 +1640,7 @@ AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
+AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
@@ -1721,6 +1733,8 @@ AC_CONFIG_FILES([
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
+	src/libstrongswan/math/libnttfft/Makefile
+	src/libstrongswan/math/libnttfft/tests/Makefile
 	src/libstrongswan/plugins/aes/Makefile
 	src/libstrongswan/plugins/cmac/Makefile
 	src/libstrongswan/plugins/des/Makefile
@@ -1731,6 +1745,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/sha1/Makefile
 	src/libstrongswan/plugins/sha2/Makefile
 	src/libstrongswan/plugins/sha3/Makefile
+	src/libstrongswan/plugins/mgf1/Makefile
 	src/libstrongswan/plugins/fips_prf/Makefile
 	src/libstrongswan/plugins/gmp/Makefile
 	src/libstrongswan/plugins/rdrand/Makefile
@@ -1774,6 +1789,8 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/ntru/Makefile
 	src/libstrongswan/plugins/bliss/Makefile
 	src/libstrongswan/plugins/bliss/tests/Makefile
+	src/libstrongswan/plugins/newhope/Makefile
+	src/libstrongswan/plugins/newhope/tests/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libstrongswan/tests/Makefile
 	src/libipsec/Makefile
@@ -1871,7 +1888,6 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/p_cscf/Makefile
 	src/libcharon/plugins/android_dns/Makefile
 	src/libcharon/plugins/android_log/Makefile
-	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/vici/Makefile
 	src/libcharon/plugins/vici/ruby/Makefile
diff --git a/init/Makefile.in b/init/Makefile.in
index a7c723a..9ae5e47 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -329,7 +329,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -363,8 +362,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -418,6 +415,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
index ceb0563..190eb8f 100644
--- a/init/systemd-swanctl/Makefile.in
+++ b/init/systemd-swanctl/Makefile.in
@@ -297,7 +297,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -331,8 +330,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -386,6 +383,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index a3a7963..325a4e3 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -297,7 +297,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -331,8 +330,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -386,6 +383,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/man/Makefile.in b/man/Makefile.in
index a473efd..4d04d25 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -303,7 +303,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -337,8 +336,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -392,6 +389,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 54440c0..6f80709 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -247,7 +247,9 @@ can be added at the end.
 If
 .B dh-group
 is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
-Diffie-Hellman exchange.
+Diffie-Hellman exchange (refer to the
+.B esp
+keyword for details).
 .TP
 .BR also " = <name>"
 includes conn section
@@ -410,18 +412,27 @@ exclamation mark
 can be added at the end.
 
 .BR Note :
-As a responder the daemon accepts the first supported proposal received from
-the peer. In order to restrict a responder to only accept specific cipher
-suites, the strict flag
+As a responder, the daemon defaults to selecting the first configured proposal
+that's also supported by the peer. This may be changed via
+.BR strongswan.conf (5)
+to selecting the first acceptable proposal sent by the peer instead. In order to
+restrict a responder to only accept specific cipher suites, the strict flag
 .RB ( ! ,
 exclamation mark) can be used, e.g: aes256-sha512-modp4096!
-.br
+
 If
 .B dh-group
-is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
-Diffie-Hellman exchange.  Valid values for
+is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a
+separate Diffie-Hellman exchange using the specified group. However, for IKEv2,
+the keys of the CHILD_SA created implicitly with the IKE_SA will always be
+derived from the IKE_SA's key material. So any DH group specified here will only
+apply when the CHILD_SA is later rekeyed or is created with a separate
+CREATE_CHILD_SA exchange.  Therefore, a proposal mismatch might not immediately
+be noticed when the SA is established, but may later cause rekeying to fail.
+
+Valid values for
 .B esnmode
-(IKEv2 only) are
+are
 .B esn
 and
 .BR noesn .
@@ -434,14 +445,15 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked.
 .TP
-.BR fragmentation " = yes | force | " no
+.BR fragmentation " = " yes "  | force | no"
 whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
 fragmentation as per RFC 7383).  Acceptable values are
-.BR yes ,
+.B yes
+(the default),
 .B force
 and
-.B no
-(the default). Fragmented IKE messages sent by a peer are always accepted
+.BR no .
+Fragmented IKE messages sent by a peer are always accepted
 irrespective of the value of this option. If set to
 .BR yes ,
 and the peer supports it, larger IKE messages will be sent in fragments.
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 0c73dfa..606efcf 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -411,7 +411,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -445,8 +444,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -500,6 +497,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/Makefile.in b/src/Makefile.in
index 5131738..16b1d28 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -367,7 +367,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -401,8 +400,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -456,6 +453,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 5f7d50f..ce9ce1f 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -319,7 +319,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -353,8 +352,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -408,6 +405,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 1d15c0c..37a57af 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -297,7 +297,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -331,8 +330,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -386,6 +383,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 1e2b7dd..149e739 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -320,7 +320,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -354,8 +353,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -409,6 +406,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/aikpub2/Makefile.in b/src/aikpub2/Makefile.in
index adb40e4..62be867 100644
--- a/src/aikpub2/Makefile.in
+++ b/src/aikpub2/Makefile.in
@@ -320,7 +320,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -354,8 +353,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -409,6 +406,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 098eb94..fb43e4e 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -357,7 +357,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -391,8 +390,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -446,6 +443,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/charon-nm/Makefile.am b/src/charon-nm/Makefile.am
index 6ab7f27..4abfc74 100644
--- a/src/charon-nm/Makefile.am
+++ b/src/charon-nm/Makefile.am
@@ -22,3 +22,8 @@ charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(ATOMICLIB) $(DLLIB) ${nm_LIBS}
+
+dbusservicedir = $(sysconfdir)/dbus-1/system.d
+dbusservice_DATA = nm-strongswan-service.conf
+
+EXTRA_DIST = $(dbusservice_DATA)
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 715412a..7f05b35 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -14,6 +14,7 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
 am__is_gnu_make = { \
   if test -z '$(MAKELEVEL)'; then \
@@ -108,7 +109,8 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" \
+	"$(DESTDIR)$(dbusservicedir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am__dirstamp = $(am__leading_dot)dirstamp
 am_charon_nm_OBJECTS = charon-nm.$(OBJEXT) nm/nm_backend.$(OBJEXT) \
@@ -166,6 +168,34 @@ am__can_run_installinfo = \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+DATA = $(dbusservice_DATA)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -326,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -360,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -415,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -441,6 +470,9 @@ charon_nm_LDADD = \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(ATOMICLIB) $(DLLIB) ${nm_LIBS}
 
+dbusservicedir = $(sysconfdir)/dbus-1/system.d
+dbusservice_DATA = nm-strongswan-service.conf
+EXTRA_DIST = $(dbusservice_DATA)
 all: all-am
 
 .SUFFIXES:
@@ -583,6 +615,27 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-dbusserviceDATA: $(dbusservice_DATA)
+	@$(NORMAL_INSTALL)
+	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(dbusservicedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \
+	done
+
+uninstall-dbusserviceDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	dir='$(DESTDIR)$(dbusservicedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -668,9 +721,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(PROGRAMS)
+all-am: Makefile $(PROGRAMS) $(DATA)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(dbusservicedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -728,7 +781,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS
+install-data-am: install-dbusserviceDATA install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
@@ -774,7 +827,7 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS
+uninstall-am: uninstall-dbusserviceDATA uninstall-ipsecPROGRAMS
 
 .MAKE: install-am install-strip
 
@@ -783,14 +836,16 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-data-am install-dbusserviceDATA install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am uninstall-ipsecPROGRAMS
+	tags tags-am uninstall uninstall-am uninstall-dbusserviceDATA \
+	uninstall-ipsecPROGRAMS
 
 .PRECIOUS: Makefile
 
diff --git a/src/charon-nm/nm-strongswan-service.conf b/src/charon-nm/nm-strongswan-service.conf
new file mode 100644
index 0000000..a630f34
--- /dev/null
+++ b/src/charon-nm/nm-strongswan-service.conf
@@ -0,0 +1,15 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own="org.freedesktop.NetworkManager.strongswan"/>
+		<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
+		<allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
+	</policy>
+	<policy context="default">
+		<deny own="org.freedesktop.NetworkManager.strongswan"/>
+		<deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
+	</policy>
+</busconfig>
+
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 5991c24..571c0ed 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -23,7 +23,6 @@
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
 #include <credentials/certificates/x509.h>
-#include <networking/tun_device.h>
 
 #include <stdio.h>
 
@@ -43,8 +42,6 @@ typedef struct {
 	nm_creds_t *creds;
 	/* attribute handler for DNS/NBNS server information */
 	nm_handler_t *handler;
-	/* dummy TUN device */
-	tun_device_t *tun;
 	/* name of the connection */
 	char *name;
 } NMStrongswanPluginPrivate;
@@ -88,19 +85,18 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	GValue *val;
 	GHashTable *config;
 	enumerator_t *enumerator;
-	host_t *me;
+	host_t *me, *other;
 	nm_handler_t *handler;
 
 	config = g_hash_table_new(g_str_hash, g_str_equal);
 	handler = priv->handler;
 
-	/* NM requires a tundev, but netkey does not use one. Passing the physical
-	 * interface does not work, as NM fiddles around with it. So we pass a dummy
-	 * TUN device along for NM to play with... */
+	/* NM apparently requires to know the gateway */
 	val = g_slice_new0 (GValue);
-	g_value_init (val, G_TYPE_STRING);
-	g_value_set_string (val, priv->tun->get_name(priv->tun));
-	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
+	g_value_init (val, G_TYPE_UINT);
+	other = ike_sa->get_other_host(ike_sa);
+	g_value_set_uint (val, *(uint32_t*)other->get_address(other).ptr);
+	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, val);
 
 	/* NM installs this IP address on the interface above, so we use the VIP if
 	 * we got one.
@@ -336,12 +332,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		 priv->name);
 	DBG4(DBG_CFG, "%s",
 		 nm_setting_to_string(NM_SETTING(vpn)));
-	if (!priv->tun)
-	{
-		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
-					"Failed to create dummy TUN device.");
-		return FALSE;
-	}
 	address = nm_setting_vpn_get_data_item(vpn, "address");
 	if (!address || !*address)
 	{
@@ -406,7 +396,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	else
 	{
 		/* no certificate defined, fall back to system-wide CA certificates */
-		priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
+		priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
+								 lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
 	}
 	if (!gateway)
 	{
@@ -428,6 +419,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		{
 			user = identification_create_from_string((char*)str);
 			str = nm_setting_vpn_get_secret(vpn, "password");
+			if (auth_class == AUTH_CLASS_PSK &&
+				strlen(str) < 20)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"pre-shared key is too short.");
+				gateway->destroy(gateway);
+				user->destroy(user);
+				return FALSE;
+			}
 			priv->creds->set_username_password(priv->creds, user, (char*)str);
 		}
 	}
@@ -538,7 +539,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0",
 							 charon->socket->get_port(charon->socket, FALSE),
 							(char*)address, IKEV2_UDP_PORT,
-							 FRAGMENTATION_NO, 0);
+							 FRAGMENTATION_YES, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
 
@@ -722,28 +723,10 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 	memset(&priv->listener, 0, sizeof(listener_t));
 	priv->listener.child_updown = child_updown;
 	priv->listener.ike_rekey = ike_rekey;
-	priv->tun = tun_device_create(NULL);
 	priv->name = NULL;
 }
 
 /**
- * Destructor
- */
-static void nm_strongswan_plugin_dispose(GObject *obj)
-{
-	NMStrongswanPlugin *plugin;
-	NMStrongswanPluginPrivate *priv;
-
-	plugin = NM_STRONGSWAN_PLUGIN(obj);
-	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-	if (priv->tun)
-	{
-		priv->tun->destroy(priv->tun);
-		priv->tun = NULL;
-	}
-}
-
-/**
  * Class constructor
  */
 static void nm_strongswan_plugin_class_init(
@@ -756,7 +739,6 @@ static void nm_strongswan_plugin_class_init(
 	parent_class->connect = connect_;
 	parent_class->need_secrets = need_secrets;
 	parent_class->disconnect = disconnect;
-	G_OBJECT_CLASS(strongswan_class)->dispose = nm_strongswan_plugin_dispose;
 }
 
 /**
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index 4afa625..e9cb266 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -320,7 +320,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -354,8 +353,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -409,6 +406,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index 3dcf3d7..c1aa833 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -324,7 +324,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -358,8 +357,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -413,6 +410,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 1eaf46a..30a3ac8 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/charon-tkm/build_common.gpr b/src/charon-tkm/build_common.gpr
index 102f6b7..4595195 100644
--- a/src/charon-tkm/build_common.gpr
+++ b/src/charon-tkm/build_common.gpr
@@ -9,7 +9,8 @@ project Build_Common is
 
    C_Compiler_Switches   := ("-W",
                              "-Wall",
-                             "-Wno-unused-parameter");
+                             "-Wno-unused-parameter",
+                             "-g");
    Ada_Compiler_Switches := ("-gnatwale",
                              "-gnatygAdISuxo",
                              "-gnata",
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 13352e5..4a6d2ae 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -286,7 +286,7 @@ int main(int argc, char *argv[])
 		PLUGIN_REGISTER(PUBKEY, tkm_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
 			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
-			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
+			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256),
 		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
 		PLUGIN_CALLBACK(tkm_spi_generator_register, NULL),
@@ -373,6 +373,7 @@ int main(int argc, char *argv[])
 	run();
 
 	unlink_pidfile();
+	free(pidfile_name);
 	status = 0;
 	charon->bus->remove_listener(charon->bus, &listener->listener);
 	listener->destroy(listener);
@@ -382,7 +383,7 @@ int main(int argc, char *argv[])
 deinit:
 	destroy_dh_mapping();
 	libcharon_deinit();
-	library_deinit();
 	tkm_deinit();
+	library_deinit();
 	return status;
 }
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 51f62fc..d07ea5c 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -323,7 +323,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -357,8 +356,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -412,6 +409,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 87bbf9f..8821090 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -48,6 +48,11 @@ if USE_RADIUS
   libs += $(DESTDIR)$(ipseclibdir)/libradius.so
 endif
 
+if USE_LIBNTTFFT
+  deps += $(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
+  libs += $(DESTDIR)$(ipseclibdir)/libnttfft.so
+endif
+
 if USE_LIBPTTLS
   deps += $(top_builddir)/src/libpttls/libpttls.la
   libs += $(DESTDIR)$(ipseclibdir)/libpttls.so
@@ -89,6 +94,10 @@ if USE_CMD
   exes += $(DESTDIR)$(sbindir)/charon-cmd
 endif
 
+if USE_SYSTEMD
+  exes += $(DESTDIR)$(sbindir)/charon-systemd
+endif
+
 if USE_SCEPCLIENT
   exes += $(DESTDIR)$(ipsecdir)/scepclient
 endif
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index ef14d12..7644e1b 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -96,27 +96,30 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_TLS_TRUE at am__append_5 = $(DESTDIR)$(ipseclibdir)/libtls.so
 @USE_RADIUS_TRUE at am__append_6 = $(top_builddir)/src/libradius/libradius.la
 @USE_RADIUS_TRUE at am__append_7 = $(DESTDIR)$(ipseclibdir)/libradius.so
- at USE_LIBPTTLS_TRUE@am__append_8 = $(top_builddir)/src/libpttls/libpttls.la
- at USE_LIBPTTLS_TRUE@am__append_9 = $(DESTDIR)$(ipseclibdir)/libpttls.so
- at USE_LIBTPMTSS_TRUE@am__append_10 = $(top_builddir)/src/libtpmtss/libtpmtss.la
- at USE_LIBTPMTSS_TRUE@am__append_11 = $(DESTDIR)$(ipseclibdir)/libtpmtss.so
- at USE_LIBTNCCS_TRUE@am__append_12 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_LIBTNCCS_TRUE@am__append_13 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
- at MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE at am__append_14 = -DT_PLUGINS=\""${t_plugins}\""
- at USE_SIMAKA_TRUE@am__append_15 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_SIMAKA_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
- at USE_IMCV_TRUE@am__append_17 = $(top_builddir)/src/libimcv/libimcv.la
- at USE_IMCV_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libimcv.so
- at USE_CHARON_TRUE@am__append_19 = $(top_builddir)/src/libcharon/libcharon.la
- at USE_CHARON_TRUE@am__append_20 = $(DESTDIR)$(ipseclibdir)/libcharon.so
- at USE_CHARON_TRUE@am__append_21 = $(DESTDIR)$(ipsecdir)/charon
- at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_22 = -DC_PLUGINS=\""${c_plugins}\""
- at USE_CMD_TRUE@am__append_23 = $(DESTDIR)$(sbindir)/charon-cmd
- at USE_SCEPCLIENT_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/scepclient
- at USE_PKI_TRUE@am__append_25 = $(DESTDIR)$(bindir)/pki
- at USE_SWANCTL_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/swanctl
- at USE_ATTR_SQL_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/pool
- at USE_IMV_ATTESTATION_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/attest
+ at USE_LIBNTTFFT_TRUE@am__append_8 = $(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
+ at USE_LIBNTTFFT_TRUE@am__append_9 = $(DESTDIR)$(ipseclibdir)/libnttfft.so
+ at USE_LIBPTTLS_TRUE@am__append_10 = $(top_builddir)/src/libpttls/libpttls.la
+ at USE_LIBPTTLS_TRUE@am__append_11 = $(DESTDIR)$(ipseclibdir)/libpttls.so
+ at USE_LIBTPMTSS_TRUE@am__append_12 = $(top_builddir)/src/libtpmtss/libtpmtss.la
+ at USE_LIBTPMTSS_TRUE@am__append_13 = $(DESTDIR)$(ipseclibdir)/libtpmtss.so
+ at USE_LIBTNCCS_TRUE@am__append_14 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_LIBTNCCS_TRUE@am__append_15 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
+ at MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE at am__append_16 = -DT_PLUGINS=\""${t_plugins}\""
+ at USE_SIMAKA_TRUE@am__append_17 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_SIMAKA_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
+ at USE_IMCV_TRUE@am__append_19 = $(top_builddir)/src/libimcv/libimcv.la
+ at USE_IMCV_TRUE@am__append_20 = $(DESTDIR)$(ipseclibdir)/libimcv.so
+ at USE_CHARON_TRUE@am__append_21 = $(top_builddir)/src/libcharon/libcharon.la
+ at USE_CHARON_TRUE@am__append_22 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+ at USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipsecdir)/charon
+ at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_24 = -DC_PLUGINS=\""${c_plugins}\""
+ at USE_CMD_TRUE@am__append_25 = $(DESTDIR)$(sbindir)/charon-cmd
+ at USE_SYSTEMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-systemd
+ at USE_SCEPCLIENT_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient
+ at USE_PKI_TRUE@am__append_28 = $(DESTDIR)$(bindir)/pki
+ at USE_SWANCTL_TRUE@am__append_29 = $(DESTDIR)$(sbindir)/swanctl
+ at USE_ATTR_SQL_TRUE@am__append_30 = $(DESTDIR)$(ipsecdir)/pool
+ at USE_IMV_ATTESTATION_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -388,7 +391,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -422,8 +424,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -477,6 +477,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -497,7 +499,7 @@ CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
-	$(am__append_14) $(am__append_22)
+	$(am__append_16) $(am__append_24)
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
@@ -508,14 +510,15 @@ AM_CFLAGS = \
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__append_2) $(am__append_4) $(am__append_6) \
 	$(am__append_8) $(am__append_10) $(am__append_12) \
-	$(am__append_15) $(am__append_17) $(am__append_19)
+	$(am__append_14) $(am__append_17) $(am__append_19) \
+	$(am__append_21)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_5) $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_16) \
-	$(am__append_18) $(am__append_20)
-exes = $(am__append_21) $(am__append_23) $(am__append_24) \
-	$(am__append_25) $(am__append_26) $(am__append_27) \
-	$(am__append_28)
+	$(am__append_11) $(am__append_13) $(am__append_15) \
+	$(am__append_18) $(am__append_20) $(am__append_22)
+exes = $(am__append_23) $(am__append_25) $(am__append_26) \
+	$(am__append_27) $(am__append_28) $(am__append_29) \
+	$(am__append_30) $(am__append_31)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 7b49989..9c55b50 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -337,7 +337,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -371,8 +370,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -426,6 +423,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index d3bb11f..38681f4 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -358,7 +358,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -392,8 +391,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -447,6 +444,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index c909af9..4fa90fd 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index 22e61fd..02d5125 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -84,6 +84,8 @@ struct xfrm_replay_state {
 	__u32	bitmap;
 };
 
+#define XFRMA_REPLAY_ESN_MAX	4096
+
 struct xfrm_replay_state_esn {
 	unsigned int	bmp_len;
 	__u32		oseq;
@@ -295,6 +297,9 @@ enum xfrm_attr_type_t {
 	XFRMA_MARK,		/* struct xfrm_mark */
 	XFRMA_TFCPAD,		/* __u32 */
 	XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_esn */
+	XFRMA_SA_EXTRA_FLAGS,	/* __u32 */
+	XFRMA_PROTO,		/* __u8 */
+	XFRMA_ADDRESS_FILTER,	/* struct xfrm_address_filter */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -323,6 +328,8 @@ enum xfrm_spdattr_type_t {
 	XFRMA_SPD_UNSPEC,
 	XFRMA_SPD_INFO,
 	XFRMA_SPD_HINFO,
+	XFRMA_SPD_IPV4_HTHRESH,
+	XFRMA_SPD_IPV6_HTHRESH,
 	__XFRMA_SPD_MAX
 
 #define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
@@ -342,6 +349,11 @@ struct xfrmu_spdhinfo {
 	__u32 spdhmcnt;
 };
 
+struct xfrmu_spdhthresh {
+	__u8 lbits;
+	__u8 rbits;
+};
+
 struct xfrm_usersa_info {
 	struct xfrm_selector		sel;
 	struct xfrm_id			id;
@@ -365,6 +377,8 @@ struct xfrm_usersa_info {
 #define XFRM_STATE_ESN		128
 };
 
+#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP	1
+
 struct xfrm_usersa_id {
 	xfrm_address_t			daddr;
 	__be32				spi;
@@ -469,6 +483,14 @@ struct xfrm_user_mapping {
 	__be16				new_sport;
 };
 
+struct xfrm_address_filter {
+	xfrm_address_t			saddr;
+	xfrm_address_t			daddr;
+	__u16				family;
+	__u8				splen;
+	__u8				dplen;
+};
+
 #ifndef __KERNEL__
 /* backwards compatibility for userspace */
 #define XFRMGRP_ACQUIRE		1
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index c4cb5af..7512472 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -300,7 +300,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -334,8 +333,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -389,6 +386,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index b0acc6c..388a492 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.5.0rc1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.5.1dr3" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 550f6eb..e530205 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -513,13 +513,6 @@ if MONOLITHIC
 endif
 endif
 
-if USE_MAEMO
-  SUBDIRS += plugins/maemo
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/maemo/libstrongswan-maemo.la
-endif
-endif
-
 if USE_HA
   SUBDIRS += plugins/ha
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 3ea9b80..e82e67b 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -239,60 +239,58 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_91 = plugins/android_dns/libstrongswan-android-dns.la
 @USE_ANDROID_LOG_TRUE at am__append_92 = plugins/android_log
 @MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_93 = plugins/android_log/libstrongswan-android-log.la
- at USE_MAEMO_TRUE@am__append_94 = plugins/maemo
- at MONOLITHIC_TRUE@@USE_MAEMO_TRUE at am__append_95 = plugins/maemo/libstrongswan-maemo.la
- at USE_HA_TRUE@am__append_96 = plugins/ha
- at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_97 = plugins/ha/libstrongswan-ha.la
- at USE_KERNEL_PFKEY_TRUE@am__append_98 = plugins/kernel_pfkey
- at MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE at am__append_99 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
- at USE_KERNEL_PFROUTE_TRUE@am__append_100 = plugins/kernel_pfroute
- at MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE at am__append_101 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
- at USE_KERNEL_NETLINK_TRUE@am__append_102 = plugins/kernel_netlink
- at MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE at am__append_103 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
- at USE_KERNEL_LIBIPSEC_TRUE@am__append_104 = plugins/kernel_libipsec
- at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_105 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
- at USE_KERNEL_WFP_TRUE@am__append_106 = plugins/kernel_wfp
- at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_107 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
- at USE_KERNEL_IPH_TRUE@am__append_108 = plugins/kernel_iph
- at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_109 = plugins/kernel_iph/libstrongswan-kernel-iph.la
- at USE_WHITELIST_TRUE@am__append_110 = plugins/whitelist
- at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_111 = plugins/whitelist/libstrongswan-whitelist.la
- at USE_LOOKIP_TRUE@am__append_112 = plugins/lookip
- at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_113 = plugins/lookip/libstrongswan-lookip.la
- at USE_ERROR_NOTIFY_TRUE@am__append_114 = plugins/error_notify
- at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_115 = plugins/error_notify/libstrongswan-error-notify.la
- at USE_CERTEXPIRE_TRUE@am__append_116 = plugins/certexpire
- at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_117 = plugins/certexpire/libstrongswan-certexpire.la
- at USE_SYSTIME_FIX_TRUE@am__append_118 = plugins/systime_fix
- at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_119 = plugins/systime_fix/libstrongswan-systime-fix.la
- at USE_LED_TRUE@am__append_120 = plugins/led
- at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_121 = plugins/led/libstrongswan-led.la
- at USE_DUPLICHECK_TRUE@am__append_122 = plugins/duplicheck
- at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_123 = plugins/duplicheck/libstrongswan-duplicheck.la
- at USE_COUPLING_TRUE@am__append_124 = plugins/coupling
- at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_125 = plugins/coupling/libstrongswan-coupling.la
- at USE_RADATTR_TRUE@am__append_126 = plugins/radattr
- at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_127 = plugins/radattr/libstrongswan-radattr.la
- at USE_UCI_TRUE@am__append_128 = plugins/uci
- at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_129 = plugins/uci/libstrongswan-uci.la
- at USE_ADDRBLOCK_TRUE@am__append_130 = plugins/addrblock
- at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_131 = plugins/addrblock/libstrongswan-addrblock.la
- at USE_UNITY_TRUE@am__append_132 = plugins/unity
- at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_133 = plugins/unity/libstrongswan-unity.la
- at USE_XAUTH_GENERIC_TRUE@am__append_134 = plugins/xauth_generic
- at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_135 = plugins/xauth_generic/libstrongswan-xauth-generic.la
- at USE_XAUTH_EAP_TRUE@am__append_136 = plugins/xauth_eap
- at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_137 = plugins/xauth_eap/libstrongswan-xauth-eap.la
- at USE_XAUTH_PAM_TRUE@am__append_138 = plugins/xauth_pam
- at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_139 = plugins/xauth_pam/libstrongswan-xauth-pam.la
- at USE_XAUTH_NOAUTH_TRUE@am__append_140 = plugins/xauth_noauth
- at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_141 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
- at USE_RESOLVE_TRUE@am__append_142 = plugins/resolve
- at MONOLITHIC_TRUE@@USE_RESOLVE_TRUE at am__append_143 = plugins/resolve/libstrongswan-resolve.la
- at USE_ATTR_TRUE@am__append_144 = plugins/attr
- at MONOLITHIC_TRUE@@USE_ATTR_TRUE at am__append_145 = plugins/attr/libstrongswan-attr.la
- at USE_ATTR_SQL_TRUE@am__append_146 = plugins/attr_sql
- at MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE at am__append_147 = plugins/attr_sql/libstrongswan-attr-sql.la
+ at USE_HA_TRUE@am__append_94 = plugins/ha
+ at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_95 = plugins/ha/libstrongswan-ha.la
+ at USE_KERNEL_PFKEY_TRUE@am__append_96 = plugins/kernel_pfkey
+ at MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE at am__append_97 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+ at USE_KERNEL_PFROUTE_TRUE@am__append_98 = plugins/kernel_pfroute
+ at MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE at am__append_99 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+ at USE_KERNEL_NETLINK_TRUE@am__append_100 = plugins/kernel_netlink
+ at MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE at am__append_101 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+ at USE_KERNEL_LIBIPSEC_TRUE@am__append_102 = plugins/kernel_libipsec
+ at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_103 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+ at USE_KERNEL_WFP_TRUE@am__append_104 = plugins/kernel_wfp
+ at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_105 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+ at USE_KERNEL_IPH_TRUE@am__append_106 = plugins/kernel_iph
+ at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_107 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+ at USE_WHITELIST_TRUE@am__append_108 = plugins/whitelist
+ at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_109 = plugins/whitelist/libstrongswan-whitelist.la
+ at USE_LOOKIP_TRUE@am__append_110 = plugins/lookip
+ at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_111 = plugins/lookip/libstrongswan-lookip.la
+ at USE_ERROR_NOTIFY_TRUE@am__append_112 = plugins/error_notify
+ at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_113 = plugins/error_notify/libstrongswan-error-notify.la
+ at USE_CERTEXPIRE_TRUE@am__append_114 = plugins/certexpire
+ at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_115 = plugins/certexpire/libstrongswan-certexpire.la
+ at USE_SYSTIME_FIX_TRUE@am__append_116 = plugins/systime_fix
+ at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_117 = plugins/systime_fix/libstrongswan-systime-fix.la
+ at USE_LED_TRUE@am__append_118 = plugins/led
+ at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_119 = plugins/led/libstrongswan-led.la
+ at USE_DUPLICHECK_TRUE@am__append_120 = plugins/duplicheck
+ at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_121 = plugins/duplicheck/libstrongswan-duplicheck.la
+ at USE_COUPLING_TRUE@am__append_122 = plugins/coupling
+ at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_123 = plugins/coupling/libstrongswan-coupling.la
+ at USE_RADATTR_TRUE@am__append_124 = plugins/radattr
+ at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_125 = plugins/radattr/libstrongswan-radattr.la
+ at USE_UCI_TRUE@am__append_126 = plugins/uci
+ at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_127 = plugins/uci/libstrongswan-uci.la
+ at USE_ADDRBLOCK_TRUE@am__append_128 = plugins/addrblock
+ at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_129 = plugins/addrblock/libstrongswan-addrblock.la
+ at USE_UNITY_TRUE@am__append_130 = plugins/unity
+ at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_131 = plugins/unity/libstrongswan-unity.la
+ at USE_XAUTH_GENERIC_TRUE@am__append_132 = plugins/xauth_generic
+ at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_133 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+ at USE_XAUTH_EAP_TRUE@am__append_134 = plugins/xauth_eap
+ at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_135 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+ at USE_XAUTH_PAM_TRUE@am__append_136 = plugins/xauth_pam
+ at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_137 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+ at USE_XAUTH_NOAUTH_TRUE@am__append_138 = plugins/xauth_noauth
+ at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_139 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+ at USE_RESOLVE_TRUE@am__append_140 = plugins/resolve
+ at MONOLITHIC_TRUE@@USE_RESOLVE_TRUE at am__append_141 = plugins/resolve/libstrongswan-resolve.la
+ at USE_ATTR_TRUE@am__append_142 = plugins/attr
+ at MONOLITHIC_TRUE@@USE_ATTR_TRUE at am__append_143 = plugins/attr/libstrongswan-attr.la
+ at USE_ATTR_SQL_TRUE@am__append_144 = plugins/attr_sql
+ at MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE at am__append_145 = plugins/attr_sql/libstrongswan-attr-sql.la
 subdir = src/libcharon
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -370,7 +368,7 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_127) $(am__append_129) $(am__append_131) \
 	$(am__append_133) $(am__append_135) $(am__append_137) \
 	$(am__append_139) $(am__append_141) $(am__append_143) \
-	$(am__append_145) $(am__append_147)
+	$(am__append_145)
 am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	attributes/attributes.h attributes/attribute_provider.h \
 	attributes/attribute_handler.h attributes/attribute_manager.c \
@@ -747,16 +745,15 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
 	plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \
 	plugins/p_cscf plugins/android_dns plugins/android_log \
-	plugins/maemo plugins/ha plugins/kernel_pfkey \
-	plugins/kernel_pfroute plugins/kernel_netlink \
-	plugins/kernel_libipsec plugins/kernel_wfp plugins/kernel_iph \
-	plugins/whitelist plugins/lookip plugins/error_notify \
-	plugins/certexpire plugins/systime_fix plugins/led \
-	plugins/duplicheck plugins/coupling plugins/radattr \
-	plugins/uci plugins/addrblock plugins/unity \
-	plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \
-	plugins/xauth_noauth plugins/resolve plugins/attr \
-	plugins/attr_sql tests
+	plugins/ha plugins/kernel_pfkey plugins/kernel_pfroute \
+	plugins/kernel_netlink plugins/kernel_libipsec \
+	plugins/kernel_wfp plugins/kernel_iph plugins/whitelist \
+	plugins/lookip plugins/error_notify plugins/certexpire \
+	plugins/systime_fix plugins/led plugins/duplicheck \
+	plugins/coupling plugins/radattr plugins/uci plugins/addrblock \
+	plugins/unity plugins/xauth_generic plugins/xauth_eap \
+	plugins/xauth_pam plugins/xauth_noauth plugins/resolve \
+	plugins/attr plugins/attr_sql tests
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
@@ -923,7 +920,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -957,8 +953,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -1012,6 +1006,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -1159,8 +1155,7 @@ libcharon_la_LIBADD =  \
 	$(am__append_123) $(am__append_125) $(am__append_127) \
 	$(am__append_129) $(am__append_131) $(am__append_133) \
 	$(am__append_135) $(am__append_137) $(am__append_139) \
-	$(am__append_141) $(am__append_143) $(am__append_145) \
-	$(am__append_147)
+	$(am__append_141) $(am__append_143) $(am__append_145)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE at SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1195,8 +1190,7 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_FALSE@	$(am__append_134) $(am__append_136) \
 @MONOLITHIC_FALSE@	$(am__append_138) $(am__append_140) \
- at MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) \
- at MONOLITHIC_FALSE@	$(am__append_146) tests
+ at MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) tests
 
 # build optional plugins
 ########################
@@ -1233,8 +1227,7 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_TRUE@	$(am__append_134) $(am__append_136) \
 @MONOLITHIC_TRUE@	$(am__append_138) $(am__append_140) \
- at MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) \
- at MONOLITHIC_TRUE@	$(am__append_146) . tests
+ at MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) . tests
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index e17d629..6b3cea8 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2015 Tobias Brunner
+ * Copyright (C) 2011-2016 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -208,6 +208,24 @@ static inline void register_logger(private_bus_t *this, debug_t group,
 }
 
 /**
+ * Find the log level of the first registered logger that implements log or
+ * vlog (or both).
+ */
+static bool find_max_levels(log_entry_t *entry, debug_t *group, level_t *level,
+							level_t *vlevel)
+{
+	if (entry->logger->log && *level == LEVEL_SILENT)
+	{
+		*level = entry->levels[*group];
+	}
+	if (entry->logger->vlog && *vlevel == LEVEL_SILENT)
+	{
+		*vlevel = entry->levels[*group];
+	}
+	return *level > LEVEL_SILENT && *vlevel > LEVEL_SILENT;
+}
+
+/**
  * Unregister a logger from all log groups (destroys the log_entry_t)
  */
 static inline void unregister_logger(private_bus_t *this, logger_t *logger)
@@ -240,18 +258,8 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 			{
 				loggers = this->loggers[group];
 				loggers->remove(loggers, found, NULL);
-
-				if (loggers->get_first(loggers, (void**)&entry) == SUCCESS)
-				{
-					if (entry->logger->log)
-					{
-						level = entry->levels[group];
-					}
-					if (entry->logger->vlog)
-					{
-						vlevel = entry->levels[group];
-					}
-				}
+				loggers->find_first(loggers, (linked_list_match_t)find_max_levels, NULL,
+									&group, &level, &vlevel);
 				set_level(&this->max_level[group], level);
 				set_level(&this->max_vlevel[group], vlevel);
 			}
@@ -593,6 +601,38 @@ METHOD(bus_t, ike_keys, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, ike_derived_keys, void,
+	private_bus_t *this, chunk_t sk_ei, chunk_t sk_er, chunk_t sk_ai,
+	chunk_t sk_ar)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_derived_keys)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_derived_keys(entry->listener, ike_sa, sk_ei,
+												 sk_er, sk_ai, sk_ar);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(bus_t, child_keys, void,
 	private_bus_t *this, child_sa_t *child_sa, bool initiator,
 	diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
@@ -625,6 +665,39 @@ METHOD(bus_t, child_keys, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, child_derived_keys, void,
+	private_bus_t *this, child_sa_t *child_sa, bool initiator,
+	chunk_t encr_i, chunk_t encr_r, chunk_t integ_i, chunk_t integ_r)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_derived_keys)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_derived_keys(entry->listener, ike_sa,
+											child_sa, initiator, encr_i, encr_r,
+											integ_i, integ_r);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(bus_t, child_updown, void,
 	private_bus_t *this, child_sa_t *child_sa, bool up)
 {
@@ -1061,7 +1134,9 @@ bus_t *bus_create()
 			.child_state_change = _child_state_change,
 			.message = _message,
 			.ike_keys = _ike_keys,
+			.ike_derived_keys = _ike_derived_keys,
 			.child_keys = _child_keys,
+			.child_derived_keys = _child_derived_keys,
 			.ike_updown = _ike_updown,
 			.ike_rekey = _ike_rekey,
 			.ike_update = _ike_update,
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 305cbe4..1e810a4 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2015 Tobias Brunner
+ * Copyright (C) 2012-2016 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -349,8 +349,8 @@ struct bus_t {
 	 * @param ike_sa	IKE_SA this keymat belongs to
 	 * @param dh		diffie hellman shared secret
 	 * @param dh_other	others DH public value (IKEv1 only)
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
+	 * @param nonce_i	initiator's nonce
+	 * @param nonce_r	responder's nonce
 	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
 	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
 	 */
@@ -359,18 +359,43 @@ struct bus_t {
 					 ike_sa_t *rekey, shared_key_t *shared);
 
 	/**
+	 * IKE_SA derived keys hook.
+	 *
+	 * @param sk_ei		SK_ei, or Ka for IKEv1
+	 * @param sk_er		SK_er
+	 * @param sk_ai		SK_ai, or SKEYID_a for IKEv1
+	 * @param sk_ar		SK_ar
+	 */
+	void (*ike_derived_keys)(bus_t *this, chunk_t sk_ei, chunk_t sk_er,
+							 chunk_t sk_ai, chunk_t sk_ar);
+
+	/**
 	 * CHILD_SA keymat hook.
 	 *
 	 * @param child_sa	CHILD_SA this keymat is used for
 	 * @param initiator	initiator of the CREATE_CHILD_SA exchange
 	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
+	 * @param nonce_i	initiator's nonce
+	 * @param nonce_r	responder's nonce
 	 */
 	void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator,
 					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
 
 	/**
+	 * CHILD_SA derived keys hook.
+	 *
+	 * @param child_sa	CHILD_SA these keys are used for
+	 * @param initiator	initiator of the CREATE_CHILD_SA exchange
+	 * @param encr_i	initiator's encryption key
+	 * @param encr_o	responder's encryption key
+	 * @param integ_i	initiator's integrity key
+	 * @param integ_r	responder's integrity key
+	 */
+	void (*child_derived_keys)(bus_t *this, child_sa_t *child_sa,
+							   bool initiator, chunk_t encr_i, chunk_t encr_r,
+							   chunk_t integ_i, chunk_t integ_r);
+
+	/**
 	 * IKE_SA up/down hook.
 	 *
 	 * @param ike_sa	IKE_SA coming up/going down
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index be2726e..be0dfbe 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2015 Tobias Brunner
+ * Copyright (C) 2011-2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -84,8 +84,8 @@ struct listener_t {
 	 * @param ike_sa	IKE_SA this keymat belongs to
 	 * @param dh		diffie hellman shared secret
 	 * @param dh_other	others DH public value (IKEv1 only)
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
+	 * @param nonce_i	initiator's nonce
+	 * @param nonce_r	responder's nonce
 	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
 	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
 	 * @return			TRUE to stay registered, FALSE to unregister
@@ -95,14 +95,26 @@ struct listener_t {
 					 ike_sa_t *rekey, shared_key_t *shared);
 
 	/**
+	 * Hook called with derived IKE_SA keys.
+	 *
+	 * @param ike_sa	IKE_SA these keys belong to
+	 * @param sk_ei		SK_ei, or Ka for IKEv1
+	 * @param sk_er		SK_er
+	 * @param sk_ai		SK_ai, or SKEYID_a for IKEv1
+	 * @param sk_ar		SK_ar
+	 */
+	bool (*ike_derived_keys)(listener_t *this, ike_sa_t *ike_sa, chunk_t sk_ei,
+							 chunk_t sk_er, chunk_t sk_ai, chunk_t sk_ar);
+
+	/**
 	 * Hook called with CHILD_SA key material.
 	 *
 	 * @param ike_sa	IKE_SA the child sa belongs to
 	 * @param child_sa	CHILD_SA this keymat is used for
 	 * @param initiator	initiator of the CREATE_CHILD_SA exchange
 	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
+	 * @param nonce_i	initiator's nonce
+	 * @param nonce_r	responder's nonce
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
@@ -110,6 +122,22 @@ struct listener_t {
 					   chunk_t nonce_i, chunk_t nonce_r);
 
 	/**
+	 * Hook called with derived CHILD_SA keys.
+	 *
+	 * @param ike_sa	IKE_SA the child sa belongs to
+	 * @param child_sa	CHILD_SA these keys are used for
+	 * @param initiator	initiator of the CREATE_CHILD_SA exchange
+	 * @param encr_i	initiator's encryption key
+	 * @param encr_o	responder's encryption key
+	 * @param integ_i	initiator's integrity key
+	 * @param integ_r	responder's integrity key
+	 */
+	bool (*child_derived_keys)(listener_t *this, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, bool initiator,
+							   chunk_t encr_i, chunk_t encr_r,
+							   chunk_t integ_i, chunk_t integ_r);
+
+	/**
 	 * Hook called if an IKE_SA gets up or down.
 	 *
 	 * @param ike_sa	IKE_SA coming up/going down
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 76d7f2c..6a9c342 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -154,6 +154,11 @@ struct private_child_cfg_t {
 	bool install_policy;
 
 	/**
+	 * Install outbound FWD policies
+	 */
+	bool fwd_out_policy;
+
+	/**
 	 * anti-replay window size
 	 */
 	uint32_t replay_window;
@@ -564,6 +569,12 @@ METHOD(child_cfg_t, install_policy, bool,
 	return this->install_policy;
 }
 
+METHOD(child_cfg_t, install_fwd_out_policy, bool,
+	private_child_cfg_t *this)
+{
+	return this->fwd_out_policy;
+}
+
 #define LT_PART_EQUALS(a, b) ({ a.life == b.life && a.rekey == b.rekey && a.jitter == b.jitter; })
 #define LIFETIME_EQUALS(a, b) ({ LT_PART_EQUALS(a.time, b.time) && LT_PART_EQUALS(a.bytes, b.bytes) && LT_PART_EQUALS(a.packets, b.packets); })
 
@@ -613,6 +624,7 @@ METHOD(child_cfg_t, equals, bool,
 		this->replay_window == other->replay_window &&
 		this->proxy_mode == other->proxy_mode &&
 		this->install_policy == other->install_policy &&
+		this->fwd_out_policy == other->fwd_out_policy &&
 		streq(this->updown, other->updown) &&
 		streq(this->interface, other->interface);
 }
@@ -673,6 +685,7 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 			.set_replay_window = _set_replay_window,
 			.use_proxy_mode = _use_proxy_mode,
 			.install_policy = _install_policy,
+			.install_fwd_out_policy = _install_fwd_out_policy,
 			.equals = _equals,
 			.get_ref = _get_ref,
 			.destroy = _destroy,
@@ -695,6 +708,7 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 		.manual_prio = data->priority,
 		.interface = strdupnull(data->interface),
 		.install_policy = !data->suppress_policies,
+		.fwd_out_policy = data->fwd_out_policies,
 		.refcount = 1,
 		.proposals = linked_list_create(),
 		.my_ts = linked_list_create(),
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index e736b27..b85bfd9 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -284,6 +284,14 @@ struct child_cfg_t {
 	bool (*install_policy)(child_cfg_t *this);
 
 	/**
+	 * Check whether outbound FWD IPsec policies should be installed.
+	 *
+	 * @return				TRUE, if outbound FWD policies should be installed
+	 *						FALSE, otherwise
+	 */
+	bool (*install_fwd_out_policy)(child_cfg_t *this);
+
+	/**
 	 * Check if two child_cfg objects are equal.
 	 *
 	 * @param other			candidate to check for equality against this
@@ -346,6 +354,8 @@ struct child_cfg_create_t {
 	bool hostaccess;
 	/** Don't install IPsec policies */
 	bool suppress_policies;
+	/** Install outbound FWD IPsec policies to bypass drop policies */
+	bool fwd_out_policies;
 };
 
 /**
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 5655a34..afcb772 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -256,7 +256,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  fragmentation_t fragmentation, uint8_t dscp);
 
 /**
- * Determine the address family of the local or remtoe address(es).  If multiple
+ * Determine the address family of the local or remote address(es).  If multiple
  * families are configured AF_UNSPEC is returned.  %any is ignored (%any4|6 are
  * not though).
  *
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index a83acec..011c0b8 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -420,24 +420,40 @@ static const struct {
 };
 
 /**
+ * Remove all entries of the given transform type
+ */
+static void remove_transform(private_proposal_t *this, transform_type_t type)
+{
+	enumerator_t *e;
+	entry_t *entry;
+
+	e = array_create_enumerator(this->transforms);
+	while (e->enumerate(e, &entry))
+	{
+		if (entry->type == type)
+		{
+			array_remove_at(this->transforms, e);
+		}
+	}
+	e->destroy(e);
+}
+
+/**
  * Checks the proposal read from a string.
  */
-static void check_proposal(private_proposal_t *this)
+static bool check_proposal(private_proposal_t *this)
 {
 	enumerator_t *e;
 	entry_t *entry;
 	uint16_t alg, ks;
-	bool all_aead = TRUE;
+	bool all_aead = TRUE, any_aead = FALSE, any_enc = FALSE;
 	int i;
 
 	if (this->protocol == PROTO_IKE)
 	{
-		e = create_enumerator(this, PSEUDO_RANDOM_FUNCTION);
-		if (!e->enumerate(e, &alg, &ks))
-		{
-			/* No explicit PRF found. We assume the same algorithm as used
-			 * for integrity checking */
-			e->destroy(e);
+		if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL))
+		{	/* No explicit PRF found. We assume the same algorithm as used
+			 * for integrity checking. */
 			e = create_enumerator(this, INTEGRITY_ALGORITHM);
 			while (e->enumerate(e, &alg, &ks))
 			{
@@ -451,8 +467,13 @@ static void check_proposal(private_proposal_t *this)
 					}
 				}
 			}
+			e->destroy(e);
+		}
+		if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL))
+		{
+			DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals");
+			return FALSE;
 		}
-		e->destroy(e);
 		/* remove MODP_NONE from IKE proposal */
 		e = array_create_enumerator(this->transforms);
 		while (e->enumerate(e, &entry))
@@ -463,48 +484,103 @@ static void check_proposal(private_proposal_t *this)
 			}
 		}
 		e->destroy(e);
+		if (!get_algorithm(this, DIFFIE_HELLMAN_GROUP, NULL, NULL))
+		{
+			DBG1(DBG_CFG, "a DH group is mandatory in IKE proposals");
+			return FALSE;
+		}
+	}
+	else
+	{	/* remove PRFs from ESP/AH proposals */
+		remove_transform(this, PSEUDO_RANDOM_FUNCTION);
 	}
 
-	if (this->protocol == PROTO_ESP)
+	if (this->protocol == PROTO_IKE || this->protocol == PROTO_ESP)
 	{
 		e = create_enumerator(this, ENCRYPTION_ALGORITHM);
 		while (e->enumerate(e, &alg, &ks))
 		{
-			if (!encryption_algorithm_is_aead(alg))
+			any_enc = TRUE;
+			if (encryption_algorithm_is_aead(alg))
 			{
-				all_aead = FALSE;
-				break;
+				any_aead = TRUE;
+				continue;
 			}
+			all_aead = FALSE;
 		}
 		e->destroy(e);
 
-		if (all_aead)
+		if (!any_enc)
+		{
+			DBG1(DBG_CFG, "an encryption algorithm is mandatory in %N proposals",
+				 protocol_id_names, this->protocol);
+			return FALSE;
+		}
+		else if (any_aead && !all_aead)
 		{
-			/* if all encryption algorithms in the proposal are AEADs,
+			DBG1(DBG_CFG, "classic and combined-mode (AEAD) encryption "
+				 "algorithms can't be contained in the same %N proposal",
+				 protocol_id_names, this->protocol);
+			return FALSE;
+		}
+		else if (all_aead)
+		{	/* if all encryption algorithms in the proposal are AEADs,
 			 * we MUST NOT propose any integrity algorithms */
-			e = array_create_enumerator(this->transforms);
-			while (e->enumerate(e, &entry))
+			remove_transform(this, INTEGRITY_ALGORITHM);
+		}
+	}
+	else
+	{	/* AES-GMAC is parsed as encryption algorithm, so we map that to the
+		 * proper integrity algorithm */
+		e = array_create_enumerator(this->transforms);
+		while (e->enumerate(e, &entry))
+		{
+			if (entry->type == ENCRYPTION_ALGORITHM)
 			{
-				if (entry->type == INTEGRITY_ALGORITHM)
+				if (entry->alg == ENCR_NULL_AUTH_AES_GMAC)
 				{
-					array_remove_at(this->transforms, e);
+					entry->type = INTEGRITY_ALGORITHM;
+					ks = entry->key_size;
+					entry->key_size = 0;
+					switch (ks)
+					{
+						case 128:
+							entry->alg = AUTH_AES_128_GMAC;
+							continue;
+						case 192:
+							entry->alg = AUTH_AES_192_GMAC;
+							continue;
+						case 256:
+							entry->alg = AUTH_AES_256_GMAC;
+							continue;
+						default:
+							break;
+					}
 				}
+				/* remove all other encryption algorithms */
+				array_remove_at(this->transforms, e);
 			}
-			e->destroy(e);
+		}
+		e->destroy(e);
+
+		if (!get_algorithm(this, INTEGRITY_ALGORITHM, NULL, NULL))
+		{
+			DBG1(DBG_CFG, "an integrity algorithm is mandatory in AH "
+				 "proposals");
+			return FALSE;
 		}
 	}
 
 	if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
 	{
-		e = create_enumerator(this, EXTENDED_SEQUENCE_NUMBERS);
-		if (!e->enumerate(e, NULL, NULL))
+		if (!get_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NULL, NULL))
 		{	/* ESN not specified, assume not supported */
 			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 		}
-		e->destroy(e);
 	}
 
 	array_compress(this->transforms);
+	return TRUE;
 }
 
 /**
@@ -842,6 +918,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case NTRU_128_BIT:
 			case NTRU_192_BIT:
 			case NTRU_256_BIT:
+			case NH_128_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
 			default:
@@ -999,13 +1076,11 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
 	}
 	enumerator->destroy(enumerator);
 
-	if (failed)
+	if (failed || !check_proposal(this))
 	{
 		destroy(this);
 		return NULL;
 	}
 
-	check_proposal(this);
-
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 1fd6442..50dab9e 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -535,7 +535,7 @@ static payload_rule_t aggressive_i_rules[] = {
 	{PLV1_NAT_D,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{PLV1_NAT_D_DRAFT_00_03,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{PLV1_ID,						0,	1,						FALSE,	FALSE},
-	{PLV1_CERTIFICATE,				0,	1,						TRUE,	FALSE},
+	{PLV1_CERTIFICATE,				0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
 	{PLV1_SIGNATURE,				0,	1,						TRUE,	FALSE},
 	{PLV1_HASH,						0,	1,						TRUE,	FALSE},
 	{PLV1_FRAGMENT,					0,	1,						FALSE,	TRUE},
@@ -575,7 +575,7 @@ static payload_rule_t aggressive_r_rules[] = {
 	{PLV1_NAT_D,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{PLV1_NAT_D_DRAFT_00_03,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{PLV1_ID,						0,	1,						FALSE,	FALSE},
-	{PLV1_CERTIFICATE,				0,	1,						FALSE,	FALSE},
+	{PLV1_CERTIFICATE,				0,	MAX_CERT_PAYLOADS,		FALSE,	FALSE},
 	{PLV1_SIGNATURE,				0,	1,						FALSE,	FALSE},
 	{PLV1_HASH,						0,	1,						FALSE,	FALSE},
 	{PLV1_FRAGMENT,					0,	1,						FALSE,	TRUE},
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 1a435a8..55641e1 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1360,18 +1360,21 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
 	if (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
 		alg = get_ikev1_auth_from_alg(alg);
-		if (transid && alg)
+		if (alg)
 		{
-			if (!transform)
+			transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
+			if (!transform && transid)
 			{
 				transform = transform_substructure_create_type(
 								PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
 			}
-			transform->add_transform_attribute(transform,
-				transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
-									TATTR_PH2_AUTH_ALGORITHM, alg));
+			if (transform)
+			{
+				transform->add_transform_attribute(transform,
+					transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+										TATTR_PH2_AUTH_ALGORITHM, alg));
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 3b49a85..7917d45 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 5f6ecbf..3560d36 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index bee30d9..9d3f2f5 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 607fe3f..4b900d1 100644
--- a/src/libcharon/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index d533a56..077e2f3 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 31e7861..30873fa 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index c312821..3c9ba80 100644
--- a/src/libcharon/plugins/connmark/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index a71d755..61dd852 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 843d05e..856ebaa 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index 5f035ba..fd47162 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/dnscert/dnscert_cred.c b/src/libcharon/plugins/dnscert/dnscert_cred.c
index 7902526..d32794c 100644
--- a/src/libcharon/plugins/dnscert/dnscert_cred.c
+++ b/src/libcharon/plugins/dnscert/dnscert_cred.c
@@ -70,6 +70,8 @@ typedef struct {
 	enumerator_t *inner;
 	/** response of the DNS resolver which contains the CERTs */
 	resolver_response_t *response;
+	/** most recently enumerated certificate */
+	certificate_t *cert;
 } cert_enumerator_t;
 
 METHOD(enumerator_t, cert_enumerator_enumerate, bool,
@@ -101,17 +103,17 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool,
 		/* Try to parse PEM certificate container. Both x509 and PGP should
 		 * presumably come as PEM encoded certs. */
 		certificate = cur_crt->get_certificate(cur_crt);
-		*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_ANY,
-								   BUILD_BLOB_PEM, certificate,
-								   BUILD_END);
-		if (*cert == NULL)
+		DESTROY_IF(this->cert);
+		this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_ANY,
+										BUILD_BLOB_PEM, certificate,
+										BUILD_END);
+		cur_crt->destroy(cur_crt);
+		if (!this->cert)
 		{
-			DBG1(DBG_CFG, "  unable to parse certificate, skipping",
-				 cur_crt->get_cert_type(cur_crt));
-			cur_crt->destroy(cur_crt);
+			DBG1(DBG_CFG, "  unable to parse certificate, skipping");
 			continue;
 		}
-		cur_crt->destroy(cur_crt);
+		*cert = this->cert;
 		return TRUE;
 	}
 	return FALSE;
@@ -120,6 +122,7 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool,
 METHOD(enumerator_t, cert_enumerator_destroy, void,
 	cert_enumerator_t *this)
 {
+	DESTROY_IF(this->cert);
 	this->inner->destroy(this->inner);
 	this->response->destroy(this->response);
 	free(this);
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 9e3133b..866af82 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -360,7 +360,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -394,8 +393,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -449,6 +446,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 8ac12c1..6ff71c2 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 7dc9003..eabe0b4 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index f81d54f..e6877f7 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index f11d860..a1ebc2b 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index e9755aa..e2431fe 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 82ba96d..2a47218 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index c3b31cd..42c0795 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 2a01a36..23d9d1d 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index 7f8348e..d51d0d0 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -211,7 +211,7 @@ METHOD(tls_application_t, process, status_t,
 	{
 		DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N]",
 								eap_code_short_names, code);
-
+		in->destroy(in);
 		/* if EAP_SUCCESS check if to continue phase2 with EAP-TNC */
 		return (this->phase2_result == EAP_SUCCESS && code == EAP_SUCCESS) ?
 			   start_phase2_tnc(this) : FAILED;
@@ -250,6 +250,7 @@ METHOD(tls_application_t, process, status_t,
 			{
 				DBG1(DBG_IKE, "%N method not available",
 							   eap_type_names, EAP_IDENTITY);
+				in->destroy(in);
 				return FAILED;
 			}
 		}
@@ -258,6 +259,7 @@ METHOD(tls_application_t, process, status_t,
 		{
 
 			DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+			in->destroy(in);
 			return FAILED;
 		}
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index cdba38c..7d0614d 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index f1b8adb..ba20c08 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 40ff9f2..5d93852 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 354c7a1..8d0cd71 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -356,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -390,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -445,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 4e3105f..60b7ef3 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -356,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -390,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -445,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 2d5747e..8608587 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index a491899..4cf739e 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index c912f9f..d125c13 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index efef3af..c32671a 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 6f39b84..20a3dd8 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index d3fd2a1..96c6a63 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -361,7 +361,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -395,8 +394,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -450,6 +447,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index c49c55f..1178d65 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 4674a78..f37ca65 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
index d29134f..2f78e77 100644
--- a/src/libcharon/plugins/forecast/Makefile.in
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 420b8bd..2be7ee4 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 38a63ea..971b72c 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
index 6c041ce..ff50d8a 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_cred.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -57,6 +57,8 @@ typedef struct {
 	time_t notAfter;
 	/* identity to which the IPSECKEY belongs */
 	identification_t *identity;
+	/** most recently enumerated certificate */
+	certificate_t *cert;
 } cert_enumerator_t;
 
 METHOD(enumerator_t, cert_enumerator_enumerate, bool,
@@ -91,28 +93,27 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool,
 		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 									BUILD_BLOB_DNSKEY, key,
 									BUILD_END);
+		cur_ipseckey->destroy(cur_ipseckey);
 		if (!public)
 		{
 			DBG1(DBG_CFG, "  failed to create public key from IPSECKEY");
-			cur_ipseckey->destroy(cur_ipseckey);
 			continue;
 		}
-
-		*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
-								   CERT_TRUSTED_PUBKEY,
-								   BUILD_PUBLIC_KEY, public,
-								   BUILD_SUBJECT, this->identity,
-								   BUILD_NOT_BEFORE_TIME, this->notBefore,
-								   BUILD_NOT_AFTER_TIME, this->notAfter,
-								   BUILD_END);
-		if (*cert == NULL)
+		DESTROY_IF(this->cert);
+		this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+										CERT_TRUSTED_PUBKEY,
+										BUILD_PUBLIC_KEY, public,
+										BUILD_SUBJECT, this->identity,
+										BUILD_NOT_BEFORE_TIME, this->notBefore,
+										BUILD_NOT_AFTER_TIME, this->notAfter,
+										BUILD_END);
+		public->destroy(public);
+		if (!this->cert)
 		{
 			DBG1(DBG_CFG, "  failed to create certificate from IPSECKEY");
-			cur_ipseckey->destroy(cur_ipseckey);
-			public->destroy(public);
 			continue;
 		}
-		cur_ipseckey->destroy(cur_ipseckey);
+		*cert = this->cert;
 		return TRUE;
 	}
 	return FALSE;
@@ -121,6 +122,7 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool,
 METHOD(enumerator_t, cert_enumerator_destroy, void,
 	cert_enumerator_t *this)
 {
+	DESTROY_IF(this->cert);
 	this->inner->destroy(this->inner);
 	this->response->destroy(this->response);
 	free(this);
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index 19e7701..a2c8d22 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 9bfdb95..011ec3f 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index 2435dea..b2df52a 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -392,7 +392,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -426,8 +425,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -481,6 +478,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 9c2a7c3..f3846ec 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1245,7 +1245,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
  */
 static void format_mark(char *buf, int buflen, mark_t mark)
 {
-	if (mark.value)
+	if (mark.value | mark.mask)
 	{
 		snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
 	}
@@ -1256,7 +1256,7 @@ static void format_mark(char *buf, int buflen, mark_t mark)
  */
 static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
 {
-	if (mark.value)
+	if (mark.value | mark.mask)
 	{
 		struct xfrm_mark *xmrk;
 
@@ -2528,6 +2528,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 			 id->dir, markstr, cur_priority, use_count);
 		return SUCCESS;
 	}
+	policy->reqid = assigned_sa->sa->cfg.reqid;
 
 	if (this->policy_update)
 	{
@@ -2720,6 +2721,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 			return SUCCESS;
 		}
 		current->used_by->get_first(current->used_by, (void**)&mapping);
+		current->reqid = mapping->sa->cfg.reqid;
 
 		DBG2(DBG_KNL, "updating policy %R === %R %N%s [priority %u, "
 			 "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
@@ -3044,6 +3046,110 @@ METHOD(kernel_ipsec_t, destroy, void,
 	free(this);
 }
 
+/**
+ * Get the currently configured SPD hashing thresholds for an address family
+ */
+static bool get_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
+								int type, uint8_t *lbits, uint8_t *rbits)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out;
+	struct xfrmu_spdhthresh *thresh;
+	struct rtattr *rta;
+	size_t len, rtasize;
+	bool success = FALSE;
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = &request.hdr;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSPDINFO;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSPDINFO:
+				{
+					rta = XFRM_RTA(hdr, uint32_t);
+					rtasize = XFRM_PAYLOAD(hdr, uint32_t);
+					while (RTA_OK(rta, rtasize))
+					{
+						if (rta->rta_type == type &&
+							RTA_PAYLOAD(rta) == sizeof(*thresh))
+						{
+							thresh = RTA_DATA(rta);
+							*lbits = thresh->lbits;
+							*rbits = thresh->rbits;
+							success = TRUE;
+							break;
+						}
+						rta = RTA_NEXT(rta, rtasize);
+					}
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "getting SPD hash threshold failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+		free(out);
+	}
+	return success;
+}
+
+/**
+ * Configure SPD hashing threshold for an address family
+ */
+static void setup_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
+								  char *key, int type, uint8_t def)
+{
+	struct xfrmu_spdhthresh *thresh;
+	struct nlmsghdr *hdr;
+	netlink_buf_t request;
+	uint8_t lbits, rbits;
+
+	if (!get_spd_hash_thresh(this, type, &lbits, &rbits))
+	{
+		return;
+	}
+	memset(&request, 0, sizeof(request));
+
+	hdr = &request.hdr;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_NEWSPDINFO;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
+
+	thresh = netlink_reserve(hdr, sizeof(request), type, sizeof(*thresh));
+	thresh->lbits = lib->settings->get_int(lib->settings,
+							"%s.plugins.kernel-netlink.spdh_thresh.%s.lbits",
+							def, lib->ns, key);
+	thresh->rbits = lib->settings->get_int(lib->settings,
+							"%s.plugins.kernel-netlink.spdh_thresh.%s.rbits",
+							def, lib->ns, key);
+	if (thresh->lbits != lbits || thresh->rbits != rbits)
+	{
+		if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "setting SPD hash threshold failed");
+		}
+	}
+}
+
 /*
  * Described in header.
  */
@@ -3114,6 +3220,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		return NULL;
 	}
 
+	setup_spd_hash_thresh(this, "ipv4", XFRMA_SPD_IPV4_HTHRESH, 32);
+	setup_spd_hash_thresh(this, "ipv6", XFRMA_SPD_IPV6_HTHRESH, 128);
+
 	if (register_for_events)
 	{
 		struct sockaddr_nl addr;
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index 93c2ccc..0132f72 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -702,6 +702,54 @@ static void addr_map_entry_remove(hashtable_t *map, addr_entry_t *addr,
 }
 
 /**
+ * Check if an address or net (addr with prefix net bits) is in
+ * subnet (net with net_len net bits)
+ */
+static bool addr_in_subnet(chunk_t addr, int prefix, chunk_t net, int net_len)
+{
+	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	int byte = 0;
+
+	if (net_len == 0)
+	{	/* any address matches a /0 network */
+		return TRUE;
+	}
+	if (addr.len != net.len || net_len > 8 * net.len || prefix < net_len)
+	{
+		return FALSE;
+	}
+	/* scan through all bytes in network order */
+	while (net_len > 0)
+	{
+		if (net_len < 8)
+		{
+			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
+		}
+		else
+		{
+			if (addr.ptr[byte] != net.ptr[byte])
+			{
+				return FALSE;
+			}
+			byte++;
+			net_len -= 8;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Check if the given address is in subnet (net with net_len net bits)
+ */
+static bool host_in_subnet(host_t *host, chunk_t net, int net_len)
+{
+	chunk_t addr;
+
+	addr = host->get_address(host);
+	return addr_in_subnet(addr, addr.len * 8, net, net_len);
+}
+
+/**
  * Determine the type or scope of the given unicast IP address.  This is not
  * the same thing returned in rtm_scope/ifa_scope.
  *
@@ -837,7 +885,8 @@ static bool is_address_better(private_kernel_netlink_net_t *this,
 }
 
 /**
- * Get a non-virtual IP address on the given interface.
+ * Get a non-virtual IP address on the given interfaces and optionally in a
+ * given subnet.
  *
  * If a candidate address is given, we first search for that address and if not
  * found return the address as above.
@@ -845,19 +894,21 @@ static bool is_address_better(private_kernel_netlink_net_t *this,
  *
  * this->lock must be held when calling this function.
  */
-static host_t *get_interface_address(private_kernel_netlink_net_t *this,
-									 int ifindex, int family, host_t *dest,
-									 host_t *candidate)
+static host_t *get_matching_address(private_kernel_netlink_net_t *this,
+									int *ifindex, int family, chunk_t net,
+									uint8_t mask, host_t *dest,
+									host_t *candidate)
 {
+	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
-	enumerator_t *addrs;
 	addr_entry_t *addr, *best = NULL;
+	bool candidate_matched = FALSE;
 
-	if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
-								 (void**)&iface, &ifindex) == SUCCESS)
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
-		if (iface->usable)
-		{	/* only use interfaces not excluded by config */
+		if (iface->usable && (!ifindex || iface->ifindex == *ifindex))
+		{	/* only use matching interfaces not excluded by config */
 			addrs = iface->addrs->create_enumerator(iface->addrs);
 			while (addrs->enumerate(addrs, &addr))
 			{
@@ -866,9 +917,14 @@ static host_t *get_interface_address(private_kernel_netlink_net_t *this,
 				{	/* ignore virtual IP addresses and ensure family matches */
 					continue;
 				}
+				if (net.ptr && !host_in_subnet(addr->ip, net, mask))
+				{	/* optionally match a subnet */
+					continue;
+				}
 				if (candidate && candidate->ip_equals(candidate, addr->ip))
 				{	/* stop if we find the candidate */
 					best = addr;
+					candidate_matched = TRUE;
 					break;
 				}
 				else if (!best || is_address_better(this, best, addr, dest))
@@ -877,12 +933,50 @@ static host_t *get_interface_address(private_kernel_netlink_net_t *this,
 				}
 			}
 			addrs->destroy(addrs);
+			if (ifindex || candidate_matched)
+			{
+				break;
+			}
 		}
 	}
+	ifaces->destroy(ifaces);
 	return best ? best->ip->clone(best->ip) : NULL;
 }
 
 /**
+ * Get a non-virtual IP address on the given interface.
+ *
+ * If a candidate address is given, we first search for that address and if not
+ * found return the address as above.
+ * Returned host is a clone, has to be freed by caller.
+ *
+ * this->lock must be held when calling this function.
+ */
+static host_t *get_interface_address(private_kernel_netlink_net_t *this,
+									 int ifindex, int family, host_t *dest,
+									 host_t *candidate)
+{
+	return get_matching_address(this, &ifindex, family, chunk_empty, 0, dest,
+								candidate);
+}
+
+/**
+ * Get a non-virtual IP address in the given subnet.
+ *
+ * If a candidate address is given, we first search for that address and if not
+ * found return the address as above.
+ * Returned host is a clone, has to be freed by caller.
+ *
+ * this->lock must be held when calling this function.
+ */
+static host_t *get_subnet_address(private_kernel_netlink_net_t *this,
+								  int family, chunk_t net, uint8_t mask,
+								  host_t *dest, host_t *candidate)
+{
+	return get_matching_address(this, NULL, family, net, mask, dest, candidate);
+}
+
+/**
  * callback function that raises the delayed roam event
  */
 static job_requeue_t roam_event(private_kernel_netlink_net_t *this)
@@ -1528,51 +1622,16 @@ static char *get_interface_name_by_index(private_kernel_netlink_net_t *this,
 }
 
 /**
- * check if an address or net (addr with prefix net bits) is in
- * subnet (net with net_len net bits)
- */
-static bool addr_in_subnet(chunk_t addr, int prefix, chunk_t net, int net_len)
-{
-	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	int byte = 0;
-
-	if (net_len == 0)
-	{	/* any address matches a /0 network */
-		return TRUE;
-	}
-	if (addr.len != net.len || net_len > 8 * net.len || prefix < net_len)
-	{
-		return FALSE;
-	}
-	/* scan through all bytes in network order */
-	while (net_len > 0)
-	{
-		if (net_len < 8)
-		{
-			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
-		}
-		else
-		{
-			if (addr.ptr[byte] != net.ptr[byte])
-			{
-				return FALSE;
-			}
-			byte++;
-			net_len -= 8;
-		}
-	}
-	return TRUE;
-}
-
-/**
  * Store information about a route retrieved via RTNETLINK
  */
 typedef struct {
 	chunk_t gtw;
-	chunk_t src;
+	chunk_t pref_src;
 	chunk_t dst;
+	chunk_t src;
 	host_t *src_host;
 	uint8_t dst_len;
+	uint8_t src_len;
 	uint32_t table;
 	uint32_t oif;
 	uint32_t priority;
@@ -1626,9 +1685,11 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 	if (route)
 	{
 		route->gtw = chunk_empty;
-		route->src = chunk_empty;
+		route->pref_src = chunk_empty;
 		route->dst = chunk_empty;
 		route->dst_len = msg->rtm_dst_len;
+		route->src = chunk_empty;
+		route->src_len = msg->rtm_src_len;
 		route->table = msg->rtm_table;
 		route->oif = 0;
 		route->priority = 0;
@@ -1637,6 +1698,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 	{
 		INIT(route,
 			.dst_len = msg->rtm_dst_len,
+			.src_len = msg->rtm_src_len,
 			.table = msg->rtm_table,
 		);
 	}
@@ -1646,7 +1708,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 		switch (rta->rta_type)
 		{
 			case RTA_PREFSRC:
-				route->src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+				route->pref_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
 				break;
 			case RTA_GATEWAY:
 				route->gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
@@ -1654,6 +1716,9 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 			case RTA_DST:
 				route->dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
 				break;
+			case RTA_SRC:
+				route->src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+				break;
 			case RTA_OIF:
 				if (RTA_PAYLOAD(rta) == sizeof(route->oif))
 				{
@@ -1790,10 +1855,10 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 				{	/* route destination does not contain dest */
 					continue;
 				}
-				if (route->src.ptr)
+				if (route->pref_src.ptr)
 				{	/* verify source address, if any */
 					host_t *src = host_create_from_chunk(msg->rtm_family,
-														 route->src, 0);
+														 route->pref_src, 0);
 					if (src && is_known_vip(this, src))
 					{	/* ignore routes installed by us */
 						src->destroy(src);
@@ -1863,12 +1928,29 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 			best = best ?: route;
 			continue;
 		}
+		if (route->src.ptr)
+		{	/* no src, but a source selector, try to find a matching address */
+			route->src_host = get_subnet_address(this, msg->rtm_family,
+											route->src, route->src_len, dest,
+											candidate);
+			if (route->src_host)
+			{	/* we handle this address the same as the one above */
+				if (!candidate ||
+					 candidate->ip_equals(candidate, route->src_host))
+				{
+					best = route;
+					break;
+				}
+				best = best ?: route;
+				continue;
+			}
+		}
 		if (route->oif)
 		{	/* no src, but an interface - get address from it */
 			route->src_host = get_interface_address(this, route->oif,
 											msg->rtm_family, dest, candidate);
 			if (route->src_host)
-			{	/* we handle this address the same as the one above */
+			{	/* more of the same */
 				if (!candidate ||
 					 candidate->ip_equals(candidate, route->src_host))
 				{
@@ -1913,9 +1995,9 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 		if (best || routes->get_first(routes, (void**)&best) == SUCCESS)
 		{
 			addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0);
-			if (iface && route->oif)
+			if (iface && best->oif)
 			{
-				*iface = get_interface_name_by_index(this, route->oif);
+				*iface = get_interface_name_by_index(this, best->oif);
 			}
 		}
 		if (!addr && !match_net)
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index 8866f13..d00e8b3 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index 1c3f491..fb1520d 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index e002b4f..2adb924 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -361,7 +361,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -395,8 +394,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -450,6 +447,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index e0c2cba..857e629 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 856bdd8..f5f3df6 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -363,7 +363,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -397,8 +396,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -452,6 +449,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 69aa379..00258c3 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -359,7 +359,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -393,8 +392,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -448,6 +445,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
deleted file mode 100644
index 02c283f..0000000
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ /dev/null
@@ -1,29 +0,0 @@
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
-	${maemo_CFLAGS} \
-	$(PLUGIN_CFLAGS)
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-maemo.la
-else
-plugin_LTLIBRARIES = libstrongswan-maemo.la
-endif
-
-libstrongswan_maemo_la_SOURCES = \
-	maemo_plugin.h maemo_plugin.c \
-	maemo_service.h maemo_service.c
-
-libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
-libstrongswan_maemo_la_LIBADD  = ${maemo_LIBS}
-
-dbusservice_DATA = org.strongswan.charon.service
-
-org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
-	$(AM_V_GEN) \
-	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
-
-EXTRA_DIST = org.strongswan.charon.service.in
-CLEANFILES = $(dbusservice_DATA)
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
deleted file mode 100644
index 78525bf..0000000
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ /dev/null
@@ -1,830 +0,0 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
- at SET_MAKE@
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/maemo
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/split-package-version.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(plugindir)" \
-	"$(DESTDIR)$(dbusservicedir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
-am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo
-libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS)
-AM_V_lt = $(am__v_lt_ at AM_V@)
-am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-libstrongswan_maemo_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_maemo_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
- at MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \
- at MONOLITHIC_FALSE@	$(plugindir)
- at MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath =
-AM_V_P = $(am__v_P_ at AM_V@)
-am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_ at AM_V@)
-am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_ at AM_V@)
-am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_ at AM_V@)
-am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_maemo_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES)
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-DATA = $(dbusservice_DATA)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-ATOMICLIB = @ATOMICLIB@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-EASY_INSTALL = @EASY_INSTALL@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GEM = @GEM@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OPENSSL_LIB = @OPENSSL_LIB@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-PY_TEST = @PY_TEST@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-aikgen_plugins = @aikgen_plugins@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-json_CFLAGS = @json_CFLAGS@
-json_LIBS = @json_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libiptc_CFLAGS = @libiptc_CFLAGS@
-libiptc_LIBS = @libiptc_LIBS@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-runstatedir = @runstatedir@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-swanctldir = @swanctldir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
-systemd_daemon_LIBS = @systemd_daemon_LIBS@
-systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
-systemd_journal_LIBS = @systemd_journal_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
-	${maemo_CFLAGS} \
-	$(PLUGIN_CFLAGS)
-
- at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la
- at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la
-libstrongswan_maemo_la_SOURCES = \
-	maemo_plugin.h maemo_plugin.c \
-	maemo_service.h maemo_service.c
-
-libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
-libstrongswan_maemo_la_LIBADD = ${maemo_LIBS}
-dbusservice_DATA = org.strongswan.charon.service
-EXTRA_DIST = org.strongswan.charon.service.in
-CLEANFILES = $(dbusservice_DATA)
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; \
-	locs=`for p in $$list; do echo $$p; done | \
-	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
-	      sort -u`; \
-	test -z "$$locs" || { \
-	  echo rm -f $${locs}; \
-	  rm -f $${locs}; \
-	}
-
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; \
-	locs=`for p in $$list; do echo $$p; done | \
-	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
-	      sort -u`; \
-	test -z "$$locs" || { \
-	  echo rm -f $${locs}; \
-	  rm -f $${locs}; \
-	}
-
-libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) $(EXTRA_libstrongswan_maemo_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/maemo_plugin.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/maemo_service.Plo at am__quote@
-
-.c.o:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
- at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-install-dbusserviceDATA: $(dbusservice_DATA)
-	@$(NORMAL_INSTALL)
-	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(dbusservicedir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; \
-	done | $(am__base_list) | \
-	while read files; do \
-	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \
-	  $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \
-	done
-
-uninstall-dbusserviceDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
-	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	dir='$(DESTDIR)$(dbusservicedir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES) $(DATA)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(dbusservicedir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-dbusserviceDATA install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	cscopelist-am ctags ctags-am distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dbusserviceDATA \
-	install-dvi install-dvi-am install-exec install-exec-am \
-	install-html install-html-am install-info install-info-am \
-	install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
-
-.PRECIOUS: Makefile
-
-
-org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
-	$(AM_V_GEN) \
-	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
deleted file mode 100644
index 3e5861b..0000000
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ /dev/null
@@ -1,530 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <glib.h>
-#include <libosso.h>
-#include <sys/stat.h>
-
-#include "maemo_service.h"
-
-#include <daemon.h>
-#include <credentials/sets/mem_cred.h>
-#include <processing/jobs/callback_job.h>
-
-#define OSSO_STATUS_NAME	"status"
-#define OSSO_STATUS_SERVICE	"org.strongswan."OSSO_STATUS_NAME
-#define OSSO_STATUS_OBJECT	"/org/strongswan/"OSSO_STATUS_NAME
-#define OSSO_STATUS_IFACE	"org.strongswan."OSSO_STATUS_NAME
-
-#define OSSO_CHARON_NAME	"charon"
-#define OSSO_CHARON_SERVICE	"org.strongswan."OSSO_CHARON_NAME
-#define OSSO_CHARON_OBJECT	"/org/strongswan/"OSSO_CHARON_NAME
-#define OSSO_CHARON_IFACE	"org.strongswan."OSSO_CHARON_NAME
-
-#define MAEMO_COMMON_CA_DIR	"/etc/certs/common-ca"
-#define MAEMO_USER_CA_DIR	"/home/user/.maemosec-certs/wifi-ca"
-/* there is also an smime-ca and an ssl-ca sub-directory and the same for
- * ...-user, which store end user/server certificates */
-
-typedef enum {
-	VPN_STATUS_DISCONNECTED,
-	VPN_STATUS_CONNECTING,
-	VPN_STATUS_CONNECTED,
-	VPN_STATUS_AUTH_FAILED,
-	VPN_STATUS_CONNECTION_FAILED,
-} vpn_status_t;
-
-typedef struct private_maemo_service_t private_maemo_service_t;
-
-/**
- * private data of maemo service
- */
-struct private_maemo_service_t {
-
-	/**
-	 * public interface
-	 */
-	maemo_service_t public;
-
-	/**
-	 * credentials
-	 */
-	mem_cred_t *creds;
-
-	/**
-	 * Glib main loop for a thread, handles DBUS calls
-	 */
-	GMainLoop *loop;
-
-	/**
-	 * Context for OSSO
-	 */
-	osso_context_t *context;
-
-	/**
-	 * Current IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Status of the current connection
-	 */
-	vpn_status_t status;
-
-	/**
-	 * Name of the current connection
-	 */
-	gchar *current;
-
-};
-
-static gint change_status(private_maemo_service_t *this, int status)
-{
-	osso_rpc_t retval;
-	gint res;
-	this->status = status;
-	res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT,
-						OSSO_STATUS_IFACE, "StatusChanged", &retval,
-						DBUS_TYPE_INT32, status,
-						DBUS_TYPE_INVALID);
-	return res;
-}
-
-METHOD(listener_t, ike_updown, bool,
-	   private_maemo_service_t *this, ike_sa_t *ike_sa, bool up)
-{
-	/* this callback is only registered during initiation, so if the IKE_SA
-	 * goes down we assume an authentication error */
-	if (this->ike_sa == ike_sa && !up)
-	{
-		change_status(this, VPN_STATUS_AUTH_FAILED);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, ike_state_change, bool,
-	   private_maemo_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
-{
-	/* this call back is only registered during initiation */
-	if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
-	{
-		change_status(this, VPN_STATUS_CONNECTION_FAILED);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, child_updown, bool,
-	   private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	   bool up)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (up)
-		{
-			/* disable hooks registered to catch initiation failures */
-			this->public.listener.ike_updown = NULL;
-			this->public.listener.ike_state_change = NULL;
-			change_status(this, VPN_STATUS_CONNECTED);
-		}
-		else
-		{
-			change_status(this, VPN_STATUS_CONNECTION_FAILED);
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, ike_rekey, bool,
-	   private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new)
-{
-	if (this->ike_sa == old)
-	{
-		this->ike_sa = new;
-	}
-	return TRUE;
-}
-
-/**
- * load all CA certificates in the given directory
- */
-static void load_ca_dir(private_maemo_service_t *this, char *dir)
-{
-	enumerator_t *enumerator;
-	char *rel, *abs;
-	struct stat st;
-
-	enumerator = enumerator_create_directory(dir);
-	if (enumerator)
-	{
-		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
-		{
-			if (rel[0] != '.')
-			{
-				if (S_ISREG(st.st_mode))
-				{
-					certificate_t *cert;
-					cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
-											  CERT_X509, BUILD_FROM_FILE, abs,
-											  BUILD_END);
-					if (!cert)
-					{
-						DBG1(DBG_CFG, "loading CA certificate '%s' failed",
-							 abs);
-						continue;
-					}
-					DBG2(DBG_CFG, "loaded CA certificate '%Y'",
-						 cert->get_subject(cert));
-					this->creds->add_cert(this->creds, TRUE, cert);
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-static void disconnect(private_maemo_service_t *this)
-{
-	ike_sa_t *ike_sa;
-	u_int id;
-
-	if (!this->current)
-	{
-		return;
-	}
-
-	/* avoid status updates, as this is called from the Glib main loop */
-	charon->bus->remove_listener(charon->bus, &this->public.listener);
-
-	ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
-													  this->current, FALSE);
-	if (ike_sa)
-	{
-		id = ike_sa->get_unique_id(ike_sa);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		charon->controller->terminate_ike(charon->controller, id,
-										  NULL, NULL, 0);
-	}
-	this->current = (g_free(this->current), NULL);
-	this->status = VPN_STATUS_DISCONNECTED;
-}
-
-static gboolean initiate_connection(private_maemo_service_t *this,
-									GArray *arguments)
-{
-	gint i;
-	gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
-	identification_t *gateway = NULL, *user = NULL;
-	ike_sa_t *ike_sa;
-	ike_cfg_t *ike_cfg;
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-	traffic_selector_t *ts;
-	auth_cfg_t *auth;
-	certificate_t *cert;
-	peer_cfg_create_t peer = {
-		.cert_policy = CERT_SEND_IF_ASKED,
-		.unique = UNIQUE_REPLACE,
-		.keyingtries = 1,
-		.rekey_time = 36000, /* 10h */
-		.jitter_time = 600, /* 10min */
-		.over_time = 600, /* 10min */
-	};
-	child_cfg_create_t child = {
-		.lifetime = {
-			.time = {
-				.life = 10800, /* 3h */
-				.rekey = 10200, /* 2h50min */
-				.jitter = 300 /* 5min */
-			},
-		},
-		.mode = MODE_TUNNEL,
-	};
-
-	if (this->status == VPN_STATUS_CONNECTED ||
-		this->status == VPN_STATUS_CONNECTING)
-	{
-		DBG1(DBG_CFG, "currently connected to '%s', disconnecting first",
-			 this->current);
-		disconnect (this);
-	}
-
-	if (arguments->len != 5)
-	{
-		DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len);
-		return FALSE;
-	}
-
-	for (i = 0; i < arguments->len; i++)
-	{
-		osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i);
-		if (arg->type != DBUS_TYPE_STRING)
-		{
-			DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type);
-			return FALSE;
-		}
-		switch (i)
-		{
-			case 0: /* name */
-				this->current = (g_free(this->current), NULL);
-				this->current = g_strdup(arg->value.s);
-				break;
-			case 1: /* hostname */
-				hostname = arg->value.s;
-				break;
-			case 2: /* CA certificate path */
-				cacert = arg->value.s;
-				break;
-			case 3: /* username */
-				username = arg->value.s;
-				break;
-			case 4: /* password */
-				password = arg->value.s;
-				break;
-		}
-	}
-
-	DBG1(DBG_CFG, "received initiate for connection '%s'", this->current);
-
-	this->creds->clear(this->creds);
-
-	if (cacert && !streq(cacert, ""))
-	{
-		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-								  BUILD_FROM_FILE, cacert, BUILD_END);
-		if (cert)
-		{
-			this->creds->add_cert(this->creds, TRUE, cert);
-		}
-		else
-		{
-			DBG1(DBG_CFG, "failed to load CA certificate");
-		}
-		/* if this is a server cert we could use the cert subject as id */
-	}
-	else
-	{
-		load_ca_dir(this, MAEMO_COMMON_CA_DIR);
-		load_ca_dir(this, MAEMO_USER_CA_DIR);
-	}
-
-	gateway = identification_create_from_string(hostname);
-	DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
-
-	{
-		shared_key_t *shared_key;
-		chunk_t secret = chunk_create(password, strlen(password));
-		user = identification_create_from_string(username);
-		shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret));
-		this->creds->add_shared(this->creds, shared_key, user->clone(user),
-								NULL);
-	}
-
-	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0",
-							 charon->socket->get_port(charon->socket, FALSE),
-							 hostname, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
-
-	peer_cfg = peer_cfg_create(this->current, ike_cfg, &peer);
-	peer_cfg->add_virtual_ip(peer_cfg,  host_create_from_string("0.0.0.0", 0));
-
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-	auth->add(auth, AUTH_RULE_IDENTITY, user);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-	child_cfg = child_cfg_create(this->current, &child);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
-											 0, "255.255.255.255", 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
-	/* get us an IKE_SA */
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	if (!ike_sa)
-	{
-		peer_cfg->destroy(peer_cfg);
-		this->status = VPN_STATUS_CONNECTION_FAILED;
-		return FALSE;
-	}
-	if (!ike_sa->get_peer_cfg(ike_sa))
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
-	peer_cfg->destroy(peer_cfg);
-
-	/* store the IKE_SA, so we can track its progress */
-	this->ike_sa = ike_sa;
-	this->status = VPN_STATUS_CONNECTING;
-	this->public.listener.ike_updown = _ike_updown;
-	this->public.listener.ike_state_change = _ike_state_change;
-	charon->bus->add_listener(charon->bus, &this->public.listener);
-
-	/* get an additional reference because initiate consumes one */
-	child_cfg->get_ref(child_cfg);
-	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "failed to initiate tunnel");
-		charon->bus->remove_listener(charon->bus, &this->public.listener);
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-													ike_sa);
-		this->status = VPN_STATUS_CONNECTION_FAILED;
-		return FALSE;
-	}
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return TRUE;
-}
-
-/**
- * Callback for libosso dbus wrapper
- */
-static gint dbus_req_handler(const gchar *interface, const gchar *method,
-							 GArray *arguments, private_maemo_service_t *this,
-							 osso_rpc_t *retval)
-{
-	if (streq(method, "Start"))
-	{	/* void start (void), dummy function to start charon as root */
-		return OSSO_OK;
-	}
-	else if (streq(method, "Connect"))
-	{	/* bool connect (name, host, cert, user, pass) */
-		retval->value.b = initiate_connection(this, arguments);
-		retval->type = DBUS_TYPE_BOOLEAN;
-	}
-	else if (streq(method, "Disconnect"))
-	{	/* void disconnect (void) */
-		disconnect(this);
-	}
-	else
-	{
-		return OSSO_ERROR;
-	}
-	return OSSO_OK;
-}
-
-/**
- * Main loop to handle D-BUS messages.
- */
-static job_requeue_t run(private_maemo_service_t *this)
-{
-	this->loop = g_main_loop_new(NULL, FALSE);
-	g_main_loop_run(this->loop);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Cancel the GLib Main Event Loop
- */
-static bool cancel(private_maemo_service_t *this)
-{
-	if (this->loop)
-	{
-		if (g_main_loop_is_running(this->loop))
-		{
-			g_main_loop_quit(this->loop);
-		}
-		g_main_loop_unref(this->loop);
-	}
-	return TRUE;
-}
-
-METHOD(maemo_service_t, destroy, void,
-	   private_maemo_service_t *this)
-{
-	if (this->context)
-	{
-		osso_rpc_unset_cb_f(this->context,
-							OSSO_CHARON_SERVICE,
-							OSSO_CHARON_OBJECT,
-							OSSO_CHARON_IFACE,
-							(osso_rpc_cb_f*)dbus_req_handler,
-							this);
-		osso_deinitialize(this->context);
-	}
-	charon->bus->remove_listener(charon->bus, &this->public.listener);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	this->creds->destroy(this->creds);
-	this->current = (g_free(this->current), NULL);
-	free(this);
-}
-
-/*
- * See header
- */
-maemo_service_t *maemo_service_create()
-{
-	osso_return_t result;
-	private_maemo_service_t *this;
-
-	INIT(this,
-		.public = {
-			.listener = {
-				.ike_updown = _ike_updown,
-				.ike_state_change = _ike_state_change,
-				.child_updown = _child_updown,
-				.ike_rekey = _ike_rekey,
-			},
-			.destroy = _destroy,
-		},
-		.creds = mem_cred_create(),
-	);
-
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-
-	this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL);
-	if (!this->context)
-	{
-		DBG1(DBG_CFG, "failed to initialize OSSO context");
-		destroy(this);
-		return NULL;
-	}
-
-	result = osso_rpc_set_cb_f(this->context,
-							   OSSO_CHARON_SERVICE,
-							   OSSO_CHARON_OBJECT,
-							   OSSO_CHARON_IFACE,
-							   (osso_rpc_cb_f*)dbus_req_handler,
-							   this);
-	if (result != OSSO_OK)
-	{
-		DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result);
-		destroy(this);
-		return NULL;
-	}
-
-	this->loop = NULL;
-	if (!g_thread_supported())
-	{
-		g_thread_init(NULL);
-	}
-
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
-				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
-
-	return &this->public;
-}
diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service.in b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in
deleted file mode 100644
index 8fa83af..0000000
--- a/src/libcharon/plugins/maemo/org.strongswan.charon.service.in
+++ /dev/null
@@ -1,4 +0,0 @@
-[D-BUS Service]
-Name=org.strongswan.charon
-Exec=/usr/bin/run-standalone.sh @LIBEXECDIR@/ipsec/charon
-User=root
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index fe301a7..eb7efd2 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index d4154fe..3dd849b 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index ec488de..83850fc 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in
index 67ab4bf..619bff1 100644
--- a/src/libcharon/plugins/p_cscf/Makefile.in
+++ b/src/libcharon/plugins/p_cscf/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 9b7ab4c..9d227a1 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 38b709e..53af31f 100644
--- a/src/libcharon/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 72a168c..d08a6f4 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 112d8d2..dd1da8b 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 9f5f4a2..b6152af 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index 1b6b9f6..ed0af93 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index b9cae90..0a4000e 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 9f63cb0..7eacc51 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 929e6fc..77911c7 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -562,7 +562,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 	}
 }
 
-METHOD(stroke_cred_t, cache_cert, void,
+METHOD(credential_set_t, cache_cert, void,
 	private_stroke_cred_t *this, certificate_t *cert)
 {
 	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
@@ -575,10 +575,14 @@ METHOD(stroke_cred_t, cache_cert, void,
 		{
 			char buf[BUF_LEN];
 			chunk_t chunk, hex;
+			bool is_delta_crl;
+
+			is_delta_crl = crl->is_delta_crl(crl, NULL);
 
 			chunk = crl->get_authKeyIdentifier(crl);
 			hex = chunk_to_hex(chunk, NULL, FALSE);
-			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
+			snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+										is_delta_crl ? "_delta" : "");
 			free(hex.ptr);
 
 			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
@@ -1497,6 +1501,10 @@ stroke_cred_t *stroke_cred_create(stroke_ca_t *ca)
 		.ca = ca,
 	);
 
+	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+	{
+		cachecrl(this, TRUE);
+	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
 
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 6c5703a..cec2657 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -844,6 +844,7 @@ static void list_algs(FILE *out)
 	integrity_algorithm_t integrity;
 	hash_algorithm_t hash;
 	pseudo_random_function_t prf;
+	ext_out_function_t xof;
 	diffie_hellman_group_t group;
 	rng_quality_t quality;
 	const char *plugin_name;
@@ -891,6 +892,14 @@ static void list_algs(FILE *out)
 		print_alg(out, &len, pseudo_random_function_names, prf, plugin_name);
 	}
 	enumerator->destroy(enumerator);
+	fprintf(out, "\n  xof:       ");
+	len = 13;
+	enumerator = lib->crypto->create_xof_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &xof, &plugin_name))
+	{
+		print_alg(out, &len, ext_out_function_names, xof, plugin_name);
+	}
+	enumerator->destroy(enumerator);
 	fprintf(out, "\n  dh-group:  ");
 	len = 13;
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 4f74836..46de90c 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2011-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 125e3c1..e219159 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 0ea265e..60618c0 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -356,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -390,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -445,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index f2398c3..2b6c34c 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -357,7 +357,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -391,8 +390,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -446,6 +443,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 84eed9a..2f79391 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index cfc1c5f..fc9bff7 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 612535d..a2dd067 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index ca9b499..af0b65c 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -2,6 +2,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
+	-DSWANCTLDIR=\""${swanctldir}\"" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index b943c09..ce15204 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -449,7 +449,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -483,8 +482,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -538,6 +535,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -545,6 +544,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
+	-DSWANCTLDIR=\""${swanctldir}\"" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index cf5a85a..18a3ef7 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -481,6 +481,19 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 		errmsg = <error string on failure>
 	}
 
+### flush-certs() ###
+
+Flushes the certificate cache. The optional type argument allows to flush
+only certificates of a given type, e.g. all cached CRLs.
+
+	{
+		type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+												OCSP_RESPONSE|PUBKEY or ANY>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
 ### clear-creds() ###
 
 Clear all loaded certificate, private key and shared key credentials. This
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
index e32e966..523868c 100644
--- a/src/libcharon/plugins/vici/perl/Makefile.in
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
index de374aa..d197397 100644
--- a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
@@ -560,6 +560,21 @@ print "----- unload-authority -----\n";
 ($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
 print $res ? "ok\n" : "failed: $errmsg\n";
 
+=item flush_certs()
+
+flushes the volatile certificate cache. Optionally only a given certificate
+type is flushed.
+
+  my %vars = ( type => 'x509_crl' );
+  my ($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- flush-certs -----\n";
+%vars = ( type => 'x509_crl' );
+($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
 =item clear_creds()
 
 clears all loaded certificate, private key and shared key credentials. This
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
index 7819713..5c09b14 100644
--- a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
@@ -96,6 +96,10 @@ sub load_shared {
     return request_vars_res('load-shared', @_);
 }
 
+sub flush_certs {
+    return request_vars_res('flush-certs', @_);
+}
+
 sub clear_creds {
    return request_res('clear-creds', @_);
 }
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 7d1c642..4f1a917 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -289,7 +289,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -323,8 +322,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -378,6 +375,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
index 66de859..5bd4b7c 100644
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -166,6 +166,17 @@ class Session(object):
         """
         self.handler.request("load-shared", secret)
 
+    def flush_certs(self, filter=None):
+        """Flush the volatile certificate cache.
+
+        Flush the certificate stored temporarily in the cache. The filter
+        allows to flush only a certain type of certificates, e.g. CRLs.
+
+        :param filter: flush only certificates of a given type (optional)
+        :type filter: dict
+        """
+        self.handler.request("flush-certs", filter)
+
     def clear_creds(self):
         """Clear credentials loaded over vici.
 
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index aceb28a..e176285 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index 018f507..1a95fc3 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -449,6 +449,12 @@ module Vici
     end
 
     ##
+    # Flush credential cache.
+    def flush_certs((match = nil)
+      check_success(@transp.request("flush-certs", Message.new(match)))
+    end
+
+    ##
     # Clear all loaded credentials.
     def clear_creds()
       check_success(@transp.request("clear-creds"))
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index d919e1d..2110fd3 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -437,6 +437,7 @@ typedef struct {
 	linked_list_t *remote_ts;
 	uint32_t replay_window;
 	bool policies;
+	bool policies_fwd_out;
 	child_cfg_create_t cfg;
 } child_data_t;
 
@@ -462,6 +463,7 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
 	DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
 	DBG2(DBG_CFG, "   policies = %u", data->policies);
+	DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
 	if (data->replay_window != REPLAY_UNDEFINED)
 	{
 		DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
@@ -503,7 +505,7 @@ static void free_child_data(child_data_t *data)
  */
 static bool parse_proposal(linked_list_t *list, protocol_id_t proto, chunk_t v)
 {
-	char buf[128];
+	char buf[BUF_LEN];
 	proposal_t *proposal;
 
 	if (!vici_stringify(v, buf, sizeof(buf)))
@@ -566,7 +568,7 @@ CALLBACK(parse_ah_proposal, bool,
 CALLBACK(parse_ts, bool,
 	linked_list_t *out, chunk_t v)
 {
-	char buf[128], *protoport, *sep, *port = "", *end;
+	char buf[BUF_LEN], *protoport, *sep, *port = "", *end;
 	traffic_selector_t *ts = NULL;
 	struct protoent *protoent;
 	struct servent *svc;
@@ -720,7 +722,7 @@ typedef struct {
  */
 static bool parse_map(enum_map_t *map, int count, int *out, chunk_t v)
 {
-	char buf[128];
+	char buf[BUF_LEN];
 	int i;
 
 	if (!vici_stringify(v, buf, sizeof(buf)))
@@ -1051,7 +1053,7 @@ CALLBACK(parse_auth, bool,
  */
 static bool parse_id(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v)
 {
-	char buf[256];
+	char buf[BUF_LEN];
 
 	if (!vici_stringify(v, buf, sizeof(buf)))
 	{
@@ -1330,31 +1332,32 @@ CALLBACK(child_kv, bool,
 	child_data_t *child, vici_message_t *message, char *name, chunk_t value)
 {
 	parse_rule_t rules[] = {
-		{ "updown",			parse_string,		&child->cfg.updown					},
-		{ "hostaccess",		parse_bool,			&child->cfg.hostaccess				},
-		{ "mode",			parse_mode,			&child->cfg.mode					},
-		{ "policies",		parse_bool,			&child->policies					},
-		{ "replay_window",	parse_uint32,		&child->replay_window				},
-		{ "rekey_time",		parse_time,			&child->cfg.lifetime.time.rekey		},
-		{ "life_time",		parse_time,			&child->cfg.lifetime.time.life		},
-		{ "rand_time",		parse_time,			&child->cfg.lifetime.time.jitter	},
-		{ "rekey_bytes",	parse_bytes,		&child->cfg.lifetime.bytes.rekey	},
-		{ "life_bytes",		parse_bytes,		&child->cfg.lifetime.bytes.life		},
-		{ "rand_bytes",		parse_bytes,		&child->cfg.lifetime.bytes.jitter	},
-		{ "rekey_packets",	parse_uint64,		&child->cfg.lifetime.packets.rekey	},
-		{ "life_packets",	parse_uint64,		&child->cfg.lifetime.packets.life	},
-		{ "rand_packets",	parse_uint64,		&child->cfg.lifetime.packets.jitter	},
-		{ "dpd_action",		parse_action,		&child->cfg.dpd_action				},
-		{ "start_action",	parse_action,		&child->cfg.start_action			},
-		{ "close_action",	parse_action,		&child->cfg.close_action			},
-		{ "ipcomp",			parse_bool,			&child->cfg.ipcomp					},
-		{ "inactivity",		parse_time,			&child->cfg.inactivity				},
-		{ "reqid",			parse_uint32,		&child->cfg.reqid					},
-		{ "mark_in",		parse_mark,			&child->cfg.mark_in					},
-		{ "mark_out",		parse_mark,			&child->cfg.mark_out				},
-		{ "tfc_padding",	parse_tfc,			&child->cfg.tfc						},
-		{ "priority",		parse_uint32,		&child->cfg.priority				},
-		{ "interface",		parse_string,		&child->cfg.interface				},
+		{ "updown",				parse_string,		&child->cfg.updown					},
+		{ "hostaccess",			parse_bool,			&child->cfg.hostaccess				},
+		{ "mode",				parse_mode,			&child->cfg.mode					},
+		{ "policies",			parse_bool,			&child->policies					},
+		{ "policies_fwd_out",	parse_bool,			&child->policies_fwd_out			},
+		{ "replay_window",		parse_uint32,		&child->replay_window				},
+		{ "rekey_time",			parse_time,			&child->cfg.lifetime.time.rekey		},
+		{ "life_time",			parse_time,			&child->cfg.lifetime.time.life		},
+		{ "rand_time",			parse_time,			&child->cfg.lifetime.time.jitter	},
+		{ "rekey_bytes",		parse_bytes,		&child->cfg.lifetime.bytes.rekey	},
+		{ "life_bytes",			parse_bytes,		&child->cfg.lifetime.bytes.life		},
+		{ "rand_bytes",			parse_bytes,		&child->cfg.lifetime.bytes.jitter	},
+		{ "rekey_packets",		parse_uint64,		&child->cfg.lifetime.packets.rekey	},
+		{ "life_packets",		parse_uint64,		&child->cfg.lifetime.packets.life	},
+		{ "rand_packets",		parse_uint64,		&child->cfg.lifetime.packets.jitter	},
+		{ "dpd_action",			parse_action,		&child->cfg.dpd_action				},
+		{ "start_action",		parse_action,		&child->cfg.start_action			},
+		{ "close_action",		parse_action,		&child->cfg.close_action			},
+		{ "ipcomp",				parse_bool,			&child->cfg.ipcomp					},
+		{ "inactivity",			parse_time,			&child->cfg.inactivity				},
+		{ "reqid",				parse_uint32,		&child->cfg.reqid					},
+		{ "mark_in",			parse_mark,			&child->cfg.mark_in					},
+		{ "mark_out",			parse_mark,			&child->cfg.mark_out				},
+		{ "tfc_padding",		parse_tfc,			&child->cfg.tfc						},
+		{ "priority",			parse_uint32,		&child->cfg.priority				},
+		{ "interface",			parse_string,		&child->cfg.interface				},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1537,6 +1540,7 @@ CALLBACK(children_sn, bool,
 		}
 	}
 	child.cfg.suppress_policies = !child.policies;
+	child.cfg.fwd_out_policies = child.policies_fwd_out;
 
 	check_lifetimes(&child.cfg.lifetime);
 
@@ -1976,7 +1980,7 @@ CALLBACK(config_sn, bool,
 		.send_cert = CERT_SEND_IF_ASKED,
 		.version = IKE_ANY,
 		.remote_port = IKEV2_UDP_PORT,
-		.fragmentation = FRAGMENTATION_NO,
+		.fragmentation = FRAGMENTATION_YES,
 		.unique = UNIQUE_NO,
 		.keyingtries = 1,
 		.rekey_time = LFT_UNDEFINED,
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 3411b7d..baf285f 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -25,9 +25,16 @@
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/x509.h>
 
+#include <errno.h>
+
 typedef struct private_vici_cred_t private_vici_cred_t;
 
 /**
+ * Directory for saved X.509 CRLs
+ */
+#define CRL_DIR SWANCTLDIR "/x509crl"
+
+/**
  * Private data of an vici_cred_t object.
  */
 struct private_vici_cred_t {
@@ -46,8 +53,54 @@ struct private_vici_cred_t {
 	 * credentials
 	 */
 	mem_cred_t *creds;
+
+	/**
+	 * cache CRLs to disk?
+	 */
+	bool cachecrl;
+
 };
 
+METHOD(credential_set_t, cache_cert, void,
+	private_vici_cred_t *this, certificate_t *cert)
+{
+	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
+	{
+		/* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
+		crl_t *crl = (crl_t*)cert;
+
+		cert->get_ref(cert);
+		if (this->creds->add_crl(this->creds, crl))
+		{
+			char buf[BUF_LEN];
+			chunk_t chunk, hex;
+			bool is_delta_crl;
+
+			is_delta_crl = crl->is_delta_crl(crl, NULL);
+			chunk = crl->get_authKeyIdentifier(crl);
+			hex = chunk_to_hex(chunk, NULL, FALSE);
+			snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+										is_delta_crl ? "_delta" : "");
+			free(hex.ptr);
+
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+			{
+				if (chunk_write(chunk, buf, 022, TRUE))
+				{
+					DBG1(DBG_CFG, "  written crl file '%s' (%d bytes)",
+						 buf, chunk.len);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  writing crl file '%s' failed: %s",
+						 buf, strerror(errno));
+				}
+				free(chunk.ptr);
+			}
+		}
+	}
+}
+
 /**
  * Create a (error) reply message
  */
@@ -287,6 +340,24 @@ CALLBACK(clear_creds, vici_message_t*,
 	return create_reply(NULL);
 }
 
+CALLBACK(flush_certs, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	certificate_type_t type = CERT_ANY;
+	x509_flag_t flag = X509_NONE;
+	char *str;
+
+	str = message->get_str(message, NULL, "type");
+	if (str && !enum_from_name(certificate_type_names, str, &type) &&
+			   !vici_cert_info_from_str(str, &type, &flag))
+	{
+		return create_reply("invalid certificate type '%s'", str);
+	}
+	lib->credmgr->flush_cache(lib->credmgr, type);
+
+	return create_reply(NULL);
+}
+
 static void manage_command(private_vici_cred_t *this,
 						   char *name, vici_command_cb_t cb, bool reg)
 {
@@ -300,6 +371,7 @@ static void manage_command(private_vici_cred_t *this,
 static void manage_commands(private_vici_cred_t *this, bool reg)
 {
 	manage_command(this, "clear-creds", clear_creds, reg);
+	manage_command(this, "flush-certs", flush_certs, reg);
 	manage_command(this, "load-cert", load_cert, reg);
 	manage_command(this, "load-key", load_key, reg);
 	manage_command(this, "load-shared", load_shared, reg);
@@ -330,6 +402,13 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 
 	INIT(this,
 		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = (void*)return_null,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)_cache_cert,
+			},
 			.add_cert = _add_cert,
 			.destroy = _destroy,
 		},
@@ -337,6 +416,11 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		.creds = mem_cred_create(),
 	);
 
+	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+	{
+		this->cachecrl = TRUE;
+		DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
+	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
 	manage_commands(this, TRUE);
diff --git a/src/libcharon/plugins/vici/vici_cred.h b/src/libcharon/plugins/vici/vici_cred.h
index 8359c0e..6ce5147 100644
--- a/src/libcharon/plugins/vici/vici_cred.h
+++ b/src/libcharon/plugins/vici/vici_cred.h
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,6 +26,8 @@
 
 #include "vici_dispatcher.h"
 
+#include <credentials/credential_set.h>
+
 typedef struct vici_cred_t vici_cred_t;
 
 /**
@@ -31,6 +36,11 @@ typedef struct vici_cred_t vici_cred_t;
 struct vici_cred_t {
 
 	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
 	 * Add a certificate to the certificate store
 	 *
 	 * @param cert	certificate to be added to store
diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c
index ed7c743..1366512 100644
--- a/src/libcharon/plugins/vici/vici_plugin.c
+++ b/src/libcharon/plugins/vici/vici_plugin.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -130,6 +130,7 @@ static bool register_vici(private_vici_plugin_t *this,
 			this->cred = vici_cred_create(this->dispatcher);
 			this->authority = vici_authority_create(this->dispatcher,
 													this->cred);
+			lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 			lib->credmgr->add_set(lib->credmgr, &this->authority->set);
 			this->config = vici_config_create(this->dispatcher, this->authority,
 											  this->cred);
@@ -158,6 +159,7 @@ static bool register_vici(private_vici_plugin_t *this,
 		this->logger->destroy(this->logger);
 		this->attrs->destroy(this->attrs);
 		this->config->destroy(this->config);
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 		lib->credmgr->remove_set(lib->credmgr, &this->authority->set);
 		this->authority->destroy(this->authority);
 		this->cred->destroy(this->cred);
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 04cea00..828b619 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1072,6 +1072,7 @@ CALLBACK(get_algorithms, vici_message_t*,
 	integrity_algorithm_t integrity;
 	hash_algorithm_t hash;
 	pseudo_random_function_t prf;
+	ext_out_function_t xof;
 	diffie_hellman_group_t group;
 	rng_quality_t quality;
 	const char *plugin_name;
@@ -1123,6 +1124,15 @@ CALLBACK(get_algorithms, vici_message_t*,
 	enumerator->destroy(enumerator);
 	b->end_section(b);
 
+	b->begin_section(b, "xof");
+	enumerator = lib->crypto->create_xof_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &xof, &plugin_name))
+	{
+		add_algorithm(b, ext_out_function_names, xof, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
 	b->begin_section(b, "dh");
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &group, &plugin_name))
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 47fcf91..2e7bf02 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -360,7 +360,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -394,8 +393,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -449,6 +446,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 0e88f8e..541bec9 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index e20b46f..50a6c80 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index b8adbbf..e2353a4 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 79c4666..048e4d5 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 8a405d9..e4364de 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -111,12 +111,17 @@ struct private_child_sa_t {
 	 */
 	bool static_reqid;
 
-	/*
+	/**
 	 * Unique CHILD_SA identifier
 	 */
 	uint32_t unique_id;
 
 	/**
+	 * Whether FWD policieis in the outbound direction should be installed
+	 */
+	bool policies_fwd_out;
+
+	/**
 	 * inbound mark used for this child_sa
 	 */
 	mark_t mark_in;
@@ -931,15 +936,19 @@ static status_t install_policies_internal(private_child_sa_t *this,
 		 * policies of two SAs we install them with reduced priority.  As they
 		 * basically act as bypass policies for drop policies we use a higher
 		 * priority than is used for them. */
-		out_id.dir = POLICY_FWD;
-		other_sa->reqid = 0;
-		if (priority == POLICY_PRIORITY_DEFAULT)
+		if (this->policies_fwd_out)
 		{
-			out_policy.prio = POLICY_PRIORITY_ROUTED;
+			out_id.dir = POLICY_FWD;
+			other_sa->reqid = 0;
+			if (priority == POLICY_PRIORITY_DEFAULT)
+			{
+				out_policy.prio = POLICY_PRIORITY_ROUTED;
+			}
+			status |= charon->kernel->add_policy(charon->kernel, &out_id,
+												 &out_policy);
+			/* reset the reqid for any other further policies */
+			other_sa->reqid = this->reqid;
 		}
-		status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy);
-		/* reset the reqid for any other further policies */
-		other_sa->reqid = this->reqid;
 	}
 	return status;
 }
@@ -988,14 +997,17 @@ static void del_policies_internal(private_child_sa_t *this,
 		in_id.dir = POLICY_FWD;
 		charon->kernel->del_policy(charon->kernel, &in_id, &in_policy);
 
-		out_id.dir = POLICY_FWD;
-		other_sa->reqid = 0;
-		if (priority == POLICY_PRIORITY_DEFAULT)
+		if (this->policies_fwd_out)
 		{
-			out_policy.prio = POLICY_PRIORITY_ROUTED;
+			out_id.dir = POLICY_FWD;
+			other_sa->reqid = 0;
+			if (priority == POLICY_PRIORITY_DEFAULT)
+			{
+				out_policy.prio = POLICY_PRIORITY_ROUTED;
+			}
+			charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
+			other_sa->reqid = this->reqid;
 		}
-		charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
-		other_sa->reqid = this->reqid;
 	}
 }
 
@@ -1443,6 +1455,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		.mark_in = config->get_mark(config, TRUE),
 		.mark_out = config->get_mark(config, FALSE),
 		.install_time = time_monotonic(NULL),
+		.policies_fwd_out = config->install_fwd_out_policy(config),
 	);
 
 	this->config = config;
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 009277d..7b87918 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -921,6 +921,7 @@ METHOD(ike_sa_t, reset, void,
 							this->ike_sa_id->is_initiator(this->ike_sa_id));
 
 	this->task_manager->reset(this->task_manager, 0, 0);
+	this->task_manager->queue_ike(this->task_manager);
 }
 
 METHOD(ike_sa_t, get_keymat, keymat_t*,
@@ -1780,16 +1781,12 @@ METHOD(ike_sa_t, delete_, status_t,
 {
 	switch (this->state)
 	{
-		case IKE_REKEYING:
-			if (this->version == IKEV1)
-			{	/* SA has been reauthenticated, delete */
-				charon->bus->ike_updown(charon->bus, &this->public, FALSE);
-				break;
-			}
-			/* FALL */
 		case IKE_ESTABLISHED:
-			if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
-			{	/* IKE_SA hard lifetime hit */
+		case IKE_REKEYING:
+			if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
+				!(this->version == IKEV1 && this->state == IKE_REKEYING))
+			{	/* IKE_SA hard lifetime hit, ignored for reauthenticated
+				 * IKEv1 SAs */
 				charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
 			}
 			this->task_manager->queue_ike_delete(this->task_manager);
@@ -1831,7 +1828,6 @@ METHOD(ike_sa_t, reauth, status_t,
 		DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
 			 get_name(this), this->unique_id);
 		reset(this);
-		this->task_manager->queue_ike(this->task_manager);
 		return this->task_manager->initiate(this->task_manager);
 	}
 	/* we can't reauthenticate as responder when we use EAP or virtual IPs.
@@ -2335,7 +2331,6 @@ METHOD(ike_sa_t, retransmit, status_t,
 						 this->keyingtry + 1, tries);
 					reset(this);
 					resolve_hosts(this);
-					this->task_manager->queue_ike(this->task_manager);
 					return this->task_manager->initiate(this->task_manager);
 				}
 				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
@@ -2980,7 +2975,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 		.flush_auth_cfg = lib->settings->get_bool(lib->settings,
 								"%s.flush_auth_cfg", FALSE, lib->ns),
 		.fragment_size = lib->settings->get_int(lib->settings,
-								"%s.fragment_size", 0, lib->ns),
+								"%s.fragment_size", 1280, lib->ns),
 		.follow_redirects = lib->settings->get_bool(lib->settings,
 								"%s.follow_redirects", TRUE, lib->ns),
 	);
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index be6b03b..d1d4cbd 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -75,11 +75,6 @@ struct private_keymat_v1_t {
 	hasher_t *hasher;
 
 	/**
-	 * Key used for authentication during main mode
-	 */
-	chunk_t skeyid;
-
-	/**
 	 * Key to derive key material from for non-ISAKMP SAs, rekeying
 	 */
 	chunk_t skeyid_d;
@@ -269,12 +264,12 @@ static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
  * Create a simple implementation of the aead_t interface which only encrypts
  * or decrypts data.
  */
-static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
+static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e,
+						   chunk_t *ka)
 {
 	private_aead_t *this;
 	uint16_t alg, key_size;
 	crypter_t *crypter;
-	chunk_t ka;
 
 	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg,
 								 &key_size))
@@ -292,17 +287,16 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
 		return NULL;
 	}
 	key_size = crypter->get_key_size(crypter);
-	if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, &ka))
+	if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka))
 	{
 		return NULL;
 	}
-	DBG4(DBG_IKE, "encryption key Ka %B", &ka);
-	if (!crypter->set_key(crypter, ka))
+	DBG4(DBG_IKE, "encryption key Ka %B", ka);
+	if (!crypter->set_key(crypter, *ka))
 	{
-		chunk_clear(&ka);
+		chunk_clear(ka);
 		return NULL;
 	}
-	chunk_clear(&ka);
 
 	INIT(this,
 		.aead = {
@@ -392,7 +386,7 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 	auth_method_t auth, shared_key_t *shared_key)
 {
 	chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
-	chunk_t skeyid;
+	chunk_t skeyid, ka;
 	uint16_t alg;
 
 	spi_i = chunk_alloca(sizeof(uint64_t));
@@ -550,11 +544,14 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 	}
 	chunk_clear(&skeyid);
 
-	this->aead = create_aead(proposal, this->prf, skeyid_e);
+	this->aead = create_aead(proposal, this->prf, skeyid_e, &ka);
 	if (!this->aead)
 	{
 		return FALSE;
 	}
+	charon->bus->ike_derived_keys(charon->bus, ka, chunk_empty, this->skeyid_a,
+								  chunk_empty);
+	chunk_clear(&ka);
 	if (!this->hasher && !this->public.create_hasher(&this->public, proposal))
 	{
 		return FALSE;
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index b0c4f5f..3b0c1cf 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -515,13 +515,13 @@ METHOD(task_manager_t, initiate, status_t,
 					new_mid = TRUE;
 					break;
 				}
-				if (activate_task(this, TASK_ISAKMP_DELETE))
+				if (activate_task(this, TASK_QUICK_DELETE))
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
 					break;
 				}
-				if (activate_task(this, TASK_QUICK_DELETE))
+				if (activate_task(this, TASK_ISAKMP_DELETE))
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
@@ -547,6 +547,14 @@ METHOD(task_manager_t, initiate, status_t,
 					break;
 				}
 				break;
+			case IKE_REKEYING:
+				if (activate_task(this, TASK_ISAKMP_DELETE))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				break;
 			default:
 				break;
 		}
@@ -1181,7 +1189,7 @@ static status_t process_response(private_task_manager_t *this,
 	}
 	enumerator->destroy(enumerator);
 
-	if (this->initiating.retransmitted)
+	if (this->initiating.retransmitted > 1)
 	{
 		packet_t *packet = NULL;
 		array_get(this->initiating.packets, 0, &packet);
@@ -1661,6 +1669,9 @@ METHOD(task_manager_t, queue_ike_delete, void,
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 
+	/* cancel any currently active task to get the DELETE done quickly */
+	flush_queue(this, TASK_QUEUE_ACTIVE);
+
 	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
 	while (enumerator->enumerate(enumerator, &child_sa))
 	{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index f28b83e..dc86fc5 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -102,6 +102,7 @@ static struct {
 	{ "DPD", EXT_DPD, TRUE, 16,
 	  "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
 
+	/* CISCO-UNITY, similar to DPD the last two bytes indicate the version */
 	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
 	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 
@@ -190,6 +191,8 @@ static bool is_known_vid(chunk_t data, int i)
 			break;
 		case EXT_MS_WINDOWS:
 			return data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16);
+		case EXT_CISCO_UNITY:
+			return data.len == 16 && memeq(data.ptr, vendor_ids[i].id, 14);
 		default:
 			return chunk_equals(data, chunk_create(vendor_ids[i].id,
 												   vendor_ids[i].len));
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index bbd1cb0..6b89641 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -348,10 +348,6 @@ static bool install(private_quick_mode_t *this)
 									this->initiator, FALSE, FALSE, tsr, tsi);
 		}
 	}
-	chunk_clear(&integ_i);
-	chunk_clear(&integ_r);
-	chunk_clear(&encr_i);
-	chunk_clear(&encr_r);
 
 	if (status_i != SUCCESS || status_o != SUCCESS)
 	{
@@ -361,22 +357,38 @@ static bool install(private_quick_mode_t *this)
 			(status_o != SUCCESS) ? "outbound " : "");
 		tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
 		tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
-		return FALSE;
-	}
-
-	if (this->initiator)
-	{
-		status = this->child_sa->add_policies(this->child_sa, tsi, tsr);
+		status = FAILED;
 	}
 	else
 	{
-		status = this->child_sa->add_policies(this->child_sa, tsr, tsi);
+		if (this->initiator)
+		{
+			status = this->child_sa->add_policies(this->child_sa, tsi, tsr);
+		}
+		else
+		{
+			status = this->child_sa->add_policies(this->child_sa, tsr, tsi);
+		}
+		tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+		tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+		}
+		else
+		{
+			charon->bus->child_derived_keys(charon->bus, this->child_sa,
+											this->initiator, encr_i, encr_r,
+											integ_i, integ_r);
+		}
 	}
-	tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
-	tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+	chunk_clear(&integ_i);
+	chunk_clear(&integ_r);
+	chunk_clear(&encr_i);
+	chunk_clear(&encr_r);
+
 	if (status != SUCCESS)
 	{
-		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
 		return FALSE;
 	}
 
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 6fd34e0..592f497 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -161,8 +161,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 		if (key_type == KEY_RSA)
 		{
 			signature_scheme_t schemes[] = {
-				SIGN_RSA_EMSA_PKCS1_SHA384,
-				SIGN_RSA_EMSA_PKCS1_SHA256,
+				SIGN_RSA_EMSA_PKCS1_SHA2_384,
+				SIGN_RSA_EMSA_PKCS1_SHA2_256,
 				SIGN_RSA_EMSA_PKCS1_SHA1,
 			}, contained;
 			bool found;
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index e373998..58efdba 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -103,7 +103,7 @@ static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg,
 							uint16_t key_size, prf_plus_t *prf_plus)
 {
 	aead_t *aead_i, *aead_r;
-	chunk_t key = chunk_empty;
+	chunk_t sk_ei = chunk_empty, sk_er = chunk_empty;
 	u_int salt_size;
 
 	switch (alg)
@@ -146,23 +146,22 @@ static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg,
 	{
 		goto failure;
 	}
-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ei))
 	{
 		goto failure;
 	}
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	if (!aead_i->set_key(aead_i, key))
+	DBG4(DBG_IKE, "Sk_ei secret %B", &sk_ei);
+	if (!aead_i->set_key(aead_i, sk_ei))
 	{
 		goto failure;
 	}
-	chunk_clear(&key);
 
-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_er))
 	{
 		goto failure;
 	}
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	if (!aead_r->set_key(aead_r, key))
+	DBG4(DBG_IKE, "Sk_er secret %B", &sk_er);
+	if (!aead_r->set_key(aead_r, sk_er))
 	{
 		goto failure;
 	}
@@ -178,11 +177,14 @@ static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg,
 		this->aead_out = aead_r;
 	}
 	aead_i = aead_r = NULL;
+	charon->bus->ike_derived_keys(charon->bus, sk_ei, sk_er, chunk_empty,
+								  chunk_empty);
 
 failure:
 	DESTROY_IF(aead_i);
 	DESTROY_IF(aead_r);
-	chunk_clear(&key);
+	chunk_clear(&sk_ei);
+	chunk_clear(&sk_er);
 	return this->aead_in && this->aead_out;
 }
 
@@ -196,7 +198,8 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg,
 	signer_t *signer_i, *signer_r;
 	iv_gen_t *ivg_i, *ivg_r;
 	size_t key_size;
-	chunk_t key = chunk_empty;
+	chunk_t sk_ei = chunk_empty, sk_er = chunk_empty,
+			sk_ai = chunk_empty, sk_ar = chunk_empty;
 
 	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
 	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
@@ -220,48 +223,45 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg,
 	/* SK_ai/SK_ar used for integrity protection */
 	key_size = signer_i->get_key_size(signer_i);
 
-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ai))
 	{
 		goto failure;
 	}
-	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
-	if (!signer_i->set_key(signer_i, key))
+	DBG4(DBG_IKE, "Sk_ai secret %B", &sk_ai);
+	if (!signer_i->set_key(signer_i, sk_ai))
 	{
 		goto failure;
 	}
-	chunk_clear(&key);
 
-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ar))
 	{
 		goto failure;
 	}
-	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
-	if (!signer_r->set_key(signer_r, key))
+	DBG4(DBG_IKE, "Sk_ar secret %B", &sk_ar);
+	if (!signer_r->set_key(signer_r, sk_ar))
 	{
 		goto failure;
 	}
-	chunk_clear(&key);
 
 	/* SK_ei/SK_er used for encryption */
 	key_size = crypter_i->get_key_size(crypter_i);
 
-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ei))
 	{
 		goto failure;
 	}
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	if (!crypter_i->set_key(crypter_i, key))
+	DBG4(DBG_IKE, "Sk_ei secret %B", &sk_ei);
+	if (!crypter_i->set_key(crypter_i, sk_ei))
 	{
 		goto failure;
 	}
-	chunk_clear(&key);
 
-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_er))
 	{
 		goto failure;
 	}
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	if (!crypter_r->set_key(crypter_r, key))
+	DBG4(DBG_IKE, "Sk_er secret %B", &sk_er);
+	if (!crypter_r->set_key(crypter_r, sk_er))
 	{
 		goto failure;
 	}
@@ -284,9 +284,13 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg,
 	}
 	signer_i = signer_r = NULL;
 	crypter_i = crypter_r = NULL;
+	charon->bus->ike_derived_keys(charon->bus, sk_ei, sk_er, sk_ai, sk_ar);
 
 failure:
-	chunk_clear(&key);
+	chunk_clear(&sk_ai);
+	chunk_clear(&sk_ar);
+	chunk_clear(&sk_ei);
+	chunk_clear(&sk_er);
 	DESTROY_IF(signer_i);
 	DESTROY_IF(signer_r);
 	DESTROY_IF(crypter_i);
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 41a4e1b..60a262f 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -709,7 +709,7 @@ static status_t process_response(private_task_manager_t *this,
 	}
 	enumerator->destroy(enumerator);
 
-	if (this->initiating.retransmitted)
+	if (this->initiating.retransmitted > 1)
 	{
 		packet_t *packet = NULL;
 		array_get(this->initiating.packets, 0, &packet);
@@ -1827,15 +1827,22 @@ METHOD(task_manager_t, queue_dpd, void,
 	if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
 		this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
 	{
-		/* use mobike enabled DPD to detect NAT mapping changes */
-		mobike = ike_mobike_create(this->ike_sa, TRUE);
-		mobike->dpd(mobike);
-		queue_task(this, &mobike->task);
-	}
-	else
-	{
-		queue_task(this, (task_t*)ike_dpd_create(TRUE));
+#ifdef ME
+		peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		if (cfg->get_peer_id(cfg) ||
+			this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
+#else
+		if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
+#endif
+		{
+			/* use mobike enabled DPD to detect NAT mapping changes */
+			mobike = ike_mobike_create(this->ike_sa, TRUE);
+			mobike->dpd(mobike);
+			queue_task(this, &mobike->task);
+			return;
+		}
 	}
+	queue_task(this, (task_t*)ike_dpd_create(TRUE));
 }
 
 METHOD(task_manager_t, adopt_tasks, void,
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 64a8285..71cb6b8 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -666,10 +666,6 @@ static status_t select_and_install(private_child_create_t *this,
 							FALSE, this->tfcv3, my_ts, other_ts);
 		}
 	}
-	chunk_clear(&integ_i);
-	chunk_clear(&integ_r);
-	chunk_clear(&encr_i);
-	chunk_clear(&encr_r);
 
 	if (status_i != SUCCESS || status_o != SUCCESS)
 	{
@@ -679,41 +675,62 @@ static status_t select_and_install(private_child_create_t *this,
 			(status_o != SUCCESS) ? "outbound " : "");
 		charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED,
 						   this->child_sa);
-		return FAILED;
-	}
-
-	if (this->initiator)
-	{
-		status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+		status = FAILED;
 	}
 	else
 	{
-		/* use a copy of the traffic selectors, as the POST hook should not
-		 * change payloads */
-		my_ts = this->tsr->clone_offset(this->tsr,
+		if (this->initiator)
+		{
+			status = this->child_sa->add_policies(this->child_sa,
+												  my_ts, other_ts);
+		}
+		else
+		{
+			/* use a copy of the traffic selectors, as the POST hook should not
+			 * change payloads */
+			my_ts = this->tsr->clone_offset(this->tsr,
 										offsetof(traffic_selector_t, clone));
-		other_ts = this->tsi->clone_offset(this->tsi,
+			other_ts = this->tsi->clone_offset(this->tsi,
 										offsetof(traffic_selector_t, clone));
-		charon->bus->narrow(charon->bus, this->child_sa,
-							NARROW_RESPONDER_POST, my_ts, other_ts);
-		if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_RESPONDER_POST, my_ts, other_ts);
+			if (my_ts->get_count(my_ts) == 0 ||
+				other_ts->get_count(other_ts) == 0)
+			{
+				status = FAILED;
+			}
+			else
+			{
+				status = this->child_sa->add_policies(this->child_sa,
+													  my_ts, other_ts);
+			}
+			my_ts->destroy_offset(my_ts,
+								  offsetof(traffic_selector_t, destroy));
+			other_ts->destroy_offset(other_ts,
+								  offsetof(traffic_selector_t, destroy));
+		}
+		if (status != SUCCESS)
 		{
-			status = FAILED;
+			DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+			charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
+							   this->child_sa);
+			status = NOT_FOUND;
 		}
 		else
 		{
-			status = this->child_sa->add_policies(this->child_sa,
-												   my_ts, other_ts);
+			charon->bus->child_derived_keys(charon->bus, this->child_sa,
+											this->initiator, encr_i, encr_r,
+											integ_i, integ_r);
 		}
-		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
-		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
 	}
+	chunk_clear(&integ_i);
+	chunk_clear(&integ_r);
+	chunk_clear(&encr_i);
+	chunk_clear(&encr_r);
+
 	if (status != SUCCESS)
 	{
-		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
-		charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
-						   this->child_sa);
-		return NOT_FOUND;
+		return status;
 	}
 
 	charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 801b6d8..d82e206 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -457,6 +457,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 	}
 	enumerator->destroy(enumerator);
 
+	if (this->proposal)
+	{
+		this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+	}
+
 	if (ke_payload && this->proposal &&
 		this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
@@ -614,7 +619,6 @@ METHOD(task_t, build_r, status_t,
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
-	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
 	/* check if we'd have to redirect the client */
 	if (!this->old_sa &&
@@ -651,6 +655,7 @@ METHOD(task_t, build_r, status_t,
 		else
 		{
 			DBG1(DBG_IKE, "no acceptable proposal found");
+			message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		}
 		return FAILED;
 	}
@@ -849,7 +854,6 @@ METHOD(task_t, process_i, status_t,
 		DBG1(DBG_IKE, "peers proposal selection invalid");
 		return FAILED;
 	}
-	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
 	if (this->dh == NULL ||
 		!this->proposal->has_dh_group(this->proposal, this->dh_group))
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
index 7a0d342..7b6beae 100644
--- a/src/libcharon/tests/Makefile.in
+++ b/src/libcharon/tests/Makefile.in
@@ -374,7 +374,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -408,8 +407,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -463,6 +460,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
index e25e543..1ef13e9 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -32,6 +32,22 @@ static test_configuration_t tests[] = {
 	{ .suite = NULL, }
 };
 
+static void initialize_logging()
+{
+	int level = LEVEL_SILENT;
+	char *verbosity;
+
+	verbosity = getenv("TESTS_VERBOSITY");
+	if (verbosity)
+	{
+		level = atoi(verbosity);
+	}
+	lib->settings->set_int(lib->settings, "%s.filelog.stderr.default",
+			lib->settings->get_int(lib->settings, "%s.filelog.stderr.default",
+								   level, lib->ns), lib->ns);
+	charon->load_loggers(charon, NULL, TRUE);
+}
+
 static bool test_runner_init(bool init)
 {
 	if (init)
@@ -39,6 +55,7 @@ static bool test_runner_init(bool init)
 		char *plugins, *plugindir;
 
 		libcharon_init();
+		initialize_logging();
 
 		plugins = getenv("TESTS_PLUGINS") ?:
 					lib->settings->get_str(lib->settings,
diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libcharon/tests/suites/test_proposal.c
index a6226f6..19f4cd1 100644
--- a/src/libcharon/tests/suites/test_proposal.c
+++ b/src/libcharon/tests/suites/test_proposal.c
@@ -18,38 +18,100 @@
 #include <config/proposal.h>
 
 static struct {
+	protocol_id_t proto;
+	char *proposal;
+	char *expected;
+} create_data[] = {
+	{ PROTO_IKE, "", NULL },
+	{ PROTO_IKE, "sha256", NULL },
+	{ PROTO_IKE, "sha256-modp3072", NULL },
+	{ PROTO_IKE, "null-sha256-modp3072", "IKE:NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" },
+	{ PROTO_IKE, "aes128", NULL },
+	{ PROTO_IKE, "aes128-sha256", NULL },
+	{ PROTO_IKE, "aes128-sha256-modpnone", NULL },
+	{ PROTO_IKE, "aes128-sha256-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" },
+	{ PROTO_IKE, "aes128-sha256-prfsha384-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_384/MODP_3072" },
+	{ PROTO_IKE, "aes128gcm16-modp3072", NULL },
+	{ PROTO_IKE, "aes128gcm16-prfsha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" },
+	{ PROTO_IKE, "aes128gcm16-sha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" },
+	{ PROTO_IKE, "aes128gcm16-aes128-modp3072", NULL },
+	{ PROTO_IKE, "aes128gcm16-aes128-sha256-modp3072", NULL },
+	{ PROTO_ESP, "", NULL },
+	{ PROTO_ESP, "sha256", NULL },
+	{ PROTO_ESP, "aes128-sha256", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_ESP, "aes128-sha256-esn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ" },
+	{ PROTO_ESP, "aes128-sha256-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_ESP, "aes128-sha256-esn-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" },
+	{ PROTO_ESP, "aes128-sha256-prfsha256-modp3072", "ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ" },
+	{ PROTO_ESP, "aes128gcm16-aes128-sha256-modp3072", NULL },
+	{ PROTO_ESP, "aes128gmac", "ESP:NULL_AES_GMAC_128/NO_EXT_SEQ" },
+	{ PROTO_AH,  "", NULL },
+	{ PROTO_AH,  "aes128", NULL },
+	{ PROTO_AH,  "aes128-sha256", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_AH,  "sha256-sha1", "AH:HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ" },
+	{ PROTO_AH,  "aes128gmac-sha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_AH,  "aes128gmac-sha256-prfsha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_AH,  "aes128gmac-aes256gmac-aes128-sha256", "AH:AES_128_GMAC/AES_256_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_AH,  "sha256-esn", "AH:HMAC_SHA2_256_128/EXT_SEQ" },
+	{ PROTO_AH,  "sha256-noesn", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" },
+	{ PROTO_AH,  "sha256-esn-noesn", "AH:HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" },
+};
+
+START_TEST(test_create_from_string)
+{
+	proposal_t *proposal;
+	char str[BUF_LEN];
+
+	proposal = proposal_create_from_string(create_data[_i].proto,
+										   create_data[_i].proposal);
+	if (!create_data[_i].expected)
+	{
+		ck_assert(!proposal);
+		return;
+	}
+	snprintf(str, sizeof(str), "%P", proposal);
+	ck_assert_str_eq(create_data[_i].expected, str);
+	proposal->destroy(proposal);
+}
+END_TEST
+
+static struct {
+	protocol_id_t proto;
 	char *self;
 	char *other;
 	char *expected;
 } select_data[] = {
-	{ "aes128", "aes128", "aes128" },
-	{ "aes128", "aes256", NULL },
-	{ "aes128-aes256", "aes256-aes128", "aes128" },
-	{ "aes256-aes128", "aes128-aes256", "aes256" },
-	{ "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" },
-	{ "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" },
-	{ "aes128-sha256-modp3072", "aes128-sha256", NULL },
-	{ "aes128-sha256", "aes128-sha256-modp3072", NULL },
-	{ "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL },
-	{ "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL },
-	{ "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" },
-	{ "aes128-sha256", "aes128-sha256-modp3072-modpnone", "aes128-sha256" },
-	{ "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072" },
-	{ "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone" },
+	{ PROTO_ESP, "aes128", "aes128", "aes128" },
+	{ PROTO_ESP, "aes128", "aes256", NULL },
+	{ PROTO_ESP, "aes128-aes256", "aes256-aes128", "aes128" },
+	{ PROTO_ESP, "aes256-aes128", "aes128-aes256", "aes256" },
+	{ PROTO_ESP, "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" },
+	{ PROTO_ESP, "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" },
+	{ PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", NULL },
+	{ PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", NULL },
+	{ PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL },
+	{ PROTO_ESP, "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL },
+	{ PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" },
+	{ PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072-modpnone", "aes128-sha256" },
+	{ PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072" },
+	{ PROTO_ESP, "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone" },
+	{ PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072", "aes128-sha256-modp3072" },
+	{ PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072" },
+	{ PROTO_IKE, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072", "aes128-sha256-modp3072" },
 };
 
 START_TEST(test_select)
 {
 	proposal_t *self, *other, *selected, *expected;
 
-	self = proposal_create_from_string(PROTO_ESP,
+	self = proposal_create_from_string(select_data[_i].proto,
 									   select_data[_i].self);
-	other = proposal_create_from_string(PROTO_ESP,
+	other = proposal_create_from_string(select_data[_i].proto,
 										select_data[_i].other);
 	selected = self->select(self, other, FALSE);
 	if (select_data[_i].expected)
 	{
-		expected = proposal_create_from_string(PROTO_ESP,
+		expected = proposal_create_from_string(select_data[_i].proto,
 											   select_data[_i].expected);
 		ck_assert(selected);
 		ck_assert_msg(expected->equals(expected, selected), "proposal %P does "
@@ -73,6 +135,10 @@ Suite *proposal_suite_create()
 
 	s = suite_create("proposal");
 
+	tc = tcase_create("create_from_string");
+	tcase_add_loop_test(tc, test_create_from_string, 0, countof(create_data));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("select");
 	tcase_add_loop_test(tc, test_select, 0, countof(select_data));
 	suite_add_tcase(s, tc);
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 4c489db..79a9d74 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -356,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -390,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -445,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 7983b77..4e5be54 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -525,7 +525,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -559,8 +558,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -614,6 +611,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 6f88e17..fb0db91 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -496,6 +496,18 @@ INSERT INTO products (          /* 83 */
  'Debian 8.5 x86_64'
 );
 
+INSERT INTO products (          /* 84 */
+  name
+) VALUES (
+ 'Debian 8.6 i686'
+);
+
+INSERT INTO products (          /* 85 */
+  name
+) VALUES (
+ 'Debian 8.6 x86_64'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -1093,6 +1105,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  5, 85
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   6, 9
 );
 
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index d2b8168..f5c73ef 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in
index 44aaf87..ffc5710 100644
--- a/src/libimcv/plugins/imc_hcd/Makefile.in
+++ b/src/libimcv/plugins/imc_hcd/Makefile.in
@@ -348,7 +348,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -382,8 +381,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -437,6 +434,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 93d532d..4d6eff5 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -348,7 +348,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -382,8 +381,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -437,6 +434,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 44d8279..7e18b3c 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -349,7 +349,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -383,8 +382,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -438,6 +435,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index 5eec531..f97a7ba 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 508f7fe..95acd4b 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -348,7 +348,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -382,8 +381,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -437,6 +434,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 61b92e0..2be4e15 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -362,7 +362,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -396,8 +395,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -451,6 +448,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in
index 4fdbbf4..1c3d0ac 100644
--- a/src/libimcv/plugins/imv_hcd/Makefile.in
+++ b/src/libimcv/plugins/imv_hcd/Makefile.in
@@ -348,7 +348,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -382,8 +381,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -437,6 +434,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index d2997a9..b119559 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -356,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -390,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -445,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index ffca30c..22eb4ae 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index aea48e7..21bbe4a 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 30fa3c7..a32a465 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -349,7 +349,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -383,8 +382,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -438,6 +435,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c
index 2ba949e..d771d07 100644
--- a/src/libimcv/pts/pts.c
+++ b/src/libimcv/pts/pts.c
@@ -388,26 +388,29 @@ static void load_aik(private_pts_t *this)
 			DBG1(DBG_PTS, "AIK Blob is not available");
 		}
 
-		/* get AIK public key */
-		if (key_path)
+		/* get AIK public key if no AIK certificate is available */
+		if (!this->aik_cert)
 		{
-			map = chunk_map(key_path, FALSE);
-			if (map)
+			if (key_path)
 			{
-				DBG2(DBG_PTS, "loaded AIK public key from '%s'", key_path);
-				aik_pubkey = chunk_clone(*map);
-				chunk_unmap(map);
+				map = chunk_map(key_path, FALSE);
+				if (map)
+				{
+					DBG2(DBG_PTS, "loaded AIK public key from '%s'", key_path);
+					aik_pubkey = chunk_clone(*map);
+					chunk_unmap(map);
+				}
+				else
+				{
+					DBG1(DBG_PTS, "unable to map AIK public key file '%s': %s",
+								   key_path, strerror(errno));
+				}
 			}
 			else
 			{
-				DBG1(DBG_PTS, "unable to map AIK public key file '%s': %s",
-							   key_path, strerror(errno));
+				DBG1(DBG_PTS, "AIK public key is not available");
 			}
 		}
-		else
-		{
-			DBG1(DBG_PTS, "AIK public key is not available");
-		}
 
 		/* Load AIK item into TPM 1.2 object */
 		tpm_12 = (tpm_tss_trousers_t *)this->tpm;
@@ -716,13 +719,22 @@ METHOD(pts_t, verify_quote_signature, bool,
 					scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
 					break;
 				case HASH_SHA256:
-					scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
+					scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256;
 					break;
 				case HASH_SHA384:
-					scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
+					scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384;
 					break;
 				case HASH_SHA512:
-					scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
+					scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512;
+					break;
+				case HASH_SHA3_256:
+					scheme = SIGN_RSA_EMSA_PKCS1_SHA3_256;
+					break;
+				case HASH_SHA3_384:
+					scheme = SIGN_RSA_EMSA_PKCS1_SHA3_384;
+					break;
+				case HASH_SHA3_512:
+					scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512;
 					break;
 				default:
 					scheme = SIGN_UNKNOWN;
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 19a2577..ea73c60 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -390,7 +390,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -424,8 +423,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -479,6 +476,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
index db73e1f..0c1d858 100644
--- a/src/libipsec/tests/Makefile.in
+++ b/src/libipsec/tests/Makefile.in
@@ -346,7 +346,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -380,8 +379,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -435,6 +432,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index a4d4b33..14e4a6b 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index f5a5d12..8106295 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -346,7 +346,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -380,8 +379,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -435,6 +432,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index a7bc8e3..ea053a3 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -349,7 +349,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -383,8 +382,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -438,6 +435,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index da5f34e..0e8f7f3 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -16,7 +16,7 @@ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
 crypto/iv/iv_gen_null.c \
-crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
+crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 9be93f1..52ae7c6 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -14,7 +14,7 @@ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
 crypto/iv/iv_gen_null.c \
-crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
+crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -75,7 +75,7 @@ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \
-crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
+crypto/xofs/xof.h crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \
 credentials/credential_factory.h credentials/builder.h \
 credentials/cred_encoding.h credentials/keys/private_key.h \
 credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -220,16 +220,22 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c:	$(srcdir)/crypto/proposal/
 		$(GPERF) -N proposal_get_token_static -m 10 -C -G -c -t -D < \
 												$(srcdir)/crypto/proposal/proposal_keywords_static.txt > $@
 
-
-# build plugins with their own Makefile
-#######################################
-
 if MONOLITHIC
 SUBDIRS =
 else
 SUBDIRS = .
 endif
 
+# build libnttfft used by some plugins
+######################################
+
+if USE_LIBNTTFFT
+  SUBDIRS += math/libnttfft
+endif
+
+# build plugins with their own Makefile
+#######################################
+
 if USE_AF_ALG
   SUBDIRS += plugins/af_alg
 if MONOLITHIC
@@ -580,6 +586,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_MGF1
+  SUBDIRS += plugins/mgf1
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/mgf1/libstrongswan-mgf1.la
+endif
+endif
+
 if USE_NTRU
   SUBDIRS += plugins/ntru
 if MONOLITHIC
@@ -594,6 +607,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_NEWHOPE
+  SUBDIRS += plugins/newhope
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/newhope/libstrongswan-newhope.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
@@ -604,7 +624,20 @@ endif
 if MONOLITHIC
   SUBDIRS += .
 endif
+
+# build unit tests
+##################
+
 SUBDIRS += tests
+
+if USE_LIBNTTFFT
+  SUBDIRS += math/libnttfft/tests
+endif
+
 if USE_BLISS
   SUBDIRS += plugins/bliss/tests
 endif
+
+if USE_NEWHOPE
+  SUBDIRS += plugins/newhope/tests
+endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index d1b65bd..3eec966 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -123,113 +123,126 @@ host_triplet = @host@
 @USE_BUILTIN_PRINTF_TRUE at am__append_15 = -lm
 @USE_BUILTIN_PRINTF_FALSE@@USE_VSTR_FALSE at am__append_16 = utils/printf_hook/printf_hook_glibc.c
 @USE_LIBCAP_TRUE at am__append_17 = -lcap
- at USE_AF_ALG_TRUE@am__append_18 = plugins/af_alg
- at MONOLITHIC_TRUE@@USE_AF_ALG_TRUE at am__append_19 = plugins/af_alg/libstrongswan-af-alg.la
- at USE_AES_TRUE@am__append_20 = plugins/aes
- at MONOLITHIC_TRUE@@USE_AES_TRUE at am__append_21 = plugins/aes/libstrongswan-aes.la
- at USE_DES_TRUE@am__append_22 = plugins/des
- at MONOLITHIC_TRUE@@USE_DES_TRUE at am__append_23 = plugins/des/libstrongswan-des.la
- at USE_BLOWFISH_TRUE@am__append_24 = plugins/blowfish
- at MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE at am__append_25 = plugins/blowfish/libstrongswan-blowfish.la
- at USE_RC2_TRUE@am__append_26 = plugins/rc2
- at MONOLITHIC_TRUE@@USE_RC2_TRUE at am__append_27 = plugins/rc2/libstrongswan-rc2.la
- at USE_MD4_TRUE@am__append_28 = plugins/md4
- at MONOLITHIC_TRUE@@USE_MD4_TRUE at am__append_29 = plugins/md4/libstrongswan-md4.la
- at USE_MD5_TRUE@am__append_30 = plugins/md5
- at MONOLITHIC_TRUE@@USE_MD5_TRUE at am__append_31 = plugins/md5/libstrongswan-md5.la
- at USE_SHA1_TRUE@am__append_32 = plugins/sha1
- at MONOLITHIC_TRUE@@USE_SHA1_TRUE at am__append_33 = plugins/sha1/libstrongswan-sha1.la
- at USE_SHA2_TRUE@am__append_34 = plugins/sha2
- at MONOLITHIC_TRUE@@USE_SHA2_TRUE at am__append_35 = plugins/sha2/libstrongswan-sha2.la
- at USE_SHA3_TRUE@am__append_36 = plugins/sha3
- at MONOLITHIC_TRUE@@USE_SHA3_TRUE at am__append_37 = plugins/sha3/libstrongswan-sha3.la
- at USE_GMP_TRUE@am__append_38 = plugins/gmp
- at MONOLITHIC_TRUE@@USE_GMP_TRUE at am__append_39 = plugins/gmp/libstrongswan-gmp.la
- at USE_RDRAND_TRUE@am__append_40 = plugins/rdrand
- at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_41 = plugins/rdrand/libstrongswan-rdrand.la
- at USE_AESNI_TRUE@am__append_42 = plugins/aesni
- at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_43 = plugins/aesni/libstrongswan-aesni.la
- at USE_RANDOM_TRUE@am__append_44 = plugins/random
- at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_45 = plugins/random/libstrongswan-random.la
- at USE_NONCE_TRUE@am__append_46 = plugins/nonce
- at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_47 = plugins/nonce/libstrongswan-nonce.la
- at USE_HMAC_TRUE@am__append_48 = plugins/hmac
- at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_49 = plugins/hmac/libstrongswan-hmac.la
- at USE_CMAC_TRUE@am__append_50 = plugins/cmac
- at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_51 = plugins/cmac/libstrongswan-cmac.la
- at USE_XCBC_TRUE@am__append_52 = plugins/xcbc
- at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_53 = plugins/xcbc/libstrongswan-xcbc.la
- at USE_X509_TRUE@am__append_54 = plugins/x509
- at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_55 = plugins/x509/libstrongswan-x509.la
- at USE_REVOCATION_TRUE@am__append_56 = plugins/revocation
- at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_57 = plugins/revocation/libstrongswan-revocation.la
- at USE_CONSTRAINTS_TRUE@am__append_58 = plugins/constraints
- at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_59 = plugins/constraints/libstrongswan-constraints.la
- at USE_ACERT_TRUE@am__append_60 = plugins/acert
- at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_61 = plugins/acert/libstrongswan-acert.la
- at USE_PUBKEY_TRUE@am__append_62 = plugins/pubkey
- at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_63 = plugins/pubkey/libstrongswan-pubkey.la
- at USE_PKCS1_TRUE@am__append_64 = plugins/pkcs1
- at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_65 = plugins/pkcs1/libstrongswan-pkcs1.la
- at USE_PKCS7_TRUE@am__append_66 = plugins/pkcs7
- at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_67 = plugins/pkcs7/libstrongswan-pkcs7.la
- at USE_PKCS8_TRUE@am__append_68 = plugins/pkcs8
- at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_69 = plugins/pkcs8/libstrongswan-pkcs8.la
- at USE_PKCS12_TRUE@am__append_70 = plugins/pkcs12
- at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_71 = plugins/pkcs12/libstrongswan-pkcs12.la
- at USE_PGP_TRUE@am__append_72 = plugins/pgp
- at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_73 = plugins/pgp/libstrongswan-pgp.la
- at USE_DNSKEY_TRUE@am__append_74 = plugins/dnskey
- at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_75 = plugins/dnskey/libstrongswan-dnskey.la
- at USE_SSHKEY_TRUE@am__append_76 = plugins/sshkey
- at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_77 = plugins/sshkey/libstrongswan-sshkey.la
- at USE_PEM_TRUE@am__append_78 = plugins/pem
- at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_79 = plugins/pem/libstrongswan-pem.la
- at USE_CURL_TRUE@am__append_80 = plugins/curl
- at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_81 = plugins/curl/libstrongswan-curl.la
- at USE_FILES_TRUE@am__append_82 = plugins/files
- at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_83 = plugins/files/libstrongswan-files.la
- at USE_WINHTTP_TRUE@am__append_84 = plugins/winhttp
- at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_85 = plugins/winhttp/libstrongswan-winhttp.la
- at USE_UNBOUND_TRUE@am__append_86 = plugins/unbound
- at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_87 = plugins/unbound/libstrongswan-unbound.la
- at USE_SOUP_TRUE@am__append_88 = plugins/soup
- at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_89 = plugins/soup/libstrongswan-soup.la
- at USE_LDAP_TRUE@am__append_90 = plugins/ldap
- at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_91 = plugins/ldap/libstrongswan-ldap.la
- at USE_MYSQL_TRUE@am__append_92 = plugins/mysql
- at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_93 = plugins/mysql/libstrongswan-mysql.la
- at USE_SQLITE_TRUE@am__append_94 = plugins/sqlite
- at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_95 = plugins/sqlite/libstrongswan-sqlite.la
- at USE_PADLOCK_TRUE@am__append_96 = plugins/padlock
- at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_97 = plugins/padlock/libstrongswan-padlock.la
- at USE_OPENSSL_TRUE@am__append_98 = plugins/openssl
- at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_99 = plugins/openssl/libstrongswan-openssl.la
- at USE_GCRYPT_TRUE@am__append_100 = plugins/gcrypt
- at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_101 = plugins/gcrypt/libstrongswan-gcrypt.la
- at USE_FIPS_PRF_TRUE@am__append_102 = plugins/fips_prf
- at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_103 = plugins/fips_prf/libstrongswan-fips-prf.la
- at USE_AGENT_TRUE@am__append_104 = plugins/agent
- at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_105 = plugins/agent/libstrongswan-agent.la
- at USE_KEYCHAIN_TRUE@am__append_106 = plugins/keychain
- at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_107 = plugins/keychain/libstrongswan-keychain.la
- at USE_PKCS11_TRUE@am__append_108 = plugins/pkcs11
- at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_109 = plugins/pkcs11/libstrongswan-pkcs11.la
- at USE_CHAPOLY_TRUE@am__append_110 = plugins/chapoly
- at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_111 = plugins/chapoly/libstrongswan-chapoly.la
- at USE_CTR_TRUE@am__append_112 = plugins/ctr
- at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_113 = plugins/ctr/libstrongswan-ctr.la
- at USE_CCM_TRUE@am__append_114 = plugins/ccm
- at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_115 = plugins/ccm/libstrongswan-ccm.la
- at USE_GCM_TRUE@am__append_116 = plugins/gcm
- at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_117 = plugins/gcm/libstrongswan-gcm.la
- at USE_NTRU_TRUE@am__append_118 = plugins/ntru
- at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_119 = plugins/ntru/libstrongswan-ntru.la
- at USE_BLISS_TRUE@am__append_120 = plugins/bliss
- at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_121 = plugins/bliss/libstrongswan-bliss.la
- at USE_TEST_VECTORS_TRUE@am__append_122 = plugins/test_vectors
- at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_123 = plugins/test_vectors/libstrongswan-test-vectors.la
- at USE_BLISS_TRUE@am__append_124 = plugins/bliss/tests
+
+# build libnttfft used by some plugins
+######################################
+ at USE_LIBNTTFFT_TRUE@am__append_18 = math/libnttfft
+
+# build plugins with their own Makefile
+#######################################
+ at USE_AF_ALG_TRUE@am__append_19 = plugins/af_alg
+ at MONOLITHIC_TRUE@@USE_AF_ALG_TRUE at am__append_20 = plugins/af_alg/libstrongswan-af-alg.la
+ at USE_AES_TRUE@am__append_21 = plugins/aes
+ at MONOLITHIC_TRUE@@USE_AES_TRUE at am__append_22 = plugins/aes/libstrongswan-aes.la
+ at USE_DES_TRUE@am__append_23 = plugins/des
+ at MONOLITHIC_TRUE@@USE_DES_TRUE at am__append_24 = plugins/des/libstrongswan-des.la
+ at USE_BLOWFISH_TRUE@am__append_25 = plugins/blowfish
+ at MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE at am__append_26 = plugins/blowfish/libstrongswan-blowfish.la
+ at USE_RC2_TRUE@am__append_27 = plugins/rc2
+ at MONOLITHIC_TRUE@@USE_RC2_TRUE at am__append_28 = plugins/rc2/libstrongswan-rc2.la
+ at USE_MD4_TRUE@am__append_29 = plugins/md4
+ at MONOLITHIC_TRUE@@USE_MD4_TRUE at am__append_30 = plugins/md4/libstrongswan-md4.la
+ at USE_MD5_TRUE@am__append_31 = plugins/md5
+ at MONOLITHIC_TRUE@@USE_MD5_TRUE at am__append_32 = plugins/md5/libstrongswan-md5.la
+ at USE_SHA1_TRUE@am__append_33 = plugins/sha1
+ at MONOLITHIC_TRUE@@USE_SHA1_TRUE at am__append_34 = plugins/sha1/libstrongswan-sha1.la
+ at USE_SHA2_TRUE@am__append_35 = plugins/sha2
+ at MONOLITHIC_TRUE@@USE_SHA2_TRUE at am__append_36 = plugins/sha2/libstrongswan-sha2.la
+ at USE_SHA3_TRUE@am__append_37 = plugins/sha3
+ at MONOLITHIC_TRUE@@USE_SHA3_TRUE at am__append_38 = plugins/sha3/libstrongswan-sha3.la
+ at USE_GMP_TRUE@am__append_39 = plugins/gmp
+ at MONOLITHIC_TRUE@@USE_GMP_TRUE at am__append_40 = plugins/gmp/libstrongswan-gmp.la
+ at USE_RDRAND_TRUE@am__append_41 = plugins/rdrand
+ at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_42 = plugins/rdrand/libstrongswan-rdrand.la
+ at USE_AESNI_TRUE@am__append_43 = plugins/aesni
+ at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_44 = plugins/aesni/libstrongswan-aesni.la
+ at USE_RANDOM_TRUE@am__append_45 = plugins/random
+ at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_46 = plugins/random/libstrongswan-random.la
+ at USE_NONCE_TRUE@am__append_47 = plugins/nonce
+ at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_48 = plugins/nonce/libstrongswan-nonce.la
+ at USE_HMAC_TRUE@am__append_49 = plugins/hmac
+ at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_50 = plugins/hmac/libstrongswan-hmac.la
+ at USE_CMAC_TRUE@am__append_51 = plugins/cmac
+ at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_52 = plugins/cmac/libstrongswan-cmac.la
+ at USE_XCBC_TRUE@am__append_53 = plugins/xcbc
+ at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_54 = plugins/xcbc/libstrongswan-xcbc.la
+ at USE_X509_TRUE@am__append_55 = plugins/x509
+ at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_56 = plugins/x509/libstrongswan-x509.la
+ at USE_REVOCATION_TRUE@am__append_57 = plugins/revocation
+ at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_58 = plugins/revocation/libstrongswan-revocation.la
+ at USE_CONSTRAINTS_TRUE@am__append_59 = plugins/constraints
+ at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_60 = plugins/constraints/libstrongswan-constraints.la
+ at USE_ACERT_TRUE@am__append_61 = plugins/acert
+ at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_62 = plugins/acert/libstrongswan-acert.la
+ at USE_PUBKEY_TRUE@am__append_63 = plugins/pubkey
+ at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_64 = plugins/pubkey/libstrongswan-pubkey.la
+ at USE_PKCS1_TRUE@am__append_65 = plugins/pkcs1
+ at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_66 = plugins/pkcs1/libstrongswan-pkcs1.la
+ at USE_PKCS7_TRUE@am__append_67 = plugins/pkcs7
+ at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_68 = plugins/pkcs7/libstrongswan-pkcs7.la
+ at USE_PKCS8_TRUE@am__append_69 = plugins/pkcs8
+ at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_70 = plugins/pkcs8/libstrongswan-pkcs8.la
+ at USE_PKCS12_TRUE@am__append_71 = plugins/pkcs12
+ at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_72 = plugins/pkcs12/libstrongswan-pkcs12.la
+ at USE_PGP_TRUE@am__append_73 = plugins/pgp
+ at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_74 = plugins/pgp/libstrongswan-pgp.la
+ at USE_DNSKEY_TRUE@am__append_75 = plugins/dnskey
+ at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_76 = plugins/dnskey/libstrongswan-dnskey.la
+ at USE_SSHKEY_TRUE@am__append_77 = plugins/sshkey
+ at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_78 = plugins/sshkey/libstrongswan-sshkey.la
+ at USE_PEM_TRUE@am__append_79 = plugins/pem
+ at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_80 = plugins/pem/libstrongswan-pem.la
+ at USE_CURL_TRUE@am__append_81 = plugins/curl
+ at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_82 = plugins/curl/libstrongswan-curl.la
+ at USE_FILES_TRUE@am__append_83 = plugins/files
+ at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_84 = plugins/files/libstrongswan-files.la
+ at USE_WINHTTP_TRUE@am__append_85 = plugins/winhttp
+ at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_86 = plugins/winhttp/libstrongswan-winhttp.la
+ at USE_UNBOUND_TRUE@am__append_87 = plugins/unbound
+ at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_88 = plugins/unbound/libstrongswan-unbound.la
+ at USE_SOUP_TRUE@am__append_89 = plugins/soup
+ at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_90 = plugins/soup/libstrongswan-soup.la
+ at USE_LDAP_TRUE@am__append_91 = plugins/ldap
+ at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_92 = plugins/ldap/libstrongswan-ldap.la
+ at USE_MYSQL_TRUE@am__append_93 = plugins/mysql
+ at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_94 = plugins/mysql/libstrongswan-mysql.la
+ at USE_SQLITE_TRUE@am__append_95 = plugins/sqlite
+ at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_96 = plugins/sqlite/libstrongswan-sqlite.la
+ at USE_PADLOCK_TRUE@am__append_97 = plugins/padlock
+ at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_98 = plugins/padlock/libstrongswan-padlock.la
+ at USE_OPENSSL_TRUE@am__append_99 = plugins/openssl
+ at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_100 = plugins/openssl/libstrongswan-openssl.la
+ at USE_GCRYPT_TRUE@am__append_101 = plugins/gcrypt
+ at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_102 = plugins/gcrypt/libstrongswan-gcrypt.la
+ at USE_FIPS_PRF_TRUE@am__append_103 = plugins/fips_prf
+ at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_104 = plugins/fips_prf/libstrongswan-fips-prf.la
+ at USE_AGENT_TRUE@am__append_105 = plugins/agent
+ at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_106 = plugins/agent/libstrongswan-agent.la
+ at USE_KEYCHAIN_TRUE@am__append_107 = plugins/keychain
+ at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_108 = plugins/keychain/libstrongswan-keychain.la
+ at USE_PKCS11_TRUE@am__append_109 = plugins/pkcs11
+ at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_110 = plugins/pkcs11/libstrongswan-pkcs11.la
+ at USE_CHAPOLY_TRUE@am__append_111 = plugins/chapoly
+ at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_112 = plugins/chapoly/libstrongswan-chapoly.la
+ at USE_CTR_TRUE@am__append_113 = plugins/ctr
+ at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_114 = plugins/ctr/libstrongswan-ctr.la
+ at USE_CCM_TRUE@am__append_115 = plugins/ccm
+ at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_116 = plugins/ccm/libstrongswan-ccm.la
+ at USE_GCM_TRUE@am__append_117 = plugins/gcm
+ at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_118 = plugins/gcm/libstrongswan-gcm.la
+ at USE_MGF1_TRUE@am__append_119 = plugins/mgf1
+ at MONOLITHIC_TRUE@@USE_MGF1_TRUE at am__append_120 = plugins/mgf1/libstrongswan-mgf1.la
+ at USE_NTRU_TRUE@am__append_121 = plugins/ntru
+ at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_122 = plugins/ntru/libstrongswan-ntru.la
+ at USE_BLISS_TRUE@am__append_123 = plugins/bliss
+ at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_124 = plugins/bliss/libstrongswan-bliss.la
+ at USE_NEWHOPE_TRUE@am__append_125 = plugins/newhope
+ at MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE at am__append_126 = plugins/newhope/libstrongswan-newhope.la
+ at USE_TEST_VECTORS_TRUE@am__append_127 = plugins/test_vectors
+ at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_128 = plugins/test_vectors/libstrongswan-test-vectors.la
+ at USE_LIBNTTFFT_TRUE@am__append_129 = math/libnttfft/tests
+ at USE_BLISS_TRUE@am__append_130 = plugins/bliss/tests
+ at USE_NEWHOPE_TRUE@am__append_131 = plugins/newhope/tests
 subdir = src/libstrongswan
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -289,25 +302,25 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_19) \
-	$(am__append_21) $(am__append_23) $(am__append_25) \
-	$(am__append_27) $(am__append_29) $(am__append_31) \
-	$(am__append_33) $(am__append_35) $(am__append_37) \
-	$(am__append_39) $(am__append_41) $(am__append_43) \
-	$(am__append_45) $(am__append_47) $(am__append_49) \
-	$(am__append_51) $(am__append_53) $(am__append_55) \
-	$(am__append_57) $(am__append_59) $(am__append_61) \
-	$(am__append_63) $(am__append_65) $(am__append_67) \
-	$(am__append_69) $(am__append_71) $(am__append_73) \
-	$(am__append_75) $(am__append_77) $(am__append_79) \
-	$(am__append_81) $(am__append_83) $(am__append_85) \
-	$(am__append_87) $(am__append_89) $(am__append_91) \
-	$(am__append_93) $(am__append_95) $(am__append_97) \
-	$(am__append_99) $(am__append_101) $(am__append_103) \
-	$(am__append_105) $(am__append_107) $(am__append_109) \
-	$(am__append_111) $(am__append_113) $(am__append_115) \
-	$(am__append_117) $(am__append_119) $(am__append_121) \
-	$(am__append_123)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_20) \
+	$(am__append_22) $(am__append_24) $(am__append_26) \
+	$(am__append_28) $(am__append_30) $(am__append_32) \
+	$(am__append_34) $(am__append_36) $(am__append_38) \
+	$(am__append_40) $(am__append_42) $(am__append_44) \
+	$(am__append_46) $(am__append_48) $(am__append_50) \
+	$(am__append_52) $(am__append_54) $(am__append_56) \
+	$(am__append_58) $(am__append_60) $(am__append_62) \
+	$(am__append_64) $(am__append_66) $(am__append_68) \
+	$(am__append_70) $(am__append_72) $(am__append_74) \
+	$(am__append_76) $(am__append_78) $(am__append_80) \
+	$(am__append_82) $(am__append_84) $(am__append_86) \
+	$(am__append_88) $(am__append_90) $(am__append_92) \
+	$(am__append_94) $(am__append_96) $(am__append_98) \
+	$(am__append_100) $(am__append_102) $(am__append_104) \
+	$(am__append_106) $(am__append_108) $(am__append_110) \
+	$(am__append_112) $(am__append_114) $(am__append_116) \
+	$(am__append_118) $(am__append_120) $(am__append_122) \
+	$(am__append_124) $(am__append_126) $(am__append_128)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -323,7 +336,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
 	crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \
 	crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \
-	crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
+	crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
 	credentials/credential_factory.c credentials/builder.c \
 	credentials/cred_encoding.c credentials/keys/private_key.c \
 	credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -409,8 +422,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	crypto/crypto_tester.lo crypto/diffie_hellman.lo \
 	crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen.lo \
 	crypto/iv/iv_gen_rand.lo crypto/iv/iv_gen_seq.lo \
-	crypto/iv/iv_gen_null.lo crypto/mgf1/mgf1.lo \
-	crypto/mgf1/mgf1_bitspender.lo \
+	crypto/iv/iv_gen_null.lo crypto/xofs/xof.lo \
+	crypto/xofs/xof_bitspender.lo \
 	credentials/credential_factory.lo credentials/builder.lo \
 	credentials/cred_encoding.lo credentials/keys/private_key.lo \
 	credentials/keys/public_key.lo credentials/keys/shared_key.lo \
@@ -539,11 +552,11 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \
 	crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 	crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
-	crypto/iv/iv_gen_null.h crypto/mgf1/mgf1.h \
-	crypto/mgf1/mgf1_bitspender.h credentials/credential_factory.h \
-	credentials/builder.h credentials/cred_encoding.h \
-	credentials/keys/private_key.h credentials/keys/public_key.h \
-	credentials/keys/shared_key.h \
+	crypto/iv/iv_gen_null.h crypto/xofs/xof.h \
+	crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \
+	credentials/credential_factory.h credentials/builder.h \
+	credentials/cred_encoding.h credentials/keys/private_key.h \
+	credentials/keys/public_key.h credentials/keys/shared_key.h \
 	credentials/certificates/certificate.h \
 	credentials/certificates/x509.h credentials/certificates/ac.h \
 	credentials/certificates/crl.h \
@@ -625,7 +638,7 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
+DIST_SUBDIRS = . math/libnttfft plugins/af_alg plugins/aes plugins/des \
 	plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \
 	plugins/sha1 plugins/sha2 plugins/sha3 plugins/gmp \
 	plugins/rdrand plugins/aesni plugins/random plugins/nonce \
@@ -638,8 +651,9 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
 	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
 	plugins/chapoly plugins/ctr plugins/ccm plugins/gcm \
-	plugins/ntru plugins/bliss plugins/test_vectors tests \
-	plugins/bliss/tests
+	plugins/mgf1 plugins/ntru plugins/bliss plugins/newhope \
+	plugins/test_vectors tests math/libnttfft/tests \
+	plugins/bliss/tests plugins/newhope/tests
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \
 	$(top_srcdir)/ylwrap settings/settings_lexer.c \
 	settings/settings_parser.c settings/settings_parser.h
@@ -808,7 +822,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -842,8 +855,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -897,6 +908,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -915,7 +928,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
 	crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \
 	crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \
-	crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
+	crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
 	credentials/credential_factory.c credentials/builder.c \
 	credentials/cred_encoding.c credentials/keys/private_key.c \
 	credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -976,7 +989,7 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE at crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 @USE_DEV_HEADERS_TRUE at crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 @USE_DEV_HEADERS_TRUE at crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \
- at USE_DEV_HEADERS_TRUE@crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
+ at USE_DEV_HEADERS_TRUE@crypto/xofs/xof.h crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \
 @USE_DEV_HEADERS_TRUE at credentials/credential_factory.h credentials/builder.h \
 @USE_DEV_HEADERS_TRUE at credentials/cred_encoding.h credentials/keys/private_key.h \
 @USE_DEV_HEADERS_TRUE at credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -1021,25 +1034,25 @@ settings/settings_types.h
 libstrongswan_la_LIBADD = $(DLLIB) $(ATOMICLIB) $(BTLIB) $(SOCKLIB) \
 	$(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_2) \
 	$(am__append_4) $(am__append_5) $(am__append_13) \
-	$(am__append_15) $(am__append_17) $(am__append_19) \
-	$(am__append_21) $(am__append_23) $(am__append_25) \
-	$(am__append_27) $(am__append_29) $(am__append_31) \
-	$(am__append_33) $(am__append_35) $(am__append_37) \
-	$(am__append_39) $(am__append_41) $(am__append_43) \
-	$(am__append_45) $(am__append_47) $(am__append_49) \
-	$(am__append_51) $(am__append_53) $(am__append_55) \
-	$(am__append_57) $(am__append_59) $(am__append_61) \
-	$(am__append_63) $(am__append_65) $(am__append_67) \
-	$(am__append_69) $(am__append_71) $(am__append_73) \
-	$(am__append_75) $(am__append_77) $(am__append_79) \
-	$(am__append_81) $(am__append_83) $(am__append_85) \
-	$(am__append_87) $(am__append_89) $(am__append_91) \
-	$(am__append_93) $(am__append_95) $(am__append_97) \
-	$(am__append_99) $(am__append_101) $(am__append_103) \
-	$(am__append_105) $(am__append_107) $(am__append_109) \
-	$(am__append_111) $(am__append_113) $(am__append_115) \
-	$(am__append_117) $(am__append_119) $(am__append_121) \
-	$(am__append_123)
+	$(am__append_15) $(am__append_17) $(am__append_20) \
+	$(am__append_22) $(am__append_24) $(am__append_26) \
+	$(am__append_28) $(am__append_30) $(am__append_32) \
+	$(am__append_34) $(am__append_36) $(am__append_38) \
+	$(am__append_40) $(am__append_42) $(am__append_44) \
+	$(am__append_46) $(am__append_48) $(am__append_50) \
+	$(am__append_52) $(am__append_54) $(am__append_56) \
+	$(am__append_58) $(am__append_60) $(am__append_62) \
+	$(am__append_64) $(am__append_66) $(am__append_68) \
+	$(am__append_70) $(am__append_72) $(am__append_74) \
+	$(am__append_76) $(am__append_78) $(am__append_80) \
+	$(am__append_82) $(am__append_84) $(am__append_86) \
+	$(am__append_88) $(am__append_90) $(am__append_92) \
+	$(am__append_94) $(am__append_96) $(am__append_98) \
+	$(am__append_100) $(am__append_102) $(am__append_104) \
+	$(am__append_106) $(am__append_108) $(am__append_110) \
+	$(am__append_112) $(am__append_114) $(am__append_116) \
+	$(am__append_118) $(am__append_120) $(am__append_122) \
+	$(am__append_124) $(am__append_126) $(am__append_128)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -1066,63 +1079,72 @@ MAINTAINERCLEANFILES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
 $(srcdir)/crypto/proposal/proposal_keywords_static.c
 
- at MONOLITHIC_FALSE@SUBDIRS = . $(am__append_18) $(am__append_20) \
- at MONOLITHIC_FALSE@	$(am__append_22) $(am__append_24) \
- at MONOLITHIC_FALSE@	$(am__append_26) $(am__append_28) \
- at MONOLITHIC_FALSE@	$(am__append_30) $(am__append_32) \
- at MONOLITHIC_FALSE@	$(am__append_34) $(am__append_36) \
- at MONOLITHIC_FALSE@	$(am__append_38) $(am__append_40) \
- at MONOLITHIC_FALSE@	$(am__append_42) $(am__append_44) \
- at MONOLITHIC_FALSE@	$(am__append_46) $(am__append_48) \
- at MONOLITHIC_FALSE@	$(am__append_50) $(am__append_52) \
- at MONOLITHIC_FALSE@	$(am__append_54) $(am__append_56) \
- at MONOLITHIC_FALSE@	$(am__append_58) $(am__append_60) \
- at MONOLITHIC_FALSE@	$(am__append_62) $(am__append_64) \
- at MONOLITHIC_FALSE@	$(am__append_66) $(am__append_68) \
- at MONOLITHIC_FALSE@	$(am__append_70) $(am__append_72) \
- at MONOLITHIC_FALSE@	$(am__append_74) $(am__append_76) \
- at MONOLITHIC_FALSE@	$(am__append_78) $(am__append_80) \
- at MONOLITHIC_FALSE@	$(am__append_82) $(am__append_84) \
- at MONOLITHIC_FALSE@	$(am__append_86) $(am__append_88) \
- at MONOLITHIC_FALSE@	$(am__append_90) $(am__append_92) \
- at MONOLITHIC_FALSE@	$(am__append_94) $(am__append_96) \
- at MONOLITHIC_FALSE@	$(am__append_98) $(am__append_100) \
- at MONOLITHIC_FALSE@	$(am__append_102) $(am__append_104) \
- at MONOLITHIC_FALSE@	$(am__append_106) $(am__append_108) \
- at MONOLITHIC_FALSE@	$(am__append_110) $(am__append_112) \
- at MONOLITHIC_FALSE@	$(am__append_114) $(am__append_116) \
- at MONOLITHIC_FALSE@	$(am__append_118) $(am__append_120) \
- at MONOLITHIC_FALSE@	$(am__append_122) tests $(am__append_124)
 
-# build plugins with their own Makefile
-#######################################
- at MONOLITHIC_TRUE@SUBDIRS = $(am__append_18) $(am__append_20) \
- at MONOLITHIC_TRUE@	$(am__append_22) $(am__append_24) \
- at MONOLITHIC_TRUE@	$(am__append_26) $(am__append_28) \
- at MONOLITHIC_TRUE@	$(am__append_30) $(am__append_32) \
- at MONOLITHIC_TRUE@	$(am__append_34) $(am__append_36) \
- at MONOLITHIC_TRUE@	$(am__append_38) $(am__append_40) \
- at MONOLITHIC_TRUE@	$(am__append_42) $(am__append_44) \
- at MONOLITHIC_TRUE@	$(am__append_46) $(am__append_48) \
- at MONOLITHIC_TRUE@	$(am__append_50) $(am__append_52) \
- at MONOLITHIC_TRUE@	$(am__append_54) $(am__append_56) \
- at MONOLITHIC_TRUE@	$(am__append_58) $(am__append_60) \
- at MONOLITHIC_TRUE@	$(am__append_62) $(am__append_64) \
- at MONOLITHIC_TRUE@	$(am__append_66) $(am__append_68) \
- at MONOLITHIC_TRUE@	$(am__append_70) $(am__append_72) \
- at MONOLITHIC_TRUE@	$(am__append_74) $(am__append_76) \
- at MONOLITHIC_TRUE@	$(am__append_78) $(am__append_80) \
- at MONOLITHIC_TRUE@	$(am__append_82) $(am__append_84) \
- at MONOLITHIC_TRUE@	$(am__append_86) $(am__append_88) \
- at MONOLITHIC_TRUE@	$(am__append_90) $(am__append_92) \
- at MONOLITHIC_TRUE@	$(am__append_94) $(am__append_96) \
- at MONOLITHIC_TRUE@	$(am__append_98) $(am__append_100) \
- at MONOLITHIC_TRUE@	$(am__append_102) $(am__append_104) \
- at MONOLITHIC_TRUE@	$(am__append_106) $(am__append_108) \
- at MONOLITHIC_TRUE@	$(am__append_110) $(am__append_112) \
- at MONOLITHIC_TRUE@	$(am__append_114) $(am__append_116) \
- at MONOLITHIC_TRUE@	$(am__append_118) $(am__append_120) \
- at MONOLITHIC_TRUE@	$(am__append_122) . tests $(am__append_124)
+# build unit tests
+##################
+ at MONOLITHIC_FALSE@SUBDIRS = . $(am__append_18) $(am__append_19) \
+ at MONOLITHIC_FALSE@	$(am__append_21) $(am__append_23) \
+ at MONOLITHIC_FALSE@	$(am__append_25) $(am__append_27) \
+ at MONOLITHIC_FALSE@	$(am__append_29) $(am__append_31) \
+ at MONOLITHIC_FALSE@	$(am__append_33) $(am__append_35) \
+ at MONOLITHIC_FALSE@	$(am__append_37) $(am__append_39) \
+ at MONOLITHIC_FALSE@	$(am__append_41) $(am__append_43) \
+ at MONOLITHIC_FALSE@	$(am__append_45) $(am__append_47) \
+ at MONOLITHIC_FALSE@	$(am__append_49) $(am__append_51) \
+ at MONOLITHIC_FALSE@	$(am__append_53) $(am__append_55) \
+ at MONOLITHIC_FALSE@	$(am__append_57) $(am__append_59) \
+ at MONOLITHIC_FALSE@	$(am__append_61) $(am__append_63) \
+ at MONOLITHIC_FALSE@	$(am__append_65) $(am__append_67) \
+ at MONOLITHIC_FALSE@	$(am__append_69) $(am__append_71) \
+ at MONOLITHIC_FALSE@	$(am__append_73) $(am__append_75) \
+ at MONOLITHIC_FALSE@	$(am__append_77) $(am__append_79) \
+ at MONOLITHIC_FALSE@	$(am__append_81) $(am__append_83) \
+ at MONOLITHIC_FALSE@	$(am__append_85) $(am__append_87) \
+ at MONOLITHIC_FALSE@	$(am__append_89) $(am__append_91) \
+ at MONOLITHIC_FALSE@	$(am__append_93) $(am__append_95) \
+ at MONOLITHIC_FALSE@	$(am__append_97) $(am__append_99) \
+ at MONOLITHIC_FALSE@	$(am__append_101) $(am__append_103) \
+ at MONOLITHIC_FALSE@	$(am__append_105) $(am__append_107) \
+ at MONOLITHIC_FALSE@	$(am__append_109) $(am__append_111) \
+ at MONOLITHIC_FALSE@	$(am__append_113) $(am__append_115) \
+ at MONOLITHIC_FALSE@	$(am__append_117) $(am__append_119) \
+ at MONOLITHIC_FALSE@	$(am__append_121) $(am__append_123) \
+ at MONOLITHIC_FALSE@	$(am__append_125) $(am__append_127) tests \
+ at MONOLITHIC_FALSE@	$(am__append_129) $(am__append_130) \
+ at MONOLITHIC_FALSE@	$(am__append_131)
+
+# build unit tests
+##################
+ at MONOLITHIC_TRUE@SUBDIRS = $(am__append_18) $(am__append_19) \
+ at MONOLITHIC_TRUE@	$(am__append_21) $(am__append_23) \
+ at MONOLITHIC_TRUE@	$(am__append_25) $(am__append_27) \
+ at MONOLITHIC_TRUE@	$(am__append_29) $(am__append_31) \
+ at MONOLITHIC_TRUE@	$(am__append_33) $(am__append_35) \
+ at MONOLITHIC_TRUE@	$(am__append_37) $(am__append_39) \
+ at MONOLITHIC_TRUE@	$(am__append_41) $(am__append_43) \
+ at MONOLITHIC_TRUE@	$(am__append_45) $(am__append_47) \
+ at MONOLITHIC_TRUE@	$(am__append_49) $(am__append_51) \
+ at MONOLITHIC_TRUE@	$(am__append_53) $(am__append_55) \
+ at MONOLITHIC_TRUE@	$(am__append_57) $(am__append_59) \
+ at MONOLITHIC_TRUE@	$(am__append_61) $(am__append_63) \
+ at MONOLITHIC_TRUE@	$(am__append_65) $(am__append_67) \
+ at MONOLITHIC_TRUE@	$(am__append_69) $(am__append_71) \
+ at MONOLITHIC_TRUE@	$(am__append_73) $(am__append_75) \
+ at MONOLITHIC_TRUE@	$(am__append_77) $(am__append_79) \
+ at MONOLITHIC_TRUE@	$(am__append_81) $(am__append_83) \
+ at MONOLITHIC_TRUE@	$(am__append_85) $(am__append_87) \
+ at MONOLITHIC_TRUE@	$(am__append_89) $(am__append_91) \
+ at MONOLITHIC_TRUE@	$(am__append_93) $(am__append_95) \
+ at MONOLITHIC_TRUE@	$(am__append_97) $(am__append_99) \
+ at MONOLITHIC_TRUE@	$(am__append_101) $(am__append_103) \
+ at MONOLITHIC_TRUE@	$(am__append_105) $(am__append_107) \
+ at MONOLITHIC_TRUE@	$(am__append_109) $(am__append_111) \
+ at MONOLITHIC_TRUE@	$(am__append_113) $(am__append_115) \
+ at MONOLITHIC_TRUE@	$(am__append_117) $(am__append_119) \
+ at MONOLITHIC_TRUE@	$(am__append_121) $(am__append_123) \
+ at MONOLITHIC_TRUE@	$(am__append_125) $(am__append_127) . tests \
+ at MONOLITHIC_TRUE@	$(am__append_129) $(am__append_130) \
+ at MONOLITHIC_TRUE@	$(am__append_131)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -1317,16 +1339,16 @@ crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \
 	crypto/iv/$(DEPDIR)/$(am__dirstamp)
 crypto/iv/iv_gen_null.lo: crypto/iv/$(am__dirstamp) \
 	crypto/iv/$(DEPDIR)/$(am__dirstamp)
-crypto/mgf1/$(am__dirstamp):
-	@$(MKDIR_P) crypto/mgf1
-	@: > crypto/mgf1/$(am__dirstamp)
-crypto/mgf1/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) crypto/mgf1/$(DEPDIR)
-	@: > crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
-crypto/mgf1/mgf1.lo: crypto/mgf1/$(am__dirstamp) \
-	crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
-crypto/mgf1/mgf1_bitspender.lo: crypto/mgf1/$(am__dirstamp) \
-	crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+crypto/xofs/$(am__dirstamp):
+	@$(MKDIR_P) crypto/xofs
+	@: > crypto/xofs/$(am__dirstamp)
+crypto/xofs/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) crypto/xofs/$(DEPDIR)
+	@: > crypto/xofs/$(DEPDIR)/$(am__dirstamp)
+crypto/xofs/xof.lo: crypto/xofs/$(am__dirstamp) \
+	crypto/xofs/$(DEPDIR)/$(am__dirstamp)
+crypto/xofs/xof_bitspender.lo: crypto/xofs/$(am__dirstamp) \
+	crypto/xofs/$(DEPDIR)/$(am__dirstamp)
 credentials/$(am__dirstamp):
 	@$(MKDIR_P) credentials
 	@: > credentials/$(am__dirstamp)
@@ -1697,8 +1719,6 @@ mostlyclean-compile:
 	-rm -f crypto/hashers/*.lo
 	-rm -f crypto/iv/*.$(OBJEXT)
 	-rm -f crypto/iv/*.lo
-	-rm -f crypto/mgf1/*.$(OBJEXT)
-	-rm -f crypto/mgf1/*.lo
 	-rm -f crypto/prfs/*.$(OBJEXT)
 	-rm -f crypto/prfs/*.lo
 	-rm -f crypto/proposal/*.$(OBJEXT)
@@ -1707,6 +1727,8 @@ mostlyclean-compile:
 	-rm -f crypto/rngs/*.lo
 	-rm -f crypto/signers/*.$(OBJEXT)
 	-rm -f crypto/signers/*.lo
+	-rm -f crypto/xofs/*.$(OBJEXT)
+	-rm -f crypto/xofs/*.lo
 	-rm -f database/*.$(OBJEXT)
 	-rm -f database/*.lo
 	-rm -f eap/*.$(OBJEXT)
@@ -1794,8 +1816,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen_null.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen_rand.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen_seq.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at crypto/mgf1/$(DEPDIR)/mgf1.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at crypto/mgf1/$(DEPDIR)/mgf1_bitspender.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/prfs/$(DEPDIR)/mac_prf.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/prfs/$(DEPDIR)/prf.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/proposal/$(DEPDIR)/proposal_keywords.Plo at am__quote@
@@ -1803,6 +1823,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/rngs/$(DEPDIR)/rng.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/signers/$(DEPDIR)/mac_signer.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/signers/$(DEPDIR)/signer.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at crypto/xofs/$(DEPDIR)/xof.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at crypto/xofs/$(DEPDIR)/xof_bitspender.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at database/$(DEPDIR)/database.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at database/$(DEPDIR)/database_factory.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at eap/$(DEPDIR)/eap.Plo at am__quote@
@@ -1923,11 +1945,11 @@ clean-libtool:
 	-rm -rf crypto/crypters/.libs crypto/crypters/_libs
 	-rm -rf crypto/hashers/.libs crypto/hashers/_libs
 	-rm -rf crypto/iv/.libs crypto/iv/_libs
-	-rm -rf crypto/mgf1/.libs crypto/mgf1/_libs
 	-rm -rf crypto/prfs/.libs crypto/prfs/_libs
 	-rm -rf crypto/proposal/.libs crypto/proposal/_libs
 	-rm -rf crypto/rngs/.libs crypto/rngs/_libs
 	-rm -rf crypto/signers/.libs crypto/signers/_libs
+	-rm -rf crypto/xofs/.libs crypto/xofs/_libs
 	-rm -rf database/.libs database/_libs
 	-rm -rf eap/.libs eap/_libs
 	-rm -rf fetcher/.libs fetcher/_libs
@@ -2186,8 +2208,6 @@ distclean-generic:
 	-rm -f crypto/hashers/$(am__dirstamp)
 	-rm -f crypto/iv/$(DEPDIR)/$(am__dirstamp)
 	-rm -f crypto/iv/$(am__dirstamp)
-	-rm -f crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
-	-rm -f crypto/mgf1/$(am__dirstamp)
 	-rm -f crypto/prfs/$(DEPDIR)/$(am__dirstamp)
 	-rm -f crypto/prfs/$(am__dirstamp)
 	-rm -f crypto/proposal/$(DEPDIR)/$(am__dirstamp)
@@ -2196,6 +2216,8 @@ distclean-generic:
 	-rm -f crypto/rngs/$(am__dirstamp)
 	-rm -f crypto/signers/$(DEPDIR)/$(am__dirstamp)
 	-rm -f crypto/signers/$(am__dirstamp)
+	-rm -f crypto/xofs/$(DEPDIR)/$(am__dirstamp)
+	-rm -f crypto/xofs/$(am__dirstamp)
 	-rm -f database/$(DEPDIR)/$(am__dirstamp)
 	-rm -f database/$(am__dirstamp)
 	-rm -f eap/$(DEPDIR)/$(am__dirstamp)
@@ -2249,7 +2271,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) netw [...]
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) crypto/xofs/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) netw [...]
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -2296,7 +2318,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) netw [...]
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) crypto/xofs/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) netw [...]
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index c23746e..4017444 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,484 +10,493 @@
 #include "oid.h"
 
 const oid_t oid_names[] = {
- {0x02,                         7, 1,  0, "ITU-T Administration"           }, /*   0 */
- {  0x82,                       0, 1,  1, ""                               }, /*   1 */
- {    0x06,                     0, 1,  2, "Germany ITU-T member"           }, /*   2 */
- {      0x01,                   0, 1,  3, "Deutsche Telekom AG"            }, /*   3 */
- {        0x0A,                 0, 1,  4, ""                               }, /*   4 */
- {          0x07,               0, 1,  5, ""                               }, /*   5 */
- {            0x14,             0, 0,  6, "ND"                             }, /*   6 */
- {0x09,                        18, 1,  0, "data"                           }, /*   7 */
- {  0x92,                       0, 1,  1, ""                               }, /*   8 */
- {    0x26,                     0, 1,  2, ""                               }, /*   9 */
- {      0x89,                   0, 1,  3, ""                               }, /*  10 */
- {        0x93,                 0, 1,  4, ""                               }, /*  11 */
- {          0xF2,               0, 1,  5, ""                               }, /*  12 */
- {            0x2C,             0, 1,  6, ""                               }, /*  13 */
- {              0x64,           0, 1,  7, "pilot"                          }, /*  14 */
- {                0x01,         0, 1,  8, "pilotAttributeType"             }, /*  15 */
- {                  0x01,      17, 0,  9, "UID"                            }, /*  16 */
- {                  0x19,       0, 0,  9, "DC"                             }, /*  17 */
- {0x55,                        67, 1,  0, "X.500"                          }, /*  18 */
- {  0x04,                      39, 1,  1, "X.509"                          }, /*  19 */
- {    0x03,                    21, 0,  2, "CN"                             }, /*  20 */
- {    0x04,                    22, 0,  2, "S"                              }, /*  21 */
- {    0x05,                    23, 0,  2, "SN"                             }, /*  22 */
- {    0x06,                    24, 0,  2, "C"                              }, /*  23 */
- {    0x07,                    25, 0,  2, "L"                              }, /*  24 */
- {    0x08,                    26, 0,  2, "ST"                             }, /*  25 */
- {    0x0A,                    27, 0,  2, "O"                              }, /*  26 */
- {    0x0B,                    28, 0,  2, "OU"                             }, /*  27 */
- {    0x0C,                    29, 0,  2, "T"                              }, /*  28 */
- {    0x0D,                    30, 0,  2, "D"                              }, /*  29 */
- {    0x24,                    31, 0,  2, "userCertificate"                }, /*  30 */
- {    0x29,                    32, 0,  2, "N"                              }, /*  31 */
- {    0x2A,                    33, 0,  2, "G"                              }, /*  32 */
- {    0x2B,                    34, 0,  2, "I"                              }, /*  33 */
- {    0x2D,                    35, 0,  2, "ID"                             }, /*  34 */
- {    0x2E,                    36, 0,  2, "dnQualifier"                    }, /*  35 */
- {    0x36,                    37, 0,  2, "dmdName"                        }, /*  36 */
- {    0x41,                    38, 0,  2, "pseudonym"                      }, /*  37 */
- {    0x48,                     0, 0,  2, "role"                           }, /*  38 */
- {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  39 */
- {    0x09,                    41, 0,  2, "subjectDirectoryAttrs"          }, /*  40 */
- {    0x0E,                    42, 0,  2, "subjectKeyIdentifier"           }, /*  41 */
- {    0x0F,                    43, 0,  2, "keyUsage"                       }, /*  42 */
- {    0x10,                    44, 0,  2, "privateKeyUsagePeriod"          }, /*  43 */
- {    0x11,                    45, 0,  2, "subjectAltName"                 }, /*  44 */
- {    0x12,                    46, 0,  2, "issuerAltName"                  }, /*  45 */
- {    0x13,                    47, 0,  2, "basicConstraints"               }, /*  46 */
- {    0x14,                    48, 0,  2, "crlNumber"                      }, /*  47 */
- {    0x15,                    49, 0,  2, "reasonCode"                     }, /*  48 */
- {    0x17,                    50, 0,  2, "holdInstructionCode"            }, /*  49 */
- {    0x18,                    51, 0,  2, "invalidityDate"                 }, /*  50 */
- {    0x1B,                    52, 0,  2, "deltaCrlIndicator"              }, /*  51 */
- {    0x1C,                    53, 0,  2, "issuingDistributionPoint"       }, /*  52 */
- {    0x1D,                    54, 0,  2, "certificateIssuer"              }, /*  53 */
- {    0x1E,                    55, 0,  2, "nameConstraints"                }, /*  54 */
- {    0x1F,                    56, 0,  2, "crlDistributionPoints"          }, /*  55 */
- {    0x20,                    58, 1,  2, "certificatePolicies"            }, /*  56 */
- {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  57 */
- {    0x21,                    59, 0,  2, "policyMappings"                 }, /*  58 */
- {    0x23,                    60, 0,  2, "authorityKeyIdentifier"         }, /*  59 */
- {    0x24,                    61, 0,  2, "policyConstraints"              }, /*  60 */
- {    0x25,                    63, 1,  2, "extendedKeyUsage"               }, /*  61 */
- {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  62 */
- {    0x2E,                    64, 0,  2, "freshestCRL"                    }, /*  63 */
- {    0x36,                    65, 0,  2, "inhibitAnyPolicy"               }, /*  64 */
- {    0x37,                    66, 0,  2, "targetInformation"              }, /*  65 */
- {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  66 */
- {0x2A,                       191, 1,  0, ""                               }, /*  67 */
- {  0x83,                      80, 1,  1, ""                               }, /*  68 */
- {    0x08,                     0, 1,  2, "jp"                             }, /*  69 */
- {      0x8C,                   0, 1,  3, ""                               }, /*  70 */
- {        0x9A,                 0, 1,  4, ""                               }, /*  71 */
- {          0x4B,               0, 1,  5, ""                               }, /*  72 */
- {            0x3D,             0, 1,  6, ""                               }, /*  73 */
- {              0x01,           0, 1,  7, "security"                       }, /*  74 */
- {                0x01,         0, 1,  8, "algorithm"                      }, /*  75 */
- {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  76 */
- {                    0x02,    78, 0, 10, "camellia128-cbc"                }, /*  77 */
- {                    0x03,    79, 0, 10, "camellia192-cbc"                }, /*  78 */
- {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  79 */
- {  0x86,                       0, 1,  1, ""                               }, /*  80 */
- {    0x48,                     0, 1,  2, "us"                             }, /*  81 */
- {      0x86,                 150, 1,  3, ""                               }, /*  82 */
- {        0xF6,                88, 1,  4, ""                               }, /*  83 */
- {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  84 */
- {            0x07,             0, 1,  6, "Entrust"                        }, /*  85 */
- {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  86 */
- {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  87 */
- {        0xF7,                 0, 1,  4, ""                               }, /*  88 */
- {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  89 */
- {            0x01,           145, 1,  6, "PKCS"                           }, /*  90 */
- {              0x01,         103, 1,  7, "PKCS-1"                         }, /*  91 */
- {                0x01,        93, 0,  8, "rsaEncryption"                  }, /*  92 */
- {                0x02,        94, 0,  8, "md2WithRSAEncryption"           }, /*  93 */
- {                0x04,        95, 0,  8, "md5WithRSAEncryption"           }, /*  94 */
- {                0x05,        96, 0,  8, "sha-1WithRSAEncryption"         }, /*  95 */
- {                0x07,        97, 0,  8, "id-RSAES-OAEP"                  }, /*  96 */
- {                0x08,        98, 0,  8, "id-mgf1"                        }, /*  97 */
- {                0x09,        99, 0,  8, "id-pSpecified"                  }, /*  98 */
- {                0x0B,       100, 0,  8, "sha256WithRSAEncryption"        }, /*  99 */
- {                0x0C,       101, 0,  8, "sha384WithRSAEncryption"        }, /* 100 */
- {                0x0D,       102, 0,  8, "sha512WithRSAEncryption"        }, /* 101 */
- {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /* 102 */
- {              0x05,         108, 1,  7, "PKCS-5"                         }, /* 103 */
- {                0x03,       105, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 104 */
- {                0x0A,       106, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 105 */
- {                0x0C,       107, 0,  8, "id-PBKDF2"                      }, /* 106 */
- {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 107 */
- {              0x07,         115, 1,  7, "PKCS-7"                         }, /* 108 */
- {                0x01,       110, 0,  8, "data"                           }, /* 109 */
- {                0x02,       111, 0,  8, "signedData"                     }, /* 110 */
- {                0x03,       112, 0,  8, "envelopedData"                  }, /* 111 */
- {                0x04,       113, 0,  8, "signedAndEnvelopedData"         }, /* 112 */
- {                0x05,       114, 0,  8, "digestedData"                   }, /* 113 */
- {                0x06,         0, 0,  8, "encryptedData"                  }, /* 114 */
- {              0x09,         129, 1,  7, "PKCS-9"                         }, /* 115 */
- {                0x01,       117, 0,  8, "E"                              }, /* 116 */
- {                0x02,       118, 0,  8, "unstructuredName"               }, /* 117 */
- {                0x03,       119, 0,  8, "contentType"                    }, /* 118 */
- {                0x04,       120, 0,  8, "messageDigest"                  }, /* 119 */
- {                0x05,       121, 0,  8, "signingTime"                    }, /* 120 */
- {                0x06,       122, 0,  8, "counterSignature"               }, /* 121 */
- {                0x07,       123, 0,  8, "challengePassword"              }, /* 122 */
- {                0x08,       124, 0,  8, "unstructuredAddress"            }, /* 123 */
- {                0x0E,       125, 0,  8, "extensionRequest"               }, /* 124 */
- {                0x0F,       126, 0,  8, "S/MIME Capabilities"            }, /* 125 */
- {                0x16,         0, 1,  8, "certTypes"                      }, /* 126 */
- {                  0x01,     128, 0,  9, "X.509"                          }, /* 127 */
- {                  0x02,       0, 0,  9, "SDSI"                           }, /* 128 */
- {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 129 */
- {                0x01,       137, 1,  8, "pbeIds"                         }, /* 130 */
- {                  0x01,     132, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 131 */
- {                  0x02,     133, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 132 */
- {                  0x03,     134, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 133 */
- {                  0x04,     135, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 134 */
- {                  0x05,     136, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 135 */
- {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 136 */
- {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 137 */
- {                  0x01,       0, 1,  9, "bagIds"                         }, /* 138 */
- {                    0x01,   140, 0, 10, "keyBag"                         }, /* 139 */
- {                    0x02,   141, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 140 */
- {                    0x03,   142, 0, 10, "certBag"                        }, /* 141 */
- {                    0x04,   143, 0, 10, "crlBag"                         }, /* 142 */
- {                    0x05,   144, 0, 10, "secretBag"                      }, /* 143 */
- {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 144 */
- {            0x02,           148, 1,  6, "digestAlgorithm"                }, /* 145 */
- {              0x02,         147, 0,  7, "md2"                            }, /* 146 */
- {              0x05,           0, 0,  7, "md5"                            }, /* 147 */
- {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 148 */
- {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 149 */
- {      0xCE,                   0, 1,  3, ""                               }, /* 150 */
- {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 151 */
- {          0x02,             154, 1,  5, "id-publicKeyType"               }, /* 152 */
- {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 153 */
- {          0x03,             184, 1,  5, "ellipticCurve"                  }, /* 154 */
- {            0x00,           176, 1,  6, "c-TwoCurve"                     }, /* 155 */
- {              0x01,         157, 0,  7, "c2pnb163v1"                     }, /* 156 */
- {              0x02,         158, 0,  7, "c2pnb163v2"                     }, /* 157 */
- {              0x03,         159, 0,  7, "c2pnb163v3"                     }, /* 158 */
- {              0x04,         160, 0,  7, "c2pnb176w1"                     }, /* 159 */
- {              0x05,         161, 0,  7, "c2tnb191v1"                     }, /* 160 */
- {              0x06,         162, 0,  7, "c2tnb191v2"                     }, /* 161 */
- {              0x07,         163, 0,  7, "c2tnb191v3"                     }, /* 162 */
- {              0x08,         164, 0,  7, "c2onb191v4"                     }, /* 163 */
- {              0x09,         165, 0,  7, "c2onb191v5"                     }, /* 164 */
- {              0x0A,         166, 0,  7, "c2pnb208w1"                     }, /* 165 */
- {              0x0B,         167, 0,  7, "c2tnb239v1"                     }, /* 166 */
- {              0x0C,         168, 0,  7, "c2tnb239v2"                     }, /* 167 */
- {              0x0D,         169, 0,  7, "c2tnb239v3"                     }, /* 168 */
- {              0x0E,         170, 0,  7, "c2onb239v4"                     }, /* 169 */
- {              0x0F,         171, 0,  7, "c2onb239v5"                     }, /* 170 */
- {              0x10,         172, 0,  7, "c2pnb272w1"                     }, /* 171 */
- {              0x11,         173, 0,  7, "c2pnb304w1"                     }, /* 172 */
- {              0x12,         174, 0,  7, "c2tnb359v1"                     }, /* 173 */
- {              0x13,         175, 0,  7, "c2pnb368w1"                     }, /* 174 */
- {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 175 */
- {            0x01,             0, 1,  6, "primeCurve"                     }, /* 176 */
- {              0x01,         178, 0,  7, "prime192v1"                     }, /* 177 */
- {              0x02,         179, 0,  7, "prime192v2"                     }, /* 178 */
- {              0x03,         180, 0,  7, "prime192v3"                     }, /* 179 */
- {              0x04,         181, 0,  7, "prime239v1"                     }, /* 180 */
- {              0x05,         182, 0,  7, "prime239v2"                     }, /* 181 */
- {              0x06,         183, 0,  7, "prime239v3"                     }, /* 182 */
- {              0x07,           0, 0,  7, "prime256v1"                     }, /* 183 */
- {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 184 */
- {            0x01,           186, 0,  6, "ecdsa-with-SHA1"                }, /* 185 */
- {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 186 */
- {              0x01,         188, 0,  7, "ecdsa-with-SHA224"              }, /* 187 */
- {              0x02,         189, 0,  7, "ecdsa-with-SHA256"              }, /* 188 */
- {              0x03,         190, 0,  7, "ecdsa-with-SHA384"              }, /* 189 */
- {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 190 */
- {0x2B,                       418, 1,  0, ""                               }, /* 191 */
- {  0x06,                     332, 1,  1, "dod"                            }, /* 192 */
- {    0x01,                     0, 1,  2, "internet"                       }, /* 193 */
- {      0x04,                 283, 1,  3, "private"                        }, /* 194 */
- {        0x01,                 0, 1,  4, "enterprise"                     }, /* 195 */
- {          0x82,             233, 1,  5, ""                               }, /* 196 */
- {            0x37,           209, 1,  6, "Microsoft"                      }, /* 197 */
- {              0x0A,         202, 1,  7, ""                               }, /* 198 */
- {                0x03,         0, 1,  8, ""                               }, /* 199 */
- {                  0x03,     201, 0,  9, "msSGC"                          }, /* 200 */
- {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 201 */
- {              0x14,         206, 1,  7, "msEnrollmentInfrastructure"     }, /* 202 */
- {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 203 */
- {                  0x02,     205, 0,  9, "msSmartcardLogon"               }, /* 204 */
- {                  0x03,       0, 0,  9, "msUPN"                          }, /* 205 */
- {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 206 */
- {                0x07,       208, 0,  8, "msCertTemplate"                 }, /* 207 */
- {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 208 */
- {            0xA0,             0, 1,  6, ""                               }, /* 209 */
- {              0x2A,           0, 1,  7, "ITA"                            }, /* 210 */
- {                0x01,       212, 0,  8, "strongSwan"                     }, /* 211 */
- {                0x02,       213, 0,  8, "cps"                            }, /* 212 */
- {                0x03,       214, 0,  8, "e-voting"                       }, /* 213 */
- {                0x05,         0, 1,  8, "BLISS"                          }, /* 214 */
- {                  0x01,     217, 1,  9, "keyType"                        }, /* 215 */
- {                    0x01,     0, 0, 10, "blissPublicKey"                 }, /* 216 */
- {                  0x02,     226, 1,  9, "parameters"                     }, /* 217 */
- {                    0x01,   219, 0, 10, "BLISS-I"                        }, /* 218 */
- {                    0x02,   220, 0, 10, "BLISS-II"                       }, /* 219 */
- {                    0x03,   221, 0, 10, "BLISS-III"                      }, /* 220 */
- {                    0x04,   222, 0, 10, "BLISS-IV"                       }, /* 221 */
- {                    0x05,   223, 0, 10, "BLISS-B-I"                      }, /* 222 */
- {                    0x06,   224, 0, 10, "BLISS-B-II"                     }, /* 223 */
- {                    0x07,   225, 0, 10, "BLISS-B-III"                    }, /* 224 */
- {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 225 */
- {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 226 */
- {                    0x01,   228, 0, 10, "BLISS-with-SHA2-512"            }, /* 227 */
- {                    0x02,   229, 0, 10, "BLISS-with-SHA2-384"            }, /* 228 */
- {                    0x03,   230, 0, 10, "BLISS-with-SHA2-256"            }, /* 229 */
- {                    0x04,   231, 0, 10, "BLISS-with-SHA3-512"            }, /* 230 */
- {                    0x05,   232, 0, 10, "BLISS-with-SHA3-384"            }, /* 231 */
- {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"            }, /* 232 */
- {          0x89,             240, 1,  5, ""                               }, /* 233 */
- {            0x31,             0, 1,  6, ""                               }, /* 234 */
- {              0x01,           0, 1,  7, ""                               }, /* 235 */
- {                0x01,         0, 1,  8, ""                               }, /* 236 */
- {                  0x02,       0, 1,  9, ""                               }, /* 237 */
- {                    0x02,     0, 1, 10, ""                               }, /* 238 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 239 */
- {          0x97,             244, 1,  5, ""                               }, /* 240 */
- {            0x55,             0, 1,  6, ""                               }, /* 241 */
- {              0x01,           0, 1,  7, ""                               }, /* 242 */
- {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 243 */
- {          0xC1,               0, 1,  5, ""                               }, /* 244 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 245 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 246 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 247 */
- {                  0x01,     252, 1,  9, "eess1-algs"                     }, /* 248 */
- {                    0x01,   250, 0, 10, "ntru-EESS1v1-SVES"              }, /* 249 */
- {                    0x02,   251, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 250 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 251 */
- {                  0x02,     282, 1,  9, "eess1-params"                   }, /* 252 */
- {                    0x01,   254, 0, 10, "ees251ep1"                      }, /* 253 */
- {                    0x02,   255, 0, 10, "ees347ep1"                      }, /* 254 */
- {                    0x03,   256, 0, 10, "ees503ep1"                      }, /* 255 */
- {                    0x07,   257, 0, 10, "ees251sp2"                      }, /* 256 */
- {                    0x0C,   258, 0, 10, "ees251ep4"                      }, /* 257 */
- {                    0x0D,   259, 0, 10, "ees251ep5"                      }, /* 258 */
- {                    0x0E,   260, 0, 10, "ees251sp3"                      }, /* 259 */
- {                    0x0F,   261, 0, 10, "ees251sp4"                      }, /* 260 */
- {                    0x10,   262, 0, 10, "ees251sp5"                      }, /* 261 */
- {                    0x11,   263, 0, 10, "ees251sp6"                      }, /* 262 */
- {                    0x12,   264, 0, 10, "ees251sp7"                      }, /* 263 */
- {                    0x13,   265, 0, 10, "ees251sp8"                      }, /* 264 */
- {                    0x14,   266, 0, 10, "ees251sp9"                      }, /* 265 */
- {                    0x22,   267, 0, 10, "ees401ep1"                      }, /* 266 */
- {                    0x23,   268, 0, 10, "ees449ep1"                      }, /* 267 */
- {                    0x24,   269, 0, 10, "ees677ep1"                      }, /* 268 */
- {                    0x25,   270, 0, 10, "ees1087ep2"                     }, /* 269 */
- {                    0x26,   271, 0, 10, "ees541ep1"                      }, /* 270 */
- {                    0x27,   272, 0, 10, "ees613ep1"                      }, /* 271 */
- {                    0x28,   273, 0, 10, "ees887ep1"                      }, /* 272 */
- {                    0x29,   274, 0, 10, "ees1171ep1"                     }, /* 273 */
- {                    0x2A,   275, 0, 10, "ees659ep1"                      }, /* 274 */
- {                    0x2B,   276, 0, 10, "ees761ep1"                      }, /* 275 */
- {                    0x2C,   277, 0, 10, "ees1087ep1"                     }, /* 276 */
- {                    0x2D,   278, 0, 10, "ees1499ep1"                     }, /* 277 */
- {                    0x2E,   279, 0, 10, "ees401ep2"                      }, /* 278 */
- {                    0x2F,   280, 0, 10, "ees439ep1"                      }, /* 279 */
- {                    0x30,   281, 0, 10, "ees593ep1"                      }, /* 280 */
- {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 281 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 282 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 283 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 284 */
- {          0x07,             329, 1,  5, "id-pkix"                        }, /* 285 */
- {            0x01,           290, 1,  6, "id-pe"                          }, /* 286 */
- {              0x01,         288, 0,  7, "authorityInfoAccess"            }, /* 287 */
- {              0x03,         289, 0,  7, "qcStatements"                   }, /* 288 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 289 */
- {            0x02,           293, 1,  6, "id-qt"                          }, /* 290 */
- {              0x01,         292, 0,  7, "cps"                            }, /* 291 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 292 */
- {            0x03,           303, 1,  6, "id-kp"                          }, /* 293 */
- {              0x01,         295, 0,  7, "serverAuth"                     }, /* 294 */
- {              0x02,         296, 0,  7, "clientAuth"                     }, /* 295 */
- {              0x03,         297, 0,  7, "codeSigning"                    }, /* 296 */
- {              0x04,         298, 0,  7, "emailProtection"                }, /* 297 */
- {              0x05,         299, 0,  7, "ipsecEndSystem"                 }, /* 298 */
- {              0x06,         300, 0,  7, "ipsecTunnel"                    }, /* 299 */
- {              0x07,         301, 0,  7, "ipsecUser"                      }, /* 300 */
- {              0x08,         302, 0,  7, "timeStamping"                   }, /* 301 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 302 */
- {            0x08,           311, 1,  6, "id-otherNames"                  }, /* 303 */
- {              0x01,         305, 0,  7, "personalData"                   }, /* 304 */
- {              0x02,         306, 0,  7, "userGroup"                      }, /* 305 */
- {              0x03,         307, 0,  7, "id-on-permanentIdentifier"      }, /* 306 */
- {              0x04,         308, 0,  7, "id-on-hardwareModuleName"       }, /* 307 */
- {              0x05,         309, 0,  7, "xmppAddr"                       }, /* 308 */
- {              0x06,         310, 0,  7, "id-on-SIM"                      }, /* 309 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 310 */
- {            0x0A,           316, 1,  6, "id-aca"                         }, /* 311 */
- {              0x01,         313, 0,  7, "authenticationInfo"             }, /* 312 */
- {              0x02,         314, 0,  7, "accessIdentity"                 }, /* 313 */
- {              0x03,         315, 0,  7, "chargingIdentity"               }, /* 314 */
- {              0x04,           0, 0,  7, "group"                          }, /* 315 */
- {            0x0B,           317, 0,  6, "subjectInfoAccess"              }, /* 316 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 317 */
- {              0x01,         326, 1,  7, "ocsp"                           }, /* 318 */
- {                0x01,       320, 0,  8, "basic"                          }, /* 319 */
- {                0x02,       321, 0,  8, "nonce"                          }, /* 320 */
- {                0x03,       322, 0,  8, "crl"                            }, /* 321 */
- {                0x04,       323, 0,  8, "response"                       }, /* 322 */
- {                0x05,       324, 0,  8, "noCheck"                        }, /* 323 */
- {                0x06,       325, 0,  8, "archiveCutoff"                  }, /* 324 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 325 */
- {              0x02,         327, 0,  7, "caIssuers"                      }, /* 326 */
- {              0x03,         328, 0,  7, "timeStamping"                   }, /* 327 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 328 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 329 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 330 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 331 */
- {  0x0E,                     338, 1,  1, "oiw"                            }, /* 332 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 333 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 334 */
- {        0x07,               336, 0,  4, "des-cbc"                        }, /* 335 */
- {        0x1A,               337, 0,  4, "sha-1"                          }, /* 336 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 337 */
- {  0x24,                     384, 1,  1, "TeleTrusT"                      }, /* 338 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 339 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 340 */
- {        0x01,               345, 1,  4, "rsaSignature"                   }, /* 341 */
- {          0x02,             343, 0,  5, "rsaSigWithripemd160"            }, /* 342 */
- {          0x03,             344, 0,  5, "rsaSigWithripemd128"            }, /* 343 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 344 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 345 */
- {          0x01,             347, 0,  5, "ecSignWithsha1"                 }, /* 346 */
- {          0x02,             348, 0,  5, "ecSignWithripemd160"            }, /* 347 */
- {          0x03,             349, 0,  5, "ecSignWithmd2"                  }, /* 348 */
- {          0x04,             350, 0,  5, "ecSignWithmd5"                  }, /* 349 */
- {          0x05,             367, 1,  5, "ttt-ecg"                        }, /* 350 */
- {            0x01,           355, 1,  6, "fieldType"                      }, /* 351 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 352 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 353 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 354 */
- {            0x02,           357, 1,  6, "keyType"                        }, /* 355 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 356 */
- {            0x03,           358, 0,  6, "curve"                          }, /* 357 */
- {            0x04,           365, 1,  6, "signatures"                     }, /* 358 */
- {              0x01,         360, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 359 */
- {              0x02,         361, 0,  7, "ecgdsa-with-SHA1"               }, /* 360 */
- {              0x03,         362, 0,  7, "ecgdsa-with-SHA224"             }, /* 361 */
- {              0x04,         363, 0,  7, "ecgdsa-with-SHA256"             }, /* 362 */
- {              0x05,         364, 0,  7, "ecgdsa-with-SHA384"             }, /* 363 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 364 */
- {            0x05,             0, 1,  6, "module"                         }, /* 365 */
- {              0x01,           0, 0,  7, "1"                              }, /* 366 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 367 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 368 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 369 */
- {                0x01,       371, 0,  8, "brainpoolP160r1"                }, /* 370 */
- {                0x02,       372, 0,  8, "brainpoolP160t1"                }, /* 371 */
- {                0x03,       373, 0,  8, "brainpoolP192r1"                }, /* 372 */
- {                0x04,       374, 0,  8, "brainpoolP192t1"                }, /* 373 */
- {                0x05,       375, 0,  8, "brainpoolP224r1"                }, /* 374 */
- {                0x06,       376, 0,  8, "brainpoolP224t1"                }, /* 375 */
- {                0x07,       377, 0,  8, "brainpoolP256r1"                }, /* 376 */
- {                0x08,       378, 0,  8, "brainpoolP256t1"                }, /* 377 */
- {                0x09,       379, 0,  8, "brainpoolP320r1"                }, /* 378 */
- {                0x0A,       380, 0,  8, "brainpoolP320t1"                }, /* 379 */
- {                0x0B,       381, 0,  8, "brainpoolP384r1"                }, /* 380 */
- {                0x0C,       382, 0,  8, "brainpoolP384t1"                }, /* 381 */
- {                0x0D,       383, 0,  8, "brainpoolP512r1"                }, /* 382 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 383 */
- {  0x81,                       0, 1,  1, ""                               }, /* 384 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 385 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 386 */
- {        0x01,               388, 0,  4, "sect163k1"                      }, /* 387 */
- {        0x02,               389, 0,  4, "sect163r1"                      }, /* 388 */
- {        0x03,               390, 0,  4, "sect239k1"                      }, /* 389 */
- {        0x04,               391, 0,  4, "sect113r1"                      }, /* 390 */
- {        0x05,               392, 0,  4, "sect113r2"                      }, /* 391 */
- {        0x06,               393, 0,  4, "secp112r1"                      }, /* 392 */
- {        0x07,               394, 0,  4, "secp112r2"                      }, /* 393 */
- {        0x08,               395, 0,  4, "secp160r1"                      }, /* 394 */
- {        0x09,               396, 0,  4, "secp160k1"                      }, /* 395 */
- {        0x0A,               397, 0,  4, "secp256k1"                      }, /* 396 */
- {        0x0F,               398, 0,  4, "sect163r2"                      }, /* 397 */
- {        0x10,               399, 0,  4, "sect283k1"                      }, /* 398 */
- {        0x11,               400, 0,  4, "sect283r1"                      }, /* 399 */
- {        0x16,               401, 0,  4, "sect131r1"                      }, /* 400 */
- {        0x17,               402, 0,  4, "sect131r2"                      }, /* 401 */
- {        0x18,               403, 0,  4, "sect193r1"                      }, /* 402 */
- {        0x19,               404, 0,  4, "sect193r2"                      }, /* 403 */
- {        0x1A,               405, 0,  4, "sect233k1"                      }, /* 404 */
- {        0x1B,               406, 0,  4, "sect233r1"                      }, /* 405 */
- {        0x1C,               407, 0,  4, "secp128r1"                      }, /* 406 */
- {        0x1D,               408, 0,  4, "secp128r2"                      }, /* 407 */
- {        0x1E,               409, 0,  4, "secp160r2"                      }, /* 408 */
- {        0x1F,               410, 0,  4, "secp192k1"                      }, /* 409 */
- {        0x20,               411, 0,  4, "secp224k1"                      }, /* 410 */
- {        0x21,               412, 0,  4, "secp224r1"                      }, /* 411 */
- {        0x22,               413, 0,  4, "secp384r1"                      }, /* 412 */
- {        0x23,               414, 0,  4, "secp521r1"                      }, /* 413 */
- {        0x24,               415, 0,  4, "sect409k1"                      }, /* 414 */
- {        0x25,               416, 0,  4, "sect409r1"                      }, /* 415 */
- {        0x26,               417, 0,  4, "sect571k1"                      }, /* 416 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 417 */
- {0x60,                       472, 1,  0, ""                               }, /* 418 */
- {  0x86,                       0, 1,  1, ""                               }, /* 419 */
- {    0x48,                     0, 1,  2, ""                               }, /* 420 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 421 */
- {        0x65,               448, 1,  4, "gov"                            }, /* 422 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 423 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 424 */
- {              0x01,         435, 1,  7, "aes"                            }, /* 425 */
- {                0x02,       427, 0,  8, "id-aes128-CBC"                  }, /* 426 */
- {                0x06,       428, 0,  8, "id-aes128-GCM"                  }, /* 427 */
- {                0x07,       429, 0,  8, "id-aes128-CCM"                  }, /* 428 */
- {                0x16,       430, 0,  8, "id-aes192-CBC"                  }, /* 429 */
- {                0x1A,       431, 0,  8, "id-aes192-GCM"                  }, /* 430 */
- {                0x1B,       432, 0,  8, "id-aes192-CCM"                  }, /* 431 */
- {                0x2A,       433, 0,  8, "id-aes256-CBC"                  }, /* 432 */
- {                0x2E,       434, 0,  8, "id-aes256-GCM"                  }, /* 433 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 434 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 435 */
- {                0x01,       437, 0,  8, "id-sha256"                      }, /* 436 */
- {                0x02,       438, 0,  8, "id-sha384"                      }, /* 437 */
- {                0x03,       439, 0,  8, "id-sha512"                      }, /* 438 */
- {                0x04,       440, 0,  8, "id-sha224"                      }, /* 439 */
- {                0x05,       441, 0,  8, "id-sha512-224"                  }, /* 440 */
- {                0x06,       442, 0,  8, "id-sha512-256"                  }, /* 441 */
- {                0x07,       443, 0,  8, "id-sha3-224"                    }, /* 442 */
- {                0x08,       444, 0,  8, "id-sha3-256"                    }, /* 443 */
- {                0x09,       445, 0,  8, "id-sha3-384"                    }, /* 444 */
- {                0x0A,       446, 0,  8, "id-sha3-512"                    }, /* 445 */
- {                0x0B,       447, 0,  8, "id-shake128"                    }, /* 446 */
- {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 447 */
- {        0x86,                 0, 1,  4, ""                               }, /* 448 */
- {          0xf8,               0, 1,  5, ""                               }, /* 449 */
- {            0x42,           462, 1,  6, "netscape"                       }, /* 450 */
- {              0x01,         457, 1,  7, ""                               }, /* 451 */
- {                0x01,       453, 0,  8, "nsCertType"                     }, /* 452 */
- {                0x03,       454, 0,  8, "nsRevocationUrl"                }, /* 453 */
- {                0x04,       455, 0,  8, "nsCaRevocationUrl"              }, /* 454 */
- {                0x08,       456, 0,  8, "nsCaPolicyUrl"                  }, /* 455 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 456 */
- {              0x03,         460, 1,  7, "directory"                      }, /* 457 */
- {                0x01,         0, 1,  8, ""                               }, /* 458 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 459 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 460 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 461 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 462 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 463 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 464 */
- {                  0x02,     466, 0,  9, "messageType"                    }, /* 465 */
- {                  0x03,     467, 0,  9, "pkiStatus"                      }, /* 466 */
- {                  0x04,     468, 0,  9, "failInfo"                       }, /* 467 */
- {                  0x05,     469, 0,  9, "senderNonce"                    }, /* 468 */
- {                  0x06,     470, 0,  9, "recipientNonce"                 }, /* 469 */
- {                  0x07,     471, 0,  9, "transID"                        }, /* 470 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 471 */
- {0x67,                         0, 1,  0, ""                               }, /* 472 */
- {  0x81,                       0, 1,  1, ""                               }, /* 473 */
- {    0x05,                     0, 1,  2, ""                               }, /* 474 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 475 */
- {        0x01,               477, 0,  4, "tcg-at-tpmManufacturer"         }, /* 476 */
- {        0x02,               478, 0,  4, "tcg-at-tpmModel"                }, /* 477 */
- {        0x03,               479, 0,  4, "tcg-at-tpmVersion"              }, /* 478 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 479 */
+ {0x02,                         7, 1,  0, "ITU-T Administration"            }, /*   0 */
+ {  0x82,                       0, 1,  1, ""                                }, /*   1 */
+ {    0x06,                     0, 1,  2, "Germany ITU-T member"            }, /*   2 */
+ {      0x01,                   0, 1,  3, "Deutsche Telekom AG"             }, /*   3 */
+ {        0x0A,                 0, 1,  4, ""                                }, /*   4 */
+ {          0x07,               0, 1,  5, ""                                }, /*   5 */
+ {            0x14,             0, 0,  6, "ND"                              }, /*   6 */
+ {0x09,                        18, 1,  0, "data"                            }, /*   7 */
+ {  0x92,                       0, 1,  1, ""                                }, /*   8 */
+ {    0x26,                     0, 1,  2, ""                                }, /*   9 */
+ {      0x89,                   0, 1,  3, ""                                }, /*  10 */
+ {        0x93,                 0, 1,  4, ""                                }, /*  11 */
+ {          0xF2,               0, 1,  5, ""                                }, /*  12 */
+ {            0x2C,             0, 1,  6, ""                                }, /*  13 */
+ {              0x64,           0, 1,  7, "pilot"                           }, /*  14 */
+ {                0x01,         0, 1,  8, "pilotAttributeType"              }, /*  15 */
+ {                  0x01,      17, 0,  9, "UID"                             }, /*  16 */
+ {                  0x19,       0, 0,  9, "DC"                              }, /*  17 */
+ {0x55,                        67, 1,  0, "X.500"                           }, /*  18 */
+ {  0x04,                      39, 1,  1, "X.509"                           }, /*  19 */
+ {    0x03,                    21, 0,  2, "CN"                              }, /*  20 */
+ {    0x04,                    22, 0,  2, "S"                               }, /*  21 */
+ {    0x05,                    23, 0,  2, "SN"                              }, /*  22 */
+ {    0x06,                    24, 0,  2, "C"                               }, /*  23 */
+ {    0x07,                    25, 0,  2, "L"                               }, /*  24 */
+ {    0x08,                    26, 0,  2, "ST"                              }, /*  25 */
+ {    0x0A,                    27, 0,  2, "O"                               }, /*  26 */
+ {    0x0B,                    28, 0,  2, "OU"                              }, /*  27 */
+ {    0x0C,                    29, 0,  2, "T"                               }, /*  28 */
+ {    0x0D,                    30, 0,  2, "D"                               }, /*  29 */
+ {    0x24,                    31, 0,  2, "userCertificate"                 }, /*  30 */
+ {    0x29,                    32, 0,  2, "N"                               }, /*  31 */
+ {    0x2A,                    33, 0,  2, "G"                               }, /*  32 */
+ {    0x2B,                    34, 0,  2, "I"                               }, /*  33 */
+ {    0x2D,                    35, 0,  2, "ID"                              }, /*  34 */
+ {    0x2E,                    36, 0,  2, "dnQualifier"                     }, /*  35 */
+ {    0x36,                    37, 0,  2, "dmdName"                         }, /*  36 */
+ {    0x41,                    38, 0,  2, "pseudonym"                       }, /*  37 */
+ {    0x48,                     0, 0,  2, "role"                            }, /*  38 */
+ {  0x1D,                       0, 1,  1, "id-ce"                           }, /*  39 */
+ {    0x09,                    41, 0,  2, "subjectDirectoryAttrs"           }, /*  40 */
+ {    0x0E,                    42, 0,  2, "subjectKeyIdentifier"            }, /*  41 */
+ {    0x0F,                    43, 0,  2, "keyUsage"                        }, /*  42 */
+ {    0x10,                    44, 0,  2, "privateKeyUsagePeriod"           }, /*  43 */
+ {    0x11,                    45, 0,  2, "subjectAltName"                  }, /*  44 */
+ {    0x12,                    46, 0,  2, "issuerAltName"                   }, /*  45 */
+ {    0x13,                    47, 0,  2, "basicConstraints"                }, /*  46 */
+ {    0x14,                    48, 0,  2, "crlNumber"                       }, /*  47 */
+ {    0x15,                    49, 0,  2, "reasonCode"                      }, /*  48 */
+ {    0x17,                    50, 0,  2, "holdInstructionCode"             }, /*  49 */
+ {    0x18,                    51, 0,  2, "invalidityDate"                  }, /*  50 */
+ {    0x1B,                    52, 0,  2, "deltaCrlIndicator"               }, /*  51 */
+ {    0x1C,                    53, 0,  2, "issuingDistributionPoint"        }, /*  52 */
+ {    0x1D,                    54, 0,  2, "certificateIssuer"               }, /*  53 */
+ {    0x1E,                    55, 0,  2, "nameConstraints"                 }, /*  54 */
+ {    0x1F,                    56, 0,  2, "crlDistributionPoints"           }, /*  55 */
+ {    0x20,                    58, 1,  2, "certificatePolicies"             }, /*  56 */
+ {      0x00,                   0, 0,  3, "anyPolicy"                       }, /*  57 */
+ {    0x21,                    59, 0,  2, "policyMappings"                  }, /*  58 */
+ {    0x23,                    60, 0,  2, "authorityKeyIdentifier"          }, /*  59 */
+ {    0x24,                    61, 0,  2, "policyConstraints"               }, /*  60 */
+ {    0x25,                    63, 1,  2, "extendedKeyUsage"                }, /*  61 */
+ {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"             }, /*  62 */
+ {    0x2E,                    64, 0,  2, "freshestCRL"                     }, /*  63 */
+ {    0x36,                    65, 0,  2, "inhibitAnyPolicy"                }, /*  64 */
+ {    0x37,                    66, 0,  2, "targetInformation"               }, /*  65 */
+ {    0x38,                     0, 0,  2, "noRevAvail"                      }, /*  66 */
+ {0x2A,                       191, 1,  0, ""                                }, /*  67 */
+ {  0x83,                      80, 1,  1, ""                                }, /*  68 */
+ {    0x08,                     0, 1,  2, "jp"                              }, /*  69 */
+ {      0x8C,                   0, 1,  3, ""                                }, /*  70 */
+ {        0x9A,                 0, 1,  4, ""                                }, /*  71 */
+ {          0x4B,               0, 1,  5, ""                                }, /*  72 */
+ {            0x3D,             0, 1,  6, ""                                }, /*  73 */
+ {              0x01,           0, 1,  7, "security"                        }, /*  74 */
+ {                0x01,         0, 1,  8, "algorithm"                       }, /*  75 */
+ {                  0x01,       0, 1,  9, "symm-encryption-alg"             }, /*  76 */
+ {                    0x02,    78, 0, 10, "camellia128-cbc"                 }, /*  77 */
+ {                    0x03,    79, 0, 10, "camellia192-cbc"                 }, /*  78 */
+ {                    0x04,     0, 0, 10, "camellia256-cbc"                 }, /*  79 */
+ {  0x86,                       0, 1,  1, ""                                }, /*  80 */
+ {    0x48,                     0, 1,  2, "us"                              }, /*  81 */
+ {      0x86,                 150, 1,  3, ""                                }, /*  82 */
+ {        0xF6,                88, 1,  4, ""                                }, /*  83 */
+ {          0x7D,               0, 1,  5, "NortelNetworks"                  }, /*  84 */
+ {            0x07,             0, 1,  6, "Entrust"                         }, /*  85 */
+ {              0x41,           0, 1,  7, "nsn-ce"                          }, /*  86 */
+ {                0x00,         0, 0,  8, "entrustVersInfo"                 }, /*  87 */
+ {        0xF7,                 0, 1,  4, ""                                }, /*  88 */
+ {          0x0D,               0, 1,  5, "RSADSI"                          }, /*  89 */
+ {            0x01,           145, 1,  6, "PKCS"                            }, /*  90 */
+ {              0x01,         103, 1,  7, "PKCS-1"                          }, /*  91 */
+ {                0x01,        93, 0,  8, "rsaEncryption"                   }, /*  92 */
+ {                0x02,        94, 0,  8, "md2WithRSAEncryption"            }, /*  93 */
+ {                0x04,        95, 0,  8, "md5WithRSAEncryption"            }, /*  94 */
+ {                0x05,        96, 0,  8, "sha-1WithRSAEncryption"          }, /*  95 */
+ {                0x07,        97, 0,  8, "id-RSAES-OAEP"                   }, /*  96 */
+ {                0x08,        98, 0,  8, "id-mgf1"                         }, /*  97 */
+ {                0x09,        99, 0,  8, "id-pSpecified"                   }, /*  98 */
+ {                0x0B,       100, 0,  8, "sha256WithRSAEncryption"         }, /*  99 */
+ {                0x0C,       101, 0,  8, "sha384WithRSAEncryption"         }, /* 100 */
+ {                0x0D,       102, 0,  8, "sha512WithRSAEncryption"         }, /* 101 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"         }, /* 102 */
+ {              0x05,         108, 1,  7, "PKCS-5"                          }, /* 103 */
+ {                0x03,       105, 0,  8, "pbeWithMD5AndDES-CBC"            }, /* 104 */
+ {                0x0A,       106, 0,  8, "pbeWithSHA1AndDES-CBC"           }, /* 105 */
+ {                0x0C,       107, 0,  8, "id-PBKDF2"                       }, /* 106 */
+ {                0x0D,         0, 0,  8, "id-PBES2"                        }, /* 107 */
+ {              0x07,         115, 1,  7, "PKCS-7"                          }, /* 108 */
+ {                0x01,       110, 0,  8, "data"                            }, /* 109 */
+ {                0x02,       111, 0,  8, "signedData"                      }, /* 110 */
+ {                0x03,       112, 0,  8, "envelopedData"                   }, /* 111 */
+ {                0x04,       113, 0,  8, "signedAndEnvelopedData"          }, /* 112 */
+ {                0x05,       114, 0,  8, "digestedData"                    }, /* 113 */
+ {                0x06,         0, 0,  8, "encryptedData"                   }, /* 114 */
+ {              0x09,         129, 1,  7, "PKCS-9"                          }, /* 115 */
+ {                0x01,       117, 0,  8, "E"                               }, /* 116 */
+ {                0x02,       118, 0,  8, "unstructuredName"                }, /* 117 */
+ {                0x03,       119, 0,  8, "contentType"                     }, /* 118 */
+ {                0x04,       120, 0,  8, "messageDigest"                   }, /* 119 */
+ {                0x05,       121, 0,  8, "signingTime"                     }, /* 120 */
+ {                0x06,       122, 0,  8, "counterSignature"                }, /* 121 */
+ {                0x07,       123, 0,  8, "challengePassword"               }, /* 122 */
+ {                0x08,       124, 0,  8, "unstructuredAddress"             }, /* 123 */
+ {                0x0E,       125, 0,  8, "extensionRequest"                }, /* 124 */
+ {                0x0F,       126, 0,  8, "S/MIME Capabilities"             }, /* 125 */
+ {                0x16,         0, 1,  8, "certTypes"                       }, /* 126 */
+ {                  0x01,     128, 0,  9, "X.509"                           }, /* 127 */
+ {                  0x02,       0, 0,  9, "SDSI"                            }, /* 128 */
+ {              0x0c,           0, 1,  7, "PKCS-12"                         }, /* 129 */
+ {                0x01,       137, 1,  8, "pbeIds"                          }, /* 130 */
+ {                  0x01,     132, 0,  9, "pbeWithSHAAnd128BitRC4"          }, /* 131 */
+ {                  0x02,     133, 0,  9, "pbeWithSHAAnd40BitRC4"           }, /* 132 */
+ {                  0x03,     134, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC" }, /* 133 */
+ {                  0x04,     135, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC" }, /* 134 */
+ {                  0x05,     136, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"      }, /* 135 */
+ {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"       }, /* 136 */
+ {                0x0a,         0, 1,  8, "PKCS-12v1"                       }, /* 137 */
+ {                  0x01,       0, 1,  9, "bagIds"                          }, /* 138 */
+ {                    0x01,   140, 0, 10, "keyBag"                          }, /* 139 */
+ {                    0x02,   141, 0, 10, "pkcs8ShroudedKeyBag"             }, /* 140 */
+ {                    0x03,   142, 0, 10, "certBag"                         }, /* 141 */
+ {                    0x04,   143, 0, 10, "crlBag"                          }, /* 142 */
+ {                    0x05,   144, 0, 10, "secretBag"                       }, /* 143 */
+ {                    0x06,     0, 0, 10, "safeContentsBag"                 }, /* 144 */
+ {            0x02,           148, 1,  6, "digestAlgorithm"                 }, /* 145 */
+ {              0x02,         147, 0,  7, "md2"                             }, /* 146 */
+ {              0x05,           0, 0,  7, "md5"                             }, /* 147 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"             }, /* 148 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"                    }, /* 149 */
+ {      0xCE,                   0, 1,  3, ""                                }, /* 150 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                      }, /* 151 */
+ {          0x02,             154, 1,  5, "id-publicKeyType"                }, /* 152 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"                  }, /* 153 */
+ {          0x03,             184, 1,  5, "ellipticCurve"                   }, /* 154 */
+ {            0x00,           176, 1,  6, "c-TwoCurve"                      }, /* 155 */
+ {              0x01,         157, 0,  7, "c2pnb163v1"                      }, /* 156 */
+ {              0x02,         158, 0,  7, "c2pnb163v2"                      }, /* 157 */
+ {              0x03,         159, 0,  7, "c2pnb163v3"                      }, /* 158 */
+ {              0x04,         160, 0,  7, "c2pnb176w1"                      }, /* 159 */
+ {              0x05,         161, 0,  7, "c2tnb191v1"                      }, /* 160 */
+ {              0x06,         162, 0,  7, "c2tnb191v2"                      }, /* 161 */
+ {              0x07,         163, 0,  7, "c2tnb191v3"                      }, /* 162 */
+ {              0x08,         164, 0,  7, "c2onb191v4"                      }, /* 163 */
+ {              0x09,         165, 0,  7, "c2onb191v5"                      }, /* 164 */
+ {              0x0A,         166, 0,  7, "c2pnb208w1"                      }, /* 165 */
+ {              0x0B,         167, 0,  7, "c2tnb239v1"                      }, /* 166 */
+ {              0x0C,         168, 0,  7, "c2tnb239v2"                      }, /* 167 */
+ {              0x0D,         169, 0,  7, "c2tnb239v3"                      }, /* 168 */
+ {              0x0E,         170, 0,  7, "c2onb239v4"                      }, /* 169 */
+ {              0x0F,         171, 0,  7, "c2onb239v5"                      }, /* 170 */
+ {              0x10,         172, 0,  7, "c2pnb272w1"                      }, /* 171 */
+ {              0x11,         173, 0,  7, "c2pnb304w1"                      }, /* 172 */
+ {              0x12,         174, 0,  7, "c2tnb359v1"                      }, /* 173 */
+ {              0x13,         175, 0,  7, "c2pnb368w1"                      }, /* 174 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                      }, /* 175 */
+ {            0x01,             0, 1,  6, "primeCurve"                      }, /* 176 */
+ {              0x01,         178, 0,  7, "prime192v1"                      }, /* 177 */
+ {              0x02,         179, 0,  7, "prime192v2"                      }, /* 178 */
+ {              0x03,         180, 0,  7, "prime192v3"                      }, /* 179 */
+ {              0x04,         181, 0,  7, "prime239v1"                      }, /* 180 */
+ {              0x05,         182, 0,  7, "prime239v2"                      }, /* 181 */
+ {              0x06,         183, 0,  7, "prime239v3"                      }, /* 182 */
+ {              0x07,           0, 0,  7, "prime256v1"                      }, /* 183 */
+ {          0x04,               0, 1,  5, "id-ecSigType"                    }, /* 184 */
+ {            0x01,           186, 0,  6, "ecdsa-with-SHA1"                 }, /* 185 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"            }, /* 186 */
+ {              0x01,         188, 0,  7, "ecdsa-with-SHA224"               }, /* 187 */
+ {              0x02,         189, 0,  7, "ecdsa-with-SHA256"               }, /* 188 */
+ {              0x03,         190, 0,  7, "ecdsa-with-SHA384"               }, /* 189 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"               }, /* 190 */
+ {0x2B,                       418, 1,  0, ""                                }, /* 191 */
+ {  0x06,                     332, 1,  1, "dod"                             }, /* 192 */
+ {    0x01,                     0, 1,  2, "internet"                        }, /* 193 */
+ {      0x04,                 283, 1,  3, "private"                         }, /* 194 */
+ {        0x01,                 0, 1,  4, "enterprise"                      }, /* 195 */
+ {          0x82,             233, 1,  5, ""                                }, /* 196 */
+ {            0x37,           209, 1,  6, "Microsoft"                       }, /* 197 */
+ {              0x0A,         202, 1,  7, ""                                }, /* 198 */
+ {                0x03,         0, 1,  8, ""                                }, /* 199 */
+ {                  0x03,     201, 0,  9, "msSGC"                           }, /* 200 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"          }, /* 201 */
+ {              0x14,         206, 1,  7, "msEnrollmentInfrastructure"      }, /* 202 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"      }, /* 203 */
+ {                  0x02,     205, 0,  9, "msSmartcardLogon"                }, /* 204 */
+ {                  0x03,       0, 0,  9, "msUPN"                           }, /* 205 */
+ {              0x15,           0, 1,  7, "msCertSrvInfrastructure"         }, /* 206 */
+ {                0x07,       208, 0,  8, "msCertTemplate"                  }, /* 207 */
+ {                0x0A,         0, 0,  8, "msApplicationCertPolicies"       }, /* 208 */
+ {            0xA0,             0, 1,  6, ""                                }, /* 209 */
+ {              0x2A,           0, 1,  7, "ITA"                             }, /* 210 */
+ {                0x01,       212, 0,  8, "strongSwan"                      }, /* 211 */
+ {                0x02,       213, 0,  8, "cps"                             }, /* 212 */
+ {                0x03,       214, 0,  8, "e-voting"                        }, /* 213 */
+ {                0x05,         0, 1,  8, "BLISS"                           }, /* 214 */
+ {                  0x01,     217, 1,  9, "keyType"                         }, /* 215 */
+ {                    0x01,     0, 0, 10, "blissPublicKey"                  }, /* 216 */
+ {                  0x02,     226, 1,  9, "parameters"                      }, /* 217 */
+ {                    0x01,   219, 0, 10, "BLISS-I"                         }, /* 218 */
+ {                    0x02,   220, 0, 10, "BLISS-II"                        }, /* 219 */
+ {                    0x03,   221, 0, 10, "BLISS-III"                       }, /* 220 */
+ {                    0x04,   222, 0, 10, "BLISS-IV"                        }, /* 221 */
+ {                    0x05,   223, 0, 10, "BLISS-B-I"                       }, /* 222 */
+ {                    0x06,   224, 0, 10, "BLISS-B-II"                      }, /* 223 */
+ {                    0x07,   225, 0, 10, "BLISS-B-III"                     }, /* 224 */
+ {                    0x08,     0, 0, 10, "BLISS-B-IV"                      }, /* 225 */
+ {                  0x03,       0, 1,  9, "blissSigType"                    }, /* 226 */
+ {                    0x01,   228, 0, 10, "BLISS-with-SHA2-512"             }, /* 227 */
+ {                    0x02,   229, 0, 10, "BLISS-with-SHA2-384"             }, /* 228 */
+ {                    0x03,   230, 0, 10, "BLISS-with-SHA2-256"             }, /* 229 */
+ {                    0x04,   231, 0, 10, "BLISS-with-SHA3-512"             }, /* 230 */
+ {                    0x05,   232, 0, 10, "BLISS-with-SHA3-384"             }, /* 231 */
+ {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"             }, /* 232 */
+ {          0x89,             240, 1,  5, ""                                }, /* 233 */
+ {            0x31,             0, 1,  6, ""                                }, /* 234 */
+ {              0x01,           0, 1,  7, ""                                }, /* 235 */
+ {                0x01,         0, 1,  8, ""                                }, /* 236 */
+ {                  0x02,       0, 1,  9, ""                                }, /* 237 */
+ {                    0x02,     0, 1, 10, ""                                }, /* 238 */
+ {                      0x4B,   0, 0, 11, "TCGID"                           }, /* 239 */
+ {          0x97,             244, 1,  5, ""                                }, /* 240 */
+ {            0x55,             0, 1,  6, ""                                }, /* 241 */
+ {              0x01,           0, 1,  7, ""                                }, /* 242 */
+ {                0x02,         0, 0,  8, "blowfish-cbc"                    }, /* 243 */
+ {          0xC1,               0, 1,  5, ""                                }, /* 244 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"               }, /* 245 */
+ {              0x01,           0, 1,  7, "eess"                            }, /* 246 */
+ {                0x01,         0, 1,  8, "eess1"                           }, /* 247 */
+ {                  0x01,     252, 1,  9, "eess1-algs"                      }, /* 248 */
+ {                    0x01,   250, 0, 10, "ntru-EESS1v1-SVES"               }, /* 249 */
+ {                    0x02,   251, 0, 10, "ntru-EESS1v1-SVSSA"              }, /* 250 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"           }, /* 251 */
+ {                  0x02,     282, 1,  9, "eess1-params"                    }, /* 252 */
+ {                    0x01,   254, 0, 10, "ees251ep1"                       }, /* 253 */
+ {                    0x02,   255, 0, 10, "ees347ep1"                       }, /* 254 */
+ {                    0x03,   256, 0, 10, "ees503ep1"                       }, /* 255 */
+ {                    0x07,   257, 0, 10, "ees251sp2"                       }, /* 256 */
+ {                    0x0C,   258, 0, 10, "ees251ep4"                       }, /* 257 */
+ {                    0x0D,   259, 0, 10, "ees251ep5"                       }, /* 258 */
+ {                    0x0E,   260, 0, 10, "ees251sp3"                       }, /* 259 */
+ {                    0x0F,   261, 0, 10, "ees251sp4"                       }, /* 260 */
+ {                    0x10,   262, 0, 10, "ees251sp5"                       }, /* 261 */
+ {                    0x11,   263, 0, 10, "ees251sp6"                       }, /* 262 */
+ {                    0x12,   264, 0, 10, "ees251sp7"                       }, /* 263 */
+ {                    0x13,   265, 0, 10, "ees251sp8"                       }, /* 264 */
+ {                    0x14,   266, 0, 10, "ees251sp9"                       }, /* 265 */
+ {                    0x22,   267, 0, 10, "ees401ep1"                       }, /* 266 */
+ {                    0x23,   268, 0, 10, "ees449ep1"                       }, /* 267 */
+ {                    0x24,   269, 0, 10, "ees677ep1"                       }, /* 268 */
+ {                    0x25,   270, 0, 10, "ees1087ep2"                      }, /* 269 */
+ {                    0x26,   271, 0, 10, "ees541ep1"                       }, /* 270 */
+ {                    0x27,   272, 0, 10, "ees613ep1"                       }, /* 271 */
+ {                    0x28,   273, 0, 10, "ees887ep1"                       }, /* 272 */
+ {                    0x29,   274, 0, 10, "ees1171ep1"                      }, /* 273 */
+ {                    0x2A,   275, 0, 10, "ees659ep1"                       }, /* 274 */
+ {                    0x2B,   276, 0, 10, "ees761ep1"                       }, /* 275 */
+ {                    0x2C,   277, 0, 10, "ees1087ep1"                      }, /* 276 */
+ {                    0x2D,   278, 0, 10, "ees1499ep1"                      }, /* 277 */
+ {                    0x2E,   279, 0, 10, "ees401ep2"                       }, /* 278 */
+ {                    0x2F,   280, 0, 10, "ees439ep1"                       }, /* 279 */
+ {                    0x30,   281, 0, 10, "ees593ep1"                       }, /* 280 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                       }, /* 281 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"           }, /* 282 */
+ {      0x05,                   0, 1,  3, "security"                        }, /* 283 */
+ {        0x05,                 0, 1,  4, "mechanisms"                      }, /* 284 */
+ {          0x07,             329, 1,  5, "id-pkix"                         }, /* 285 */
+ {            0x01,           290, 1,  6, "id-pe"                           }, /* 286 */
+ {              0x01,         288, 0,  7, "authorityInfoAccess"             }, /* 287 */
+ {              0x03,         289, 0,  7, "qcStatements"                    }, /* 288 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                    }, /* 289 */
+ {            0x02,           293, 1,  6, "id-qt"                           }, /* 290 */
+ {              0x01,         292, 0,  7, "cps"                             }, /* 291 */
+ {              0x02,           0, 0,  7, "unotice"                         }, /* 292 */
+ {            0x03,           303, 1,  6, "id-kp"                           }, /* 293 */
+ {              0x01,         295, 0,  7, "serverAuth"                      }, /* 294 */
+ {              0x02,         296, 0,  7, "clientAuth"                      }, /* 295 */
+ {              0x03,         297, 0,  7, "codeSigning"                     }, /* 296 */
+ {              0x04,         298, 0,  7, "emailProtection"                 }, /* 297 */
+ {              0x05,         299, 0,  7, "ipsecEndSystem"                  }, /* 298 */
+ {              0x06,         300, 0,  7, "ipsecTunnel"                     }, /* 299 */
+ {              0x07,         301, 0,  7, "ipsecUser"                       }, /* 300 */
+ {              0x08,         302, 0,  7, "timeStamping"                    }, /* 301 */
+ {              0x09,           0, 0,  7, "ocspSigning"                     }, /* 302 */
+ {            0x08,           311, 1,  6, "id-otherNames"                   }, /* 303 */
+ {              0x01,         305, 0,  7, "personalData"                    }, /* 304 */
+ {              0x02,         306, 0,  7, "userGroup"                       }, /* 305 */
+ {              0x03,         307, 0,  7, "id-on-permanentIdentifier"       }, /* 306 */
+ {              0x04,         308, 0,  7, "id-on-hardwareModuleName"        }, /* 307 */
+ {              0x05,         309, 0,  7, "xmppAddr"                        }, /* 308 */
+ {              0x06,         310, 0,  7, "id-on-SIM"                       }, /* 309 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                    }, /* 310 */
+ {            0x0A,           316, 1,  6, "id-aca"                          }, /* 311 */
+ {              0x01,         313, 0,  7, "authenticationInfo"              }, /* 312 */
+ {              0x02,         314, 0,  7, "accessIdentity"                  }, /* 313 */
+ {              0x03,         315, 0,  7, "chargingIdentity"                }, /* 314 */
+ {              0x04,           0, 0,  7, "group"                           }, /* 315 */
+ {            0x0B,           317, 0,  6, "subjectInfoAccess"               }, /* 316 */
+ {            0x30,             0, 1,  6, "id-ad"                           }, /* 317 */
+ {              0x01,         326, 1,  7, "ocsp"                            }, /* 318 */
+ {                0x01,       320, 0,  8, "basic"                           }, /* 319 */
+ {                0x02,       321, 0,  8, "nonce"                           }, /* 320 */
+ {                0x03,       322, 0,  8, "crl"                             }, /* 321 */
+ {                0x04,       323, 0,  8, "response"                        }, /* 322 */
+ {                0x05,       324, 0,  8, "noCheck"                         }, /* 323 */
+ {                0x06,       325, 0,  8, "archiveCutoff"                   }, /* 324 */
+ {                0x07,         0, 0,  8, "serviceLocator"                  }, /* 325 */
+ {              0x02,         327, 0,  7, "caIssuers"                       }, /* 326 */
+ {              0x03,         328, 0,  7, "timeStamping"                    }, /* 327 */
+ {              0x05,           0, 0,  7, "caRepository"                    }, /* 328 */
+ {          0x08,               0, 1,  5, "ipsec"                           }, /* 329 */
+ {            0x02,             0, 1,  6, "certificate"                     }, /* 330 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                 }, /* 331 */
+ {  0x0E,                     338, 1,  1, "oiw"                             }, /* 332 */
+ {    0x03,                     0, 1,  2, "secsig"                          }, /* 333 */
+ {      0x02,                   0, 1,  3, "algorithms"                      }, /* 334 */
+ {        0x07,               336, 0,  4, "des-cbc"                         }, /* 335 */
+ {        0x1A,               337, 0,  4, "sha-1"                           }, /* 336 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"           }, /* 337 */
+ {  0x24,                     384, 1,  1, "TeleTrusT"                       }, /* 338 */
+ {    0x03,                     0, 1,  2, "algorithm"                       }, /* 339 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"              }, /* 340 */
+ {        0x01,               345, 1,  4, "rsaSignature"                    }, /* 341 */
+ {          0x02,             343, 0,  5, "rsaSigWithripemd160"             }, /* 342 */
+ {          0x03,             344, 0,  5, "rsaSigWithripemd128"             }, /* 343 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"             }, /* 344 */
+ {        0x02,                 0, 1,  4, "ecSign"                          }, /* 345 */
+ {          0x01,             347, 0,  5, "ecSignWithsha1"                  }, /* 346 */
+ {          0x02,             348, 0,  5, "ecSignWithripemd160"             }, /* 347 */
+ {          0x03,             349, 0,  5, "ecSignWithmd2"                   }, /* 348 */
+ {          0x04,             350, 0,  5, "ecSignWithmd5"                   }, /* 349 */
+ {          0x05,             367, 1,  5, "ttt-ecg"                         }, /* 350 */
+ {            0x01,           355, 1,  6, "fieldType"                       }, /* 351 */
+ {              0x01,           0, 1,  7, "characteristictwoField"          }, /* 352 */
+ {                0x01,         0, 1,  8, "basisType"                       }, /* 353 */
+ {                  0x01,       0, 0,  9, "ipBasis"                         }, /* 354 */
+ {            0x02,           357, 1,  6, "keyType"                         }, /* 355 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                    }, /* 356 */
+ {            0x03,           358, 0,  6, "curve"                           }, /* 357 */
+ {            0x04,           365, 1,  6, "signatures"                      }, /* 358 */
+ {              0x01,         360, 0,  7, "ecgdsa-with-RIPEMD160"           }, /* 359 */
+ {              0x02,         361, 0,  7, "ecgdsa-with-SHA1"                }, /* 360 */
+ {              0x03,         362, 0,  7, "ecgdsa-with-SHA224"              }, /* 361 */
+ {              0x04,         363, 0,  7, "ecgdsa-with-SHA256"              }, /* 362 */
+ {              0x05,         364, 0,  7, "ecgdsa-with-SHA384"              }, /* 363 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"              }, /* 364 */
+ {            0x05,             0, 1,  6, "module"                          }, /* 365 */
+ {              0x01,           0, 0,  7, "1"                               }, /* 366 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"        }, /* 367 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                   }, /* 368 */
+ {              0x01,           0, 1,  7, "versionOne"                      }, /* 369 */
+ {                0x01,       371, 0,  8, "brainpoolP160r1"                 }, /* 370 */
+ {                0x02,       372, 0,  8, "brainpoolP160t1"                 }, /* 371 */
+ {                0x03,       373, 0,  8, "brainpoolP192r1"                 }, /* 372 */
+ {                0x04,       374, 0,  8, "brainpoolP192t1"                 }, /* 373 */
+ {                0x05,       375, 0,  8, "brainpoolP224r1"                 }, /* 374 */
+ {                0x06,       376, 0,  8, "brainpoolP224t1"                 }, /* 375 */
+ {                0x07,       377, 0,  8, "brainpoolP256r1"                 }, /* 376 */
+ {                0x08,       378, 0,  8, "brainpoolP256t1"                 }, /* 377 */
+ {                0x09,       379, 0,  8, "brainpoolP320r1"                 }, /* 378 */
+ {                0x0A,       380, 0,  8, "brainpoolP320t1"                 }, /* 379 */
+ {                0x0B,       381, 0,  8, "brainpoolP384r1"                 }, /* 380 */
+ {                0x0C,       382, 0,  8, "brainpoolP384t1"                 }, /* 381 */
+ {                0x0D,       383, 0,  8, "brainpoolP512r1"                 }, /* 382 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                 }, /* 383 */
+ {  0x81,                       0, 1,  1, ""                                }, /* 384 */
+ {    0x04,                     0, 1,  2, "Certicom"                        }, /* 385 */
+ {      0x00,                   0, 1,  3, "curve"                           }, /* 386 */
+ {        0x01,               388, 0,  4, "sect163k1"                       }, /* 387 */
+ {        0x02,               389, 0,  4, "sect163r1"                       }, /* 388 */
+ {        0x03,               390, 0,  4, "sect239k1"                       }, /* 389 */
+ {        0x04,               391, 0,  4, "sect113r1"                       }, /* 390 */
+ {        0x05,               392, 0,  4, "sect113r2"                       }, /* 391 */
+ {        0x06,               393, 0,  4, "secp112r1"                       }, /* 392 */
+ {        0x07,               394, 0,  4, "secp112r2"                       }, /* 393 */
+ {        0x08,               395, 0,  4, "secp160r1"                       }, /* 394 */
+ {        0x09,               396, 0,  4, "secp160k1"                       }, /* 395 */
+ {        0x0A,               397, 0,  4, "secp256k1"                       }, /* 396 */
+ {        0x0F,               398, 0,  4, "sect163r2"                       }, /* 397 */
+ {        0x10,               399, 0,  4, "sect283k1"                       }, /* 398 */
+ {        0x11,               400, 0,  4, "sect283r1"                       }, /* 399 */
+ {        0x16,               401, 0,  4, "sect131r1"                       }, /* 400 */
+ {        0x17,               402, 0,  4, "sect131r2"                       }, /* 401 */
+ {        0x18,               403, 0,  4, "sect193r1"                       }, /* 402 */
+ {        0x19,               404, 0,  4, "sect193r2"                       }, /* 403 */
+ {        0x1A,               405, 0,  4, "sect233k1"                       }, /* 404 */
+ {        0x1B,               406, 0,  4, "sect233r1"                       }, /* 405 */
+ {        0x1C,               407, 0,  4, "secp128r1"                       }, /* 406 */
+ {        0x1D,               408, 0,  4, "secp128r2"                       }, /* 407 */
+ {        0x1E,               409, 0,  4, "secp160r2"                       }, /* 408 */
+ {        0x1F,               410, 0,  4, "secp192k1"                       }, /* 409 */
+ {        0x20,               411, 0,  4, "secp224k1"                       }, /* 410 */
+ {        0x21,               412, 0,  4, "secp224r1"                       }, /* 411 */
+ {        0x22,               413, 0,  4, "secp384r1"                       }, /* 412 */
+ {        0x23,               414, 0,  4, "secp521r1"                       }, /* 413 */
+ {        0x24,               415, 0,  4, "sect409k1"                       }, /* 414 */
+ {        0x25,               416, 0,  4, "sect409r1"                       }, /* 415 */
+ {        0x26,               417, 0,  4, "sect571k1"                       }, /* 416 */
+ {        0x27,                 0, 0,  4, "sect571r1"                       }, /* 417 */
+ {0x60,                       481, 1,  0, ""                                }, /* 418 */
+ {  0x86,                       0, 1,  1, ""                                }, /* 419 */
+ {    0x48,                     0, 1,  2, ""                                }, /* 420 */
+ {      0x01,                   0, 1,  3, "organization"                    }, /* 421 */
+ {        0x65,               457, 1,  4, "gov"                             }, /* 422 */
+ {          0x03,               0, 1,  5, "csor"                            }, /* 423 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                   }, /* 424 */
+ {              0x01,         435, 1,  7, "aes"                             }, /* 425 */
+ {                0x02,       427, 0,  8, "id-aes128-CBC"                   }, /* 426 */
+ {                0x06,       428, 0,  8, "id-aes128-GCM"                   }, /* 427 */
+ {                0x07,       429, 0,  8, "id-aes128-CCM"                   }, /* 428 */
+ {                0x16,       430, 0,  8, "id-aes192-CBC"                   }, /* 429 */
+ {                0x1A,       431, 0,  8, "id-aes192-GCM"                   }, /* 430 */
+ {                0x1B,       432, 0,  8, "id-aes192-CCM"                   }, /* 431 */
+ {                0x2A,       433, 0,  8, "id-aes256-CBC"                   }, /* 432 */
+ {                0x2E,       434, 0,  8, "id-aes256-GCM"                   }, /* 433 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                   }, /* 434 */
+ {              0x02,         448, 1,  7, "hashAlgs"                        }, /* 435 */
+ {                0x01,       437, 0,  8, "id-sha256"                       }, /* 436 */
+ {                0x02,       438, 0,  8, "id-sha384"                       }, /* 437 */
+ {                0x03,       439, 0,  8, "id-sha512"                       }, /* 438 */
+ {                0x04,       440, 0,  8, "id-sha224"                       }, /* 439 */
+ {                0x05,       441, 0,  8, "id-sha512-224"                   }, /* 440 */
+ {                0x06,       442, 0,  8, "id-sha512-256"                   }, /* 441 */
+ {                0x07,       443, 0,  8, "id-sha3-224"                     }, /* 442 */
+ {                0x08,       444, 0,  8, "id-sha3-256"                     }, /* 443 */
+ {                0x09,       445, 0,  8, "id-sha3-384"                     }, /* 444 */
+ {                0x0A,       446, 0,  8, "id-sha3-512"                     }, /* 445 */
+ {                0x0B,       447, 0,  8, "id-shake128"                     }, /* 446 */
+ {                0x0C,         0, 0,  8, "id-shake256"                     }, /* 447 */
+ {              0x03,           0, 1,  7, "sigAlgs"                         }, /* 448 */
+ {                0x09,       450, 0,  8, "id-ecdsa-with-sha3-224"          }, /* 449 */
+ {                0x0A,       451, 0,  8, "id-ecdsa-with-sha3-256"          }, /* 450 */
+ {                0x0B,       452, 0,  8, "id-ecdsa-with-sha3-384"          }, /* 451 */
+ {                0x0C,       453, 0,  8, "id-ecdsa-with-sha3-512"          }, /* 452 */
+ {                0x0D,       454, 0,  8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 453 */
+ {                0x0E,       455, 0,  8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 454 */
+ {                0x0F,       456, 0,  8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 455 */
+ {                0x10,         0, 0,  8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 456 */
+ {        0x86,                 0, 1,  4, ""                                }, /* 457 */
+ {          0xf8,               0, 1,  5, ""                                }, /* 458 */
+ {            0x42,           471, 1,  6, "netscape"                        }, /* 459 */
+ {              0x01,         466, 1,  7, ""                                }, /* 460 */
+ {                0x01,       462, 0,  8, "nsCertType"                      }, /* 461 */
+ {                0x03,       463, 0,  8, "nsRevocationUrl"                 }, /* 462 */
+ {                0x04,       464, 0,  8, "nsCaRevocationUrl"               }, /* 463 */
+ {                0x08,       465, 0,  8, "nsCaPolicyUrl"                   }, /* 464 */
+ {                0x0d,         0, 0,  8, "nsComment"                       }, /* 465 */
+ {              0x03,         469, 1,  7, "directory"                       }, /* 466 */
+ {                0x01,         0, 1,  8, ""                                }, /* 467 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                  }, /* 468 */
+ {              0x04,           0, 1,  7, "policy"                          }, /* 469 */
+ {                0x01,         0, 0,  8, "nsSGC"                           }, /* 470 */
+ {            0x45,             0, 1,  6, "verisign"                        }, /* 471 */
+ {              0x01,           0, 1,  7, "pki"                             }, /* 472 */
+ {                0x09,         0, 1,  8, "attributes"                      }, /* 473 */
+ {                  0x02,     475, 0,  9, "messageType"                     }, /* 474 */
+ {                  0x03,     476, 0,  9, "pkiStatus"                       }, /* 475 */
+ {                  0x04,     477, 0,  9, "failInfo"                        }, /* 476 */
+ {                  0x05,     478, 0,  9, "senderNonce"                     }, /* 477 */
+ {                  0x06,     479, 0,  9, "recipientNonce"                  }, /* 478 */
+ {                  0x07,     480, 0,  9, "transID"                         }, /* 479 */
+ {                  0x08,       0, 0,  9, "extensionReq"                    }, /* 480 */
+ {0x67,                         0, 1,  0, ""                                }, /* 481 */
+ {  0x81,                       0, 1,  1, ""                                }, /* 482 */
+ {    0x05,                     0, 1,  2, ""                                }, /* 483 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                   }, /* 484 */
+ {        0x01,               486, 0,  4, "tcg-at-tpmManufacturer"          }, /* 485 */
+ {        0x02,               487, 0,  4, "tcg-at-tpmModel"                 }, /* 486 */
+ {        0x03,               488, 0,  4, "tcg-at-tpmVersion"               }, /* 487 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"               }  /* 488 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 042f108..bca2999 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -240,22 +240,30 @@ extern const oid_t oid_names[];
 #define OID_SHA3_256						443
 #define OID_SHA3_384						444
 #define OID_SHA3_512						445
-#define OID_NS_REVOCATION_URL				453
-#define OID_NS_CA_REVOCATION_URL			454
-#define OID_NS_CA_POLICY_URL				455
-#define OID_NS_COMMENT						456
-#define OID_EMPLOYEE_NUMBER					459
-#define OID_PKI_MESSAGE_TYPE				465
-#define OID_PKI_STATUS						466
-#define OID_PKI_FAIL_INFO					467
-#define OID_PKI_SENDER_NONCE				468
-#define OID_PKI_RECIPIENT_NONCE				469
-#define OID_PKI_TRANS_ID					470
-#define OID_TPM_MANUFACTURER				476
-#define OID_TPM_MODEL						477
-#define OID_TPM_VERSION						478
-#define OID_TPM_ID_LABEL					479
+#define OID_ECDSA_WITH_SHA3_224				449
+#define OID_ECDSA_WITH_SHA3_256				450
+#define OID_ECDSA_WITH_SHA3_384				451
+#define OID_ECDSA_WITH_SHA3_512				452
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_224	453
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_256	454
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_384	455
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_512	456
+#define OID_NS_REVOCATION_URL				462
+#define OID_NS_CA_REVOCATION_URL			463
+#define OID_NS_CA_POLICY_URL				464
+#define OID_NS_COMMENT						465
+#define OID_EMPLOYEE_NUMBER					468
+#define OID_PKI_MESSAGE_TYPE				474
+#define OID_PKI_STATUS						475
+#define OID_PKI_FAIL_INFO					476
+#define OID_PKI_SENDER_NONCE				477
+#define OID_PKI_RECIPIENT_NONCE				478
+#define OID_PKI_TRANS_ID					479
+#define OID_TPM_MANUFACTURER				485
+#define OID_TPM_MODEL						486
+#define OID_TPM_VERSION						487
+#define OID_TPM_ID_LABEL					488
 
-#define OID_MAX								480
+#define OID_MAX								489
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index eeeb234..761a38a 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -433,7 +433,7 @@
                 0x2A         "id-aes256-CBC"			OID_AES256_CBC
                 0x2E         "id-aes256-GCM"			OID_AES256_GCM
                 0x2F         "id-aes256-CCM"			OID_AES256_CCM
-              0x02           "hashalgs"
+              0x02           "hashAlgs"
                 0x01         "id-sha256"				OID_SHA256
                 0x02         "id-sha384"				OID_SHA384
                 0x03         "id-sha512"				OID_SHA512
@@ -446,6 +446,15 @@
                 0x0A         "id-sha3-512"				OID_SHA3_512
                 0x0B         "id-shake128"
                 0x0C         "id-shake256"
+              0x03           "sigAlgs"
+                0x09         "id-ecdsa-with-sha3-224"			OID_ECDSA_WITH_SHA3_224
+                0x0A         "id-ecdsa-with-sha3-256"			OID_ECDSA_WITH_SHA3_256
+                0x0B         "id-ecdsa-with-sha3-384"			OID_ECDSA_WITH_SHA3_384
+                0x0C         "id-ecdsa-with-sha3-512"			OID_ECDSA_WITH_SHA3_512
+                0x0D         "id-rsassa-pkcs1v15-with-sha3-224"	OID_RSASSA_PKCS1V15_WITH_SHA3_224
+                0x0E         "id-rsassa-pkcs1v15-with-sha3-256"	OID_RSASSA_PKCS1V15_WITH_SHA3_256
+                0x0F         "id-rsassa-pkcs1v15-with-sha3-384"	OID_RSASSA_PKCS1V15_WITH_SHA3_384
+                0x10         "id-rsassa-pkcs1v15-with-sha3-512"	OID_RSASSA_PKCS1V15_WITH_SHA3_512
         0x86                 ""
           0xf8               ""
             0x42             "netscape"
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 956ce08..3ec9491 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffeb
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -548,10 +549,10 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 		} schemes[] = {
 			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
 			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
-			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA224,		KEY_RSA,	},
-			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA256,		KEY_RSA,	},
-			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA384,		KEY_RSA,	},
-			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA512,		KEY_RSA,	},
+			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA2_224,	KEY_RSA,	},
+			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA2_256,	KEY_RSA,	},
+			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA2_384,	KEY_RSA,	},
+			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA2_512,	KEY_RSA,	},
 			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
 			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
 			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index d6f211a..03f93b1 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -32,10 +32,14 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512,
 	"RSA_EMSA_PKCS1_NULL",
 	"RSA_EMSA_PKCS1_MD5",
 	"RSA_EMSA_PKCS1_SHA1",
-	"RSA_EMSA_PKCS1_SHA224",
-	"RSA_EMSA_PKCS1_SHA256",
-	"RSA_EMSA_PKCS1_SHA384",
-	"RSA_EMSA_PKCS1_SHA512",
+	"RSA_EMSA_PKCS1_SHA2_224",
+	"RSA_EMSA_PKCS1_SHA2_256",
+	"RSA_EMSA_PKCS1_SHA2_384",
+	"RSA_EMSA_PKCS1_SHA2_512",
+	"RSA_EMSA_PKCS1_SHA3_224",
+	"RSA_EMSA_PKCS1_SHA3_256",
+	"RSA_EMSA_PKCS1_SHA3_384",
+	"RSA_EMSA_PKCS1_SHA3_512",
 	"ECDSA_WITH_SHA1_DER",
 	"ECDSA_WITH_SHA256_DER",
 	"ECDSA_WITH_SHA384_DER",
@@ -120,16 +124,24 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_RSA_EMSA_PKCS1_SHA1;
 		case OID_SHA224_WITH_RSA:
 		case OID_SHA224:
-			return SIGN_RSA_EMSA_PKCS1_SHA224;
+			return SIGN_RSA_EMSA_PKCS1_SHA2_224;
 		case OID_SHA256_WITH_RSA:
 		case OID_SHA256:
-			return SIGN_RSA_EMSA_PKCS1_SHA256;
+			return SIGN_RSA_EMSA_PKCS1_SHA2_256;
 		case OID_SHA384_WITH_RSA:
 		case OID_SHA384:
-			return SIGN_RSA_EMSA_PKCS1_SHA384;
+			return SIGN_RSA_EMSA_PKCS1_SHA2_384;
 		case OID_SHA512_WITH_RSA:
 		case OID_SHA512:
-			return SIGN_RSA_EMSA_PKCS1_SHA512;
+			return SIGN_RSA_EMSA_PKCS1_SHA2_512;
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_224:
+			return SIGN_RSA_EMSA_PKCS1_SHA3_224;
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_256:
+			return SIGN_RSA_EMSA_PKCS1_SHA3_256;
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_384:
+			return SIGN_RSA_EMSA_PKCS1_SHA3_384;
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_512:
+			return SIGN_RSA_EMSA_PKCS1_SHA3_512;
 		case OID_ECDSA_WITH_SHA1:
 		case OID_EC_PUBLICKEY:
 			return SIGN_ECDSA_WITH_SHA1_DER;
@@ -174,14 +186,22 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
 			return OID_MD5_WITH_RSA;
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return OID_SHA1_WITH_RSA;
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return OID_SHA224_WITH_RSA;
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return OID_SHA256_WITH_RSA;
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return OID_SHA384_WITH_RSA;
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return OID_SHA512_WITH_RSA;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+			return OID_RSASSA_PKCS1V15_WITH_SHA3_224;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+			return OID_RSASSA_PKCS1V15_WITH_SHA3_256;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+			return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+			return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
 		case SIGN_ECDSA_WITH_SHA1_DER:
 			return OID_ECDSA_WITH_SHA1;
 		case SIGN_ECDSA_WITH_SHA256_DER:
@@ -216,9 +236,9 @@ static struct {
 	key_type_t type;
 	int max_keysize;
 } scheme_map[] = {
-	{ SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA,   3072 },
-	{ SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA,   7680 },
-	{ SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA,   0 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, 3072 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, 7680 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, 0 },
 	{ SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
 	{ SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
 	{ SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
@@ -285,10 +305,14 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
 			return KEY_RSA;
 		case SIGN_ECDSA_WITH_SHA1_DER:
 		case SIGN_ECDSA_WITH_SHA256_DER:
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index ce48f9b..2361282 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -70,14 +70,22 @@ enum signature_scheme_t {
 	SIGN_RSA_EMSA_PKCS1_MD5,
 	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1     */
 	SIGN_RSA_EMSA_PKCS1_SHA1,
-	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224   */
-	SIGN_RSA_EMSA_PKCS1_SHA224,
-	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256   */
-	SIGN_RSA_EMSA_PKCS1_SHA256,
-	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384   */
-	SIGN_RSA_EMSA_PKCS1_SHA384,
-	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-512   */
-	SIGN_RSA_EMSA_PKCS1_SHA512,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_224 */
+	SIGN_RSA_EMSA_PKCS1_SHA2_224,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_256 */
+	SIGN_RSA_EMSA_PKCS1_SHA2_256,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_384 */
+	SIGN_RSA_EMSA_PKCS1_SHA2_384,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_512 */
+	SIGN_RSA_EMSA_PKCS1_SHA2_512,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_224 */
+	SIGN_RSA_EMSA_PKCS1_SHA3_224,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_256 */
+	SIGN_RSA_EMSA_PKCS1_SHA3_256,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_384 */
+	SIGN_RSA_EMSA_PKCS1_SHA3_384,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_512 */
+	SIGN_RSA_EMSA_PKCS1_SHA3_512,
 	/** ECDSA with SHA-1 using DER encoding as in RFC 3279             */
 	SIGN_ECDSA_WITH_SHA1_DER,
 	/** ECDSA with SHA-256 using DER encoding as in RFC 3279           */
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index c6b8d0c..8393d5b 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -108,7 +108,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
 	}
 	*value = cert;
 	enumerator->auth->replace(enumerator->auth, enumerator->inner,
-							  *rule, cert->get_ref(cert));
+							  *rule, cert);
 	return TRUE;
 }
 
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index 988e709..0f8bff2 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2010-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperwsil
+ * Copyright (C) 2010-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperwsil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -223,6 +224,7 @@ METHOD(mem_cred_t, add_crl, bool,
 	{
 		if (current->get_type(current) == CERT_X509_CRL)
 		{
+			chunk_t base;
 			bool found = FALSE;
 			crl_t *crl_c = (crl_t*)current;
 			chunk_t authkey = crl->get_authKeyIdentifier(crl);
@@ -246,17 +248,37 @@ METHOD(mem_cred_t, add_crl, bool,
 			}
 			if (found)
 			{
-				new = crl_is_newer(crl, crl_c);
-				if (new)
+				/* we keep at most one delta CRL for each base CRL */
+				if (crl->is_delta_crl(crl, &base))
 				{
-					this->untrusted->remove_at(this->untrusted, enumerator);
-					current->destroy(current);
+					if (!crl_c->is_delta_crl(crl_c, NULL))
+					{
+						if (chunk_equals(base, crl_c->get_serial(crl_c)))
+						{	/* keep the added delta and the existing base CRL
+							 * but check if this is the newest delta CRL for
+							 * the same base */
+							continue;
+						}
+					}
 				}
-				else
+				else if (crl_c->is_delta_crl(crl_c, &base))
+				{
+					if (chunk_equals(base, crl->get_serial(crl)))
+					{	/* keep the existing delta and the added base CRL,
+						 * but check if we don't store it already */
+						continue;
+					}
+				}
+				new = crl_is_newer(crl, crl_c);
+				if (!new)
 				{
 					cert->destroy(cert);
+					break;
 				}
-				break;
+				/* we remove the existing older CRL but there might be other
+				 * delta or base CRLs we can replace */
+				this->untrusted->remove_at(this->untrusted, enumerator);
+				current->destroy(current);
 			}
 		}
 	}
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 35dcf25..bab59a0 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2013-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -51,6 +52,7 @@ struct entry_t {
 		signer_constructor_t create_signer;
 		hasher_constructor_t create_hasher;
 		prf_constructor_t create_prf;
+		xof_constructor_t create_xof;
 		rng_constructor_t create_rng;
 		nonce_gen_constructor_t create_nonce_gen;
 		dh_constructor_t create_dh;
@@ -96,6 +98,11 @@ struct private_crypto_factory_t {
 	linked_list_t *prfs;
 
 	/**
+	 * registered xofs, as entry_t
+	 */
+	linked_list_t *xofs;
+
+	/**
 	 * registered rngs, as entry_t
 	 */
 	linked_list_t *rngs;
@@ -303,6 +310,38 @@ METHOD(crypto_factory_t, create_prf, prf_t*,
 	return prf;
 }
 
+METHOD(crypto_factory_t, create_xof, xof_t*,
+	private_crypto_factory_t *this, ext_out_function_t algo)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	xof_t *xof = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->xofs->create_enumerator(this->xofs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->algo == algo)
+		{
+			if (this->test_on_create &&
+				!this->tester->test_xof(this->tester, algo,
+										entry->create_xof, NULL,
+										default_plugin_name))
+			{
+				continue;
+			}
+			xof = entry->create_xof(algo);
+			if (xof)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return xof;
+}
+
 METHOD(crypto_factory_t, create_rng, rng_t*,
 	private_crypto_factory_t *this, rng_quality_t quality)
 {
@@ -633,6 +672,43 @@ METHOD(crypto_factory_t, remove_prf, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(crypto_factory_t, add_xof, bool,
+	private_crypto_factory_t *this, ext_out_function_t algo,
+	const char *plugin_name, xof_constructor_t create)
+{
+	u_int speed = 0;
+
+	if (!this->test_on_add ||
+		this->tester->test_xof(this->tester, algo, create,
+							   this->bench ? &speed : NULL, plugin_name))
+	{
+		add_entry(this, this->xofs, algo, plugin_name, speed, create);
+		return TRUE;
+	}
+	this->test_failures++;
+	return FALSE;
+}
+
+METHOD(crypto_factory_t, remove_xof, void,
+	private_crypto_factory_t *this, xof_constructor_t create)
+{
+	entry_t *entry;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->xofs->create_enumerator(this->xofs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create_xof == create)
+		{
+			this->xofs->remove_at(this->xofs, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
 METHOD(crypto_factory_t, add_rng, bool,
 	private_crypto_factory_t *this, rng_quality_t quality,
 	const char *plugin_name, rng_constructor_t create)
@@ -846,6 +922,23 @@ METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*,
 }
 
 /**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool xof_filter(void *n, entry_t **entry, ext_out_function_t *algo,
+					   void *i2, const char **plugin_name)
+{
+	*algo = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
+	return TRUE;
+}
+
+METHOD(crypto_factory_t, create_xof_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->xofs, xof_filter);
+}
+
+/**
  * Filter function to enumerate group, not entry
  */
 static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group,
@@ -909,6 +1002,8 @@ METHOD(crypto_factory_t, add_test_vector, void,
 			return this->tester->add_hasher_vector(this->tester, vector);
 		case PSEUDO_RANDOM_FUNCTION:
 			return this->tester->add_prf_vector(this->tester, vector);
+		case EXTENDED_OUTPUT_FUNCTION:
+			return this->tester->add_xof_vector(this->tester, vector);
 		case RANDOM_NUMBER_GENERATOR:
 			return this->tester->add_rng_vector(this->tester, vector);
 		case DIFFIE_HELLMAN_GROUP:
@@ -961,6 +1056,10 @@ METHOD(enumerator_t, verify_enumerate, bool,
 			*valid = this->tester->test_prf(this->tester, entry->algo,
 							entry->create_prf, NULL, entry->plugin_name);
 			break;
+		case EXTENDED_OUTPUT_FUNCTION:
+			*valid = this->tester->test_xof(this->tester, entry->algo,
+							entry->create_xof, NULL, entry->plugin_name);
+			break;
 		case RANDOM_NUMBER_GENERATOR:
 			*valid = this->tester->test_rng(this->tester, entry->algo,
 							entry->create_rng, NULL, entry->plugin_name);
@@ -1009,6 +1108,9 @@ METHOD(crypto_factory_t, create_verify_enumerator, enumerator_t*,
 		case PSEUDO_RANDOM_FUNCTION:
 			inner = this->prfs->create_enumerator(this->prfs);
 			break;
+		case EXTENDED_OUTPUT_FUNCTION:
+			inner = this->xofs->create_enumerator(this->xofs);
+			break;
 		case RANDOM_NUMBER_GENERATOR:
 			inner = this->rngs->create_enumerator(this->rngs);
 			break;
@@ -1040,6 +1142,7 @@ METHOD(crypto_factory_t, destroy, void,
 	this->signers->destroy(this->signers);
 	this->hashers->destroy(this->hashers);
 	this->prfs->destroy(this->prfs);
+	this->xofs->destroy(this->xofs);
 	this->rngs->destroy(this->rngs);
 	this->nonce_gens->destroy(this->nonce_gens);
 	this->dhs->destroy(this->dhs);
@@ -1062,6 +1165,7 @@ crypto_factory_t *crypto_factory_create()
 			.create_signer = _create_signer,
 			.create_hasher = _create_hasher,
 			.create_prf = _create_prf,
+			.create_xof = _create_xof,
 			.create_rng = _create_rng,
 			.create_nonce_gen = _create_nonce_gen,
 			.create_dh = _create_dh,
@@ -1075,6 +1179,8 @@ crypto_factory_t *crypto_factory_create()
 			.remove_hasher = _remove_hasher,
 			.add_prf = _add_prf,
 			.remove_prf = _remove_prf,
+			.add_xof = _add_xof,
+			.remove_xof = _remove_xof,
 			.add_rng = _add_rng,
 			.remove_rng = _remove_rng,
 			.add_nonce_gen = _add_nonce_gen,
@@ -1086,6 +1192,7 @@ crypto_factory_t *crypto_factory_create()
 			.create_signer_enumerator = _create_signer_enumerator,
 			.create_hasher_enumerator = _create_hasher_enumerator,
 			.create_prf_enumerator = _create_prf_enumerator,
+			.create_xof_enumerator = _create_xof_enumerator,
 			.create_dh_enumerator = _create_dh_enumerator,
 			.create_rng_enumerator = _create_rng_enumerator,
 			.create_nonce_gen_enumerator = _create_nonce_gen_enumerator,
@@ -1098,6 +1205,7 @@ crypto_factory_t *crypto_factory_create()
 		.signers = linked_list_create(),
 		.hashers = linked_list_create(),
 		.prfs = linked_list_create(),
+		.xofs = linked_list_create(),
 		.rngs = linked_list_create(),
 		.nonce_gens = linked_list_create(),
 		.dhs = linked_list_create(),
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index e039156..4f61ba1 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -31,6 +32,7 @@ typedef struct crypto_factory_t crypto_factory_t;
 #include <crypto/hashers/hasher.h>
 #include <crypto/prfs/prf.h>
 #include <crypto/rngs/rng.h>
+#include <crypto/xofs/xof.h>
 #include <crypto/nonce_gen.h>
 #include <crypto/diffie_hellman.h>
 #include <crypto/transform.h>
@@ -63,6 +65,11 @@ typedef hasher_t* (*hasher_constructor_t)(hash_algorithm_t algo);
 typedef prf_t* (*prf_constructor_t)(pseudo_random_function_t algo);
 
 /**
+ * Constructor function for pseudo random functions
+ */
+typedef xof_t* (*xof_constructor_t)(ext_out_function_t algo);
+
+/**
  * Constructor function for source of randomness
  */
 typedef rng_t* (*rng_constructor_t)(rng_quality_t quality);
@@ -133,6 +140,14 @@ struct crypto_factory_t {
 	prf_t* (*create_prf)(crypto_factory_t *this, pseudo_random_function_t algo);
 
 	/**
+	 * Create an extended output function instance.
+	 *
+	 * @param algo			XOF algorithm to use
+	 * @return				xof_t instance, NULL if not supported
+	 */
+	xof_t* (*create_xof)(crypto_factory_t *this, ext_out_function_t algo);
+
+	/**
 	 * Create a source of randomness.
 	 *
 	 * @param quality		required randomness quality
@@ -253,6 +268,24 @@ struct crypto_factory_t {
 	void (*remove_prf)(crypto_factory_t *this, prf_constructor_t create);
 
 	/**
+	 * Register an xof constructor.
+	 *
+	 * @param algo			algorithm to constructor
+	 * @param plugin_name	plugin that registered this algorithm
+	 * @param create		constructor function for that algorithm
+	 * @return				TRUE if registered, FALSE if test vector failed
+	 */
+	bool (*add_xof)(crypto_factory_t *this, ext_out_function_t algo,
+					const char *plugin_name, xof_constructor_t create);
+
+	/**
+	 * Unregister an xof constructor.
+	 *
+	 * @param create		constructor function to unregister
+	 */
+	void (*remove_xof)(crypto_factory_t *this, xof_constructor_t create);
+
+	/**
 	 * Register a source of randomness.
 	 *
 	 * @param quality		quality of randomness this RNG serves
@@ -342,6 +375,13 @@ struct crypto_factory_t {
 	enumerator_t* (*create_prf_enumerator)(crypto_factory_t *this);
 
 	/**
+	 * Create an enumerator over all registered XOFs.
+	 *
+	 * @return				enumerator over ext_out_function_t, plugin
+	 */
+	enumerator_t* (*create_xof_enumerator)(crypto_factory_t *this);
+
+	/**
 	 * Create an enumerator over all registered diffie hellman groups.
 	 *
 	 * @return				enumerator over diffie_hellman_group_t, plugin
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 5607d35..e86e7ae 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -63,6 +63,11 @@ struct private_crypto_tester_t {
 	linked_list_t *prf;
 
 	/**
+	 * List of XOF test vectors
+	 */
+	linked_list_t *xof;
+
+	/**
 	 * List of RNG test vectors
 	 */
 	linked_list_t *rng;
@@ -1035,6 +1040,146 @@ failure:
 }
 
 /**
+ * Benchmark an XOF
+ */
+static u_int bench_xof(private_crypto_tester_t *this,
+					   ext_out_function_t alg, xof_constructor_t create)
+{
+	xof_t *xof;
+
+	xof = create(alg);
+	if (xof)
+	{
+		char seed[xof->get_seed_size(xof)];
+		char bytes[xof->get_block_size(xof)];
+		struct timespec start;
+		u_int runs;
+
+		memset(seed, 0x56, xof->get_seed_size(xof));
+		if (!xof->set_seed(xof, chunk_create(seed, xof->get_seed_size(xof))))
+		{
+			xof->destroy(xof);
+			return 0;
+		}
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			if (xof->get_bytes(xof, xof->get_block_size(xof), bytes))
+			{
+				runs++;
+			}
+		}
+		xof->destroy(xof);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_xof, bool,
+	private_crypto_tester_t *this, ext_out_function_t alg,
+	xof_constructor_t create, u_int *speed, const char *plugin_name)
+{
+	enumerator_t *enumerator;
+	xof_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+
+	enumerator = this->xof->create_enumerator(this->xof);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		xof_t *xof;
+		chunk_t seed, out = chunk_empty;
+
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+
+		tested++;
+		failed = TRUE;
+		xof = create(alg);
+		if (!xof)
+		{
+			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
+				 ext_out_function_names, alg, plugin_name);
+			break;
+		}
+
+		seed = chunk_create(vector->seed, vector->len);
+		if (!xof->set_seed(xof, seed))
+		{
+			goto failure;
+		}
+		/* allocated bytes */
+		if (!xof->allocate_bytes(xof, vector->out_len, &out))
+		{
+			goto failure;
+		}
+		if (out.len != vector->out_len)
+		{
+			goto failure;
+		}
+		if (!memeq(vector->out, out.ptr, out.len))
+		{
+			goto failure;
+		}
+		/* bytes to existing buffer */
+		memset(out.ptr, 0, out.len);
+		if (!xof->set_seed(xof, seed))
+		{
+			goto failure;
+		}
+		if (!xof->get_bytes(xof, vector->out_len, out.ptr))
+		{
+			goto failure;
+		}
+		if (!memeq(vector->out, out.ptr, vector->out_len))
+		{
+			goto failure;
+		}
+		/* bytes to existing buffer, using append mode */
+		/* TODO */
+
+		failed = FALSE;
+failure:
+		xof->destroy(xof);
+		chunk_free(&out);
+		if (failed)
+		{
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 ext_out_function_names, alg, plugin_name, get_name(vector));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 ext_out_function_names, alg, plugin_name);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		if (speed)
+		{
+			*speed = bench_xof(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 ext_out_function_names, alg, plugin_name, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 ext_out_function_names, alg, plugin_name, tested);
+		}
+	}
+	return !failed;
+}
+
+/**
  * Benchmark a RNG
  */
 static u_int bench_rng(private_crypto_tester_t *this,
@@ -1338,6 +1483,12 @@ METHOD(crypto_tester_t, add_prf_vector, void,
 	this->prf->insert_last(this->prf, vector);
 }
 
+METHOD(crypto_tester_t, add_xof_vector, void,
+	private_crypto_tester_t *this, xof_test_vector_t *vector)
+{
+	this->xof->insert_last(this->xof, vector);
+}
+
 METHOD(crypto_tester_t, add_rng_vector, void,
 	private_crypto_tester_t *this, rng_test_vector_t *vector)
 {
@@ -1358,6 +1509,7 @@ METHOD(crypto_tester_t, destroy, void,
 	this->signer->destroy(this->signer);
 	this->hasher->destroy(this->hasher);
 	this->prf->destroy(this->prf);
+	this->xof->destroy(this->xof);
 	this->rng->destroy(this->rng);
 	this->dh->destroy(this->dh);
 	free(this);
@@ -1377,6 +1529,7 @@ crypto_tester_t *crypto_tester_create()
 			.test_signer = _test_signer,
 			.test_hasher = _test_hasher,
 			.test_prf = _test_prf,
+			.test_xof = _test_xof,
 			.test_rng = _test_rng,
 			.test_dh = _test_dh,
 			.add_crypter_vector = _add_crypter_vector,
@@ -1384,6 +1537,7 @@ crypto_tester_t *crypto_tester_create()
 			.add_signer_vector = _add_signer_vector,
 			.add_hasher_vector = _add_hasher_vector,
 			.add_prf_vector = _add_prf_vector,
+			.add_xof_vector = _add_xof_vector,
 			.add_rng_vector = _add_rng_vector,
 			.add_dh_vector = _add_dh_vector,
 			.destroy = _destroy,
@@ -1393,6 +1547,7 @@ crypto_tester_t *crypto_tester_create()
 		.signer = linked_list_create(),
 		.hasher = linked_list_create(),
 		.prf = linked_list_create(),
+		.xof = linked_list_create(),
 		.rng = linked_list_create(),
 		.dh = linked_list_create(),
 
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index 6cc9b0d..34dfa94 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -30,6 +30,7 @@ typedef struct aead_test_vector_t aead_test_vector_t;
 typedef struct signer_test_vector_t signer_test_vector_t;
 typedef struct hasher_test_vector_t hasher_test_vector_t;
 typedef struct prf_test_vector_t prf_test_vector_t;
+typedef struct xof_test_vector_t xof_test_vector_t;
 typedef struct rng_test_vector_t rng_test_vector_t;
 typedef struct dh_test_vector_t dh_test_vector_t;
 
@@ -114,6 +115,19 @@ struct prf_test_vector_t {
 	u_char *out;
 };
 
+struct xof_test_vector_t {
+	/** xof algorithm this test vector tests */
+	ext_out_function_t alg;
+	/** size of the seed data */
+	size_t len;
+	/** seed data */
+	u_char *seed;
+	/** size of the output */
+	size_t out_len;
+	/** expected output of size*/
+	u_char *out;
+};
+
 /**
  * Test vector for a RNG.
  *
@@ -217,6 +231,17 @@ struct crypto_tester_t {
 					 prf_constructor_t create,
 					 u_int *speed, const char *plugin_name);
 	/**
+	 * Test an XOF algorithm.
+	 *
+	 * @param alg			algorithm to test
+	 * @param create		constructor function for the XOF
+	 * @param speed			speed test result, NULL to omit
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_xof)(crypto_tester_t *this, ext_out_function_t alg,
+					 xof_constructor_t create,
+					 u_int *speed, const char *plugin_name);
+	/**
 	 * Test a RNG implementation.
 	 *
 	 * @param alg			algorithm to test
@@ -275,6 +300,13 @@ struct crypto_tester_t {
 	void (*add_prf_vector)(crypto_tester_t *this, prf_test_vector_t *vector);
 
 	/**
+	 * Add a test vector to test an XOF.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_xof_vector)(crypto_tester_t *this, xof_test_vector_t *vector);
+
+	/**
 	 * Add a test vector to test a RNG.
 	 *
 	 * @param vector		pointer to test vector
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 0d4cd91..6dcb6cb 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -49,7 +49,9 @@ ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
 	"NTRU_128",
 	"NTRU_192",
 	"NTRU_256");
-ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
+ENUM_NEXT(diffie_hellman_group_names, NH_128_BIT, NH_128_BIT, NTRU_256_BIT,
+	"NEWHOPE_128");
+ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NH_128_BIT,
 	"MODP_CUSTOM");
 ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
 
@@ -554,6 +556,7 @@ bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value)
 		case NTRU_128_BIT:
 		case NTRU_192_BIT:
 		case NTRU_256_BIT:
+		case NH_128_BIT:
 			/* verification currently not supported, do in plugin */
 			valid = FALSE;
 			break;
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index abebd66..f457153 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -68,6 +68,7 @@ enum diffie_hellman_group_t {
 	NTRU_128_BIT = 1031,
 	NTRU_192_BIT = 1032,
 	NTRU_256_BIT = 1033,
+	NH_128_BIT   = 1040,
 	/** internally used DH group with additional parameters g and p, outside
 	 * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
 	MODP_CUSTOM = 65536,
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index e220593..d136799 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2012-2015 Tobias Brunner
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -83,12 +83,16 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
 		case OID_SHA512_WITH_RSA:
 			return HASH_SHA512;
 		case OID_SHA3_224:
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_224:
 			return HASH_SHA3_224;
 		case OID_SHA3_256:
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_256:
 			return HASH_SHA3_256;
 		case OID_SHA3_384:
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_384:
 			return HASH_SHA3_384;
 		case OID_SHA3_512:
+		case OID_RSASSA_PKCS1V15_WITH_SHA3_512:
 			return HASH_SHA3_512;
 		default:
 			return HASH_UNKNOWN;
@@ -367,6 +371,14 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 					return OID_SHA384_WITH_RSA;
 				case HASH_SHA512:
 					return OID_SHA512_WITH_RSA;
+				case HASH_SHA3_224:
+					return OID_RSASSA_PKCS1V15_WITH_SHA3_224;
+				case HASH_SHA3_256:
+					return OID_RSASSA_PKCS1V15_WITH_SHA3_256;
+				case HASH_SHA3_384:
+					return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
+				case HASH_SHA3_512:
+					return OID_RSASSA_PKCS1V15_WITH_SHA3_512;
 				default:
 					return OID_UNKNOWN;
 			}
@@ -423,27 +435,32 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 		case SIGN_ECDSA_WITH_SHA1_DER:
 			return HASH_SHA1;
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return HASH_SHA224;
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 		case SIGN_ECDSA_WITH_SHA256_DER:
 		case SIGN_ECDSA_256:
 		case SIGN_BLISS_WITH_SHA2_256:
 			return HASH_SHA256;
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 		case SIGN_ECDSA_WITH_SHA384_DER:
 		case SIGN_ECDSA_384:
 		case SIGN_BLISS_WITH_SHA2_384:
 			return HASH_SHA384;
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 		case SIGN_ECDSA_WITH_SHA512_DER:
 		case SIGN_ECDSA_521:
 		case SIGN_BLISS_WITH_SHA2_512:
 			return HASH_SHA512;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+			return HASH_SHA3_224;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
 		case SIGN_BLISS_WITH_SHA3_256:
 			return HASH_SHA3_256;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
 		case SIGN_BLISS_WITH_SHA3_384:
 			return HASH_SHA3_384;
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
 		case SIGN_BLISS_WITH_SHA3_512:
 			return HASH_SHA3_512;
 	}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1.c b/src/libstrongswan/crypto/mgf1/mgf1.c
deleted file mode 100644
index 5116dfe..0000000
--- a/src/libstrongswan/crypto/mgf1/mgf1.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Copyright (C) 2013-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "mgf1.h"
-
-#include "crypto/hashers/hasher.h"
-#include "utils/debug.h"
-#include "utils/test.h"
-
-typedef struct private_mgf1_t private_mgf1_t;
-
-/**
- * Private data of an mgf1_t object.
- */
-struct private_mgf1_t {
-
-	/**
-	 * Public mgf1_t interface.
-	 */
-	mgf1_t public;
-
-	/**
-	 * Hasher the MGF1 Mask Generation Function is based on
-	 */
-	hasher_t *hasher;
-
-	/**
-	 * Counter
-	 */
-	uint32_t counter;
-
-	/**
-	 * Set if counter has reached 2^32
-	 */
-	bool overflow;
-
-	/**
-	 * Current state to be hashed
-	 */
-	chunk_t state;
-
-	/**
-	 * Position of the 4 octet counter string
-	 */
-	u_char *ctr_str;
-
-};
-
-METHOD(mgf1_t, get_hash_size, size_t,
-	private_mgf1_t *this)
-{
-	return this->hasher->get_hash_size(this->hasher);
-}
-
-METHOD(mgf1_t, get_mask, bool,
-	private_mgf1_t *this, size_t mask_len, u_char *mask)
-{
-	u_char buf[HASH_SIZE_SHA512];
-	size_t hash_len;
-
-	hash_len = this->hasher->get_hash_size(this->hasher);
-
-	while (mask_len > 0)
-	{
-		/* detect overflow, set counter string and increment counter */
-		if (this->overflow)
-		{
-			return FALSE;
-		}
-		htoun32(this->ctr_str, this->counter++);
-		if (this->counter == 0)
-		{
-			this->overflow = TRUE;
-		}
-
-		/* get the next or final mask block from the hash function */
-		if (!this->hasher->get_hash(this->hasher, this->state,
-								   (mask_len < hash_len) ? buf : mask))
-		{
-			return FALSE;
-		}
-		if (mask_len < hash_len)
-		{
-			memcpy(mask, buf, mask_len);
-			return TRUE;
-		}
-		mask_len -= hash_len;
-		mask += hash_len;
-	}
-	return TRUE;
-}
-
-METHOD(mgf1_t, allocate_mask, bool,
-	private_mgf1_t *this, size_t mask_len, chunk_t *mask)
-{
-	if (mask_len == 0)
-	{
-		*mask = chunk_empty;
-		return TRUE;
-	}
-	*mask = chunk_alloc(mask_len);
-
-	return get_mask(this, mask_len, mask->ptr);
-}
-
-METHOD(mgf1_t, destroy, void,
-	private_mgf1_t *this)
-{
-	this->hasher->destroy(this->hasher);
-	chunk_clear(&this->state);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
-							  bool hash_seed)
-{
-	private_mgf1_t *this;
-	hasher_t *hasher;
-	size_t state_len;
-
-	if (seed.len == 0)
-	{
-		DBG1(DBG_LIB, "empty seed for MGF1");
-		return NULL;
-	}
-
-	hasher = lib->crypto->create_hasher(lib->crypto, alg);
-	if (!hasher)
-	{
-		DBG1(DBG_LIB, "failed to create %N hasher for MGF1",
-			 hash_algorithm_names, alg);
-		return NULL;
-	}
-	state_len = (hash_seed ? hasher->get_hash_size(hasher) : seed.len) + 4;
-	
-	INIT(this,
-		.public = {
-			.get_hash_size = _get_hash_size,
-			.allocate_mask = _allocate_mask,
-			.get_mask = _get_mask,
-			.destroy = _destroy,
-		},
-		.hasher = hasher,
-		.state = chunk_alloc(state_len),
-	);
-
-	/* determine position of the 4 octet counter string */
-	this->ctr_str = this->state.ptr + state_len - 4;
-
-	if (hash_seed)
-	{
-		if (!hasher->get_hash(hasher, seed, this->state.ptr))
-		{
-			DBG1(DBG_LIB, "failed to hash seed for MGF1");
-			destroy(this);
-			return NULL;
-		}
-	}
-	else
-	{
-		memcpy(this->state.ptr, seed.ptr, seed.len);
-	}
-
-	return &this->public;
-}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1.h b/src/libstrongswan/crypto/mgf1/mgf1.h
deleted file mode 100644
index 592d315..0000000
--- a/src/libstrongswan/crypto/mgf1/mgf1.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2013-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup mgf1 mgf1
- * @{ @ingroup crypto
- */
-
-#ifndef MGF1_H_
-#define MGF1_H_
-
-typedef struct mgf1_t mgf1_t;
-
-#include <library.h>
-
-/**
- * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
- * defined in section 10.2.1 of RFC 2437
- */
-struct mgf1_t {
-
-	/**
-	 * Get the hash size of the underlying hash function
-	 *
-	 * @return			hash size in bytes
-	 */
-	size_t (*get_hash_size)(mgf1_t *this);
-
-	/**
-	 * Generate a mask pattern and copy it to an output buffer
-	 * If the maximum number of requests has been reached, reseeding occurs
-	 *
-	 * @param mask_len	number of mask bytes to generate
-	 * @param mask		output buffer of minimum size mask_len
-	 * @return			TRUE if successful
-	 */
-	bool (*get_mask)(mgf1_t *this, size_t mask_len, u_char *mask);
-
-	/**
-	 * Generate a mask pattern and return it in an allocated chunk
-	 *
-	 * @param mask_len	number of mask bytes to generate
-	 * @param mask		chunk containing generated mask
-	 * @return			TRUE if successful
-	 */
-	bool (*allocate_mask)(mgf1_t *this, size_t mask_len, chunk_t *mask);
-
-	/**
-	 * Destroy the MGF1 object
-	 */
-	void (*destroy)(mgf1_t *this);
-};
-
-/**
- * Create an MGF1 object
- *
- * @param alg			hash algorithm to be used by MGF1
- * @param seed			seed used by MGF1 to generate mask from
- * @param hash_seed		hash seed before using it as a seed for MGF1
- */
-mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
-							  bool hash_seed);
-
-#endif /** MGF1_H_ @}*/
-
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
deleted file mode 100644
index ef0a2bd..0000000
--- a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (C) 2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "mgf1_bitspender.h"
-
-#include <crypto/mgf1/mgf1.h>
-
-typedef struct private_mgf1_bitspender_t private_mgf1_bitspender_t;
-
-/**
- * Private data structure for mgf1_bitspender_t object
- */
-struct private_mgf1_bitspender_t {
-	/**
-	 * Public interface.
-	 */
-	mgf1_bitspender_t public;
-
-	/**
-	 * MGF1 bit mask generator
-	 */
-	mgf1_t *mgf1;
-
-	/**
-	 * Octet storage (accommodates up to 64 octets)
-	 */
-	uint8_t octets[HASH_SIZE_SHA512];
-
-	/**
-	 * Length of the returned hash value in octets
-	 */
-	int hash_len;
-
-	/**
-	 * Number of generated octets
-	 */
-	int octets_count;
-
-	/**
-	 * Number of available octets
-	 */
-	int octets_left;
-
-	/**
-	 * Bit storage (accommodates up to 32 bits)
-	 */
-	uint32_t bits;
-
-	/**
-	 * Number of available bits
-	 */
-	int bits_left;
-
-	/**
-	 * Byte storage (accommodates up to 4 bytes)
-	 */
-	uint8_t bytes[4];
-
-	/**
-	 * Number of available bytes
-	 */
-	int bytes_left;
-
-};
-
-METHOD(mgf1_bitspender_t, get_bits, bool,
-	private_mgf1_bitspender_t *this, int bits_needed, uint32_t *bits)
-{
-	int bits_now;
-
-	*bits = 0x00000000;
-
-	if (bits_needed == 0)
-	{
-		/* trivial */
-		return TRUE;
-	}
-	if (bits_needed > 32)
-	{
-		/* too many bits requested */
-		return FALSE;
-	}
-
-	while (bits_needed)
-	{
-		if (this->bits_left == 0)
-		{
-			if (this->octets_left == 0)
-			{
-				/* get another block from MGF1 */
-				if (!this->mgf1->get_mask(this->mgf1, this->hash_len,
-													  this->octets))
-				{
-					/* no block available */
-					return FALSE;
-				}
-				this->octets_left = this->hash_len;
-				this->octets_count += this->hash_len;
-			}
-			this->bits = untoh32(this->octets + this->hash_len -
-												this->octets_left);
-			this->bits_left = 32;
-			this->octets_left -= 4;
-		}
-		if (bits_needed > this->bits_left)
-		{
-			bits_now = this->bits_left;
-			this->bits_left = 0;
-			bits_needed -= bits_now;
-		}
-		else
-		{
-			bits_now = bits_needed;
-			this->bits_left -= bits_needed;
-			bits_needed = 0;
-		}
-		if (bits_now == 32)
-		{
-			*bits = this->bits;
-		}
-		else
-		{
-			*bits <<= bits_now;
-			*bits |= this->bits >> this->bits_left;
-			if (this->bits_left)
-			{
-				this->bits &= 0xffffffff >> (32 - this->bits_left);
-			}
-		}
-	}
-	return TRUE;
-}
-
-METHOD(mgf1_bitspender_t, get_byte, bool,
-	private_mgf1_bitspender_t *this, uint8_t *byte)
-{
-	if (this->bytes_left == 0)
-	{
-		if (this->octets_left == 0)
-		{
-			/* get another block from MGF1 */
-			if (!this->mgf1->get_mask(this->mgf1, this->hash_len, this->octets))
-			{
-				/* no block available */
-				return FALSE;
-			}
-			this->octets_left = this->hash_len;
-			this->octets_count += this->hash_len;
-		}
-		memcpy(this->bytes, this->octets + this->hash_len -	this->octets_left, 4);
-		this->bytes_left = 4;
-		this->octets_left -= 4;
-	}
-	*byte = this->bytes[4 - this->bytes_left--];
-
-	return TRUE;
-}
-
-METHOD(mgf1_bitspender_t, destroy, void,
-	private_mgf1_bitspender_t *this)
-{
-	DBG2(DBG_LIB, "mgf1 generated %u octets", this->octets_count);
-	memwipe(this->octets, sizeof(this->octets));
-	this->mgf1->destroy(this->mgf1);
-	free(this);
-}
-
-/**
- * See header.
- */
-mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
-										  bool hash_seed)
-{
-	private_mgf1_bitspender_t *this;
-	mgf1_t *mgf1;
-
-	mgf1 = mgf1_create(alg, seed, hash_seed);
-	if (!mgf1)
-	{
-	    return NULL;
-	}
-	DBG2(DBG_LIB, "mgf1 based on %N is seeded with %u octets",
-				   hash_algorithm_short_names, alg, seed.len);
-
-	INIT(this,
-		.public = {
-			.get_bits = _get_bits,
-			.get_byte = _get_byte,
-			.destroy = _destroy,
-		},
-		.mgf1 = mgf1,
-		.hash_len = mgf1->get_hash_size(mgf1),
-	);
-
-	return &this->public;
-}
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 282d40e..cd4e576 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -154,7 +154,7 @@ METHOD(proposal_keywords_t, register_algname_parser, void,
 	private_proposal_keywords_t *this, proposal_algname_parser_t parser)
 {
 	this->lock->write_lock(this->lock);
-	this->tokens->insert_first(this->parsers, parser);
+	this->parsers->insert_first(this->parsers, parser);
 	this->lock->unlock(this->lock);
 }
 
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index ba4c895..b058ad2 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -59,12 +59,12 @@ struct proposal_token {
 	uint16_t          keysize;
 };
 
-#define TOTAL_KEYWORDS 140
+#define TOTAL_KEYWORDS 141
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 11
-#define MAX_HASH_VALUE 266
-/* maximum key range = 256, duplicates = 0 */
+#define MIN_HASH_VALUE 7
+#define MAX_HASH_VALUE 282
+/* maximum key range = 276, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,32 +80,32 @@ hash (str, len)
 {
   static const unsigned short asso_values[] =
     {
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267,  71,   4,
-       20,   6,  48,  32,  10,  30,   5,   3, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267,  97, 267,   4,   8,  18,
-       56, 107, 107,  78,  10,   4, 267, 267,   3,   5,
-        7,   4,  30,  92, 104,   3,  32, 145, 267, 267,
-        3, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267, 267, 267, 267,
-      267, 267, 267, 267, 267, 267, 267
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283,  75,   2,
+       16,  16,  30,  26,   8,  35,   3,   1, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283,  29, 283,  10,   2,  16,
+       46,   1,  23,  78,   4,   4, 283, 283,   1,   9,
+        5,   2, 124, 117,  77, 106,  85,  27, 283, 283,
+        1, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
+      283, 283, 283, 283, 283, 283, 283
     };
   register int hval = len;
 
@@ -145,23 +145,20 @@ hash (str, len)
 static const struct proposal_token wordlist[] =
   {
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
     {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"modpnone",         DIFFIE_HELLMAN_GROUP, MODP_NONE,                 0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
     {"ntru128",          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
     {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
     {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
     {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
     {"ntru192",          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0},
     {"ntru112",          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0},
-    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
     {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
     {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
     {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
@@ -171,14 +168,17 @@ static const struct proposal_token wordlist[] =
     {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
     {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"ntru256",          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0},
+    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
     {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
     {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
+    {"ntru256",          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0},
     {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
     {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
     {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
     {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
@@ -187,26 +187,32 @@ static const struct proposal_token wordlist[] =
     {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
     {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
     {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
-    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
     {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
     {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
     {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
-    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
     {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
     {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
-    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
     {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
     {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
-    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
     {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
     {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
     {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
@@ -215,106 +221,103 @@ static const struct proposal_token wordlist[] =
     {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
     {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modpnone",         DIFFIE_HELLMAN_GROUP, MODP_NONE,                 0},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
-    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
-    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
-    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
     {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
     {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
-    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
+    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
     {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
-    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
-    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"newhope128",       DIFFIE_HELLMAN_GROUP, NH_128_BIT,                0},
     {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
     {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
     {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
-    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
     {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
     {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"ecp256bp",         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
+    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
     {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
     {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"ecp384bp",         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
     {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
+    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"ecp384bp",         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0},
+    {"ecp256bp",         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
     {"chacha20poly1305", ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
-    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
     {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
     {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
     {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
     {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
-    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0}
   };
 
 static const short lookup[] =
   {
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,   2,  -1,  -1,  -1,
+      3,   4,  -1,   5,   6,   7,   8,  -1,  -1,  -1,
+     -1,   9,  -1,  -1,  10,  11,  -1,  12,  -1,  13,
+     14,  15,  16,  17,  18,  19,  20,  21,  22,  23,
+     24,  25,  26,  -1,  27,  28,  29,  30,  31,  32,
+     33,  34,  35,  36,  37,  38,  -1,  39,  40,  41,
+     42,  43,  44,  45,  46,  -1,  47,  48,  -1,  49,
+     50,  51,  52,  53,  54,  -1,  55,  56,  57,  58,
+     59,  60,  61,  62,  63,  64,  -1,  65,  -1,  -1,
+     66,  67,  68,  69,  70,  71,  72,  73,  74,  75,
+     76,  77,  78,  79,  -1,  80,  81,  82,  83,  -1,
+     84,  85,  86,  87,  88,  89,  90,  91,  92,  93,
+     94,  95,  96,  97,  98,  99, 100,  -1, 101,  -1,
+     -1,  -1, 102,  -1, 103, 104, 105, 106,  -1, 107,
+     -1, 108, 109, 110, 111, 112, 113, 114,  -1, 115,
+     -1, 116, 117,  -1,  -1, 118, 119, 120,  -1, 121,
+     -1,  -1, 122, 123, 124,  -1, 125, 126, 127,  -1,
+    128, 129, 130,  -1, 131, 132,  -1,  -1,  -1,  -1,
+     -1,  -1, 133, 134,  -1,  -1,  -1, 135,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 136,  -1,
+     -1, 137,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,   0,  -1,  -1,   1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,   2,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   3,
-      4,  -1,   5,  -1,   6,   7,  -1,   8,   9,  -1,
-     -1,  -1,  -1,  -1,  -1,  10,  -1,  11,  12,  13,
-     14,  -1,  -1,  -1,  15,  -1,  16,  17,  -1,  18,
-     19,  20,  21,  22,  23,  24,  25,  26,  27,  -1,
-     -1,  -1,  28,  29,  30,  -1,  31,  -1,  32,  33,
-     34,  -1,  35,  36,  37,  38,  -1,  39,  40,  41,
-     42,  -1,  43,  44,  -1,  -1,  -1,  -1,  -1,  45,
-     -1,  46,  47,  48,  49,  50,  51,  52,  53,  54,
-     55,  56,  -1,  57,  58,  59,  60,  61,  62,  63,
-     64,  65,  66,  67,  68,  69,  70,  71,  72,  73,
-     74,  75,  76,  77,  78,  79,  80,  81,  82,  83,
-     84,  -1,  85,  86,  -1,  87,  88,  89,  90,  91,
-     92,  -1,  93,  94,  95,  96,  97,  98,  99, 100,
-     -1,  -1, 101, 102, 103,  -1,  -1, 104, 105, 106,
-    107, 108, 109,  -1,  -1, 110,  -1, 111, 112, 113,
-    114,  -1, 115, 116,  -1, 117, 118, 119, 120, 121,
-     -1,  -1,  -1,  -1, 122, 123, 124,  -1, 125,  -1,
-     -1,  -1, 126, 127, 128,  -1, 129, 130, 131,  -1,
-     -1, 132, 133,  -1,  -1,  -1, 134,  -1, 135, 136,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1, 137,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1, 138,  -1,  -1, 139
+     -1,  -1,  -1,  -1,  -1,  -1,  -1, 138, 139,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1, 140
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 8760243..3ac7729 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -167,5 +167,6 @@ ntru112,          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0
 ntru128,          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0
 ntru192,          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0
 ntru256,          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0
+newhope128,       DIFFIE_HELLMAN_GROUP, NH_128_BIT,                0
 noesn,            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0
 esn,              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0
diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c
index 7c6678b..808cb99 100644
--- a/src/libstrongswan/crypto/transform.c
+++ b/src/libstrongswan/crypto/transform.c
@@ -17,13 +17,15 @@
 #include <crypto/hashers/hasher.h>
 #include <crypto/rngs/rng.h>
 
-ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, COMPRESSION_ALGORITHM,
+ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, EXTENDED_OUTPUT_FUNCTION,
 	"UNDEFINED_TRANSFORM_TYPE",
 	"HASH_ALGORITHM",
 	"RANDOM_NUMBER_GENERATOR",
 	"AEAD_ALGORITHM",
-	"COMPRESSION_ALGORITHM");
-ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, COMPRESSION_ALGORITHM,
+	"COMPRESSION_ALGORITHM",
+	"EXTENDED OUTPUT FUNCTION");
+ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS,
+								EXTENDED_OUTPUT_FUNCTION,
 	"ENCRYPTION_ALGORITHM",
 	"PSEUDO_RANDOM_FUNCTION",
 	"INTEGRITY_ALGORITHM",
@@ -60,6 +62,8 @@ enum_name_t* transform_get_enum_names(transform_type_t type)
 			return diffie_hellman_group_names;
 		case EXTENDED_SEQUENCE_NUMBERS:
 			return extended_sequence_numbers_names;
+		case EXTENDED_OUTPUT_FUNCTION:
+			return ext_out_function_names;
 		case UNDEFINED_TRANSFORM_TYPE:
 		case COMPRESSION_ALGORITHM:
 			break;
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 0cb84f0..e043e60 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -34,6 +34,7 @@ enum transform_type_t {
 	RANDOM_NUMBER_GENERATOR = 243,
 	AEAD_ALGORITHM = 244,
 	COMPRESSION_ALGORITHM = 245,
+	EXTENDED_OUTPUT_FUNCTION = 246,
 	ENCRYPTION_ALGORITHM = 1,
 	PSEUDO_RANDOM_FUNCTION = 2,
 	INTEGRITY_ALGORITHM = 3,
diff --git a/src/libstrongswan/crypto/xofs/mgf1.h b/src/libstrongswan/crypto/xofs/mgf1.h
new file mode 100644
index 0000000..5ad3a51
--- /dev/null
+++ b/src/libstrongswan/crypto/xofs/mgf1.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1 mgf1
+ * @{ @ingroup crypto
+ */
+
+#ifndef MGF1_H_
+#define MGF1_H_
+
+typedef struct mgf1_t mgf1_t;
+
+#include "xof.h"
+
+/**
+ * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
+ * defined in section 10.2.1 of RFC 2437
+ */
+struct mgf1_t {
+
+	/**
+	 * Generic xof_t interface for this Extended Output Function (XOF).
+	 */
+	xof_t xof_interface;
+
+	/**
+	 * Hash the seed before using it as a seed for MGF1
+	 * 
+	 * @param yes		TRUE if seed has to be hashed first
+	 */
+	void (*set_hash_seed)(mgf1_t *this, bool yes);
+};
+
+#endif /** MGF1_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/crypto/xofs/xof.c
similarity index 65%
copy from src/libstrongswan/plugins/bliss/tests/bliss_tests.h
copy to src/libstrongswan/crypto/xofs/xof.c
index f0959cc..1e9c283 100644
--- a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
+++ b/src/libstrongswan/crypto/xofs/xof.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,11 +13,15 @@
  * for more details.
  */
 
-TEST_SUITE(bliss_fft_suite_create)
-TEST_SUITE(bliss_bitpacker_suite_create)
-TEST_SUITE(bliss_huffman_suite_create)
-TEST_SUITE(bliss_keys_suite_create)
-TEST_SUITE(bliss_sampler_suite_create)
-TEST_SUITE(bliss_signature_suite_create)
-TEST_SUITE(bliss_sign_suite_create)
+#include "xof.h"
+
+ENUM(ext_out_function_names, XOF_UNDEFINED, XOF_CHACHA20,
+	"XOF_UNDEFINED",
+	"XOF_MGF1_SHA1",
+	"XOF_MGF1_SHA256",
+	"XOF_MGF1_SHA512",
+	"XOF_SHAKE128",
+	"XOF_SHAKE256",
+	"XOF_CHACHA20"
+);
 
diff --git a/src/libstrongswan/crypto/xofs/xof.h b/src/libstrongswan/crypto/xofs/xof.h
new file mode 100644
index 0000000..8c9ae01
--- /dev/null
+++ b/src/libstrongswan/crypto/xofs/xof.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xof xof
+ * @{ @ingroup crypto
+ */
+
+#ifndef XOF_H_
+#define XOF_H_
+
+typedef enum ext_out_function_t ext_out_function_t;
+typedef struct xof_t xof_t;
+
+#include <library.h>
+
+/**
+ * Extendable Output Functions.
+ */
+enum ext_out_function_t {
+	XOF_UNDEFINED,
+	/** RFC 2437 PKCS#1 */
+	XOF_MGF1_SHA1,
+	/** RFC 2437 PKCS#1 */
+	XOF_MGF1_SHA256,
+	/** RFC 2437 PKCS#1 */
+	XOF_MGF1_SHA512,
+	/** FIPS 202 */
+	XOF_SHAKE_128,
+	/** FIPS 202 */
+	XOF_SHAKE_256,
+	/** RFC 7539 ChaCha20 */
+	XOF_CHACHA20,
+};
+
+/**
+ * enum name for ext_out_function_t.
+ */
+extern enum_name_t *ext_out_function_names;
+
+/**
+ * Generic interface for Extended Output Function (XOF)
+ */
+struct xof_t {
+
+	/**
+	 * Return the type of the Extended Output Function
+	 *
+	 * @return			XOF type
+	 */
+	ext_out_function_t (*get_type)(xof_t *this);
+
+	/**
+	 * Generates pseudo random bytes and writes them in the buffer.
+	 *
+	 * @param out_len	number of output bytes requested
+	 * @param buffer	pointer where the generated bytes will be written
+	 * @return			TRUE if bytes generated successfully
+	 */
+	bool (*get_bytes)(xof_t *this, size_t out_len,
+					  uint8_t *buffer) __attribute__((warn_unused_result));
+
+	/**
+	 * Generates pseudo random bytes and allocate space for them.
+	 *
+	 * @param out_len	number of output bytes requested
+	 * @param chunk		chunk which will hold generated bytes
+	 * @return			TRUE if bytes allocated and generated successfully
+	 */
+	bool (*allocate_bytes)(xof_t *this, size_t out_len,
+						   chunk_t *chunk) __attribute__((warn_unused_result));
+
+	/**
+	 * Get the output block size
+	 *
+	 * @return			block size in bytes
+	 */
+	size_t (*get_block_size)(xof_t *this);
+
+	/**
+	 * Get the recommended minimum seed size
+	 *
+	 * @return			seed size in bytes
+	 */
+	size_t (*get_seed_size)(xof_t *this);
+
+	/**
+	 * Set the key for this xof_t object.
+	 *
+	 * @param sed		seed to set
+	 * @return			TRUE if XOF initialized with seed successfully
+	 */
+	bool (*set_seed)(xof_t *this,
+					 chunk_t seed) __attribute__((warn_unused_result));
+
+	/**
+	 * Destroys a xof object.
+	 */
+	void (*destroy)(xof_t *this);
+};
+
+#endif /** XOF_H_ @}*/
diff --git a/src/libstrongswan/crypto/xofs/xof_bitspender.c b/src/libstrongswan/crypto/xofs/xof_bitspender.c
new file mode 100644
index 0000000..f18b806
--- /dev/null
+++ b/src/libstrongswan/crypto/xofs/xof_bitspender.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2014-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xof_bitspender.h"
+#include "mgf1.h"
+
+typedef struct private_xof_bitspender_t private_xof_bitspender_t;
+
+/**
+ * Private data structure for xof_bitspender_t object
+ */
+struct private_xof_bitspender_t {
+	/**
+	 * Public interface.
+	 */
+	xof_bitspender_t public;
+
+	/**
+	 * Extended Output Function (XOF)
+	 */
+	xof_t *xof;
+
+	/**
+	 * Length of the returned hash value in octets
+	 */
+	int hash_len;
+
+	/**
+	 * Bit storage (accommodates up to 32 bits)
+	 */
+	uint32_t bits;
+
+	/**
+	 * Number of available bits
+	 */
+	int bits_left;
+
+	/**
+	 * Byte storage (accommodates up to 4 bytes)
+	 */
+	uint8_t bytes[4];
+
+	/**
+	 * Number of available bytes
+	 */
+	int bytes_left;
+
+	/**
+	 * Number of octets spent
+	 */
+	int octet_count;
+
+};
+
+static bool get_next_block(private_xof_bitspender_t *this, uint8_t *buffer)
+{
+	if (!this->xof->get_bytes(this->xof, 4, buffer))
+	{
+		/* no block available */
+		return FALSE;
+	}
+	this->octet_count += 4;
+
+	return TRUE;
+}
+
+METHOD(xof_bitspender_t, get_bits, bool,
+	private_xof_bitspender_t *this, int bits_needed, uint32_t *bits)
+{
+	int bits_now;
+
+	*bits = 0x00000000;
+
+	if (bits_needed == 0)
+	{
+		/* trivial */
+		return TRUE;
+	}
+	if (bits_needed > 32)
+	{
+		/* too many bits requested */
+		return FALSE;
+	}
+
+	while (bits_needed)
+	{
+		if (this->bits_left == 0)
+		{
+			uint8_t buf[4];
+
+			if (!get_next_block(this, buf))
+			{
+				return FALSE;
+			}
+			this->bits = untoh32(buf);
+			this->bits_left = 32;
+		}
+		if (bits_needed > this->bits_left)
+		{
+			bits_now = this->bits_left;
+			this->bits_left = 0;
+			bits_needed -= bits_now;
+		}
+		else
+		{
+			bits_now = bits_needed;
+			this->bits_left -= bits_needed;
+			bits_needed = 0;
+		}
+		if (bits_now == 32)
+		{
+			*bits = this->bits;
+		}
+		else
+		{
+			*bits <<= bits_now;
+			*bits |= this->bits >> this->bits_left;
+			if (this->bits_left)
+			{
+				this->bits &= 0xffffffff >> (32 - this->bits_left);
+			}
+		}
+	}
+
+	return TRUE;
+}
+
+METHOD(xof_bitspender_t, get_byte, bool,
+	private_xof_bitspender_t *this, uint8_t *byte)
+{
+	if (this->bytes_left == 0)
+	{
+		if (!get_next_block(this, this->bytes))
+		{
+			return FALSE;
+		}
+		this->bytes_left = 4;
+	}
+	*byte = this->bytes[4 - this->bytes_left--];
+
+	return TRUE;
+}
+
+METHOD(xof_bitspender_t, destroy, void,
+	private_xof_bitspender_t *this)
+{
+	DBG2(DBG_LIB, "%N generated %u octets", ext_out_function_names,
+				   this->xof->get_type(this->xof), this->octet_count);
+	memwipe(this->bytes, 4);
+	this->xof->destroy(this->xof);
+	free(this);
+}
+
+/**
+ * See header.
+ */
+xof_bitspender_t *xof_bitspender_create(ext_out_function_t alg, chunk_t seed,
+										bool hash_seed)
+{
+	private_xof_bitspender_t *this;
+	xof_t *xof;
+
+	xof = lib->crypto->create_xof(lib->crypto, alg);
+	if (!xof)
+	{
+		return NULL;
+	}
+
+	switch (alg)
+	{
+		case XOF_MGF1_SHA1:
+		case XOF_MGF1_SHA256:
+		case XOF_MGF1_SHA512:
+		{
+			mgf1_t *mgf1 = (mgf1_t*)xof;
+
+			mgf1->set_hash_seed(mgf1, hash_seed);
+			break;
+		}
+		default:
+			break;
+	}
+	if (!xof->set_seed(xof, seed))
+	{
+		xof->destroy(xof);
+		return NULL;
+	}
+	DBG2(DBG_LIB, "%N is seeded with %u octets", ext_out_function_names,
+				   alg, seed.len);
+
+	INIT(this,
+		.public = {
+			.get_bits = _get_bits,
+			.get_byte = _get_byte,
+			.destroy = _destroy,
+		},
+		.xof = xof,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h b/src/libstrongswan/crypto/xofs/xof_bitspender.h
similarity index 60%
rename from src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
rename to src/libstrongswan/crypto/xofs/xof_bitspender.h
index f7df8e8..f422079 100644
--- a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
+++ b/src/libstrongswan/crypto/xofs/xof_bitspender.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,22 +14,24 @@
  */
 
 /**
- * @defgroup mgf1_bitspender mgf1_bitspender
+ * @defgroup xof_bitspender xof_bitspender
  * @{ @ingroup mgf1
  */
 
-#ifndef MGF1_BITSPENDER_H_
-#define MGF1_BITSPENDER_H_
+#ifndef XOF_BITSPENDER_H_
+#define XOF_BITSPENDER_H_
+
+#include "xof.h"
 
 #include <library.h>
-#include <crypto/hashers/hasher.h>
 
-typedef struct mgf1_bitspender_t mgf1_bitspender_t;
+typedef struct xof_bitspender_t xof_bitspender_t;
 
 /**
- * Generates a given number of pseudo-random bits at a time using MGF1
+ * Generates a given number of pseudo-random bits at a time using an
+ * Extended Output Function (XOF)
  */
-struct mgf1_bitspender_t {
+struct xof_bitspender_t {
 
 	/**
 	 * Get pseudo-random bits
@@ -38,7 +40,7 @@ struct mgf1_bitspender_t {
 	 * @param bits			Pseudo-random bits
 	 * @result				FALSE if internal MGF1 error occurred
 	 */
-	bool (*get_bits)(mgf1_bitspender_t *this, int bits_needed, uint32_t *bits);
+	bool (*get_bits)(xof_bitspender_t *this, int bits_needed, uint32_t *bits);
 
 	/**
 	 * Get a pseudo-random byte
@@ -46,22 +48,22 @@ struct mgf1_bitspender_t {
 	 * @param byte			Pseudo-random byte
 	 * @result				FALSE if internal MGF1 error occurred
 	 */
-	bool (*get_byte)(mgf1_bitspender_t *this, uint8_t *byte);
+	bool (*get_byte)(xof_bitspender_t *this, uint8_t *byte);
 
 	/**
-	 * Destroy mgf1_bitspender_t object
+	 * Destroy xof_bitspender_t object
 	 */
-	void (*destroy)(mgf1_bitspender_t *this);
+	void (*destroy)(xof_bitspender_t *this);
 };
 
 /**
- * Create a mgf1_bitspender_t object
+ * Create a xof_bitspender_t object
  *
- * @param alg				Hash algorithm to be used with MGF1
- * @param seed				Seed used to initialize MGF1
+ * @param alg				XOF to be used
+ * @param seed				Seed used to initialize XOF
  * @param hash_seed			Hash seed before using it as a seed for MFG1
  */
-mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
-										  bool hash_seed);
+xof_bitspender_t *xof_bitspender_create(ext_out_function_t alg, chunk_t seed,
+										bool hash_seed);
 
-#endif /** MGF1_BITSPENDER_H_ @}*/
+#endif /** XOF_BITSPENDER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index e130b93..4f79dcc 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -55,6 +55,13 @@ struct private_library_t {
 	 */
 	bool integrity_failed;
 
+#ifdef LEAK_DETECTIVE
+	/**
+	 * Where to write leak detective output to
+	 */
+	FILE *ld_out;
+#endif
+
 	/**
 	 * Number of times we have been initialized
 	 */
@@ -95,32 +102,34 @@ library_t *lib = NULL;
 /**
  * Default leak report callback
  */
-static void report_leaks(void *user, int count, size_t bytes,
-						 backtrace_t *bt, bool detailed)
+CALLBACK(report_leaks, void,
+	private_library_t *this, int count, size_t bytes, backtrace_t *bt,
+	bool detailed)
 {
-	fprintf(stderr, "%zu bytes total, %d allocations, %zu bytes average:\n",
+	fprintf(this->ld_out, "%zu bytes total, %d allocations, %zu bytes average:\n",
 			bytes, count, bytes / count);
-	bt->log(bt, stderr, detailed);
+	bt->log(bt, this->ld_out, detailed);
 }
 
 /**
  * Default leak report summary callback
  */
-static void sum_leaks(void* user, int count, size_t bytes, int whitelisted)
+CALLBACK(sum_leaks, void,
+	private_library_t *this, int count, size_t bytes, int whitelisted)
 {
 	switch (count)
 	{
 		case 0:
-			fprintf(stderr, "No leaks detected");
+			fprintf(this->ld_out, "No leaks detected");
 			break;
 		case 1:
-			fprintf(stderr, "One leak detected");
+			fprintf(this->ld_out, "One leak detected");
 			break;
 		default:
-			fprintf(stderr, "%d leaks detected, %zu bytes", count, bytes);
+			fprintf(this->ld_out, "%d leaks detected, %zu bytes", count, bytes);
 			break;
 	}
-	fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
+	fprintf(this->ld_out, ", %d suppressed by whitelist\n", whitelisted);
 }
 #endif /* LEAK_DETECTIVE */
 
@@ -172,6 +181,12 @@ void library_deinit()
 		lib->leak_detective->destroy(lib->leak_detective);
 		lib->leak_detective = NULL;
 	}
+#ifdef LEAK_DETECTIVE
+	if (this->ld_out && this->ld_out != stderr)
+	{
+		fclose(this->ld_out);
+	}
+#endif /* LEAK_DETECTIVE */
 
 	backtrace_deinit();
 	arrays_deinit();
@@ -301,11 +316,22 @@ bool library_init(char *settings, const char *namespace)
 	backtrace_init();
 
 #ifdef LEAK_DETECTIVE
+	{
+		FILE *out = NULL;
+		char *log;
+
+		log = getenv("LEAK_DETECTIVE_LOG");
+		if (log)
+		{
+			out = fopen(log, "a");
+		}
+		this->ld_out = out ?: stderr;
+	}
 	lib->leak_detective = leak_detective_create();
 	if (lib->leak_detective)
 	{
 		lib->leak_detective->set_report_cb(lib->leak_detective,
-										   report_leaks, sum_leaks, NULL);
+										   report_leaks, sum_leaks, this);
 	}
 #endif /* LEAK_DETECTIVE */
 
diff --git a/src/libstrongswan/math/libnttfft/Makefile.am b/src/libstrongswan/math/libnttfft/Makefile.am
new file mode 100644
index 0000000..ec98abe
--- /dev/null
+++ b/src/libstrongswan/math/libnttfft/Makefile.am
@@ -0,0 +1,15 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	@COVERAGE_CFLAGS@
+
+AM_LDFLAGS = \
+	-no-undefined
+
+ipseclib_LTLIBRARIES = libnttfft.la
+
+libnttfft_la_SOURCES = \
+	ntt_fft_reduce.h ntt_fft.h ntt_fft.c \
+	ntt_fft_params.h ntt_fft_params.c
+
diff --git a/src/libradius/Makefile.in b/src/libstrongswan/math/libnttfft/Makefile.in
similarity index 94%
copy from src/libradius/Makefile.in
copy to src/libstrongswan/math/libnttfft/Makefile.in
index f5a5d12..1a56213 100644
--- a/src/libradius/Makefile.in
+++ b/src/libstrongswan/math/libnttfft/Makefile.in
@@ -88,7 +88,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libradius
+subdir = src/libstrongswan/math/libnttfft
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -136,11 +136,9 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-libradius_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_libradius_la_OBJECTS = radius_message.lo radius_socket.lo \
-	radius_client.lo radius_config.lo
-libradius_la_OBJECTS = $(am_libradius_la_OBJECTS)
+libnttfft_la_LIBADD =
+am_libnttfft_la_OBJECTS = ntt_fft.lo ntt_fft_params.lo
+libnttfft_la_OBJECTS = $(am_libnttfft_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -179,8 +177,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libradius_la_SOURCES)
-DIST_SOURCES = $(libradius_la_SOURCES)
+SOURCES = $(libnttfft_la_SOURCES)
+DIST_SOURCES = $(libnttfft_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -346,7 +344,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -380,8 +377,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -435,25 +430,24 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
+AM_CFLAGS = \
+	@COVERAGE_CFLAGS@
+
 AM_LDFLAGS = \
 	-no-undefined
 
-ipseclib_LTLIBRARIES = libradius.la
-libradius_la_LIBADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la -lm
-
-libradius_la_SOURCES = \
-	radius_message.h radius_message.c \
-	radius_socket.h radius_socket.c \
-	radius_client.h radius_client.c \
-	radius_config.h radius_config.c \
-	radius_mppe.h
+ipseclib_LTLIBRARIES = libnttfft.la
+libnttfft_la_SOURCES = \
+	ntt_fft_reduce.h ntt_fft.h ntt_fft.c \
+	ntt_fft_params.h ntt_fft_params.c
 
 all: all-am
 
@@ -468,9 +462,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libradius/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/math/libnttfft/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libradius/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/math/libnttfft/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -524,8 +518,8 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f $${locs}; \
 	}
 
-libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) $(EXTRA_libradius_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
+libnttfft.la: $(libnttfft_la_OBJECTS) $(libnttfft_la_DEPENDENCIES) $(EXTRA_libnttfft_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libnttfft_la_OBJECTS) $(libnttfft_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -533,10 +527,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/radius_client.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/radius_config.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/radius_message.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/radius_socket.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntt_fft.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntt_fft_params.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.c b/src/libstrongswan/math/libnttfft/ntt_fft.c
similarity index 67%
rename from src/libstrongswan/plugins/bliss/bliss_fft.c
rename to src/libstrongswan/math/libnttfft/ntt_fft.c
index 033c214..f83dbfc 100644
--- a/src/libstrongswan/plugins/bliss/bliss_fft.c
+++ b/src/libstrongswan/math/libnttfft/ntt_fft.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,34 +13,44 @@
  * for more details.
  */
 
-#include "bliss_fft.h"
+#include "ntt_fft.h"
+#include "ntt_fft_reduce.h"
 
-typedef struct private_bliss_fft_t private_bliss_fft_t;
+/**
+ * Described in header.
+ */
+void libnttfft_init(void)
+{
+	/* empty */
+}
+
+typedef struct private_ntt_fft_t private_ntt_fft_t;
 
 /**
- * Private data structure for bliss_fft_t object
+ * Private data structure for ntt_fft_t object
  */
-struct private_bliss_fft_t {
+struct private_ntt_fft_t {
+
 	/**
 	 * Public interface.
 	 */
-	bliss_fft_t public;
+	ntt_fft_t public;
 
 	/**
 	 * FFT parameter set used as constants
 	 */
-	bliss_fft_params_t *p;
+	const ntt_fft_params_t *p;
 
 };
 
-METHOD(bliss_fft_t, get_size, uint16_t,
-	private_bliss_fft_t *this)
+METHOD(ntt_fft_t, get_size, uint16_t,
+	private_ntt_fft_t *this)
 {
 	return this->p->n;
 }
 
-METHOD(bliss_fft_t, get_modulus, uint16_t,
-	private_bliss_fft_t *this)
+METHOD(ntt_fft_t, get_modulus, uint16_t,
+	private_ntt_fft_t *this)
 {
 	return this->p->q;
 }
@@ -54,8 +64,7 @@ METHOD(bliss_fft_t, get_modulus, uint16_t,
  * x[i2] ---|-|--|*|-- x[i2]
  *
  */
-static void butterfly(private_bliss_fft_t *this, uint32_t *x, int i1,int i2,
-															  int iw)
+static void butterfly(private_ntt_fft_t *this, uint32_t *x, int i1,int i2, int iw)
 {
 	uint32_t xp, xm;
 
@@ -65,14 +74,14 @@ static void butterfly(private_bliss_fft_t *this, uint32_t *x, int i1,int i2,
 	{
 		xp -= this->p->q;
 	}
-	x[i1] =  xp;
-	x[i2] = (xm * this->p->w[iw]) % this->p->q;
+	x[i1] = xp;
+	x[i2] = ntt_fft_mreduce(xm * this->p->wr[iw], this->p);
 }
 
 /**
  * Trivial butterfly operation of last FFT stage
  */
-static void butterfly_last(private_bliss_fft_t *this, uint32_t *x, int i1)
+static void butterfly_last(private_ntt_fft_t *this, uint32_t *x, int i1)
 {
 	uint32_t xp, xm;
 	int i2 = i1 + 1;
@@ -91,23 +100,22 @@ static void butterfly_last(private_bliss_fft_t *this, uint32_t *x, int i1)
 	x[i2] = xm;
 }
 
-METHOD(bliss_fft_t, transform, void,
-	private_bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse)
+METHOD(ntt_fft_t, transform, void,
+	private_ntt_fft_t *this, uint32_t *a, uint32_t *b, bool inverse)
 {
-	int stage, i, j, k, m, n, t, iw, i_rev;
-	uint16_t q;
+	int stage, i, j, k, m, n, s, t, iw, i_rev;
 	uint32_t tmp;
 
-	/* we are going to use the transform size n and the modulus q a lot */
+	/* we are going to use the transform size n a lot */
 	n = this->p->n;
-	q = this->p->q;
+	s = this->p->s;
 
 	if (!inverse)
 	{
 		/* apply linear phase needed for negative wrapped convolution */
 		for (i = 0; i < n; i++)
 		{
-			b[i] = (a[i] * this->p->w[i]) % q;
+			b[i] = ntt_fft_mreduce(a[i] * this->p->wf[s*i], this->p);
 		}
 	}
 	else if (a != b)
@@ -137,7 +145,7 @@ METHOD(bliss_fft_t, transform, void,
 			{
 				for (i = 0; i < m; i++)
 				{
-					iw = 2 * (inverse ? (n - i * k) : (i * k));
+					iw = s * (inverse ? (n - i * k) : (i * k));
 					butterfly(this, b, t + i, t + i + m, iw);
 				}				
 			}
@@ -167,13 +175,13 @@ METHOD(bliss_fft_t, transform, void,
 	{
 		for (i = 0; i < n; i++)
 		{
-			b[i] = (((b[i] * this->p->w[2*n - i]) % q) * this->p->n_inv) % q;
+			b[i] = ntt_fft_mreduce(b[i] * this->p->wi[i], this->p);
 		}
 	}
 }
 
-METHOD(bliss_fft_t, destroy, void,
-	private_bliss_fft_t *this)
+METHOD(ntt_fft_t, destroy, void,
+	private_ntt_fft_t *this)
 {
 	free(this);
 }
@@ -181,9 +189,9 @@ METHOD(bliss_fft_t, destroy, void,
 /**
  * See header.
  */
-bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params)
+ntt_fft_t *ntt_fft_create(const ntt_fft_params_t *params)
 {
-	private_bliss_fft_t *this;
+	private_ntt_fft_t *this;
 
 	INIT(this,
 		.public = {
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.h b/src/libstrongswan/math/libnttfft/ntt_fft.h
similarity index 64%
rename from src/libstrongswan/plugins/bliss/bliss_fft.h
rename to src/libstrongswan/math/libnttfft/ntt_fft.h
index a79edd2..c05bb4e 100644
--- a/src/libstrongswan/plugins/bliss/bliss_fft.h
+++ b/src/libstrongswan/math/libnttfft/ntt_fft.h
@@ -14,37 +14,39 @@
  */
 
 /**
- * @defgroup bliss_fft bliss_fft
- * @{ @ingroup bliss_p
+ * @defgroup ntt_p libnttfft
+ *
+ * @defgroup ntt_fft ntt_fft
+ * @{ @ingroup ntt_p
  */
 
-#ifndef BLISS_FFT_H_
-#define BLISS_FFT_H_
+#ifndef NTT_FFT_H_
+#define NTT_FFT_H_
 
-#include "bliss_fft_params.h"
+#include "ntt_fft_params.h"
 
 #include <library.h>
 
-typedef struct bliss_fft_t bliss_fft_t;
+typedef struct ntt_fft_t ntt_fft_t;
 
 /**
  * Implements a Number Theoretic Transform (NTT) via the FFT algorithm
  */
-struct bliss_fft_t {
+struct ntt_fft_t {
 
 	/**
 	 * Get the size of the Number Theoretic Transform
 	 *
 	 * @result			Transform size
 	 */
-	uint16_t (*get_size)(bliss_fft_t *this);
+	uint16_t (*get_size)(ntt_fft_t *this);
 
 	/**
 	 * Get the prime modulus of the Number Theoretic Transform
 	 *
 	 * @result			Prime modulus
 	 */
-	uint16_t (*get_modulus)(bliss_fft_t *this);
+	uint16_t (*get_modulus)(ntt_fft_t *this);
 
 	/**
 	 * Compute the [inverse] NTT of a polynomial
@@ -53,19 +55,25 @@ struct bliss_fft_t {
 	 * @param b			Coefficient of output polynomial
 	 * @param inverse	TRUE if the inverse NTT has to be computed
 	 */
-	void (*transform)(bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse);
+	void (*transform)(ntt_fft_t *this, uint32_t *a, uint32_t *b, bool inverse);
 
 	/**
-	 * Destroy bliss_fft_t object
+	 * Destroy ntt_fft_t object
 	 */
-	void (*destroy)(bliss_fft_t *this);
+	void (*destroy)(ntt_fft_t *this);
 };
 
 /**
- * Create a bliss_fft_t object for a given FFT parameter set
+ * Create a ntt_fft_t object for a given FFT parameter set
  *
  * @param params		FFT parameters
  */
-bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params);
+ntt_fft_t *ntt_fft_create(const ntt_fft_params_t *params);
+
+/**
+ * Dummy libnttfft initialization function needed for integrity test
+ */
+void libnttfft_init(void);
+
 
-#endif /** BLISS_FFT_H_ @}*/
+#endif /** NTT_FFT_H_ @}*/
diff --git a/src/libstrongswan/math/libnttfft/ntt_fft_params.c b/src/libstrongswan/math/libnttfft/ntt_fft_params.c
new file mode 100644
index 0000000..4daac27
--- /dev/null
+++ b/src/libstrongswan/math/libnttfft/ntt_fft_params.c
@@ -0,0 +1,652 @@
+/*
+ * Copyright (C) 2014-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntt_fft_params.h"
+
+/**
+ * FFT twiddle factors in Montgomery form for q = 12289 and n = 1024
+ */
+static const uint16_t wr_12289_1024[] = {
+	 4075,  3051,  2031,  1207,  9987, 10092,  2948,  9273, 11973,  9094,
+	 3202,  9430,  7377,  5092,  3728, 10626,  4536,  1062,  2882,  6039,
+	  975, 10908,  6065,  2249, 11889,  4978, 10431,  7270, 12138,  4890,
+	 6119,  4895,  6364,  4611,  4737, 10911,  6212,  9452,  8455,  8758,
+	11316,  1479, 11026, 11847,  2920,  7901,  6190,  8374,  4789,  1170,
+	 8174,  7278,   241, 11809,  1058,  2686,  8724,  9650,  5868,  4885,
+	 5874,  5179,  7991, 10600,  3262,    81,  3969, 10146,  5594,  3748,
+	11606,  3400,  6843,  3504, 11939,  7428,  7591,  3289,  1404,  7351,
+	 3818,  2747, 11713,  8643,  5681,  8011, 11580,  2126,  5862,  4591,
+	 3757, 12047,   431,  8830,  2555,  2305,  2344,  4255, 11871,  4096,
+
+	 4080,  3296,  1747, 11869,  3998, 11567,  1489, 11516, 11279, 11955,
+	 8212,  9140,  5456,  9275, 12071,  1607,  5009, 11950,  7967,  9424,
+	 7083,  2975, 10596,  3066,  2766,   355,  5106,  4414,  7373,  4896,
+	 6413,  7012, 11785, 12171,  6507, 11618,  3988, 11077,  2057,  2481,
+	10968,  9005, 11130,  4654,  6844,  3553,  2051,  2187,  8851,  3584,
+	 3570,  2884,  6137,  5777,   426,  8585,  2839,  3932,  8333,  2780,
+	 1041,  1853,  4774,   435,  9026, 12159,  5919,  7384,  5435,  8246,
+	10806,  1067,  3127,  5755, 11637,  4919,  7540,   790,  1843,  4284,
+	 1003, 12280, 11848,  2969, 10302,   949,  9634,  5084,  3336,  3707,
+	 9597,  3271,   522,  1000, 12133,  4645,  6403,  6522,    64,  3136,
+
+	 6196,  8668,  6906,  6591,  3445,  9048,   948,  9585,  2683,  8577,
+	 2447,  9302,  1105,  4989, 10970,  9103,  3643,  6461,  9364,  4143,
+	 6383,  5542,  1200,  9644,  5574,  2768,   453,  9908,  6221,  9893,
+	 5486, 10745, 10367,  4134,  5942,  8511, 11502, 10593,  2919,  7852,
+	 3789,  1326,  3529,   875,  6008, 11745, 10211,  8779,    56,  2744,
+	11566,  1440,  9115,  4231, 10695,  7917,  6974,  9923,  6956,  9041,
+	  605,  5067,  2503, 12046,   382,  6429,  7796,  1045,  2049,  2089,
+	 4049,  1777,  1050,  2294,  1805,  2422,  8077,  2525,   835,  4048,
+	 1728, 10938,  7535,   545,  2127,  5911,  6992, 10805,  1018,   726,
+	10996, 10377,  4624,  5374,  5257, 11813,  1254,     1,    49,  2401,
+
+	 7048,  1260,   295,  2166,  7822,  2319,  3030,  1002, 12231,  9447,
+	 8210,  9042,   654,  7468,  9551,  1017,   677,  8595,  3329,  3364,
+	 5079,  3091,  3991, 11224,  9260, 11336,  2459,  9890,  5339,  3542,
+	 1512,   354,  5057,  2013,   325,  3636,  6118,  4846,  3963,  9852,
+	 3477, 10616,  4046,  1630,  6136,  5728, 10314,  1537,  1579,  3637,
+	 6167,  7247, 11011, 11112,  3772,   493, 11868,  3949,  9166,  6730,
+	10256, 10984,  9789,   390,  6821,  2426,  8273, 12129,  4449,  9088,
+	 2908,  7313,  1956,  9821,  1958,  9919,  6760, 11726,  9280,    27,
+	 1323,  3382,  5961,  9442,  7965,  9326,  2281,  1168,  8076,  2476,
+	10723,  9289,   468, 10643,  5369,  5012, 12097,  2881,  5990, 10863,
+
+	 3860,  4805,  1954,  9723,  9445,  8112,  4240, 11136,  4948,  8961,
+	 8974,  9611,  3957,  9558,  1360,  5195,  8775, 12149,  5429,  7952,
+	 8689,  7935,  7856,  3985, 10930,  7143,  5915,  7188,  8120,  4632,
+	 5766, 12176,  6752, 11334,  2361,  5088,  3532,  1022,   922,  8311,
+	 1702,  9664,  6554,  1632,  6234, 10530, 12121,  4057,  2169,  7969,
+	 9522, 11885,  4782,   827,  3656,  7098,  3710,  9744, 10474,  9377,
+	 4780,   729, 11143,  5291,  1190,  9154,  6142,  6022,   142,  6958,
+	 9139,  5407,  6874,  5023,   347,  4714,  9784,   145,  7105,  4053,
+	 1973, 10654,  5908,  6845,  3602,  4452,  9235, 10111,  3879,  5736,
+	10706,  8456,  8807,  1428,  8527, 12286, 12142,  5086,  3434,  8509,
+
+	11404,  5791,  1112,  5332,  3199,  9283,   174,  8526, 12237,  9741,
+	10327,  2174,  8214,  9238, 10258, 11082,  2302,  2197,  9341,  3016,
+	  316,  3195,  9087,  2859,  4912,  7197,  8561,  1663,  7753, 11227,
+	 9407,  6250, 11314,  1381,  6224, 10040,   400,  7311,  1858,  5019,
+	  151,  7399,  6170,  7394,  5925,  7678,  7552,  1378,  6077,  2837,
+	 3834,  3531,   973, 10810,  1263,   442,  9369,  4388,  6099,  3915,
+	 7500, 11119,  4115,  5011, 12048,   480, 11231,  9603,  3565,  2639,
+	 6421,  7404,  6415,  7110,  4298,  1689,  9027, 12208,  8320,  2143,
+	 6695,  8541,   683,  8889,  5446,  8785,   350,  4861,  4698,  9000,
+	10885,  4938,  8471,  9542,   576,  3646,  6608,  4278,   709, 10163,
+
+	 6427,  7698,  8532,   242, 11858,  3459,  9734,  9984,  9945,  8034,
+	  418,  8193,  8209,  8993, 10542,   420,  8291,   722, 10800,   773,
+	 1010,   334,  4077,  3149,  6833,  3014,   218, 10682,  7280,   339,
+	 4322,  2865,  5206,  9314,  1693,  9223,  9523, 11934,  7183,  7875,
+	 4916,  7393,  5876,  5277,   504,   118,  5782,   671,  8301,  1212,
+	10232,  9808,  1321,  3284,  1159,  7635,  5445,  8736, 10238, 10102,
+	 3438,  8705,  8719,  9405,  6152,  6512, 11863,  3704,  9450,  8357,
+	 3956,  9509, 11248, 10436,  7515, 11854,  3263,   130,  6370,  4905,
+	 6854,  4043,  1483, 11222,  9162,  6534,   652,  7370,  4749, 11499,
+	10446,  8005, 11286,     9,   441,  9320,  1987, 11340,  2655,  7205,
+
+	 8953,  8582,  2692,  9018, 11767, 11289,   156,  7644,  5886,  5767,
+	12225,  9153,  6093,  3621,  5383,  5698,  8844,  3241, 11341,  2704,
+	 9606,  3712,  9842,  2987, 11184,  7300,  1319,  3186,  8646,  5828,
+	 2925,  8146,  5906,  6747, 11089,  2645,  6715,  9521, 11836,  2381,
+	 6068,  2396,  6803,  1544,  1922,  8155,  6347,  3778,   787,  1696,
+	 9370,  4437,  8500, 10963,  8760, 11414,  6281,   544,  2078,  3510,
+	12233,  9545,   723, 10849,  3174,  8058,  1594,  4372,  5315,  2366,
+	 5333,  3248, 11684,  7222,  9786,   243, 11907,  5860,  4493, 11244,
+	10240, 10200,  8240, 10512, 11239,  9995, 10484,  9867,  4212,  9764,
+	11454,  8241, 10561,  1351,  4754, 11744, 10162,  6378,  5297,  1484,
+
+	11271, 11563,  1293,  1912,  7665,  6915,  7032,   476, 11035, 12288,
+	12240,  9888,  5241, 11029, 11994, 10123,  4467,  9970,  9259, 11287,
+	   58,  2842,  4079,  3247, 11635,  4821,  2738, 11272, 11612,  3694,
+	 8960,  8925,  7210,  9198,  8298,  1065,  3029,   953,  9830,  2399,
+	 6950,  8747, 10777, 11935,  7232, 10276, 11964,  8653,  6171,  7443,
+	 8326,  2437,  8812,  1673,  8243, 10659,  6153,  6561,  1975, 10752,
+	10710,  8652,  6122,  5042,  1278,  1177,  8517, 11796,   421,  8340,
+	 3123,  5559,  2033,  1305,  2500, 11899,  5468,  9863,  4016,   160,
+	 7840,  3201,  9381,  4976, 10333,  2468, 10331,  2370,  5529,   563,
+	 3009, 12262, 10966,  8907,  6328,  2847,  4324,  2963, 10008, 11121,
+
+	 4213,  9813,  1566,  3000, 11821,  1646,  6920,  7277,   192,  9408,
+	 6299,  1426,  8429,  7484, 10335,  2566,  2844,  4177,  8049,  1153,
+	 7341,  3328,  3315,  2678,  8332,  2731, 10929,  7094,  3514,   140,
+	 6860,  4337,  3600,  4354,  4433,  8304,  1359,  5146,  6374,  5101,
+	 4169,  7657,  6523,   113,  5537,   955,  9928,  7201,  8757, 11267,
+	11367,  3978, 10587,  2625,  5735, 10657,  6055,  1759,   168,  8232,
+	10120,  4320,  2767,   404,  7507, 11462,  8633,  5191,  8579,  2545,
+	 1815,  2912,  7509, 11560,  1146,  6998, 11099,  3135,  6147,  6267,
+	12147,  5331,  3150,  6882,  5415,  7266, 11942,  7575,  2505, 12144,
+	 5184,  8236, 10316,  1635,  6381,  5444,  8687,  7837,  3054,  2178,
+
+	 8410,  6553,  1583,  3833,  3482, 10861,  3762,     3,   147,  7203,
+	 8855,  3780,   885,  6498, 11177,  6957,  9090,  3006, 12115,  3763,
+	   52,  2548,  1962, 10115,  4075
+};
+
+/**
+ * FFT phase shift in forward transform for q = 12289 and n = 1024
+ */
+static const uint16_t wf_12289_1024[] = {
+	 3186, 10013,  8646, 11366,  5828,  3929,  2925,  8186,  8146,  7866,
+	 5906,  4475,  6747, 10362, 11089,  3889,  2645,  6226,  6715, 10138,
+	 9521,  5202, 11836,  9118,  2381,  4378,  6068,  5609,  2396,  4483,
+	 6803, 10754,  1544, 10808,  1922,  1165,  8155,  7929,  6347,  7562,
+	 3778,  1868,   787,  5509,  1696, 11872,  9370,  4145,  4437,  6481,
+	 8500, 10344, 10963,  3007,  8760, 12164, 11414,  6164,  6281,  7100,
+	  544,  3808,  2078,  2257,  3510, 12281, 12233, 11897,  9545,  5370,
+	  723,  5061, 10849,  2209,  3174,  9929,  8058,  7250,  1594, 11158,
+	 4372,  6026,  5315,   338,  2366,  4273,  5333,   464,  3248, 10447,
+	11684,  8054,  7222,  1398,  9786,  7057,   243,  1701, 11907,  9615,
+
+	 5860,  4153,  4493,  6873, 11244,  4974, 10240, 10235, 10200,  9955,
+	 8240,  8524, 10512, 12139, 11239,  4939,  9995,  8520, 10484, 11943,
+	 9867,  7624,  4212,  4906,  9764,  6903, 11454,  6444,  8241,  8531,
+	10561,   193,  1351,  9457,  4754,  8700, 11744,  8474, 10162,  9689,
+	 6378,  7779,  5297,   212,  1484, 10388, 11271,  5163, 11563,  7207,
+	 1293,  9051,  1912,  1095,  7665,  4499,  6915, 11538,  7032,    68,
+	  476,  3332, 11035,  3511, 12288, 12282, 12240, 11946,  9888,  7771,
+	 5241, 12109, 11029,  3469, 11994, 10224, 10123,  9416,  4467,  6691,
+	 9970,  8345,  9259,  3368, 11287,  5275,    58,   406,  2842,  7605,
+	 4079,  3975,  3247, 10440, 11635,  7711,  4821,  9169,  2738,  6877,
+
+	11272,  5170, 11612,  7550,  3694,  1280,  8960,  1275,  8925,  1030,
+	 7210,  1314,  9198,  2941,  8298,  8930,  1065,  7455,  3029,  8914,
+	  953,  6671,  9830,  7365,  2399,  4504,  6950, 11783,  8747, 12073,
+	10777,  1705, 11935,  9811,  7232,  1468, 10276, 10487, 11964, 10014,
+	 8653, 11415,  6171,  6330,  7443,  2945,  8326,  9126,  2437,  4770,
+	 8812,   239,  1673, 11711,  8243,  8545, 10659,   879,  6153,  6204,
+	 6561,  9060,  1975,  1536, 10752,  1530, 10710,  1236,  8652, 11408,
+	 6122,  5987,  5042, 10716,  1278,  8946,  1177,  8239,  8517, 10463,
+	11796,  8838,   421,  2947,  8340,  9224,  3123,  9572,  5559,  2046,
+	 2033,  1942,  1305,  9135,  2500,  5211, 11899,  9559,  5468,  1409,
+
+	 9863,  7596,  4016,  3534,   160,  1120,  7840,  5724,  3201, 10118,
+	 9381,  4222,  4976, 10254, 10333, 10886,  2468,  4987, 10331, 10872,
+	 2370,  4301,  5529,  1836,   563,  3941,  3009,  8774, 12262, 12100,
+	10966,  3028,  8907,   904,  6328,  7429,  2847,  7640,  4324,  5690,
+	 2963,  8452, 10008,  8611, 11121,  4113,  4213,  4913,  9813,  7246,
+	 1566, 10962,  3000,  8711, 11821,  9013,  1646, 11522,  6920, 11573,
+	 7277,  1783,   192,  1344,  9408,  4411,  6299,  7226,  1426,  9982,
+	 8429,  9847,  7484,  3232, 10335, 10900,  2566,  5673,  2844,  7619,
+	 4177,  4661,  8049,  7187,  1153,  8071,  7341,  2231,  3328, 11007,
+	 3315, 10916,  2678,  6457,  8332,  9168,  2731,  6828, 10929,  2769,
+
+	 7094,   502,  3514,    20,   140,   980,  6860, 11153,  4337,  5781,
+	 3600,   622,  4354,  5900,  4433,  6453,  8304,  8972,  1359,  9513,
+	 5146, 11444,  6374,  7751,  5101, 11129,  4169,  4605,  7657,  4443,
+	 6523,  8794,   113,   791,  5537,  1892,   955,  6685,  9928,  8051,
+	 7201,  1251,  8757, 12143, 11267,  5135, 11367,  5835,  3978,  3268,
+	10587,   375,  2625,  6086,  5735,  3278, 10657,   865,  6055,  5518,
+	 1759,    24,   168,  1176,  8232,  8468, 10120,  9395,  4320,  5662,
+	 2767,  7080,   404,  2828,  7507,  3393, 11462,  6500,  8633, 11275,
+	 5191, 11759,  8579, 10897,  2545,  5526,  1815,   416,  2912,  8095,
+	 7509,  3407, 11560,  7186,  1146,  8022,  6998, 12119, 11099,  3959,
+
+	 3135,  9656,  6147,  6162,  6267,  7002, 12147, 11295,  5331,   450,
+	 3150,  9761,  6882, 11307,  5415,  1038,  7266,  1706, 11942,  9860,
+	 7575,  3869,  2505,  5246, 12144, 11274,  5184, 11710,  8236,  8496,
+	10316, 10767,  1635, 11445,  6381,  7800,  5444,  1241,  8687, 11653,
+	 7837,  5703,  3054,  9089,  2178,  2957,  8410,  9714,  6553,  9004,
+	 1583, 11081,  3833,  2253,  3482, 12085, 10861,  2293,  3762,  1756,
+	    3,    21,   147,  1029,  7203,  1265,  8855,   540,  3780,  1882,
+	  885,  6195,  6498,  8619, 11177,  4505,  6957, 11832,  9090,  2185,
+	 3006,  8753, 12115, 11071,  3763,  1763,    52,   364,  2548,  5547,
+	 1962,  1445, 10115,  9360,  4075,  3947,  3051,  9068,  2031,  1928,
+
+	 1207,  8449,  9987,  8464, 10092,  9199,  2948,  8347,  9273,  3466,
+	11973, 10077,  9094,  2213,  3202, 10125,  9430,  4565,  7377,  2483,
+	 5092, 11066,  3728,  1518, 10626,   648,  4536,  7174,  1062,  7434,
+	 2882,  7885,  6039,  5406,   975,  6825, 10908,  2622,  6065,  5588,
+	 2249,  3454, 11889,  9489,  4978, 10268, 10431, 11572,  7270,  1734,
+	12138, 11232,  4890,  9652,  6119,  5966,  4895,  9687,  6364,  7681,
+	 4611,  7699,  4737,  8581, 10911,  2643,  6212,  6617,  9452,  4719,
+	 8455, 10029,  8758, 12150, 11316,  5478,  1479, 10353, 11026,  3448,
+	11847,  9195,  2920,  8151,  7901,  6151,  6190,  6463,  8374,  9462,
+	 4789,  8945,  1170,  8190,  8174,  8062,  7278,  1790,   241,  1687,
+
+	11809,  8929,  1058,  7406,  2686,  6513,  8724, 11912,  9650,  6105,
+	 5868,  4209,  4885,  9617,  5874,  4251,  5179, 11675,  7991,  6781,
+	10600,   466,  3262, 10545,    81,   567,  3969,  3205, 10146,  9577,
+	 5594,  2291,  3748,  1658, 11606,  7508,  3400, 11511,  6843, 11034,
+	 3504, 12239, 11939,  9839,  7428,  2840,  7591,  3981,  3289, 10734,
+	 1404,  9828,  7351,  2301,  3818,  2148,  2747,  6940, 11713,  8257,
+	 8643, 11345,  5681,  2900,  8011,  6921, 11580,  7326,  2126,  2593,
+	 5862,  4167,  4591,  7559,  3757,  1721, 12047, 10595,   431,  3017,
+	 8830,   365,  2555,  5596,  2305,  3846,  2344,  4119,  4255,  5207,
+	11871,  9363,  4096,  4094,  4080,  3982,  3296, 10783,  1747, 12229,
+
+	11869,  9349,  3998,  3408, 11567,  7235,  1489, 10423, 11516,  6878,
+	11279,  5219, 11955,  9951,  8212,  8328,  9140,  2535,  5456,  1325,
+	 9275,  3480, 12071, 10763,  1607, 11249,  5009, 10485, 11950,  9916,
+	 7967,  6613,  9424,  4523,  7083,   425,  2975,  8536, 10596,   438,
+	 3066,  9173,  2766,  7073,   355,  2485,  5106, 11164,  4414,  6320,
+	 7373,  2455,  4896,  9694,  6413,  8024,  7012, 12217, 11785,  8761,
+	12171, 11463,  6507,  8682, 11618,  7592,  3988,  3338, 11077,  3805,
+	 2057,  2110,  2481,  5078, 10968,  3042,  9005,  1590, 11130,  4176,
+	 4654,  8000,  6844, 11041,  3553,   293,  2051,  2068,  2187,  3020,
+	 8851,   512,  3584,   510,  3570,   412,  2884,  7899,  6137,  6092,
+
+	 5777,  3572,   426,  2982,  8585, 10939,  2839,  7584,  3932,  2946,
+	 8333,  9175,  2780,  7171,  1041,  7287,  1853,   682,  4774,  8840,
+	  435,  3045,  9026,  1737, 12159, 11379,  5919,  4566,  7384,  2532,
+	 5435,  1178,  8246,  8566, 10806,  1908,  1067,  7469,  3127,  9600,
+	 5755,  3418, 11637,  7725,  4919,  9855,  7540,  3624,   790,  5530,
+	 1843,   612,  4284,  5410,  1003,  7021, 12280, 12226, 11848,  9202,
+	 2969,  8494, 10302, 10669,   949,  6643,  9634,  5993,  5084, 11010,
+	 3336, 11063,  3707,  1371,  9597,  5734,  3271, 10608,   522,  3654,
+	 1000,  7000, 12133, 11197,  4645,  7937,  6403,  7954,  6522,  8787,
+	   64,   448,  3136,  9663,  6196,  6505,  8668, 11520,  6906, 11475,
+
+	 6591,  9270,  3445, 11826,  9048,  1891,   948,  6636,  9585,  5650,
+	 2683,  6492,  8577, 10883,  2447,  4840,  9302,  3669,  1105,  7735,
+	 4989, 10345, 10970,  3056
+};
+
+/**
+ * FFT phase shift and scaling inverse transform for q = 12289 and n = 1024
+ */
+static const uint16_t wi_12289_1024[] = {
+	12277,  5265,  9530,  3117,  5712,   816, 10650,  3277,  9246,  4832,
+	 5957,   851, 10655, 10300,  3227,   461,  3577,   511,    73,  1766,
+	 5519,  2544,  2119,  7325,  2802,  5667, 11343,  3376,  5749,  6088,
+	 7892,  2883,  3923,  2316,  3842,  4060,   580,  3594,  2269,  9102,
+	 6567,  9716,  1388,  5465,  7803,  8137,  2918,  3928,  9339, 10112,
+	11978, 10489,  3254,  3976,   568,  8859, 11799, 12219, 12279, 10532,
+	12038,  8742,  4760,   680,  8875,  4779,  7705,  8123,  2916, 10950,
+	 6831,  4487,   641, 10625,  5029,  2474,  2109,  5568,  2551,  2120,
+	 3814,  4056,  2335, 10867,  3308, 11006,  6839,   977, 10673,  8547,
+	 1221,  1930,  7298, 11576,  8676,  2995,  3939,  7585, 11617, 12193,
+
+	 5253,  2506,   358,  8829,  6528, 11466,  1638,   234,  1789, 10789,
+	 6808, 11506,  8666,  1238,  3688,  4038,  4088,   584,  1839,  7285,
+	 8063,  4663,  9444, 10127,  8469,  4721,  2430,  9125, 11837,  1691,
+	10775,  6806,  6239,  6158,  7902,  4640,  4174,  5863, 11371,  3380,
+	 3994, 11104,  6853,   979,  3651, 11055,  6846,   978,  7162,  9801,
+	10178,  1454,  7230,  4544,  9427,  8369, 11729, 12209, 10522, 10281,
+	 8491,  1213,  5440,  9555,  1365,   195,  3539, 11039,  1577,  5492,
+	11318,  5128, 11266,  3365,  7503,  4583,  7677,  8119,  4671,  5934,
+	 7870,  6391,   913,  1886,  2025,  5556,  7816, 11650,  6931,  9768,
+	 3151,  9228,  6585,  7963, 11671,  6934, 11524,  6913, 11521,  5157,
+
+	 7759,  2864,  9187,  3068,  5705,   815,  1872,  2023,   289,  5308,
+	 6025,  7883,  9904,  4926,  7726,  8126,  4672,  2423,  9124,  3059,
+	  437,  1818,  7282,  6307,   901,  7151, 11555,  8673,  1239,   177,
+	 5292,   756,   108,  1771,   253,  8814, 10037,  4945,  2462,  7374,
+	 2809,  5668,  7832,  4630,  2417,  5612,  7824,  8140,  4674,  7690,
+	11632,  8684, 11774,  1682,  5507,  7809, 11649, 10442,  8514,  6483,
+	 9704,  6653,  2706, 10920,  1560,  3734,  2289,   327,  7069,  4521,
+	 4157,  4105,  2342, 10868, 12086, 12260,  3507,   501, 10605,  1515,
+	 1972,  7304,  2799,  3911,  7581,  1083,  7177,  6292,  4410,   630,
+	   90,  3524,  2259,  7345,  6316,  6169,  6148,  6145,  4389,   627,
+
+	10623, 12051, 12255,  8773,  6520,  2687,  3895,  2312,  5597, 11333,
+	 1619,  5498,  2541,   363,  3563,   509,  7095, 11547, 12183,  3496,
+	 2255,  9100,  1300,  7208,  8052,  6417,  7939,  9912,  1416,  5469,
+	 6048,   864,  1879,  2024,  9067,  6562,  2693,  7407,  9836, 10183,
+	 8477,  1211,   173,  7047,  8029,  1147,  3675,   525,    75,  7033,
+	 8027,  8169,  1167,  7189,  1027,  7169,  9802,  6667,  2708,  3898,
+	 4068,  9359,  1337,   191,  5294,  6023,  2616,  7396, 11590,  8678,
+	 8262,  6447,   921, 10665, 12057,  3478,  4008, 11106, 12120,  3487,
+	 9276, 10103,  6710, 11492,  8664,  8260,  1180, 10702,  5040,   720,
+	 3614,  5783,  9604,  1372,   196,    28,     4, 10534,  5016, 11250,
+
+	10385, 12017,  8739,  3004,  9207,  6582,  6207,  7909,  4641,   663,
+	 7117,  8039,  2904,  3926,  4072,  7604,  6353, 11441,  3390,  5751,
+	11355, 10400,  8508,  2971,  2180,  2067,  5562, 11328,  6885, 11517,
+	 6912,  2743,  3903, 11091,  3340,  9255, 10100,  4954,  7730,  6371,
+	 9688,  1384,  7220,  2787,  9176,  4822,  4200,   600,  7108,  2771,
+	 3907,  9336,  8356,  8216,  8196,  4682,  4180,  9375,  6606,  7966,
+	 1138, 10696,  1528,  5485, 11317,  8639, 10012,  6697,  7979,  4651,
+	 2420,  7368, 11586, 10433,  3246,  7486,  2825, 10937,  3318,   474,
+	 7090,  4524,  5913,  7867,  4635,  9440, 11882,  3453,  5760,  4334,
+	 9397,  3098, 10976,  1568,   224,    32, 10538,  3261,  3977,  9346,
+
+	10113,  8467, 11743, 12211,  3500,   500,  1827,   261,  5304,  7780,
+	 2867, 10943,  6830,  7998, 11676,  1668,  5505,  2542,  9141,  4817,
+	 9466,  6619, 11479,  5151,  4247,  7629,  4601,  5924,  6113,  6140,
+	 9655,  6646,  2705,  2142,   306,  7066,  2765,   395,  1812,  3770,
+	11072,  8604, 10007, 11963,  1709,  9022,  4800,  7708,  9879,  6678,
+	  954,  5403,  4283,  4123,   589,  8862,  1266,  3692,  2283,  9104,
+	11834, 12224,  7013,  4513,  7667,  6362,  4420,  2387,   341,  7071,
+	 9788,  6665,  9730,  1390, 10732, 10311,  1473,  1966,  3792,  7564,
+	11614, 10437,  1491,   213,  1786,  9033,  3046,  9213, 10094,  1442,
+	  206,  1785,   255,  1792,   256, 10570,  1510,  7238,  1034,  7170,
+
+	 6291,  7921, 11665,  3422,  4000,  2327,  2088,  5565,   795, 10647,
+	 1521,  5484,  2539,  7385,  1055,  7173,  8047, 11683,  1669,  1994,
+	 3796,  5809,  4341,  9398, 11876, 12230, 10525, 12037, 12253,  3506,
+	 4012,  9351,  4847,  2448,  7372,  9831,  3160,  2207,  5582,  2553,
+	 7387,  6322,  9681,  1383, 10731,  1533,   219,  5298,  4268,  7632,
+	 6357,  9686,  8406,  4712,  9451, 10128,  4958,  5975, 11387,  8649,
+	11769,  6948, 11526, 12180,  1740, 10782,  6807,  2728,  7412,  4570,
+	 4164,  4106, 11120, 12122,  8754, 11784,  3439,  5758, 11356,  6889,
+	 9762, 11928,  1704,  1999, 10819, 12079, 12259,  7018, 11536,  1648,
+	 1991,  2040,  2047,  2048, 10826, 12080,  8748,  8272,  8204,  1172,
+
+	 1923,  7297,  2798,  7422,  6327,  4415,  7653,  6360, 11442, 12168,
+	 7005,  8023,  9924,  8440,  8228,  2931,  7441,  1063,  3663,  5790,
+	 9605, 10150,  1450,  8985, 11817, 10466, 10273, 12001,  3470,  7518,
+	 1074,  1909,  7295,  9820,  4914,   702,  5367,  7789,  8135,  9940,
+	 1420,  3714, 11064, 12114, 12264,  1752,  5517,  9566, 11900,  1700,
+	 3754,  5803,   829,  1874,  7290,  2797, 10933,  5073,  7747,  8129,
+	 6428,  6185, 11417,  1631,   233,  5300,  9535, 10140, 11982,  8734,
+	 8270,  2937, 10953,  8587,  8249,  2934,  9197,  4825,  5956,  4362,
+	 9401,  1343,  3703,   529, 10609, 12049,  6988,  6265,   895,  3639,
+	 4031,  4087,  4095,   585, 10617,  8539,  4731,  4187,  9376,  3095,
+
+	 9220, 10095, 10220,  1460, 10742, 12068,  1724,  5513, 11321,  6884,
+	 2739,  5658,  6075,  4379, 11159, 10372,  8504,  4726,  9453,  3106,
+	 7466, 11600, 10435,  8513,  9994,  8450,  9985,  3182, 10988,  8592,
+	 2983,  9204,  4826,  2445,  5616,  6069,   867,  3635,  5786, 11360,
+	 5134,  2489, 10889, 12089,  1727,  7269,  2794,  9177,  1311,  5454,
+	 9557,  6632,  2703,  9164, 10087,  1441,  3717,   531,  3587,  2268,
+	  324,  5313,   759,  1864,  5533,  2546,  7386,  9833,  8427,  4715,
+	11207,  1601,  7251,  4547, 11183, 12131,  1733, 10781, 10318,  1474,
+	10744,  5046,  4232, 11138, 10369,  6748,   964,  7160,  4534,  7670,
+	 8118,  8182,  4680, 11202,  6867,   981,  8918,  1274,   182,    26,
+
+	 7026,  8026, 11680, 12202, 10521,  1503,  7237,  4545,  5916,  9623,
+	 8397, 11733, 10454,  3249,  9242,  6587,   941,  1890,   270, 10572,
+	 6777,  9746,  6659,  6218,  6155,  6146,   878,  1881,  7291, 11575,
+	12187,  1741,  7271,  8061, 11685,  6936,  4502,  9421,  4857,  4205,
+	 7623,  1089, 10689,  1527,  8996, 10063, 11971, 10488,  6765,  2722,
+	 3900,  9335, 11867,  6962, 11528,  5158,  4248,  4118,  5855,  2592,
+	 5637,  6072,  2623,  7397,  8079,  9932,  4930,  5971,   853,  3633,
+	  519,  8852, 11798,  3441, 11025,  1575,   225,  8810, 11792, 12218,
+	 3501,  9278,  3081,  9218,  4828,  7712,  8124, 11694, 12204,  3499,
+	 4011,   573,  3593,  5780,  7848,  9899, 10192,  1456,   208,  7052,
+
+	 2763,  7417, 11593, 10434, 12024,  8740, 11782, 10461,  3250,  5731,
+	 7841,  9898,  1414,   202,  3540,  7528,  2831,  2160, 10842,  5060,
+	 4234,  4116,   588,    84
+};
+
+/**
+ * Bit-reversed indices for n = 1024
+ */
+static const uint16_t rev_1024[] = {
+	   0,  512,  256,  768,  128,  640,  384,  896,   64,  576,
+	 320,  832,  192,  704,  448,  960,   32,  544,  288,  800,
+	 160,  672,  416,  928,   96,  608,  352,  864,  224,  736,
+	 480,  992,   16,  528,  272,  784,  144,  656,  400,  912,
+	  80,  592,  336,  848,  208,  720,  464,  976,   48,  560,
+	 304,  816,  176,  688,  432,  944,  112,  624,  368,  880,
+	 240,  752,  496, 1008,    8,  520,  264,  776,  136,  648,
+	 392,  904,   72,  584,  328,  840,  200,  712,  456,  968,
+	  40,  552,  296,  808,  168,  680,  424,  936,  104,  616,
+	 360,  872,  232,  744,  488, 1000,   24,  536,  280,  792,
+
+	 152,  664,  408,  920,   88,  600,  344,  856,  216,  728,
+	 472,  984,   56,  568,  312,  824,  184,  696,  440,  952,
+	 120,  632,  376,  888,  248,  760,  504, 1016,    4,  516,
+	 260,  772,  132,  644,  388,  900,   68,  580,  324,  836,
+	 196,  708,  452,  964,   36,  548,  292,  804,  164,  676,
+	 420,  932,  100,  612,  356,  868,  228,  740,  484,  996,
+	  20,  532,  276,  788,  148,  660,  404,  916,   84,  596,
+	 340,  852,  212,  724,  468,  980,   52,  564,  308,  820,
+	 180,  692,  436,  948,  116,  628,  372,  884,  244,  756,
+	 500, 1012,   12,  524,  268,  780,  140,  652,  396,  908,
+
+	  76,  588,  332,  844,  204,  716,  460,  972,   44,  556,
+	 300,  812,  172,  684,  428,  940,  108,  620,  364,  876,
+	 236,  748,  492, 1004,   28,  540,  284,  796,  156,  668,
+	 412,  924,   92,  604,  348,  860,  220,  732,  476,  988,
+	  60,  572,  316,  828,  188,  700,  444,  956,  124,  636,
+	 380,  892,  252,  764,  508, 1020,    2,  514,  258,  770,
+	 130,  642,  386,  898,   66,  578,  322,  834,  194,  706,
+	 450,  962,   34,  546,  290,  802,  162,  674,  418,  930,
+	  98,  610,  354,  866,  226,  738,  482,  994,   18,  530,
+	 274,  786,  146,  658,  402,  914,   82,  594,  338,  850,
+
+	 210,  722,  466,  978,   50,  562,  306,  818,  178,  690,
+	 434,  946,  114,  626,  370,  882,  242,  754,  498, 1010,
+	  10,  522,  266,  778,  138,  650,  394,  906,   74,  586,
+	 330,  842,  202,  714,  458,  970,   42,  554,  298,  810,
+	 170,  682,  426,  938,  106,  618,  362,  874,  234,  746,
+	 490, 1002,   26,  538,  282,  794,  154,  666,  410,  922,
+	  90,  602,  346,  858,  218,  730,  474,  986,   58,  570,
+	 314,  826,  186,  698,  442,  954,  122,  634,  378,  890,
+	 250,  762,  506, 1018,    6,  518,  262,  774,  134,  646,
+	 390,  902,   70,  582,  326,  838,  198,  710,  454,  966,
+
+	  38,  550,  294,  806,  166,  678,  422,  934,  102,  614,
+	 358,  870,  230,  742,  486,  998,   22,  534,  278,  790,
+	 150,  662,  406,  918,   86,  598,  342,  854,  214,  726,
+	 470,  982,   54,  566,  310,  822,  182,  694,  438,  950,
+	 118,  630,  374,  886,  246,  758,  502, 1014,   14,  526,
+	 270,  782,  142,  654,  398,  910,   78,  590,  334,  846,
+	 206,  718,  462,  974,   46,  558,  302,  814,  174,  686,
+	 430,  942,  110,  622,  366,  878,  238,  750,  494, 1006,
+	  30,  542,  286,  798,  158,  670,  414,  926,   94,  606,
+	 350,  862,  222,  734,  478,  990,   62,  574,  318,  830,
+
+	 190,  702,  446,  958,  126,  638,  382,  894,  254,  766,
+	 510, 1022,    1,  513,  257,  769,  129,  641,  385,  897,
+	  65,  577,  321,  833,  193,  705,  449,  961,   33,  545,
+	 289,  801,  161,  673,  417,  929,   97,  609,  353,  865,
+	 225,  737,  481,  993,   17,  529,  273,  785,  145,  657,
+	 401,  913,   81,  593,  337,  849,  209,  721,  465,  977,
+	  49,  561,  305,  817,  177,  689,  433,  945,  113,  625,
+	 369,  881,  241,  753,  497, 1009,    9,  521,  265,  777,
+	 137,  649,  393,  905,   73,  585,  329,  841,  201,  713,
+	 457,  969,   41,  553,  297,  809,  169,  681,  425,  937,
+
+	 105,  617,  361,  873,  233,  745,  489, 1001,   25,  537,
+	 281,  793,  153,  665,  409,  921,   89,  601,  345,  857,
+	 217,  729,  473,  985,   57,  569,  313,  825,  185,  697,
+	 441,  953,  121,  633,  377,  889,  249,  761,  505, 1017,
+	   5,  517,  261,  773,  133,  645,  389,  901,   69,  581,
+	 325,  837,  197,  709,  453,  965,   37,  549,  293,  805,
+	 165,  677,  421,  933,  101,  613,  357,  869,  229,  741,
+	 485,  997,   21,  533,  277,  789,  149,  661,  405,  917,
+	  85,  597,  341,  853,  213,  725,  469,  981,   53,  565,
+	 309,  821,  181,  693,  437,  949,  117,  629,  373,  885,
+
+	 245,  757,  501, 1013,   13,  525,  269,  781,  141,  653,
+	 397,  909,   77,  589,  333,  845,  205,  717,  461,  973,
+	  45,  557,  301,  813,  173,  685,  429,  941,  109,  621,
+	 365,  877,  237,  749,  493, 1005,   29,  541,  285,  797,
+	 157,  669,  413,  925,   93,  605,  349,  861,  221,  733,
+	 477,  989,   61,  573,  317,  829,  189,  701,  445,  957,
+	 125,  637,  381,  893,  253,  765,  509, 1021,    3,  515,
+	 259,  771,  131,  643,  387,  899,   67,  579,  323,  835,
+	 195,  707,  451,  963,   35,  547,  291,  803,  163,  675,
+	 419,  931,   99,  611,  355,  867,  227,  739,  483,  995,
+
+	  19,  531,  275,  787,  147,  659,  403,  915,   83,  595,
+	 339,  851,  211,  723,  467,  979,   51,  563,  307,  819,
+	 179,  691,  435,  947,  115,  627,  371,  883,  243,  755,
+	 499, 1011,   11,  523,  267,  779,  139,  651,  395,  907,
+	  75,  587,  331,  843,  203,  715,  459,  971,   43,  555,
+	 299,  811,  171,  683,  427,  939,  107,  619,  363,  875,
+	 235,  747,  491, 1003,   27,  539,  283,  795,  155,  667,
+	 411,  923,   91,  603,  347,  859,  219,  731,  475,  987,
+	  59,  571,  315,  827,  187,  699,  443,  955,  123,  635,
+	 379,  891,  251,  763,  507, 1019,    7,  519,  263,  775,
+
+	 135,  647,  391,  903,   71,  583,  327,  839,  199,  711,
+	 455,  967,   39,  551,  295,  807,  167,  679,  423,  935,
+	 103,  615,  359,  871,  231,  743,  487,  999,   23,  535,
+	 279,  791,  151,  663,  407,  919,   87,  599,  343,  855,
+	 215,  727,  471,  983,   55,  567,  311,  823,  183,  695,
+	 439,  951,  119,  631,  375,  887,  247,  759,  503, 1015,
+	  15,  527,  271,  783,  143,  655,  399,  911,   79,  591,
+	 335,  847,  207,  719,  463,  975,   47,  559,  303,  815,
+	 175,  687,  431,  943,  111,  623,  367,  879,  239,  751,
+	 495, 1007,   31,  543,  287,  799,  159,  671,  415,  927,
+
+	  95,  607,  351,  863,  223,  735,  479,  991,   63,  575,
+	 319,  831,  191,  703,  447,  959,  127,  639,  383,  895,
+	 255,  767,  511, 1023
+};
+
+const ntt_fft_params_t ntt_fft_12289_1024 = {
+	12289, 12287, 18, 3186, (1<<18)-1, 1024, 12277, 10,
+	wr_12289_1024, wf_12289_1024, wi_12289_1024, 1, rev_1024
+};
+
+/**
+ * FFT phase shift and scaling inverse transform for q = 12289 and n = 512
+ */
+static const uint16_t wi_12289_512[] = {
+	12265,  6771, 11424,  9011,  6203, 11914,  9021,  6454,  7154,   146,
+	11038,  4238,  5604, 10397, 11498,  3495,  7846,  7684,  1160,  4538,
+	  845,  2776,  3317,  5836,  6389, 11667,  6508,  1136, 11309, 12269,
+	11787,  9520,  5461,  3121,  5832,  1373,  1282, 10058,  4218,  5102,
+	 7628,  4670,  6616,  1389,  9057,  2442,  2307,  5063,  7878, 10945,
+	10506,   716,   767,  3276,  3578,  1327,  5043,  7376,  8176,  3678,
+	 3837,  6599,  4649,  4860, 11385,  9261,   189,  3515,  8348, 10453,
+	 7988,  1417,  7302,  1403,  2035,  8067,  2171,  6565, 11169,  8755,
+	 4693, 10880,  2730,  7078,  3154, 10347, 10243,  2717,  3065,  9342,
+	 3451,  1826,  4050,  3343,  1573,  6302,   881, 11053, 10759, 10753,
+
+	 3229,  6085, 11410,  3744,   578, 12050,  7519,  3163,  9344,  5959,
+	  874,  2275,  1802, 10821,  2478, 10584,   216,   506,  7785,  4924,
+	 5618,  3375,  4834,  3359,  9348, 10975, 11259, 11014, 11009,  4739,
+	 7119,  5412,  3120,  4578,  1849,  8314,  4684, 11883,  7014,  8921,
+	 3944,  5598,  2873,  2065,  8820,   180,  4518,   343,     7,  8778,
+	 8957, 12221,   751,  7790, 11194,  3238,  5082,  7126,  1901, 12077,
+	 4510,  2600,  3815,  3589,  2832, 12096,  3758,  5845,  5386,  7383,
+	 4665,   346,  3769,  7350,   150,  3765,  2334,  2054,  7315,  5416,
+	 8136,  2674, 10588,  5232, 10891,  4235,  1842, 11825,  8016, 11951,
+	 6263,  1131,  5039,  2360, 10080,  7228,  6919,   392,     8, 10032,
+
+	 8481,  5189,  6125,   125,  9282,  1945,  5808,  8144,   417,  6780,
+	10421,  4727,  4360, 11124,  1481,  1535,  7806,  6680,  7911,  3171,
+	 7087,  2151,  6063,  8400,  1927,  7814,  4423,  4103,  8360,   923,
+	 2276,  3056, 10345,  7735,  3669,  4840, 10883,  6492,  5650,  6636,
+	 1891, 11826,  9270, 11475, 11520,  6505,  9663,   448,  8787,  7954,
+	 7937, 11197,  7000,  3654, 10608,  5734,  1371, 11063, 11010,  5993,
+	 6643, 10669,  8494,  9202, 12226,  7021,  5410,   612,  5530,  3624,
+	 9855,  7725,  3418,  9600,  7469,  1908,  8566,  1178,  2532,  4566,
+	11379,  1737,  3045,  8840,   682,  7287,  7171,  9175,  2946,  7584,
+	10939,  2982,  3572,  6092,  7899,   412,   510,   512,  3020,  2068,
+
+	  293, 11041,  8000,  4176,  1590,  3042,  5078,  2110,  3805,  3338,
+	 7592,  8682, 11463,  8761, 12217,  8024,  9694,  2455,  6320, 11164,
+	 2485,  7073,  9173,   438,  8536,   425,  4523,  6613,  9916, 10485,
+	11249, 10763,  3480,  1325,  2535,  8328,  9951,  5219,  6878, 10423,
+	 7235,  3408,  9349, 12229, 10783,  3982,  4094,  9363,  5207,  4119,
+	 3846,  5596,   365,  3017, 10595,  1721,  7559,  4167,  2593,  7326,
+	 6921,  2900, 11345,  8257,  6940,  2148,  2301,  9828, 10734,  3981,
+	 2840,  9839, 12239, 11034, 11511,  7508,  1658,  2291,  9577,  3205,
+	  567, 10545,   466,  6781, 11675,  4251,  9617,  4209,  6105, 11912,
+	 6513,  7406,  8929,  1687,  1790,  8062,  8190,  8945,  9462,  6463,
+
+	 6151,  8151,  9195,  3448, 10353,  5478, 12150, 10029,  4719,  6617,
+	 2643,  8581,  7699,  7681,  9687,  5966,  9652, 11232,  1734, 11572,
+	10268,  9489,  3454,  5588,  2622,  6825,  5406,  7885,  7434,  7174,
+	  648,  1518, 11066,  2483,  4565, 10125,  2213, 10077,  3466,  8347,
+	 9199,  8464,  8449,  1928,  9068,  3947,  9360,  1445,  5547,   364,
+	 1763, 11071,  8753,  2185, 11832,  4505,  8619,  6195,  1882,   540,
+	 1265,  1029,    21,  1756,  2293, 12085,  2253, 11081,  9004,  9714,
+	 2957,  9089,  5703, 11653,  1241,  7800, 11445, 10767,  8496, 11710,
+	11274,  5246,  3869,  9860,  1706,  1038, 11307,  9761,   450, 11295,
+	 7002,  6162,  9656,  3959, 12119,  8022,  7186,  3407,  8095,   416,
+
+	 5526, 10897, 11759, 11275,  6500,  3393,  2828,  7080,  5662,  9395,
+	 8468,  1176
+};
+
+/**
+ * Bit-reversed indices for n = 512
+ */
+static const uint16_t rev_512[] = {
+	  0, 256, 128, 384,  64, 320, 192, 448,  32, 288, 
+	160, 416,  96, 352, 224, 480,  16, 272, 144, 400,
+	 80, 336, 208, 464,  48, 304, 176, 432, 112, 368,
+	240, 496,   8, 264, 136, 392,  72, 328, 200, 456,
+	 40, 296, 168, 424, 104, 360, 232, 488,  24, 280,
+	152, 408,  88, 344, 216, 472,  56, 312, 184, 440,
+	120, 376, 248, 504,   4, 260, 132, 388,  68, 324,
+	196, 452,  36, 292, 164, 420, 100, 356, 228, 484,
+	 20, 276, 148, 404,  84, 340, 212, 468,  52, 308,
+	180, 436, 116, 372, 244, 500,  12, 268, 140, 396,
+
+	 76, 332, 204, 460,  44, 300, 172, 428, 108, 364,
+	236, 492,  28, 284, 156, 412,  92, 348, 220, 476,
+	 60, 316, 188, 444, 124, 380, 252, 508,   2, 258,
+	130, 386,  66, 322, 194, 450,  34, 290, 162, 418,
+	 98, 354, 226, 482,  18, 274, 146, 402,  82, 338,
+	210, 466,  50, 306, 178, 434, 114, 370, 242, 498,
+	 10, 266, 138, 394,  74, 330, 202, 458,  42, 298,
+	170, 426, 106, 362, 234, 490,  26, 282, 154, 410,
+	 90, 346, 218, 474,  58, 314, 186, 442, 122, 378,
+	250, 506,   6, 262, 134, 390,  70, 326, 198, 454,
+
+	 38, 294, 166, 422, 102, 358, 230, 486,  22, 278,
+	150, 406,  86, 342, 214, 470,  54, 310, 182, 438,
+	118, 374, 246, 502,  14, 270, 142, 398,  78, 334,
+	206, 462,  46, 302, 174, 430, 110, 366, 238, 494,
+	 30, 286, 158, 414,  94, 350, 222, 478,  62, 318,
+	190, 446, 126, 382, 254, 510,   1, 257, 129, 385,
+	 65, 321, 193, 449,  33, 289, 161, 417,  97, 353,
+	225, 481,  17, 273, 145, 401,  81, 337, 209, 465,
+	 49, 305, 177, 433, 113, 369, 241, 497,   9, 265,
+	137, 393,  73, 329, 201, 457,  41, 297, 169, 425,
+
+	105, 361, 233, 489,  25, 281, 153, 409,  89, 345,
+	217, 473,  57, 313, 185, 441, 121, 377, 249, 505,
+	  5, 261, 133, 389,  69, 325, 197, 453,  37, 293,
+	165, 421, 101, 357, 229, 485,  21, 277, 149, 405,
+	 85, 341, 213, 469,  53, 309, 181, 437, 117, 373,
+	245, 501,  13, 269, 141, 397,  77, 333, 205, 461,
+	 45, 301, 173, 429, 109, 365, 237, 493,  29, 285,
+	157, 413,  93, 349, 221, 477,  61, 317, 189, 445,
+	125, 381, 253, 509,   3, 259, 131, 387,  67, 323,
+	195, 451,  35, 291, 163, 419,  99, 355, 227, 483,
+
+	 19, 275, 147, 403,  83, 339, 211, 467,  51, 307,
+	179, 435, 115, 371, 243, 499,  11, 267, 139, 395,
+	 75, 331, 203, 459,  43, 299, 171, 427, 107, 363,
+	235, 491,  27, 283, 155, 411,  91, 347, 219, 475,
+	 59, 315, 187, 443, 123, 379, 251, 507,   7, 263,
+	135, 391,  71, 327, 199, 455,  39, 295, 167, 423,
+	103, 359, 231, 487,  23, 279, 151, 407,  87, 343,
+	215, 471,  55, 311, 183, 439, 119, 375, 247, 503,
+	 15, 271, 143, 399,  79, 335, 207, 463,  47, 303,
+	175, 431, 111, 367, 239, 495,  31, 287, 159, 415,
+
+	 95, 351, 223, 479,  63, 319, 191, 447, 127, 383,
+	255, 511
+};
+
+const ntt_fft_params_t ntt_fft_12289_512 = {
+	12289, 12287, 18, 3186, (1<<18)-1, 512, 12265, 9,
+	wr_12289_1024, wf_12289_1024, wi_12289_512, 2, rev_512
+};
+
+/**
+ * FFT twiddle factors in Montgomery form for q = 17 and n = 8
+ */
+static const uint16_t wr_17_8[] = { 15, 16, 8, 4, 2, 1, 9, 13, 15 };
+
+/**
+ * FFT phase shift in forward transform for q = 17 and n = 8
+ */
+static const uint16_t wf_17_8[] = { 4, 12, 2, 6, 1, 3, 9, 10 };
+
+/**
+ * FFT phase shift and scaling inverse transform for q = 17 and n = 8
+ */
+static const uint16_t wi_17_8[] = { 15, 5, 13, 10, 9, 3, 1, 6 };
+
+/**
+ * Bit-reversed indices for n = 8
+ */
+static const uint16_t rev_8[] = { 0, 4, 2, 6, 1, 5, 3, 7 };
+
+const ntt_fft_params_t ntt_fft_17_8 = {
+	17, 15, 5, 4, (1<<5)-1, 8, 15, 3, wr_17_8, wf_17_8, wi_17_8, 1, rev_8
+};
diff --git a/src/libstrongswan/math/libnttfft/ntt_fft_params.h b/src/libstrongswan/math/libnttfft/ntt_fft_params.h
new file mode 100644
index 0000000..27fabe7
--- /dev/null
+++ b/src/libstrongswan/math/libnttfft/ntt_fft_params.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2014-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntt_fft_params ntt_fft_params
+ * @{ @ingroup ntt_p
+ */
+
+#ifndef NTT_FFT_PARAMS_H_
+#define NTT_FFT_PARAMS_H_
+
+#include <library.h>
+
+typedef struct ntt_fft_params_t ntt_fft_params_t;
+
+/**
+ * Defines the parameters for an NTT computed via the FFT algorithm
+ */
+struct ntt_fft_params_t {
+
+	/**
+	 * Prime modulus
+	 */
+	uint16_t q;
+
+	/**
+	 * Inverse of Prime modulus (-q_inv * q mod r = 1)
+	 */
+	uint16_t q_inv;
+
+	/**
+	 * Logarithm of Montgomery radix: log2(r)
+	 */
+	uint16_t rlog;
+
+	/**
+	 * Square of Montgomery radix: r^2 mod q
+	 */
+	const uint32_t r2;
+
+	/**
+	 * Montgomery radix mask: (1<<rlog) - 1
+	 */
+	const uint32_t rmask;
+
+	/**
+	 * Size of the FFT with the condition k * n = q-1
+	 */
+	const uint16_t n;
+
+	/**
+	 * Inverse of n mod q used for normalization of the FFT
+	 */
+	const uint16_t n_inv;
+
+	/**
+	 * Number of FFT stages  stages = log2(n)
+	 */
+	const uint16_t stages;
+
+	/**
+	 * FFT twiddle factors (n-th roots of unity) in Montgomery form
+	 */
+	const uint16_t *wr;
+
+	/**
+	 * FFT phase shift (2n-th roots of unity) in forward transform
+	 */
+	const uint16_t *wf;
+
+	/**
+	 * FFT phase shift (2n-th roots of unity) and scaling in inverse transform
+	 */
+	const uint16_t *wi;
+
+	/**
+	 * Subsampling of FFT twiddle factors table
+	 */
+	const uint16_t s;
+
+	/**
+	 * FFT bit reversal
+	 */
+	const uint16_t *rev;
+
+};
+
+/**
+ * FFT parameters for q = 12289 and n = 1024
+ */
+extern const ntt_fft_params_t ntt_fft_12289_1024;
+
+/**
+ * FFT parameters for q = 12289 and n = 512
+ */
+extern const ntt_fft_params_t ntt_fft_12289_512;
+
+/**
+ * FFT parameters for q = 17 and n = 8
+ */
+extern const ntt_fft_params_t ntt_fft_17_8;
+
+#endif /** NTT_FFT_PARAMS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/math/libnttfft/ntt_fft_reduce.h
similarity index 51%
copy from src/libstrongswan/plugins/bliss/tests/bliss_tests.h
copy to src/libstrongswan/math/libnttfft/ntt_fft_reduce.h
index f0959cc..5ff2b95 100644
--- a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
+++ b/src/libstrongswan/math/libnttfft/ntt_fft_reduce.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,11 +13,30 @@
  * for more details.
  */
 
-TEST_SUITE(bliss_fft_suite_create)
-TEST_SUITE(bliss_bitpacker_suite_create)
-TEST_SUITE(bliss_huffman_suite_create)
-TEST_SUITE(bliss_keys_suite_create)
-TEST_SUITE(bliss_sampler_suite_create)
-TEST_SUITE(bliss_signature_suite_create)
-TEST_SUITE(bliss_sign_suite_create)
+/**
+ * @defgroup ntt_fft ntt_fft
+ * @{ @ingroup ntt_p
+ */
+
+#ifndef NTT_REDUCE_H_
+#define NTT_REDUCE_H_
+
+#include "ntt_fft_params.h"
+
+/**
+ * Montgomery Reduction
+ *
+ * Montgomery, P. L. Modular multiplication without trial division.
+ * Mathematics of Computation 44, 170 (1985), 519–521.
+ */
+static inline uint32_t ntt_fft_mreduce(uint32_t x, const ntt_fft_params_t *p)
+{
+	uint32_t m, t;
+	
+	m = (x * p->q_inv) & p->rmask;
+	t = (x + m * p->q) >> p->rlog;
+
+	return (t < p->q) ? t : t - p->q;
+}
 
+#endif /** NTT_REDUCE_H_ @}*/
diff --git a/src/libstrongswan/math/libnttfft/tests/Makefile.am b/src/libstrongswan/math/libnttfft/tests/Makefile.am
new file mode 100644
index 0000000..55e6fff
--- /dev/null
+++ b/src/libstrongswan/math/libnttfft/tests/Makefile.am
@@ -0,0 +1,21 @@
+TESTS = ntt_fft_tests
+
+check_PROGRAMS = $(TESTS)
+
+ntt_fft_tests_SOURCES = \
+	suites/test_ntt_fft.c \
+	ntt_fft_tests.h ntt_fft_tests.c
+
+ntt_fft_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft \
+	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+ntt_fft_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+ntt_fft_tests_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	../libnttfft.la
diff --git a/src/starter/tests/Makefile.in b/src/libstrongswan/math/libnttfft/tests/Makefile.in
similarity index 83%
copy from src/starter/tests/Makefile.in
copy to src/libstrongswan/math/libnttfft/tests/Makefile.in
index 25e3e74..54e02ed 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/libstrongswan/math/libnttfft/tests/Makefile.in
@@ -87,9 +87,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-TESTS = starter_tests$(EXEEXT)
+TESTS = ntt_fft_tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
-subdir = src/starter/tests
+subdir = src/libstrongswan/math/libnttfft/tests
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -108,22 +108,23 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = starter_tests$(EXEEXT)
+am__EXEEXT_1 = ntt_fft_tests$(EXEEXT)
 am__dirstamp = $(am__leading_dot)dirstamp
-am_starter_tests_OBJECTS = suites/starter_tests-test_parser.$(OBJEXT) \
-	starter_tests-starter_tests.$(OBJEXT)
-starter_tests_OBJECTS = $(am_starter_tests_OBJECTS)
-starter_tests_DEPENDENCIES =  \
+am_ntt_fft_tests_OBJECTS =  \
+	suites/ntt_fft_tests-test_ntt_fft.$(OBJEXT) \
+	ntt_fft_tests-ntt_fft_tests.$(OBJEXT)
+ntt_fft_tests_OBJECTS = $(am_ntt_fft_tests_OBJECTS)
+ntt_fft_tests_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la \
-	../libstarter.la
+	../libnttfft.la
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-starter_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(starter_tests_CFLAGS) \
-	$(CFLAGS) $(starter_tests_LDFLAGS) $(LDFLAGS) -o $@
+ntt_fft_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(ntt_fft_tests_CFLAGS) \
+	$(CFLAGS) $(ntt_fft_tests_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -158,8 +159,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(starter_tests_SOURCES)
-DIST_SOURCES = $(starter_tests_SOURCES)
+SOURCES = $(ntt_fft_tests_SOURCES)
+DIST_SOURCES = $(ntt_fft_tests_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -347,7 +348,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -381,8 +381,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -436,24 +434,28 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-starter_tests_SOURCES = \
-	suites/test_parser.c \
-	starter_tests.h starter_tests.c
+ntt_fft_tests_SOURCES = \
+	suites/test_ntt_fft.c \
+	ntt_fft_tests.h ntt_fft_tests.c
 
-starter_tests_CFLAGS = \
+ntt_fft_tests_CFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/tests \
-	-I$(top_srcdir)/src/starter \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft \
+	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
 	@COVERAGE_CFLAGS@
 
-starter_tests_LDFLAGS = @COVERAGE_LDFLAGS@
-starter_tests_LDADD = \
+ntt_fft_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+ntt_fft_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la \
-	../libstarter.la
+	../libnttfft.la
 
 all: all-am
 
@@ -468,9 +470,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/tests/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/math/libnttfft/tests/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/starter/tests/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/math/libnttfft/tests/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -503,12 +505,12 @@ suites/$(am__dirstamp):
 suites/$(DEPDIR)/$(am__dirstamp):
 	@$(MKDIR_P) suites/$(DEPDIR)
 	@: > suites/$(DEPDIR)/$(am__dirstamp)
-suites/starter_tests-test_parser.$(OBJEXT): suites/$(am__dirstamp) \
+suites/ntt_fft_tests-test_ntt_fft.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 
-starter_tests$(EXEEXT): $(starter_tests_OBJECTS) $(starter_tests_DEPENDENCIES) $(EXTRA_starter_tests_DEPENDENCIES) 
-	@rm -f starter_tests$(EXEEXT)
-	$(AM_V_CCLD)$(starter_tests_LINK) $(starter_tests_OBJECTS) $(starter_tests_LDADD) $(LIBS)
+ntt_fft_tests$(EXEEXT): $(ntt_fft_tests_OBJECTS) $(ntt_fft_tests_DEPENDENCIES) $(EXTRA_ntt_fft_tests_DEPENDENCIES) 
+	@rm -f ntt_fft_tests$(EXEEXT)
+	$(AM_V_CCLD)$(ntt_fft_tests_LINK) $(ntt_fft_tests_OBJECTS) $(ntt_fft_tests_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -517,8 +519,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/starter_tests-starter_tests.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/starter_tests-test_parser.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -544,33 +546,33 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-suites/starter_tests-test_parser.o: suites/test_parser.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -MT suites/starter_tests-test_parser.o -MD -MP -MF suites/$(DEPDIR)/starter_tests-test_parser.Tpo -c -o suites/starter_tests-test_parser.o `test -f 'suites/test_parser.c' || echo '$(srcdir)/'`suites/test_parser.c
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/starter_tests-test_parser.Tpo suites/$(DEPDIR)/starter_tests-test_parser.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_parser.c' object='suites/starter_tests-test_parser.o' libtool=no @AMDEPBACKSLASH@
+suites/ntt_fft_tests-test_ntt_fft.o: suites/test_ntt_fft.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -MT suites/ntt_fft_tests-test_ntt_fft.o -MD -MP -MF suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Tpo -c -o suites/ntt_fft_tests-test_ntt_fft.o `test -f 'suites/test_ntt_fft.c' || echo '$(srcdir)/'`suites/test_ntt_fft.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Tpo suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ntt_fft.c' object='suites/ntt_fft_tests-test_ntt_fft.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -c -o suites/starter_tests-test_parser.o `test -f 'suites/test_parser.c' || echo '$(srcdir)/'`suites/test_parser.c
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -c -o suites/ntt_fft_tests-test_ntt_fft.o `test -f 'suites/test_ntt_fft.c' || echo '$(srcdir)/'`suites/test_ntt_fft.c
 
-suites/starter_tests-test_parser.obj: suites/test_parser.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -MT suites/starter_tests-test_parser.obj -MD -MP -MF suites/$(DEPDIR)/starter_tests-test_parser.Tpo -c -o suites/starter_tests-test_parser.obj `if test -f 'suites/test_parser.c'; then $(CYGPATH_W) 'suites/test_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_parser.c'; fi`
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/starter_tests-test_parser.Tpo suites/$(DEPDIR)/starter_tests-test_parser.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_parser.c' object='suites/starter_tests-test_parser.obj' libtool=no @AMDEPBACKSLASH@
+suites/ntt_fft_tests-test_ntt_fft.obj: suites/test_ntt_fft.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -MT suites/ntt_fft_tests-test_ntt_fft.obj -MD -MP -MF suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Tpo -c -o suites/ntt_fft_tests-test_ntt_fft.obj `if test -f 'suites/test_ntt_fft.c'; then $(CYGPATH_W) 'suites/test_ntt_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntt_fft.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Tpo suites/$(DEPDIR)/ntt_fft_tests-test_ntt_fft.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ntt_fft.c' object='suites/ntt_fft_tests-test_ntt_fft.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -c -o suites/starter_tests-test_parser.obj `if test -f 'suites/test_parser.c'; then $(CYGPATH_W) 'suites/test_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_parser.c'; fi`
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -c -o suites/ntt_fft_tests-test_ntt_fft.obj `if test -f 'suites/test_ntt_fft.c'; then $(CYGPATH_W) 'suites/test_ntt_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntt_fft.c'; fi`
 
-starter_tests-starter_tests.o: starter_tests.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -MT starter_tests-starter_tests.o -MD -MP -MF $(DEPDIR)/starter_tests-starter_tests.Tpo -c -o starter_tests-starter_tests.o `test -f 'starter_tests.c' || echo '$(srcdir)/'`starter_tests.c
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/starter_tests-starter_tests.Tpo $(DEPDIR)/starter_tests-starter_tests.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='starter_tests.c' object='starter_tests-starter_tests.o' libtool=no @AMDEPBACKSLASH@
+ntt_fft_tests-ntt_fft_tests.o: ntt_fft_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -MT ntt_fft_tests-ntt_fft_tests.o -MD -MP -MF $(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Tpo -c -o ntt_fft_tests-ntt_fft_tests.o `test -f 'ntt_fft_tests.c' || echo '$(srcdir)/'`ntt_fft_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Tpo $(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ntt_fft_tests.c' object='ntt_fft_tests-ntt_fft_tests.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -c -o starter_tests-starter_tests.o `test -f 'starter_tests.c' || echo '$(srcdir)/'`starter_tests.c
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -c -o ntt_fft_tests-ntt_fft_tests.o `test -f 'ntt_fft_tests.c' || echo '$(srcdir)/'`ntt_fft_tests.c
 
-starter_tests-starter_tests.obj: starter_tests.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -MT starter_tests-starter_tests.obj -MD -MP -MF $(DEPDIR)/starter_tests-starter_tests.Tpo -c -o starter_tests-starter_tests.obj `if test -f 'starter_tests.c'; then $(CYGPATH_W) 'starter_tests.c'; else $(CYGPATH_W) '$(srcdir)/starter_tests.c'; fi`
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/starter_tests-starter_tests.Tpo $(DEPDIR)/starter_tests-starter_tests.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='starter_tests.c' object='starter_tests-starter_tests.obj' libtool=no @AMDEPBACKSLASH@
+ntt_fft_tests-ntt_fft_tests.obj: ntt_fft_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -MT ntt_fft_tests-ntt_fft_tests.obj -MD -MP -MF $(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Tpo -c -o ntt_fft_tests-ntt_fft_tests.obj `if test -f 'ntt_fft_tests.c'; then $(CYGPATH_W) 'ntt_fft_tests.c'; else $(CYGPATH_W) '$(srcdir)/ntt_fft_tests.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Tpo $(DEPDIR)/ntt_fft_tests-ntt_fft_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ntt_fft_tests.c' object='ntt_fft_tests-ntt_fft_tests.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(starter_tests_CFLAGS) $(CFLAGS) -c -o starter_tests-starter_tests.obj `if test -f 'starter_tests.c'; then $(CYGPATH_W) 'starter_tests.c'; else $(CYGPATH_W) '$(srcdir)/starter_tests.c'; fi`
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ntt_fft_tests_CFLAGS) $(CFLAGS) -c -o ntt_fft_tests-ntt_fft_tests.obj `if test -f 'ntt_fft_tests.c'; then $(CYGPATH_W) 'ntt_fft_tests.c'; else $(CYGPATH_W) '$(srcdir)/ntt_fft_tests.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libstrongswan/math/libnttfft/tests/ntt_fft_tests.c
similarity index 70%
copy from src/libcharon/tests/libcharon_tests.c
copy to src/libstrongswan/math/libnttfft/tests/ntt_fft_tests.c
index e25e543..71f5664 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libstrongswan/math/libnttfft/tests/ntt_fft_tests.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,21 +14,18 @@
  */
 
 #include <test_runner.h>
-#include <daemon.h>
+
+#include <library.h>
 
 /* declare test suite constructors */
 #define TEST_SUITE(x) test_suite_t* x();
-#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
-#include "libcharon_tests.h"
+#include "ntt_fft_tests.h"
 #undef TEST_SUITE
-#undef TEST_SUITE_DEPEND
 
 static test_configuration_t tests[] = {
 #define TEST_SUITE(x) \
 	{ .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, ...) \
-	{ .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
-#include "libcharon_tests.h"
+#include "ntt_fft_tests.h"
 	{ .suite = NULL, }
 };
 
@@ -38,10 +35,7 @@ static bool test_runner_init(bool init)
 	{
 		char *plugins, *plugindir;
 
-		libcharon_init();
-
-		plugins = getenv("TESTS_PLUGINS") ?:
-					lib->settings->get_str(lib->settings,
+		plugins = lib->settings->get_str(lib->settings,
 										"tests.load", PLUGINS);
 		plugindir = lib->settings->get_str(lib->settings,
 										"tests.plugindir", PLUGINDIR);
@@ -53,12 +47,14 @@ static bool test_runner_init(bool init)
 	}
 	else
 	{
-		libcharon_deinit();
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		lib->plugins->unload(lib->plugins);
 	}
 	return TRUE;
 }
 
 int main(int argc, char *argv[])
 {
-	return test_runner_run("libcharon", tests, test_runner_init);
+	return test_runner_run("ntt_fft", tests, test_runner_init);
 }
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/math/libnttfft/tests/ntt_fft_tests.h
similarity index 65%
copy from src/libstrongswan/plugins/bliss/tests/bliss_tests.h
copy to src/libstrongswan/math/libnttfft/tests/ntt_fft_tests.h
index f0959cc..200b5b0 100644
--- a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
+++ b/src/libstrongswan/math/libnttfft/tests/ntt_fft_tests.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,11 +13,5 @@
  * for more details.
  */
 
-TEST_SUITE(bliss_fft_suite_create)
-TEST_SUITE(bliss_bitpacker_suite_create)
-TEST_SUITE(bliss_huffman_suite_create)
-TEST_SUITE(bliss_keys_suite_create)
-TEST_SUITE(bliss_sampler_suite_create)
-TEST_SUITE(bliss_signature_suite_create)
-TEST_SUITE(bliss_sign_suite_create)
+TEST_SUITE(ntt_fft_suite_create)
 
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c b/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
similarity index 51%
rename from src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c
rename to src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
index 009aaf8..d827718 100644
--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c
+++ b/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,17 +15,22 @@
 
 #include "test_suite.h"
 
-#include <bliss_fft.h>
+#include <ntt_fft.h>
+#include <ntt_fft_reduce.h>
 
-static bliss_fft_params_t *fft_params[] = {
-	&bliss_fft_17_8,
-	&bliss_fft_12289_512
+#include <time.h>
+
+static const ntt_fft_params_t *fft_params[] = {
+	&ntt_fft_17_8,
+	&ntt_fft_12289_512,
+	&ntt_fft_12289_1024
 };
 
-START_TEST(test_bliss_fft_impulse)
+START_TEST(test_ntt_fft_impulse)
 {
-	bliss_fft_t *fft;
+	ntt_fft_t *fft;
 	uint16_t n = fft_params[_i]->n;
+	uint32_t rq = (1 << fft_params[_i]->rlog) % fft_params[_i]->q;
 	uint32_t x[n], X[n];
 	int i;
 
@@ -35,12 +40,12 @@ START_TEST(test_bliss_fft_impulse)
 	}
 	x[0] = 1;
  
-	fft = bliss_fft_create(fft_params[_i]);
+	fft = ntt_fft_create(fft_params[_i]);
 	fft->transform(fft, x, X, FALSE);
 
 	for (i = 0; i < n; i++)
 	{
-		ck_assert(X[i] == 1);
+		ck_assert(X[i] == rq);
 	}
 	fft->transform(fft, X, x, TRUE);
 
@@ -52,9 +57,9 @@ START_TEST(test_bliss_fft_impulse)
 }
 END_TEST
 
-START_TEST(test_bliss_fft_wrap)
+START_TEST(test_ntt_fft_wrap)
 {
-	bliss_fft_t *fft;
+	ntt_fft_t *fft;
 	uint16_t n = fft_params[_i]->n;
 	uint16_t q = fft_params[_i]->q;
 	uint32_t x[n],y[n], X[n], Y[n];
@@ -65,7 +70,7 @@ START_TEST(test_bliss_fft_wrap)
 		x[i] = i;
 		y[i] = 0;
 	}
-	fft = bliss_fft_create(fft_params[_i]);
+	fft = ntt_fft_create(fft_params[_i]);
 	ck_assert(fft->get_size(fft) == n);
 	ck_assert(fft->get_modulus(fft) == q); 
 	fft->transform(fft, x, X, FALSE);
@@ -77,7 +82,7 @@ START_TEST(test_bliss_fft_wrap)
 
 		for (i = 0; i < n; i++)
 		{
-			Y[i] = (X[i] * Y[i]) % q;
+			Y[i] = ntt_fft_mreduce(X[i] * Y[i], fft_params[_i]);
 		}
 		fft->transform(fft, Y, Y, TRUE);
 
@@ -91,19 +96,58 @@ START_TEST(test_bliss_fft_wrap)
 }
 END_TEST
 
-Suite *bliss_fft_suite_create()
+START_TEST(test_ntt_fft_speed)
+{
+	ntt_fft_t *fft;
+	struct timespec start, stop;
+	int i, m, count = 10000;
+	int n = fft_params[_i]->n;
+	uint32_t x[n], X[n];
+
+	for (i = 0; i < n; i++)
+	{
+		x[i] = i;
+	}
+	fft = ntt_fft_create(fft_params[_i]);
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &start);
+	for (m = 0; m < count; m++)
+	{
+		fft->transform(fft, x, X, FALSE);
+		fft->transform(fft, X, x, TRUE);
+	}
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &stop);
+
+	DBG0(DBG_LIB, "%d FFT-%d loops in %d ms\n", count, n,
+				  (stop.tv_nsec - start.tv_nsec) / 1000000 +
+				  (stop.tv_sec - start.tv_sec) * 1000);
+
+	for (i = 0; i < n; i++)
+	{
+		ck_assert(x[i] == i);
+	}
+	fft->destroy(fft);
+}
+END_TEST
+
+Suite *ntt_fft_suite_create()
 {
 	Suite *s;
 	TCase *tc;
 
-	s = suite_create("bliss_fft");
+	s = suite_create("ntt_fft");
 
 	tc = tcase_create("impulse");
-	tcase_add_loop_test(tc, test_bliss_fft_impulse, 0, countof(fft_params));
+	tcase_add_loop_test(tc, test_ntt_fft_impulse, 0, countof(fft_params));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("negative_wrap");
-	tcase_add_loop_test(tc, test_bliss_fft_wrap, 0, countof(fft_params));
+	tcase_add_loop_test(tc, test_ntt_fft_wrap, 0, countof(fft_params));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("speed");
+	tcase_set_timeout(tc, 10);
+	tcase_add_loop_test(tc, test_ntt_fft_speed, 1, countof(fft_params));
 	suite_add_tcase(s, tc);
 
 	return s;
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index a1ee0f8..210d7c2 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 02cd0f8..9e926ac 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in
index 576b6da..ea41ab3 100644
--- a/src/libstrongswan/plugins/aesni/Makefile.in
+++ b/src/libstrongswan/plugins/aesni/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 1f09228..aa3be42 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 5e1b1f3..4441558 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.am b/src/libstrongswan/plugins/bliss/Makefile.am
index e2aaaf5..b2d0942 100644
--- a/src/libstrongswan/plugins/bliss/Makefile.am
+++ b/src/libstrongswan/plugins/bliss/Makefile.am
@@ -1,5 +1,6 @@
 AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS) \
@@ -7,9 +8,12 @@ AM_CFLAGS = \
 
 # these file are also used by bliss_huffman
 noinst_LTLIBRARIES = libbliss-params.la
+
 libbliss_params_la_SOURCES = \
-	bliss_param_set.h bliss_param_set.c \
-	bliss_fft_params.h bliss_fft_params.c
+	bliss_param_set.h bliss_param_set.c
+
+libbliss_params_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
 
 # these files are also used by the tests, we can't directly refer to them
 # because of the subdirectory, which would cause distclean to fail
@@ -20,12 +24,14 @@ libbliss_la_SOURCES = \
 	bliss_signature.h bliss_signature.c \
 	bliss_utils.h bliss_utils.c \
 	bliss_bitpacker.h bliss_bitpacker.c \
-	bliss_fft.h bliss_fft.c \
 	bliss_huffman_code.h bliss_huffman_code.c \
 	bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \
 	bliss_huffman_coder.h bliss_huffman_coder.c \
 	bliss_sampler.h bliss_sampler.c
-libbliss_la_LIBADD = libbliss-params.la
+
+libbliss_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	libbliss-params.la
 
 if MONOLITHIC
 noinst_LTLIBRARIES += libstrongswan-bliss.la
@@ -43,7 +49,10 @@ libstrongswan_bliss_la_LIBADD = libbliss.la
 noinst_PROGRAMS = bliss_huffman
 
 bliss_huffman_SOURCES = bliss_huffman.c
-bliss_huffman_LDADD = -lm libbliss-params.la
+
+bliss_huffman_LDADD = -lm \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	libbliss-params.la
 
 recreate-bliss-huffman :	bliss_huffman bliss_huffman_code.h
 	$(AM_V_GEN) \
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
index 389e20e..746709b 100644
--- a/src/libstrongswan/plugins/bliss/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -139,17 +139,20 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libbliss_params_la_LIBADD =
-am_libbliss_params_la_OBJECTS = bliss_param_set.lo bliss_fft_params.lo
+libbliss_params_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
+am_libbliss_params_la_OBJECTS = bliss_param_set.lo
 libbliss_params_la_OBJECTS = $(am_libbliss_params_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-libbliss_la_DEPENDENCIES = libbliss-params.la
+libbliss_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	libbliss-params.la
 am_libbliss_la_OBJECTS = bliss_private_key.lo bliss_public_key.lo \
 	bliss_signature.lo bliss_utils.lo bliss_bitpacker.lo \
-	bliss_fft.lo bliss_huffman_code.lo bliss_huffman_code_1.lo \
+	bliss_huffman_code.lo bliss_huffman_code_1.lo \
 	bliss_huffman_code_3.lo bliss_huffman_code_4.lo \
 	bliss_huffman_coder.lo bliss_sampler.lo
 libbliss_la_OBJECTS = $(am_libbliss_la_OBJECTS)
@@ -166,7 +169,9 @@ libstrongswan_bliss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 PROGRAMS = $(noinst_PROGRAMS)
 am_bliss_huffman_OBJECTS = bliss_huffman.$(OBJEXT)
 bliss_huffman_OBJECTS = $(am_bliss_huffman_OBJECTS)
-bliss_huffman_DEPENDENCIES = libbliss-params.la
+bliss_huffman_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	libbliss-params.la
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -370,7 +375,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -404,8 +408,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -459,11 +461,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS) \
@@ -476,8 +481,10 @@ AM_CFLAGS = \
 # because of the subdirectory, which would cause distclean to fail
 noinst_LTLIBRARIES = libbliss-params.la libbliss.la $(am__append_1)
 libbliss_params_la_SOURCES = \
-	bliss_param_set.h bliss_param_set.c \
-	bliss_fft_params.h bliss_fft_params.c
+	bliss_param_set.h bliss_param_set.c
+
+libbliss_params_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
 
 libbliss_la_SOURCES = \
 	bliss_private_key.h bliss_private_key.c \
@@ -485,13 +492,15 @@ libbliss_la_SOURCES = \
 	bliss_signature.h bliss_signature.c \
 	bliss_utils.h bliss_utils.c \
 	bliss_bitpacker.h bliss_bitpacker.c \
-	bliss_fft.h bliss_fft.c \
 	bliss_huffman_code.h bliss_huffman_code.c \
 	bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \
 	bliss_huffman_coder.h bliss_huffman_coder.c \
 	bliss_sampler.h bliss_sampler.c
 
-libbliss_la_LIBADD = libbliss-params.la
+libbliss_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	libbliss-params.la
+
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-bliss.la
 libstrongswan_bliss_la_SOURCES = \
 	bliss_plugin.h bliss_plugin.c
@@ -499,7 +508,10 @@ libstrongswan_bliss_la_SOURCES = \
 libstrongswan_bliss_la_LDFLAGS = -module -avoid-version
 libstrongswan_bliss_la_LIBADD = libbliss.la
 bliss_huffman_SOURCES = bliss_huffman.c
-bliss_huffman_LDADD = -lm libbliss-params.la
+bliss_huffman_LDADD = -lm \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	libbliss-params.la
+
 all: all-am
 
 .SUFFIXES:
@@ -609,8 +621,6 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_bitpacker.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_fft.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_fft_params.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_huffman.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_huffman_code.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_huffman_code_1.Plo at am__quote@
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.c b/src/libstrongswan/plugins/bliss/bliss_fft_params.c
deleted file mode 100644
index c892c06..0000000
--- a/src/libstrongswan/plugins/bliss/bliss_fft_params.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/*
- * Copyright (C) 2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "bliss_fft_params.h"
-
-/**
- * FFT parameters for q = 12289 and 2n = 1024
- */
-static uint16_t w_12289_1024[] = {
-	    1,    49,  2401,  7048,  1260,   295,  2166,  7822,  2319,  3030,
-	 1002, 12231,  9447,  8210,  9042,   654,  7468,  9551,  1017,   677,
-	 8595,  3329,  3364,  5079,  3091,  3991, 11224,  9260, 11336,  2459,
-	 9890,  5339,  3542,  1512,   354,  5057,  2013,   325,  3636,  6118,
-	 4846,  3963,  9852,  3477, 10616,  4046,  1630,  6136,  5728, 10314,
-	 1537,  1579,  3637,  6167,  7247, 11011, 11112,  3772,   493, 11868,
-	 3949,  9166,  6730, 10256, 10984,  9789,   390,  6821,  2426,  8273,
-	12129,  4449,  9088,  2908,  7313,  1956,  9821,  1958,  9919,  6760,
-	11726,  9280,    27,  1323,  3382,  5961,  9442,  7965,  9326,  2281,
-	 1168,  8076,  2476, 10723,  9289,   468, 10643,  5369,  5012, 12097,
-
-	 2881,  5990, 10863,  3860,  4805,  1954,  9723,  9445,  8112,  4240,
-	11136,  4948,  8961,  8974,  9611,  3957,  9558,  1360,  5195,  8775,
-	12149,  5429,  7952,  8689,  7935,  7856,  3985, 10930,  7143,  5915,
-	 7188,  8120,  4632,  5766, 12176,  6752, 11334,  2361,  5088,  3532,
-	 1022,   922,  8311,  1702,  9664,  6554,  1632,  6234, 10530, 12121,
-	 4057,  2169,  7969,  9522, 11885,  4782,   827,  3656,  7098,  3710,
-	 9744, 10474,  9377,  4780,   729, 11143,  5291,  1190,  9154,  6142,
-	 6022,   142,  6958,  9139,  5407,  6874,  5023,   347,  4714,  9784,
-	  145,  7105,  4053,  1973, 10654,  5908,  6845,  3602,  4452,  9235,
-	10111,  3879,  5736, 10706,  8456,  8807,  1428,  8527, 12286, 12142,
-
-	 5086,  3434,  8509, 11404,  5791,  1112,  5332,  3199,  9283,   174,
-	 8526, 12237,  9741, 10327,  2174,  8214,  9238, 10258, 11082,  2302,
-	 2197,  9341,  3016,   316,  3195,  9087,  2859,  4912,  7197,  8561,
-	 1663,  7753, 11227,  9407,  6250, 11314,  1381,  6224, 10040,   400,
-     7311,  1858,  5019,   151,  7399,  6170,  7394,  5925,  7678,  7552,
-	 1378,  6077,  2837,  3834,  3531,   973, 10810,  1263,   442,  9369,
-	 4388,  6099,  3915,  7500, 11119,  4115,  5011, 12048,   480, 11231,
-	 9603,  3565,  2639,  6421,  7404,  6415,  7110,  4298,  1689,  9027,
-	12208,  8320,  2143,  6695,  8541,   683,  8889,  5446,  8785,   350,
-	 4861,  4698,  9000, 10885,  4938,  8471,  9542,   576,  3646,  6608,
-
-	 4278,   709, 10163,  6427,  7698,  8532,   242, 11858,  3459,  9734,
-	 9984,  9945,  8034,   418,  8193,  8209,  8993, 10542,   420,  8291,
-	  722, 10800,   773,  1010,   334,  4077,  3149,  6833,  3014,   218,
-	10682,  7280,   339,  4322,  2865,  5206,  9314,  1693,  9223,  9523,
-	11934,  7183,  7875,  4916,  7393,  5876,  5277,   504,   118,  5782,
-	  671,  8301,  1212, 10232,  9808,  1321,  3284,  1159,  7635,  5445,
-	 8736, 10238, 10102,  3438,  8705,  8719,  9405,  6152,  6512, 11863,
-	 3704,  9450,  8357,  3956,  9509, 11248, 10436,  7515, 11854,  3263,
-	  130,  6370,  4905,  6854,  4043,  1483, 11222,  9162,  6534,   652,
-	 7370,  4749, 11499, 10446,  8005, 11286,     9,   441,  9320,  1987,
-
-	11340,  2655,  7205,  8953,  8582,  2692,  9018, 11767, 11289,   156,
-	 7644,  5886,  5767, 12225,  9153,  6093,  3621,  5383,  5698,  8844,
-	 3241, 11341,  2704,  9606,  3712,  9842,  2987, 11184,  7300,  1319,
-	 3186,  8646,  5828,  2925,  8146,  5906,  6747, 11089,  2645,  6715,
-	 9521, 11836,  2381,  6068,  2396,  6803,  1544,  1922,  8155,  6347,
-	 3778,   787,  1696,  9370,  4437,  8500, 10963,  8760, 11414,  6281,
-	  544,  2078,  3510, 12233,  9545,   723, 10849,  3174,  8058,  1594,
-	 4372,  5315,  2366,  5333,  3248, 11684,  7222,  9786,   243, 11907,
-	 5860,  4493, 11244, 10240, 10200,  8240, 10512, 11239,  9995, 10484,
-	 9867,  4212,  9764, 11454,  8241, 10561,  1351,  4754, 11744, 10162,
-
-	 6378,  5297,  1484, 11271, 11563,  1293,  1912,  7665,  6915,  7032,
-	  476, 11035, 12288, 12240,  9888,  5241, 11029, 11994, 10123,  4467,
-	 9970,  9259, 11287,    58,  2842,  4079,  3247, 11635,  4821,  2738,
-	11272, 11612,  3694,  8960,  8925,  7210,  9198,  8298,  1065,  3029,
-	  953,  9830,  2399,  6950,  8747, 10777, 11935,  7232, 10276, 11964,
-	 8653,  6171,  7443,  8326,  2437,  8812,  1673,  8243, 10659,  6153,
-	 6561,  1975, 10752, 10710,  8652,  6122,  5042,  1278,  1177,  8517,
-	11796,   421,  8340,  3123,  5559,  2033,  1305,  2500, 11899,  5468,
-	 9863,  4016,   160,  7840,  3201,  9381,  4976, 10333,  2468, 10331,
-	 2370,  5529,  563,   3009, 12262, 10966,  8907,  6328,  2847,  4324,
-
-	 2963, 10008, 11121,  4213,  9813,  1566,  3000, 11821,  1646,  6920,
-	 7277,   192,  9408,  6299,  1426,  8429,  7484, 10335,  2566,  2844,
-	 4177,  8049,  1153,  7341,  3328,  3315,  2678,  8332,  2731, 10929,
-	 7094,  3514,   140,  6860,  4337,  3600,  4354,  4433,  8304,  1359,
-	 5146,  6374,  5101,  4169,  7657,  6523,   113,  5537,   955,  9928,
-	 7201,  8757, 11267, 11367,  3978, 10587,  2625,  5735, 10657,  6055,
-	 1759,   168,  8232, 10120,  4320,  2767,   404,  7507, 11462,  8633,
-	 5191,  8579,  2545,  1815,  2912,  7509, 11560,  1146,  6998, 11099,
-	 3135,  6147,  6267, 12147,  5331,  3150,  6882,  5415,  7266, 11942,
-	 7575,  2505, 12144,  5184,  8236, 10316,  1635,  6381,  5444,  8687,
-
-	 7837,  3054,  2178,  8410,  6553,  1583,  3833,  3482, 10861,  3762,
-	    3,   147,  7203,  8855,  3780,   885,  6498, 11177,  6957,  9090,
-	 3006, 12115,  3763,    52,  2548,  1962, 10115,  4075,  3051,  2031,
-	 1207,  9987, 10092,  2948,  9273, 11973,  9094,  3202,  9430,  7377,
-	 5092,  3728, 10626,  4536,  1062,  2882,  6039,   975, 10908,  6065,
-	 2249, 11889,  4978, 10431,  7270, 12138,  4890,  6119,  4895,  6364,
-	 4611,  4737, 10911,  6212,  9452,  8455,  8758, 11316,  1479, 11026,
-	11847,  2920,  7901,  6190,  8374,  4789,  1170,  8174,  7278,   241,
-	11809,  1058,  2686,  8724,  9650,  5868,  4885,  5874,  5179,  7991,
-	10600,  3262,    81,  3969, 10146,  5594,  3748, 11606,  3400,  6843,
-
-	 3504, 11939,  7428,  7591,  3289,  1404,  7351,  3818,  2747, 11713,
-	 8643,  5681,  8011, 11580,  2126,  5862,  4591,  3757, 12047,   431,
-	 8830,  2555,  2305,  2344,  4255, 11871,  4096,  4080,  3296,  1747,
-	11869,  3998, 11567,  1489, 11516, 11279, 11955,  8212,  9140,  5456,
-	 9275, 12071,  1607,  5009, 11950,  7967,  9424,  7083,  2975, 10596,
-	 3066,  2766,   355,  5106,  4414,  7373,  4896,  6413,  7012, 11785,
-	12171,  6507, 11618,  3988, 11077,  2057,  2481, 10968,  9005, 11130,
-	 4654,  6844,  3553,  2051,  2187,  8851,  3584,  3570,  2884,  6137,
-	 5777, 	 426,  8585,  2839,  3932,  8333,  2780,  1041,  1853,  4774,
-	  435,  9026, 12159,  5919,  7384,  5435,  8246, 10806,  1067,  3127,
-
-	 5755, 11637,  4919,  7540,   790,  1843,  4284,  1003, 12280, 11848,
-	 2969, 10302,   949,  9634,  5084,  3336,  3707,  9597,  3271,   522,
-	 1000, 12133,  4645,  6403,  6522,    64,  3136,  6196,  8668,  6906,
-	 6591,  3445,  9048,   948,  9585,  2683,  8577,  2447,  9302,  1105,
-	 4989, 10970,  9103,  3643,  6461,  9364,  4143,  6383,  5542,  1200,
-	 9644,  5574,  2768,   453,  9908,  6221,  9893,  5486, 10745, 10367,
-	 4134,  5942,  8511, 11502, 10593,  2919,  7852,  3789,  1326,  3529,
-	  875,  6008, 11745, 10211,  8779,    56,  2744, 11566,  1440,  9115,
-	 4231, 10695,  7917,  6974,  9923,  6956,  9041,   605,  5067,  2503,
-	12046,   382,  6429,  7796,  1045,  2049,  2089,  4049,  1777,  1050,
-
-	 2294,  1805,  2422,  8077,  2525,   835,  4048,  1728, 10938,  7535,
-	  545,  2127,  5911,  6992, 10805,  1018,   726, 10996, 10377,  4624,
-	  5374, 5257, 11813,  1254,     1
-};
-
-/**
- * Bit-reversed indices for n = 512
- */
-static uint16_t rev_512[] = {
-	  0, 256, 128, 384,  64, 320, 192, 448,  32, 288, 
-	160, 416,  96, 352, 224, 480,  16, 272, 144, 400,
-	 80, 336, 208, 464,  48, 304, 176, 432, 112, 368,
-	240, 496,   8, 264, 136, 392,  72, 328, 200, 456,
-	 40, 296, 168, 424, 104, 360, 232, 488,  24, 280,
-	152, 408,  88, 344, 216, 472,  56, 312, 184, 440,
-	120, 376, 248, 504,   4, 260, 132, 388,  68, 324,
-	196, 452,  36, 292, 164, 420, 100, 356, 228, 484,
-	 20, 276, 148, 404,  84, 340, 212, 468,  52, 308,
-	180, 436, 116, 372, 244, 500,  12, 268, 140, 396,
-
-	 76, 332, 204, 460,  44, 300, 172, 428, 108, 364,
-	236, 492,  28, 284, 156, 412,  92, 348, 220, 476,
-	 60, 316, 188, 444, 124, 380, 252, 508,   2, 258,
-	130, 386,  66, 322, 194, 450,  34, 290, 162, 418,
-	 98, 354, 226, 482,  18, 274, 146, 402,  82, 338,
-	210, 466,  50, 306, 178, 434, 114, 370, 242, 498,
-	 10, 266, 138, 394,  74, 330, 202, 458,  42, 298,
-	170, 426, 106, 362, 234, 490,  26, 282, 154, 410,
-	 90, 346, 218, 474,  58, 314, 186, 442, 122, 378,
-	250, 506,   6, 262, 134, 390,  70, 326, 198, 454,
-
-	 38, 294, 166, 422, 102, 358, 230, 486,  22, 278,
-	150, 406,  86, 342, 214, 470,  54, 310, 182, 438,
-	118, 374, 246, 502,  14, 270, 142, 398,  78, 334,
-	206, 462,  46, 302, 174, 430, 110, 366, 238, 494,
-	 30, 286, 158, 414,  94, 350, 222, 478,  62, 318,
-	190, 446, 126, 382, 254, 510,   1, 257, 129, 385,
-	 65, 321, 193, 449,  33, 289, 161, 417,  97, 353,
-	225, 481,  17, 273, 145, 401,  81, 337, 209, 465,
-	 49, 305, 177, 433, 113, 369, 241, 497,   9, 265,
-	137, 393,  73, 329, 201, 457,  41, 297, 169, 425,
-
-	105, 361, 233, 489,  25, 281, 153, 409,  89, 345,
-	217, 473,  57, 313, 185, 441, 121, 377, 249, 505,
-	  5, 261, 133, 389,  69, 325, 197, 453,  37, 293,
-	165, 421, 101, 357, 229, 485,  21, 277, 149, 405,
-	 85, 341, 213, 469,  53, 309, 181, 437, 117, 373,
-	245, 501,  13, 269, 141, 397,  77, 333, 205, 461,
-	 45, 301, 173, 429, 109, 365, 237, 493,  29, 285,
-	157, 413,  93, 349, 221, 477,  61, 317, 189, 445,
-	125, 381, 253, 509,   3, 259, 131, 387,  67, 323,
-	195, 451,  35, 291, 163, 419,  99, 355, 227, 483,
-
-	 19, 275, 147, 403,  83, 339, 211, 467,  51, 307,
-	179, 435, 115, 371, 243, 499,  11, 267, 139, 395,
-	 75, 331, 203, 459,  43, 299, 171, 427, 107, 363,
-	235, 491,  27, 283, 155, 411,  91, 347, 219, 475,
-	 59, 315, 187, 443, 123, 379, 251, 507,   7, 263,
-	135, 391,  71, 327, 199, 455,  39, 295, 167, 423,
-	103, 359, 231, 487,  23, 279, 151, 407,  87, 343,
-	215, 471,  55, 311, 183, 439, 119, 375, 247, 503,
-	 15, 271, 143, 399,  79, 335, 207, 463,  47, 303,
-	175, 431, 111, 367, 239, 495,  31, 287, 159, 415,
-
-	 95, 351, 223, 479,  63, 319, 191, 447, 127, 383,
-	255, 511
-};
-
-bliss_fft_params_t bliss_fft_12289_512 = {
-	12289, 512, 12265, 9, w_12289_1024, rev_512
-};
-
-/**
- * FFT parameters for q = 17 and n = 16
- */
-static uint16_t w_17_16[] = {
-	1, 3, 9, 10, 13, 5, 15, 11, 16, 14, 8, 7, 4, 12, 2, 6, 1 };
-
-/**
- * Bit-reversed indices for n = 8
- */
-static uint16_t rev_8[] = { 0, 4, 2, 6, 1, 5, 3, 7 };
-
-bliss_fft_params_t bliss_fft_17_8 = { 17, 8, 15, 3, w_17_16, rev_8 };
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.h b/src/libstrongswan/plugins/bliss/bliss_fft_params.h
deleted file mode 100644
index 31b151b..0000000
--- a/src/libstrongswan/plugins/bliss/bliss_fft_params.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup bliss_fft_params bliss_fft_params
- * @{ @ingroup bliss_p
- */
-
-#ifndef BLISS_FFT_PARAMS_H_
-#define BLISS_FFT_PARAMS_H_
-
-#include <library.h>
-
-typedef struct bliss_fft_params_t bliss_fft_params_t;
-
-/**
- * Defines the parameters for an NTT computed via the FFT algorithm
- */
-struct bliss_fft_params_t {
-
-	/**
-	 * Prime modulus
-	 */
-	uint16_t q;
-
-	/**
-	 * Size of the FFT with the condition k * n = q-1
-	 */
-	uint16_t n;
-
-	/**
-	 * Inverse of n mod q used for normalization of the FFT
-	 */
-	uint16_t n_inv;
-
-	/**
-	 * Number of FFT stages  stages = log2(n)
-	 */
-	uint16_t stages;
-
-	/**
-	 * FFT twiddle factors (n-th roots of unity)
-	 */
-	uint16_t *w;
-
-	/**
-	 * FFT bit reversal
-	 */
-	uint16_t *rev;
-
-};
-
-/**
- * FFT parameters for q = 12289 and n = 512
- */
-extern bliss_fft_params_t bliss_fft_12289_512;
-
-/**
- * FFT parameters for q = 17 and n = 8
- */
-extern bliss_fft_params_t bliss_fft_17_8;
-
-#endif /** BLISS_FFT_PARAMS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman.c b/src/libstrongswan/plugins/bliss/bliss_huffman.c
index 647234f..71e75d6 100644
--- a/src/libstrongswan/plugins/bliss/bliss_huffman.c
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c
@@ -209,7 +209,7 @@ static void remove_node(node_t *list, node_t **last, node_t *node)
  */
 int main(int argc, char *argv[])
 {
-	bliss_param_set_t *set;
+	const bliss_param_set_t *set;
 	int dx, bliss_type, depth = 1, groups, groups_left, pairs = 1;
 	int i_max = 9, k_max = 8, index_max = (2*k_max - 1) * i_max;
 	int i, i_top, k, k_top;
diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.c b/src/libstrongswan/plugins/bliss/bliss_param_set.c
index 3781a58..b6649d7 100644
--- a/src/libstrongswan/plugins/bliss/bliss_param_set.c
+++ b/src/libstrongswan/plugins/bliss/bliss_param_set.c
@@ -33,7 +33,7 @@ ENUM(bliss_param_set_id_names, BLISS_I, BLISS_B_IV,
  *
  * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 93'076.9
  */
-static uint8_t c_bliss_i[] = {
+static const uint8_t c_bliss_i[] = {
 	255, 255,  75, 191, 247,  94,  30,  51, 147, 246,  89,  59,  99, 248,  26, 128,
 	255, 254, 151, 128, 109, 166,  88, 143,  30, 175, 149,  20, 240,  81, 138, 111,
 	255, 253,  47,   2, 214, 243, 188,  76, 236, 235,  40,  62,  54,  35,  33, 205,
@@ -62,7 +62,7 @@ static uint8_t c_bliss_i[] = {
  *
  * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 125'550.5
  */
-static uint8_t c_bliss_iii[] = {
+static const uint8_t c_bliss_iii[] = {
 	255, 255, 122,  95,  16, 128,  14, 195,  60,  90, 166, 191, 205,  26, 144, 204,
 	255, 254, 244, 190, 102, 192, 187, 141, 169,  92,  33,  30, 170, 141, 184,  56,
 	255, 253, 233, 125, 228, 131,  93, 148, 121,  92,  52, 122, 149,  96,  29,  66,
@@ -91,7 +91,7 @@ static uint8_t c_bliss_iii[] = {
  *
  * c[i] = exp(-2^i/f), i = 0..21, with f = k_sigma^2 / ln 2 = 147'732.0
  */
-static uint8_t c_bliss_iv[] = {
+static const uint8_t c_bliss_iv[] = {
 	255, 255, 142, 111, 102,   2, 141,  87, 150,  42,  18,  70,   6, 224,  18,  70,
 	255, 255,  28, 222, 254, 102,  20,  78, 133,  78, 189, 107,  29,   7,  23, 193,
 	255, 254,  57, 190, 198,  79, 181, 181, 108,  75, 142, 145,  45, 238, 193,  29,
@@ -119,7 +119,7 @@ static uint8_t c_bliss_iv[] = {
 /**
  * BLISS signature parameter set definitions
  */
-static bliss_param_set_t bliss_param_sets[] = {
+static const bliss_param_set_t bliss_param_sets[] = {
 
 	/* BLISS-I scheme */
 	{
@@ -131,7 +131,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 		.q2_inv = 6145,
 		.n = 512,
 		.n_bits = 9,
-		.fft_params = &bliss_fft_12289_512,
+		.fft_params = &ntt_fft_12289_512,
 		.non_zero1 = 154,
 		.non_zero2 = 0,
 		.kappa = 23,
@@ -161,7 +161,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 		.q2_inv = 6145,
 		.n = 512,
 		.n_bits = 9,
-		.fft_params = &bliss_fft_12289_512,
+		.fft_params = &ntt_fft_12289_512,
 		.non_zero1 = 216,
 		.non_zero2 = 16,
 		.kappa = 30,
@@ -191,7 +191,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 		.q2_inv = 6145,
 		.n = 512,
 		.n_bits = 9,
-		.fft_params = &bliss_fft_12289_512,
+		.fft_params = &ntt_fft_12289_512,
 		.non_zero1 = 231,
 		.non_zero2 = 31,
 		.kappa = 39,
@@ -221,7 +221,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 		.q2_inv = 6145,
 		.n = 512,
 		.n_bits = 9,
-		.fft_params = &bliss_fft_12289_512,
+		.fft_params = &ntt_fft_12289_512,
 		.non_zero1 = 154,
 		.non_zero2 = 0,
 		.kappa = 23,
@@ -251,7 +251,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 		.q2_inv = 6145,
 		.n = 512,
 		.n_bits = 9,
-		.fft_params = &bliss_fft_12289_512,
+		.fft_params = &ntt_fft_12289_512,
 		.non_zero1 = 216,
 		.non_zero2 = 16,
 		.kappa = 30,
@@ -281,7 +281,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 		.q2_inv = 6145,
 		.n = 512,
 		.n_bits = 9,
-		.fft_params = &bliss_fft_12289_512,
+		.fft_params = &ntt_fft_12289_512,
 		.non_zero1 = 231,
 		.non_zero2 = 31,
 		.kappa = 39,
@@ -306,7 +306,7 @@ static bliss_param_set_t bliss_param_sets[] = {
 /**
  * See header.
  */
-bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id)
+const bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id)
 {
 	int i;
 
@@ -324,7 +324,7 @@ bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id)
 /**
  * See header.
  */
-bliss_param_set_t* bliss_param_set_get_by_oid(int oid)
+const bliss_param_set_t* bliss_param_set_get_by_oid(int oid)
 {
 	int i;
 
diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.h b/src/libstrongswan/plugins/bliss/bliss_param_set.h
index 33a8009..8c043b9 100644
--- a/src/libstrongswan/plugins/bliss/bliss_param_set.h
+++ b/src/libstrongswan/plugins/bliss/bliss_param_set.h
@@ -24,7 +24,7 @@
 typedef enum bliss_param_set_id_t bliss_param_set_id_t;
 typedef struct bliss_param_set_t bliss_param_set_t;
 
-#include "bliss_fft_params.h"
+#include "ntt_fft_params.h"
 #include "bliss_huffman_code.h"
 
 #include <library.h>
@@ -53,132 +53,132 @@ struct bliss_param_set_t {
 	/**
 	 * BLISS parameter set ID
 	 */
-	bliss_param_set_id_t id;
+	const bliss_param_set_id_t id;
 
 	/**
 	 * BLISS parameter set OID
 	 */
-	int oid;
+	const int oid;
 
 	/**
 	 * Security strength in bits
 	 */
-	uint16_t strength;
+	const uint16_t strength;
 
 	/**
 	 * Prime modulus
 	 */
-	uint16_t q;
+	const uint16_t q;
 
 	/**
 	 * Number of bits in q
 	 */
-	uint16_t q_bits;
+	const uint16_t q_bits;
 
 	/**
 	 * Inverse of (q + 2) mod 2q
 	 */
-	uint16_t q2_inv;
+	const uint16_t q2_inv;
 
 	/**
 	 * Ring dimension equal to the number of polynomial coefficients
 	 */
-	uint16_t n;
+	const uint16_t n;
 
 	/**
 	 * Number of bits in n
 	 */
-	uint16_t n_bits;
+	const uint16_t n_bits;
 
 	/**
 	 * FFT parameters
 	 */
-	bliss_fft_params_t *fft_params;
+	const ntt_fft_params_t *fft_params;
 
 	/**
 	 * Number of [-1, +1] secret key coefficients
 	 */
-	uint16_t non_zero1;
+	const uint16_t non_zero1;
 
 	/**
 	 * Number of [-2, +2] secret key coefficients
 	 */
-	uint16_t non_zero2;
+	const uint16_t non_zero2;
 
 	/**
 	 * Number of secret key terms that go into Nk(S) norm
 	 */
-	uint16_t kappa;
+	const uint16_t kappa;
 
 	/**
 	 * Maximum Nk(S) tolerable NK(S) norm (BLISS only)
 	 */
-	uint32_t nks_max;
+	const uint32_t nks_max;
 
 	/**
 	 * Maximum value Pmax for ||Sc'||^2 norm (BLISS-B only)
 	 */
-	uint32_t p_max;
+	const uint32_t p_max;
 
 	/**
 	 * Standard deviation sigma
 	 */
-	uint16_t sigma;
+	const uint16_t sigma;
 
 	/**
 	 *  k_sigma = ceiling[ sqrt(2*ln 2) * sigma ]
 	 */
-	uint16_t k_sigma;
+	const uint16_t k_sigma;
 
 	/**
 	 *  Number of bits in k_sigma
 	 */
-	uint16_t k_sigma_bits;
+	const uint16_t k_sigma_bits;
 
 	/**
 	 * Coefficients for Bernoulli sampling with exponential biases
 	 */
-	uint8_t *c;
+	const uint8_t *c;
 
 	/**
 	 * Number of columns in Bernoulli coefficient table
 	 */
-	size_t c_cols;
+	const size_t c_cols;
 
 	/**
 	 * Number of rows in Bernoulli coefficient table
 	 */
-	size_t c_rows;
+	const size_t c_rows;
 
 	/**
 	 * Number of bits in z1
 	 */
-	uint16_t z1_bits;
+	const uint16_t z1_bits;
 
 	/**
 	 * Number of z2 bits to be dropped after rounding
 	 */
-	uint16_t d;
+	const uint16_t d;
 
 	/**
 	 * Modulus p = floor(2q / 2^d) applied after bit dropping
 	 */
-	uint16_t p;
+	const uint16_t p;
 
 	/**
 	 * M = sigma^2 / alpha_rejection^2
 	 */
-	uint32_t M;
+	const uint32_t M;
 
 	/**
 	 * B_infinity bound
 	 */
-	uint16_t B_inf;
+	const uint16_t B_inf;
 
 	/**
 	 * B_verify bound
 	 */
-	uint32_t B_l2;
+	const uint32_t B_l2;
 
 };
 
@@ -188,7 +188,7 @@ struct bliss_param_set_t {
  * @param id	BLISS parameter set ID
  * @return		BLISS parameter set
 */
-bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id);
+const bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id);
 
 /**
  * Get BLISS signature parameter set by BLISS parameter set OID
@@ -196,6 +196,6 @@ bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id);
  * @param oid	BLISS parameter set OID
  * @return		BLISS parameter set
 */
-bliss_param_set_t* bliss_param_set_get_by_oid(int oid);
+const bliss_param_set_t* bliss_param_set_get_by_oid(int oid);
 
 #endif /** BLISS_PARAM_SET_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c
index 4adcf1e..cdf3e96 100644
--- a/src/libstrongswan/plugins/bliss/bliss_plugin.c
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -50,6 +50,8 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(PRIVKEY_GEN, bliss_private_key_gen, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_BLISS),
 				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA1),
+				PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA256),
 		PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
 		PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
@@ -57,29 +59,41 @@ METHOD(plugin_t, get_features, int,
 		/* signature schemes, private */
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA3_256),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA3_384),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA3_512),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		/* signature verification schemes */
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA3_256),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA3_384),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA3_512),
+			PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA512),
 	};
 	*features = f;
 
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
index 20bbc6a..25253ed 100644
--- a/src/libstrongswan/plugins/bliss/bliss_private_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -20,9 +20,10 @@
 #include "bliss_sampler.h"
 #include "bliss_signature.h"
 #include "bliss_bitpacker.h"
-#include "bliss_fft.h"
+#include "ntt_fft.h"
+#include "ntt_fft_reduce.h"
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
@@ -46,7 +47,7 @@ struct private_bliss_private_key_t {
 	/**
 	 * BLISS signature parameter set
 	 */
-	bliss_param_set_t *set;
+	const bliss_param_set_t *set;
 
 	/**
 	 * BLISS secret key S1 (coefficients of polynomial f)
@@ -64,6 +65,11 @@ struct private_bliss_private_key_t {
 	uint32_t *A;
 
 	/**
+	 * NTT of BLISS public key in Montgomery representation Ar = rA mod
+	 */
+	uint32_t *Ar;
+
+	/**
 	 * reference count
 	 */
 	refcount_t ref;
@@ -163,12 +169,12 @@ static void greedy_sc(int8_t *s1, int8_t *s2, int n, uint16_t *c_indices,
 static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
 					   chunk_t data, chunk_t *signature)
 {
-	bliss_fft_t *fft;
+	ntt_fft_t *fft;
 	bliss_signature_t *sig;
 	bliss_sampler_t *sampler = NULL;
 	rng_t *rng;
 	hasher_t *hasher;
-	hash_algorithm_t mgf1_alg, oracle_alg;
+	ext_out_function_t mgf1_alg, oracle_alg;
 	size_t mgf1_seed_len;
 	uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512];
 	chunk_t mgf1_seed, data_hash;
@@ -203,12 +209,12 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
 	/* Set MGF1 hash algorithm and seed length based on security strength */
 	if (this->set->strength > 160)
 	{
-		mgf1_alg = HASH_SHA256;
+		mgf1_alg = XOF_MGF1_SHA256;
 		mgf1_seed_len = HASH_SIZE_SHA256;
 	}
 	else
 	{
-		mgf1_alg = HASH_SHA1;
+		mgf1_alg = XOF_MGF1_SHA1;
 		mgf1_seed_len = HASH_SIZE_SHA1;
 	}
 	mgf1_seed = chunk_create(mgf1_seed_buf, mgf1_seed_len);
@@ -220,7 +226,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
 	}
 
 	/* MGF1 hash algorithm to be used for random oracle */
-	oracle_alg = HASH_SHA512;
+	oracle_alg = XOF_MGF1_SHA512;
 
 	/* Initialize a couple of needed variables */
 	n  = this->set->n;
@@ -241,7 +247,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
 	y2 = z2;
 	ud = z2d;
 
-	fft = bliss_fft_create(this->set->fft_params);
+	fft = ntt_fft_create(this->set->fft_params);
 
 	/* Use of the enhanced BLISS-B signature algorithm? */
 	switch (this->set->id)
@@ -337,7 +343,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
 
 		for (i = 0; i < n; i++)
 		{
-			ay[i] = (this->A[i] * ay[i]) % q;
+			ay[i] = ntt_fft_mreduce(this->Ar[i] * ay[i], this->set->fft_params);
 		}
 		fft->transform(fft, ay, ay, TRUE);
 
@@ -668,6 +674,7 @@ METHOD(private_key_t, destroy, void,
 			free(this->s2);
 		}
 		free(this->A);
+		free(this->Ar);
 		free(this);
 	}
 }
@@ -795,13 +802,13 @@ static uint32_t nks_norm(int8_t *s1, int8_t *s2, int n, uint16_t kappa)
 /**
  * Compute the inverse x1 of x modulo q as x^(-1) = x^(q-2) mod q
  */
-static uint32_t invert(uint32_t x, uint16_t q)
+static uint32_t invert(private_bliss_private_key_t *this, uint32_t x)
 {
 	uint32_t x1, x2;
 	uint16_t q2;
 	int i, i_max;
 
-	q2 = q - 2;
+	q2 = this->set->q - 2;
 	x1 = (q2 & 1) ? x : 1;
 	x2 = x;
 	i_max = 15;
@@ -812,11 +819,11 @@ static uint32_t invert(uint32_t x, uint16_t q)
 	}
 	for (i = 1; i <= i_max; i++)
 	{
-		x2 = (x2 * x2) % q;
+		x2 = ntt_fft_mreduce(x2 * x2, this->set->fft_params);
 
 		if (q2 & (1 << i))
 		{
-			x1 = (x1 * x2) % q;
+			x1 = ntt_fft_mreduce(x1 * x2, this->set->fft_params);
 		}
 	}
 
@@ -827,14 +834,14 @@ static uint32_t invert(uint32_t x, uint16_t q)
  * Create a vector with sparse and small coefficients from seed
  */
 static int8_t* create_vector_from_seed(private_bliss_private_key_t *this,
-									   hash_algorithm_t alg, chunk_t seed)
+									   ext_out_function_t alg, chunk_t seed)
 {
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 	uint32_t index, sign;
 	int8_t *vector;
 	int non_zero;
 
-	bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+	bitspender = xof_bitspender_create(alg, seed, FALSE);
 	if (!bitspender)
 	{
 	    return NULL;
@@ -903,7 +910,7 @@ static bool create_secret(private_bliss_private_key_t *this, rng_t *rng,
 	int i, n;
 	chunk_t seed;
 	size_t seed_len;
-	hash_algorithm_t alg;
+	ext_out_function_t alg;
 
 	n = this->set->n;
 	*s1 = NULL;
@@ -912,12 +919,12 @@ static bool create_secret(private_bliss_private_key_t *this, rng_t *rng,
 	/* Set MGF1 hash algorithm and seed length based on security strength */
 	if (this->set->strength > 160)
 	{
-		alg = HASH_SHA256;
+		alg = XOF_MGF1_SHA256;
 		seed_len = HASH_SIZE_SHA256;
 	}
 	else
 	{
-		alg = HASH_SHA1;
+		alg = XOF_MGF1_SHA1;
 		seed_len = HASH_SIZE_SHA1;
 	}
 	seed = chunk_create(seed_buf, seed_len);
@@ -1000,8 +1007,8 @@ bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
 	uint32_t *S1, *S2, *a;
 	uint16_t q;
 	bool success = FALSE;
-	bliss_param_set_t *set;
-	bliss_fft_t *fft;
+	const bliss_param_set_t *set;
+	ntt_fft_t *fft;
 	rng_t *rng;
 
 	while (TRUE)
@@ -1062,13 +1069,14 @@ bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
 	this->set = set;
 
 	/* We derive the public key from the private key using the FFT */
-	fft = bliss_fft_create(set->fft_params);
+	fft = ntt_fft_create(set->fft_params);
 
 	/* Some vectors needed to derive the publi key */
 	S1 = malloc(n * sizeof(uint32_t));
 	S2 = malloc(n * sizeof(uint32_t));
 	a  = malloc(n * sizeof(uint32_t));
-	this->A = malloc(n * sizeof(uint32_t));
+	this->A  = malloc(n * sizeof(uint32_t));
+	this->Ar = malloc(n * sizeof(uint32_t));
 
 	/* Instantiate a true random generator */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
@@ -1091,6 +1099,7 @@ bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
 		fft->transform(fft, S2, S2, FALSE);
 
 		success = TRUE;
+
 		for (i = 0; i < n; i++)
 		{
 			if (S1[i] == 0)
@@ -1103,8 +1112,9 @@ bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
 				success = FALSE;
 				break;
 			}
-			this->A[i] = invert(S1[i], q);
-			this->A[i] = (S2[i] * this->A[i]) % q;
+			this->Ar[i] = invert(this, S1[i]);
+			this->Ar[i] = ntt_fft_mreduce(S2[i] * this->Ar[i], set->fft_params);
+			this->A[i]  = ntt_fft_mreduce(this->Ar[i], set->fft_params);
 		}
 	}
 	while (!success && trials < SECRET_KEY_TRIALS_MAX);
@@ -1114,13 +1124,15 @@ bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
 
 	if (success)
 	{
-		fft->transform(fft, this->A, a, TRUE);
+		fft->transform(fft, this->Ar, a, TRUE);
 
 		DBG4(DBG_LIB, "   i   f   g     a     F     G     A");
 		for (i = 0; i < n; i++)
 		{
 			DBG4(DBG_LIB, "%4d %3d %3d %5u %5u %5u %5u",
-				 i, this->s1[i], this->s2[i], a[i], S1[i], S2[i], this->A[i]);
+						  i, this->s1[i], this->s2[i],
+						  ntt_fft_mreduce(a[i], set->fft_params),
+				 		  S1[i], S2[i], this->A[i]);
 		}
 	}
 	else
@@ -1167,7 +1179,7 @@ bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args)
 	asn1_parser_t *parser;
 	size_t s_bits = 0;
 	int8_t s, s_min = 0, s_max = 0;
-	uint32_t s_sign = 0x02, s_mask = 0xfffffffc, value;
+	uint32_t s_sign = 0x02, s_mask = 0xfffffffc, value, r2;
 	bool success = FALSE;
 	int objectID, oid, i;
 
@@ -1248,6 +1260,14 @@ bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args)
 				{
 					goto end;
 				}
+				this->Ar = malloc(this->set->n * sizeof(uint32_t));
+				r2 = this->set->fft_params->r2;
+
+				for (i = 0; i < this->set->n; i++)
+				{
+					this->Ar[i] = ntt_fft_mreduce(this->A[i] * r2,
+												  this->set->fft_params);
+				}
 				break;
 			case PRIV_KEY_SECRET1:
 				if (object.len != 1 + (s_bits * this->set->n + 7)/8)
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
index 93d1165..f7ddbbf 100644
--- a/src/libstrongswan/plugins/bliss/bliss_public_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,7 +16,8 @@
 #include "bliss_public_key.h"
 #include "bliss_signature.h"
 #include "bliss_bitpacker.h"
-#include "bliss_fft.h"
+#include "ntt_fft.h"
+#include "ntt_fft_reduce.h"
 #include "bliss_utils.h"
 
 #include <asn1/asn1.h>
@@ -37,7 +38,7 @@ struct private_bliss_public_key_t {
 	/**
 	 * BLISS signature parameter set
 	 */
-	bliss_param_set_t *set;
+	const bliss_param_set_t *set;
 
 	/**
 	 * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f)
@@ -45,6 +46,11 @@ struct private_bliss_public_key_t {
 	uint32_t *A;
 
 	/**
+	 * NTT of BLISS public key in Montgomery representation Ar = rA mod
+	 */
+	uint32_t *Ar;
+
+	/**
 	 * reference counter
 	 */
 	refcount_t ref;
@@ -70,8 +76,8 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
 	uint8_t data_hash_buf[HASH_SIZE_SHA512];
 	chunk_t data_hash;
 	hasher_t *hasher;
-	hash_algorithm_t oracle_alg;
-	bliss_fft_t *fft;
+	ext_out_function_t oracle_alg;
+	ntt_fft_t *fft;
 	bliss_signature_t *sig;
 	bool success = FALSE;
 
@@ -104,7 +110,7 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
 	}
 
 	/* MGF1 hash algorithm to be used for random oracle */
-	oracle_alg = HASH_SHA512;
+	oracle_alg = XOF_MGF1_SHA512;
 
 	/* Initialize a couple of needed variables */
 	n  = this->set->n;
@@ -120,12 +126,12 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
 	{
 		az[i] = z1[i] < 0 ? q + z1[i] : z1[i];
 	}
-	fft = bliss_fft_create(this->set->fft_params);
+	fft = ntt_fft_create(this->set->fft_params);
 	fft->transform(fft, az, az, FALSE);
 
 	for (i = 0; i < n; i++)
 	{
-		az[i] = (this->A[i] * az[i]) % q;
+		az[i] = ntt_fft_mreduce(this->Ar[i] * az[i], this->set->fft_params);
 	}
 	fft->transform(fft, az, az, TRUE);
 
@@ -279,6 +285,7 @@ METHOD(public_key_t, destroy, void,
 	{
 		lib->encoding->clear_cache(lib->encoding, this);
 		free(this->A);
+		free(this->Ar);
 		free(this);
 	}
 }
@@ -304,7 +311,8 @@ bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args)
 	chunk_t blob = chunk_empty, object, param;
 	asn1_parser_t *parser;
 	bool success = FALSE;
-	int objectID, oid;
+	int objectID, oid, i;
+	uint32_t r2;
 
 	while (TRUE)
 	{
@@ -380,6 +388,14 @@ bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args)
 				{
 					goto end;
 				}
+				this->Ar = malloc(this->set->n * sizeof(uint32_t));
+				r2 = this->set->fft_params->r2;
+
+				for (i = 0; i < this->set->n; i++)
+				{
+					this->Ar[i] = ntt_fft_mreduce(this->A[i] * r2,
+												  this->set->fft_params);
+				}
 				break;
 		}
 	}
@@ -399,7 +415,7 @@ end:
 /**
  * See header.
  */
-bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
+bool bliss_public_key_from_asn1(chunk_t object, const bliss_param_set_t *set,
 								uint32_t **pubkey)
 {
 	bliss_bitpacker_t *packer;
@@ -438,7 +454,7 @@ bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
 /**
  * See header.
  */
-chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set)
+chunk_t bliss_public_key_encode(uint32_t *pubkey, const bliss_param_set_t *set)
 {
 	bliss_bitpacker_t *packer;
 	chunk_t encoding;
@@ -460,7 +476,7 @@ chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set)
  * See header.
  */
 chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
-									 bliss_param_set_t *set)
+									 const bliss_param_set_t *set)
 {
 	chunk_t encoding, pubkey_encoding;
 
@@ -479,7 +495,7 @@ chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
  * See header.
  */
 bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey,
-								  bliss_param_set_t *set,
+								  const bliss_param_set_t *set,
 								  cred_encoding_type_t type, chunk_t *fp)
 {
 	hasher_t *hasher;
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.h b/src/libstrongswan/plugins/bliss/bliss_public_key.h
index cd8f231..d8dd2df 100644
--- a/src/libstrongswan/plugins/bliss/bliss_public_key.h
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.h
@@ -61,7 +61,7 @@ bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args);
  * @param pubkey	coefficients of public key vector
  * @return			TRUE if parsing successful
  */
-bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
+bool bliss_public_key_from_asn1(chunk_t object, const bliss_param_set_t *set,
 								uint32_t **pubkey);
 
 /**
@@ -71,7 +71,7 @@ bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
  * @param set		BLISS parameter set for the public key vector
  * @result			ASN.1 encoded subjectPublicKey
  */
-chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set);
+chunk_t bliss_public_key_encode(uint32_t *pubkey, const bliss_param_set_t *set);
 
 /**
  * Encode a BLISS subjectPublicKeyInfo record in ASN.1 DER format
@@ -82,7 +82,7 @@ chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set);
  * @result			ASN.1 encoded subjectPublicKeyInfo record
  */
 chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
-									 bliss_param_set_t *set);
+									 const bliss_param_set_t *set);
 
 /**
  * Generate a BLISS public key fingerprint
@@ -95,7 +95,7 @@ chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
  * @result			TRUE if generation was successful
  */
 bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey,
-								  bliss_param_set_t *set,
+								  const bliss_param_set_t *set,
 								  cred_encoding_type_t type, chunk_t *fp);
 
 #endif /** BLISS_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.c b/src/libstrongswan/plugins/bliss/bliss_sampler.c
index fa45a2f..fb29d66 100644
--- a/src/libstrongswan/plugins/bliss/bliss_sampler.c
+++ b/src/libstrongswan/plugins/bliss/bliss_sampler.c
@@ -17,7 +17,7 @@
 
 typedef struct private_bliss_sampler_t private_bliss_sampler_t;
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 
 /**
  * Private data of a bliss_sampler_t object.
@@ -32,12 +32,12 @@ struct private_bliss_sampler_t {
 	/**
 	 * BLISS parameter the rejection sampling is to be based on
 	 */
-	bliss_param_set_t *set;
+	const bliss_param_set_t *set;
 
 	/**
 	 * Bitspender used for random rejection sampling
 	 */
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 
 };
 
@@ -45,7 +45,8 @@ METHOD(bliss_sampler_t, bernoulli_exp, bool,
 	private_bliss_sampler_t *this, uint32_t x, bool *accepted)
 {
 	uint32_t x_mask;
-	uint8_t *c, u;
+	uint8_t u;
+	const uint8_t *c;
 	int i;
 
 	x_mask = 1 << (this->set->c_rows - 1);
@@ -221,13 +222,13 @@ METHOD(bliss_sampler_t, destroy, void,
 /**
  * See header.
  */
-bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
-									  bliss_param_set_t *set)
+bliss_sampler_t *bliss_sampler_create(ext_out_function_t alg, chunk_t seed,
+									  const bliss_param_set_t *set)
 {
 	private_bliss_sampler_t *this;
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 
-	bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+	bitspender = xof_bitspender_create(alg, seed, FALSE);
 	if (!bitspender)
 	{
 		return NULL;
diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.h b/src/libstrongswan/plugins/bliss/bliss_sampler.h
index 2c75d44..3e6d3d0 100644
--- a/src/libstrongswan/plugins/bliss/bliss_sampler.h
+++ b/src/libstrongswan/plugins/bliss/bliss_sampler.h
@@ -84,11 +84,11 @@ struct bliss_sampler_t {
 /**
  * Create a bliss_sampler_t object.
  *
- * @param alg		Hash algorithm to be used for the internal bitspender
+ * @param alg		XOF to be used for the internal bitspender
  * @param seed		Seed used to initialize the internal bitspender
  * @param set		BLISS parameter set to be used
  */
-bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
-									  bliss_param_set_t *set);
+bliss_sampler_t *bliss_sampler_create(ext_out_function_t alg, chunk_t seed,
+									  const bliss_param_set_t *set);
 
 #endif /** BLISS_SAMPLER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.c b/src/libstrongswan/plugins/bliss/bliss_signature.c
index e603da3..f4e1bff 100644
--- a/src/libstrongswan/plugins/bliss/bliss_signature.c
+++ b/src/libstrongswan/plugins/bliss/bliss_signature.c
@@ -32,7 +32,7 @@ struct private_bliss_signature_t {
 	/**
 	 * BLISS signature parameter set
 	 */
-	bliss_param_set_t *set;
+	const bliss_param_set_t *set;
 
 	/**
 	 * BLISS signature vector z1 of size n
@@ -134,7 +134,7 @@ METHOD(bliss_signature_t, destroy, void,
 /**
  * See header.
  */
-bliss_signature_t *bliss_signature_create(bliss_param_set_t *set)
+bliss_signature_t *bliss_signature_create(const bliss_param_set_t *set)
 {
 	private_bliss_signature_t *this;
 
@@ -156,7 +156,7 @@ bliss_signature_t *bliss_signature_create(bliss_param_set_t *set)
 /**
  * See header.
  */
-bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set,
+bliss_signature_t *bliss_signature_create_from_data(const bliss_param_set_t *set,
 													chunk_t encoding)
 {
 	private_bliss_signature_t *this;
diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.h b/src/libstrongswan/plugins/bliss/bliss_signature.h
index d37f539..20ed6c0 100644
--- a/src/libstrongswan/plugins/bliss/bliss_signature.h
+++ b/src/libstrongswan/plugins/bliss/bliss_signature.h
@@ -61,7 +61,7 @@ struct bliss_signature_t {
  *
  * @param set			BLISS parameter set
  */
-bliss_signature_t *bliss_signature_create(bliss_param_set_t *set);
+bliss_signature_t *bliss_signature_create(const bliss_param_set_t *set);
 
 /**
  * Create a BLISS signature object from encoding.
@@ -69,7 +69,7 @@ bliss_signature_t *bliss_signature_create(bliss_param_set_t *set);
  * @param set			BLISS parameter set
  * @param encoding		binary signature encoding
  */
-bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set,
+bliss_signature_t *bliss_signature_create_from_data(const bliss_param_set_t *set,
 													chunk_t encoding);
 
 #endif /** BLISS_SIGNATURE_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c
index 5e313ff..5baa1f8 100644
--- a/src/libstrongswan/plugins/bliss/bliss_utils.c
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,7 +17,7 @@
 
 #include <asn1/asn1.h>
 #include <crypto/hashers/hasher.h>
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <utils/debug.h>
 
 /**
@@ -39,7 +39,8 @@ int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n)
 /**
  * See header.
  */
-void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
+void bliss_utils_round_and_drop(const bliss_param_set_t *set,
+								int32_t *x, int16_t *xd)
 {
 	int32_t factor;
 	int i;
@@ -55,8 +56,8 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
 /**
  * See header.
  */
-bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
-							uint16_t *ud, bliss_param_set_t *set,
+bool bliss_utils_generate_c(ext_out_function_t alg, chunk_t data_hash,
+							uint16_t *ud, const bliss_param_set_t *set,
 							uint16_t *c_indices)
 {
 	int i, index_trials = 0, index_found = 0;
@@ -64,7 +65,7 @@ bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
 	uint32_t index;
 	uint8_t *seed_pos;
 	chunk_t seed;
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 
 	seed = chunk_alloca(data_hash.len + set->n * sizeof(uint16_t));
 
@@ -79,7 +80,7 @@ bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
 		seed_pos += sizeof(uint16_t);
 	}
 
-	bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+	bitspender = xof_bitspender_create(alg, seed, FALSE);
 	if (!bitspender)
 	{
 	    return NULL;
@@ -117,7 +118,8 @@ bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
 /**
  * See header.
  */
-bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d)
+bool bliss_utils_check_norms(const bliss_param_set_t *set,
+							 int32_t *z1, int16_t *z2d)
 {
 	int32_t z2ds[set->n];
 	int32_t z1_min, z1_max, norm;
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.h b/src/libstrongswan/plugins/bliss/bliss_utils.h
index 156968d..bfaf3c4 100644
--- a/src/libstrongswan/plugins/bliss/bliss_utils.h
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.h
@@ -42,29 +42,31 @@ int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n);
  * @param x			input vector x of size n
  * @param xd		rounded vector x with d bits dropped
  */
-void bliss_utils_round_and_drop(bliss_param_set_t *set,	int32_t *x, int16_t *xd);
+void bliss_utils_round_and_drop(const bliss_param_set_t *set,
+								int32_t *x, int16_t *xd);
 
 /**
  * Generate the binary challenge vector c as an array of kappa indices
  *
- * @param alg		hash algorithm to be used for the internal oracle
- * @param data_hash	hash of the data to be signed
- * @param ud		input vector ud of size n
- * @param set		BLISS parameter set to be used (n, n_bits, kappa)
- * @param c_indices	indexes of non-zero challenge coefficients
+ * @param alg			XOF to be used for the internal oracle
+ * @param data_hash		hash of the data to be signed
+ * @param ud			input vector ud of size n
+ * @param set			BLISS parameter set to be used (n, n_bits, kappa)
+ * @param c_indices		indexes of non-zero challenge coefficients
  */
-bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
-							uint16_t *ud, bliss_param_set_t *set,
+bool bliss_utils_generate_c(ext_out_function_t alg, chunk_t data_hash,
+							uint16_t *ud, const bliss_param_set_t *set,
 							uint16_t *c_indices);
 
 /**
  * Check the infinity and l2 norms of the vectors z1 and z2d << d
  *
- * @param set	BLISS parameter set
- * @param z1	input vector
- * @param z2d	input vector
- * @result		TRUE if infinite and l2 norms do not exceed boundaries
+ * @param set		BLISS parameter set
+ * @param z1		input vector
+ * @param z2d		input vector
+ * @result			TRUE if infinite and l2 norms do not exceed boundaries
  */
-bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d);
+bool bliss_utils_check_norms(const bliss_param_set_t *set,
+							 int32_t *z1, int16_t *z2d);
 
 #endif /** BLISS_UTILS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.am b/src/libstrongswan/plugins/bliss/tests/Makefile.am
index bd87753..1ec8d55 100644
--- a/src/libstrongswan/plugins/bliss/tests/Makefile.am
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.am
@@ -3,7 +3,6 @@ TESTS = bliss_tests
 check_PROGRAMS = $(TESTS)
 
 bliss_tests_SOURCES = \
-	suites/test_bliss_fft.c \
 	suites/test_bliss_bitpacker.c \
 	suites/test_bliss_huffman.c \
 	suites/test_bliss_keys.c \
@@ -15,6 +14,7 @@ bliss_tests_SOURCES = \
 bliss_tests_CFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft \
 	-I$(top_srcdir)/src/libstrongswan/plugins/bliss \
 	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
 	-DPLUGINS=\""${s_plugins}\"" \
@@ -24,4 +24,5 @@ bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 bliss_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
 	../libbliss.la
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
index 85619c5..05f95dc 100644
--- a/src/libstrongswan/plugins/bliss/tests/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -110,7 +110,7 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__EXEEXT_1 = bliss_tests$(EXEEXT)
 am__dirstamp = $(am__leading_dot)dirstamp
-am_bliss_tests_OBJECTS = suites/bliss_tests-test_bliss_fft.$(OBJEXT) \
+am_bliss_tests_OBJECTS =  \
 	suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT) \
 	suites/bliss_tests-test_bliss_huffman.$(OBJEXT) \
 	suites/bliss_tests-test_bliss_keys.$(OBJEXT) \
@@ -122,6 +122,7 @@ bliss_tests_OBJECTS = $(am_bliss_tests_OBJECTS)
 bliss_tests_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
 	../libbliss.la
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
@@ -353,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,11 +440,12 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 bliss_tests_SOURCES = \
-	suites/test_bliss_fft.c \
 	suites/test_bliss_bitpacker.c \
 	suites/test_bliss_huffman.c \
 	suites/test_bliss_keys.c \
@@ -458,6 +457,7 @@ bliss_tests_SOURCES = \
 bliss_tests_CFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft \
 	-I$(top_srcdir)/src/libstrongswan/plugins/bliss \
 	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
 	-DPLUGINS=\""${s_plugins}\"" \
@@ -467,6 +467,7 @@ bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 bliss_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
 	../libbliss.la
 
 all: all-am
@@ -517,8 +518,6 @@ suites/$(am__dirstamp):
 suites/$(DEPDIR)/$(am__dirstamp):
 	@$(MKDIR_P) suites/$(DEPDIR)
 	@: > suites/$(DEPDIR)/$(am__dirstamp)
-suites/bliss_tests-test_bliss_fft.$(OBJEXT): suites/$(am__dirstamp) \
-	suites/$(DEPDIR)/$(am__dirstamp)
 suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/bliss_tests-test_bliss_huffman.$(OBJEXT):  \
@@ -545,7 +544,6 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bliss_tests-bliss_tests.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po at am__quote@
@@ -576,20 +574,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-suites/bliss_tests-test_bliss_fft.o: suites/test_bliss_fft.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.o' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c
-
-suites/bliss_tests-test_bliss_fft.obj: suites/test_bliss_fft.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi`
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.obj' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi`
-
 suites/bliss_tests-test_bliss_bitpacker.o: suites/test_bliss_bitpacker.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
index f0959cc..61f37d5 100644
--- a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
+++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,7 +13,6 @@
  * for more details.
  */
 
-TEST_SUITE(bliss_fft_suite_create)
 TEST_SUITE(bliss_bitpacker_suite_create)
 TEST_SUITE(bliss_huffman_suite_create)
 TEST_SUITE(bliss_keys_suite_create)
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
index 1bd1266..26c5b60 100644
--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
@@ -22,16 +22,16 @@ static u_int key_size[] = { 1, 3, 4};
 START_TEST(test_bliss_sampler_gaussian)
 {
 	bliss_sampler_t *sampler;
-	bliss_param_set_t *set;
+	const bliss_param_set_t *set;
 	int i, k, count;
 	uint32_t hist[8], sign[3];
 	int32_t z;
-	hash_algorithm_t alg;
+	ext_out_function_t alg;
 	size_t seed_len;
 	chunk_t seed;
 
 	set = bliss_param_set_get_by_id(key_size[_i]);
-	alg = HASH_SHA256;
+	alg = XOF_MGF1_SHA256;
 	seed_len = 32;
 	count = 10000000;
 
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
index 2a2f48c..6f56650 100644
--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
@@ -95,8 +95,8 @@ static chunk_t data = chunk_from_chars(
 
 START_TEST(test_bliss_signature_fail)
 {
-	bliss_param_set_t set2 = { .id = BLISS_B_II };
-	bliss_param_set_t *set;
+	const bliss_param_set_t set2 = { .id = BLISS_B_II };
+	const bliss_param_set_t *set;
 	bliss_signature_t *signature;
 	chunk_t encoding;
 	int k;
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index d543311..895af62 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index d93b047..39caacd 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/chapoly/Makefile.am b/src/libstrongswan/plugins/chapoly/Makefile.am
index 1753de0..d6d577c 100644
--- a/src/libstrongswan/plugins/chapoly/Makefile.am
+++ b/src/libstrongswan/plugins/chapoly/Makefile.am
@@ -15,7 +15,8 @@ libstrongswan_chapoly_la_SOURCES = \
 	chapoly_plugin.h chapoly_plugin.c \
 	chapoly_drv.h chapoly_drv.c \
 	chapoly_drv_portable.h chapoly_drv_portable.c \
-	chapoly_aead.h chapoly_aead.c
+	chapoly_aead.h chapoly_aead.c \
+	chapoly_xof.h chapoly_xof.c
 
 noinst_LTLIBRARIES += libchapoly-drv-ssse3.la
 libchapoly_drv_ssse3_la_SOURCES = chapoly_drv_ssse3.h chapoly_drv_ssse3.c
diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in
index d5b77a9..c0de9d8 100644
--- a/src/libstrongswan/plugins/chapoly/Makefile.in
+++ b/src/libstrongswan/plugins/chapoly/Makefile.in
@@ -152,7 +152,7 @@ libchapoly_drv_ssse3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(LDFLAGS) -o $@
 libstrongswan_chapoly_la_DEPENDENCIES = libchapoly-drv-ssse3.la
 am_libstrongswan_chapoly_la_OBJECTS = chapoly_plugin.lo chapoly_drv.lo \
-	chapoly_drv_portable.lo chapoly_aead.lo
+	chapoly_drv_portable.lo chapoly_aead.lo chapoly_xof.lo
 libstrongswan_chapoly_la_OBJECTS =  \
 	$(am_libstrongswan_chapoly_la_OBJECTS)
 libstrongswan_chapoly_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
@@ -365,7 +365,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -399,8 +398,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -454,6 +451,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -469,7 +468,8 @@ libstrongswan_chapoly_la_SOURCES = \
 	chapoly_plugin.h chapoly_plugin.c \
 	chapoly_drv.h chapoly_drv.c \
 	chapoly_drv_portable.h chapoly_drv_portable.c \
-	chapoly_aead.h chapoly_aead.c
+	chapoly_aead.h chapoly_aead.c \
+	chapoly_xof.h chapoly_xof.c
 
 libchapoly_drv_ssse3_la_SOURCES = chapoly_drv_ssse3.h chapoly_drv_ssse3.c
 @USE_X86X64_TRUE at libchapoly_drv_ssse3_la_CFLAGS = $(PLUGIN_CFLAGS) -mssse3
@@ -573,6 +573,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/chapoly_drv.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/chapoly_drv_portable.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/chapoly_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/chapoly_xof.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/libchapoly_drv_ssse3_la-chapoly_drv_ssse3.Plo at am__quote@
 
 .c.o:
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_plugin.c b/src/libstrongswan/plugins/chapoly/chapoly_plugin.c
index 02e7121..447960b 100644
--- a/src/libstrongswan/plugins/chapoly/chapoly_plugin.c
+++ b/src/libstrongswan/plugins/chapoly/chapoly_plugin.c
@@ -15,6 +15,7 @@
 
 #include "chapoly_plugin.h"
 #include "chapoly_aead.h"
+#include "chapoly_xof.h"
 
 #include <library.h>
 
@@ -43,6 +44,8 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(AEAD, chapoly_aead_create),
 			PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32),
+		PLUGIN_REGISTER(XOF, chapoly_xof_create),
+			PLUGIN_PROVIDE(XOF, XOF_CHACHA20),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_xof.c b/src/libstrongswan/plugins/chapoly/chapoly_xof.c
new file mode 100644
index 0000000..2740a55
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_xof.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "chapoly_xof.h"
+#include "chapoly_drv.h"
+
+typedef struct private_chapoly_xof_t private_chapoly_xof_t;
+
+/**
+ * Private data of an chapoly_xof_t object.
+ */
+struct private_chapoly_xof_t {
+
+	/**
+	 * Public chapoly_xof_t interface.
+	 */
+	chapoly_xof_t public;
+
+	/**
+	 * Latest block of the ChaCha20 stream.
+	 */
+	uint8_t stream[CHACHA_BLOCK_SIZE];
+
+	/**
+	 * Index pointing to the current position in the stream
+	 */
+	u_int stream_index;
+
+	/**
+	 * Driver backend
+	 */
+	chapoly_drv_t *drv;
+};
+
+METHOD(xof_t, get_type, ext_out_function_t,
+	private_chapoly_xof_t *this)
+{
+	return XOF_CHACHA20;
+}
+
+METHOD(xof_t, get_bytes, bool,
+	private_chapoly_xof_t *this, size_t out_len, uint8_t *buffer)
+{
+	size_t index = 0, len, blocks;
+
+	/* empty the stream buffer first */
+	len = min(out_len, CHACHA_BLOCK_SIZE - this->stream_index);
+	if (len)
+	{
+		memcpy(buffer, this->stream + this->stream_index, len);
+		index += len;
+		this->stream_index += len;
+	}
+
+	/* copy whole stream blocks directly to output buffer */
+	blocks = (out_len - index) / CHACHA_BLOCK_SIZE;	
+	while (blocks--)
+	{
+		if (!this->drv->chacha(this->drv, buffer + index))
+		{
+			return FALSE;
+		}
+		index += CHACHA_BLOCK_SIZE;
+	}	
+	
+	/* refill the stream buffer if some more output bytes are needed */
+	len = out_len - index;
+	if (len)
+	{
+		if (!this->drv->chacha(this->drv, this->stream))
+		{
+			return FALSE;
+		}
+		memcpy(buffer + index, this->stream, len);
+		this->stream_index = len;
+	}		
+	
+	return TRUE;
+}
+
+METHOD(xof_t, allocate_bytes, bool,
+	private_chapoly_xof_t *this, size_t out_len, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(out_len);
+
+	if (!get_bytes(this, out_len, chunk->ptr))
+	{
+		chunk_free(chunk);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+METHOD(xof_t, get_block_size, size_t,
+	private_chapoly_xof_t *this)
+{
+	return CHACHA_BLOCK_SIZE;
+}
+
+METHOD(xof_t, get_seed_size, size_t,
+	private_chapoly_xof_t *this)
+{
+	return CHACHA_KEY_SIZE + CHACHA_SALT_SIZE + CHACHA_IV_SIZE;
+}
+
+METHOD(xof_t, set_seed, bool,
+	private_chapoly_xof_t *this, chunk_t seed)
+{
+	this->stream_index = CHACHA_BLOCK_SIZE;
+
+	return  seed.len == get_seed_size(this) &&
+			this->drv->set_key(this->drv, "expand 32-byte k",
+							seed.ptr, seed.ptr + CHACHA_KEY_SIZE) &&
+			this->drv->init(this->drv,
+						 	seed.ptr + CHACHA_KEY_SIZE + CHACHA_SALT_SIZE);
+}
+
+METHOD(xof_t, destroy, void,
+	private_chapoly_xof_t *this)
+{
+	this->drv->destroy(this->drv);
+	free(this);
+}
+
+/**
+ * See header
+ */
+chapoly_xof_t *chapoly_xof_create(ext_out_function_t algorithm)
+{
+	private_chapoly_xof_t *this;
+	chapoly_drv_t *drv;
+
+	if (algorithm != XOF_CHACHA20)
+	{
+		return NULL;
+	}
+
+	drv = chapoly_drv_probe();
+	if (!drv)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.xof_interface = {
+				.get_type = _get_type,
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_seed_size = _get_seed_size,
+				.set_seed = _set_seed,
+				.destroy = _destroy,
+			},
+		},
+		.drv = drv,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_xof.h b/src/libstrongswan/plugins/chapoly/chapoly_xof.h
new file mode 100644
index 0000000..cd0586f
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_xof.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup chapoly_xof chapoly_xof
+ * @{ @ingroup chapoly
+ */
+
+#ifndef CHAPOLY_XOF_H_
+#define CHAPOLY_XOF_H_
+
+#include <crypto/aead.h>
+
+typedef struct chapoly_xof_t chapoly_xof_t;
+
+/**
+ * ChaCha20 XOF implementation
+ *
+ * Based on RFC 7539 ChaCha20 stream initialized with block counter = 1
+ */
+struct chapoly_xof_t {
+
+	/**
+	 * Generic xof_t interface for this Extended Output Function (XOF).
+	 */
+	xof_t xof_interface;
+};
+
+/**
+ * Create a chapoly_xof instance.
+ *
+ * @param algorithm		XOF_CHACHA20
+ * @return				chapoly_xof_t object, NULL if not supported
+ */
+chapoly_xof_t *chapoly_xof_create(ext_out_function_t algorithm);
+
+#endif /** CHAPOLY_XOF_H_ @}*/
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 2703dc4..24702df 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 90fd6bd..56b4835 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 94a7f11..16d177e 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 5092c54..7aad683 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index c2e49b6..7890585 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 1481f8d..327ebd3 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in
index 7623a95..4bfe127 100644
--- a/src/libstrongswan/plugins/files/Makefile.in
+++ b/src/libstrongswan/plugins/files/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 7c2ae7c..cceb705 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index eb4a0ae..fb649f4 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 727cc24..f2396f4 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 938a464..15b876b 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -206,16 +206,16 @@ METHOD(private_key_t, sign, bool,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return sign_raw(this, data, sig);
-		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig);
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig);
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return sign_pkcs1(this, HASH_SHA384, "sha384", data, sig);
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return sign_pkcs1(this, HASH_SHA512, "sha512", data, sig);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return sign_pkcs1(this, HASH_MD5, "md5", data, sig);
 		default:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 291287a..90829e0 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -173,18 +173,18 @@ METHOD(public_key_t, verify, bool,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_raw(this, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_MD5:
-			return verify_pkcs1(this, HASH_MD5, "md5", data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return verify_pkcs1(this, HASH_SHA384, "sha384", data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return verify_pkcs1(this, HASH_MD5, "md5", data, signature);
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 32d5beb..bee1f80 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index ea75896..c759753 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -80,30 +80,46 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
 		/* signature schemes, private */
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
-			PLUGIN_DEPENDS(HASHER, HASH_SHA1),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA224),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA224),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA512),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_224),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_224),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_256),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_384),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_512),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA1),
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
 			PLUGIN_DEPENDS(HASHER, HASH_MD5),
 		/* signature verification schemes */
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
-			PLUGIN_DEPENDS(HASHER, HASH_SHA1),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA224),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA224),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_224),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_224),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_256),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_384),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA1),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
 			PLUGIN_DEPENDS(HASHER, HASH_MD5),
 		/* en-/decryption schemes */
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index e5d418e..21b4208 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -347,16 +347,24 @@ METHOD(private_key_t, sign, bool,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+			return build_emsa_pkcs1_signature(this, HASH_SHA3_224, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+			return build_emsa_pkcs1_signature(this, HASH_SHA3_256, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+			return build_emsa_pkcs1_signature(this, HASH_SHA3_384, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+			return build_emsa_pkcs1_signature(this, HASH_SHA3_512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
 		default:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index e738908..2b2c7f2 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -291,18 +291,26 @@ METHOD(public_key_t, verify, bool,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_MD5:
-			return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA3_224, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA3_256, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA3_384, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA3_512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 6d8a845..c6e4e8d 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index e290c80..1f5ae35 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 429cd9e..9c448cd 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index fe4c555..635d5fc 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -93,8 +93,7 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
 	}
 	else
 	{
-		DBG1(DBG_LIB, "finding first LDAP entry failed: %s",
-			 ldap_err2string(ldap_result2error(ldap, entry, 0)));
+		DBG1(DBG_LIB, "finding first LDAP entry failed");
 	}
 	return success;
 }
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 669856c..d336a53 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index d937ca3..a31d0a2 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/mgf1/Makefile.am b/src/libstrongswan/plugins/mgf1/Makefile.am
new file mode 100644
index 0000000..8df227f
--- /dev/null
+++ b/src/libstrongswan/plugins/mgf1/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-mgf1.la
+else
+plugin_LTLIBRARIES = libstrongswan-mgf1.la
+endif
+
+libstrongswan_mgf1_la_SOURCES = \
+	mgf1_plugin.h mgf1_plugin.c \
+	mgf1_xof.h mgf1_xof.c
+
+libstrongswan_mgf1_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/mgf1/Makefile.in
similarity index 94%
copy from src/libstrongswan/plugins/xcbc/Makefile.in
copy to src/libstrongswan/plugins/mgf1/Makefile.in
index 98fad6f..189e214 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/mgf1/Makefile.in
@@ -88,7 +88,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libstrongswan/plugins/xcbc
+subdir = src/libstrongswan/plugins/mgf1
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -136,19 +136,19 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_xcbc_la_LIBADD =
-am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo
-libstrongswan_xcbc_la_OBJECTS = $(am_libstrongswan_xcbc_la_OBJECTS)
+libstrongswan_mgf1_la_LIBADD =
+am_libstrongswan_mgf1_la_OBJECTS = mgf1_plugin.lo mgf1_xof.lo
+libstrongswan_mgf1_la_OBJECTS = $(am_libstrongswan_mgf1_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-libstrongswan_xcbc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+libstrongswan_mgf1_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xcbc_la_LDFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_mgf1_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
- at MONOLITHIC_FALSE@am_libstrongswan_xcbc_la_rpath = -rpath $(plugindir)
- at MONOLITHIC_TRUE@am_libstrongswan_xcbc_la_rpath =
+ at MONOLITHIC_FALSE@am_libstrongswan_mgf1_la_rpath = -rpath $(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_mgf1_la_rpath =
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -183,8 +183,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_xcbc_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_xcbc_la_SOURCES)
+SOURCES = $(libstrongswan_mgf1_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_mgf1_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -448,12 +447,13 @@ AM_CPPFLAGS = \
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
- at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xcbc.la
- at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xcbc.la
-libstrongswan_xcbc_la_SOURCES = \
-	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-mgf1.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-mgf1.la
+libstrongswan_mgf1_la_SOURCES = \
+	mgf1_plugin.h mgf1_plugin.c \
+	mgf1_xof.h mgf1_xof.c
 
-libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
+libstrongswan_mgf1_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -467,9 +467,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/xcbc/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/mgf1/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/xcbc/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/mgf1/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -534,8 +534,8 @@ clean-pluginLTLIBRARIES:
 	  rm -f $${locs}; \
 	}
 
-libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) $(EXTRA_libstrongswan_xcbc_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
+libstrongswan-mgf1.la: $(libstrongswan_mgf1_la_OBJECTS) $(libstrongswan_mgf1_la_DEPENDENCIES) $(EXTRA_libstrongswan_mgf1_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_mgf1_la_LINK) $(am_libstrongswan_mgf1_la_rpath) $(libstrongswan_mgf1_la_OBJECTS) $(libstrongswan_mgf1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -543,8 +543,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/xcbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/xcbc_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/mgf1_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/mgf1_xof.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.c b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c
similarity index 60%
copy from src/libstrongswan/plugins/sha3/sha3_plugin.c
copy to src/libstrongswan/plugins/mgf1/mgf1_plugin.c
index 28068f3..8df3ac2 100644
--- a/src/libstrongswan/plugins/sha3/sha3_plugin.c
+++ b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,46 +13,48 @@
  * for more details.
  */
 
-#include "sha3_plugin.h"
+#include "mgf1_plugin.h"
+#include "mgf1_xof.h"
 
 #include <library.h>
-#include "sha3_hasher.h"
 
-typedef struct private_sha3_plugin_t private_sha3_plugin_t;
+typedef struct private_mgf1_plugin_t private_mgf1_plugin_t;
 
 /**
- * private data of sha3_plugin
+ * private data of mgf1_plugin
  */
-struct private_sha3_plugin_t {
+struct private_mgf1_plugin_t {
 
 	/**
 	 * public functions
 	 */
-	sha3_plugin_t public;
+	mgf1_plugin_t public;
 };
 
 METHOD(plugin_t, get_name, char*,
-	private_sha3_plugin_t *this)
+	private_mgf1_plugin_t *this)
 {
-	return "sha3";
+	return "mgf1";
 }
 
 METHOD(plugin_t, get_features, int,
-	private_sha3_plugin_t *this, plugin_feature_t *features[])
+	private_mgf1_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
-		PLUGIN_REGISTER(HASHER, sha3_hasher_create),
-			PLUGIN_PROVIDE(HASHER, HASH_SHA3_224),
-			PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
-			PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
-			PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
+		PLUGIN_REGISTER(XOF, mgf1_xof_create),
+			PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA1),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+			PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA256),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+			PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA512),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA512),
 	};
 	*features = f;
 	return countof(f);
 }
 
 METHOD(plugin_t, destroy, void,
-	private_sha3_plugin_t *this)
+	private_mgf1_plugin_t *this)
 {
 	free(this);
 }
@@ -60,9 +62,9 @@ METHOD(plugin_t, destroy, void,
 /*
  * see header file
  */
-plugin_t *sha3_plugin_create()
+plugin_t *mgf1_plugin_create()
 {
-	private_sha3_plugin_t *this;
+	private_mgf1_plugin_t *this;
 
 	INIT(this,
 		.public = {
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.h b/src/libstrongswan/plugins/mgf1/mgf1_plugin.h
similarity index 62%
rename from src/libcharon/plugins/maemo/maemo_plugin.h
rename to src/libstrongswan/plugins/mgf1/mgf1_plugin.h
index 23d139b..50105ca 100644
--- a/src/libcharon/plugins/maemo/maemo_plugin.h
+++ b/src/libstrongswan/plugins/mgf1/mgf1_plugin.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,24 +14,24 @@
  */
 
 /**
- * @defgroup maemo maemo
- * @ingroup cplugins
+ * @defgroup mgf1_p mgf1
+ * @ingroup plugins
  *
- * @defgroup maemo_plugin maemo_plugin
- * @{ @ingroup maemo
+ * @defgroup mgf1_plugin mgf1_plugin
+ * @{ @ingroup mgf1_p
  */
 
-#ifndef MAEMO_PLUGIN_H_
-#define MAEMO_PLUGIN_H_
+#ifndef MGF1_PLUGIN_H_
+#define MGF1_PLUGIN_H_
 
 #include <plugins/plugin.h>
 
-typedef struct maemo_plugin_t maemo_plugin_t;
+typedef struct mgf1_plugin_t mgf1_plugin_t;
 
 /**
- * Maemo integration plugin.
+ * Plugin implementing the MGF1 Mask Generator Function in software.
  */
-struct maemo_plugin_t {
+struct mgf1_plugin_t {
 
 	/**
 	 * implements plugin interface
@@ -39,4 +39,4 @@ struct maemo_plugin_t {
 	plugin_t plugin;
 };
 
-#endif /** MAEMO_PLUGIN_H_ @}*/
+#endif /** MGF1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/mgf1/mgf1_xof.c b/src/libstrongswan/plugins/mgf1/mgf1_xof.c
new file mode 100644
index 0000000..0f5fda9
--- /dev/null
+++ b/src/libstrongswan/plugins/mgf1/mgf1_xof.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (C) 2013-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mgf1_xof.h"
+
+#include "crypto/hashers/hasher.h"
+#include "utils/debug.h"
+
+typedef struct private_mgf1_xof_t private_mgf1_xof_t;
+
+/**
+ * Private data of an mgf1_xof_t object.
+ */
+struct private_mgf1_xof_t {
+
+	/**
+	 * Public mgf1_xof_t interface.
+	 */
+	mgf1_xof_t public;
+
+	/**
+	 * XOF type of the MGF1 Mask Generation Function
+	 */
+	ext_out_function_t type;
+
+	/**
+	 * Hasher the MGF1 Mask Generation Function is based on
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * Is the seed hashed before using it as a seed for MGF1 ?
+	 */
+	bool hash_seed;
+
+	/**
+	 * Counter
+	 */
+	uint32_t counter;
+
+	/**
+	 * Set if counter has reached 2^32
+	 */
+	bool overflow;
+
+	/**
+	 * Current state to be hashed
+	 */
+	chunk_t state;
+
+	/**
+	 * Position of the 4 octet counter string
+	 */
+	uint8_t *ctr_str;
+
+	/**
+	 * Latest hash block
+	 */
+	uint8_t buf[HASH_SIZE_SHA512];
+
+	/**
+	 * Index pointing to the current position in the hash block
+	 */
+	size_t buf_index;
+
+};
+
+METHOD(xof_t, get_type, ext_out_function_t,
+	private_mgf1_xof_t *this)
+{
+	return this->type;
+}
+
+static bool get_next_block(private_mgf1_xof_t *this, uint8_t *buffer)
+{
+	/* detect overflow, set counter string and increment counter */
+	if (this->overflow)
+	{
+		DBG1(DBG_LIB, "MGF1 overflow occurred");
+		return FALSE;
+	}
+	htoun32(this->ctr_str, this->counter++);
+	if (this->counter == 0)
+	{
+		this->overflow = TRUE;
+	}
+
+	/* get the next block from the hash function */
+	if (!this->hasher->get_hash(this->hasher, this->state, buffer))
+	{
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+METHOD(xof_t, get_bytes, bool,
+	private_mgf1_xof_t *this, size_t out_len, uint8_t *buffer)
+{
+	size_t index = 0, blocks, len, hash_size;
+
+	hash_size = this->hasher->get_hash_size(this->hasher);
+
+	/* empty the current hash block buffer first */
+	len = min(out_len, hash_size - this->buf_index);
+	if (len)
+	{
+		memcpy(buffer, this->buf + this->buf_index, len);
+		index += len;
+		this->buf_index += len;
+	}
+
+	/* copy whole hash blocks directly to output buffer */
+	blocks = (out_len - index) / hash_size;
+	while (blocks--)
+	{
+		if (!get_next_block(this, buffer + index))
+		{
+			return FALSE;
+		}
+		index += hash_size;
+	}
+
+	/* get another hash block if some more output bytes are needed */
+	len = out_len - index;
+	if (len)
+	{
+		if (!get_next_block(this, this->buf))
+		{
+			return FALSE;
+		}
+		memcpy(buffer + index, this->buf, len);
+		this->buf_index = len;
+	}
+
+	return TRUE;
+}
+
+METHOD(xof_t, allocate_bytes, bool,
+	private_mgf1_xof_t *this, size_t out_len, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(out_len);
+
+	if (!get_bytes(this, out_len, chunk->ptr))
+	{
+		chunk_free(chunk);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+METHOD(xof_t, get_block_size, size_t,
+	private_mgf1_xof_t *this)
+{
+	return this->hasher->get_hash_size(this->hasher);
+}
+
+METHOD(xof_t, get_seed_size, size_t,
+	private_mgf1_xof_t *this)
+{
+	return this->hasher->get_hash_size(this->hasher);
+}
+
+METHOD(xof_t, set_seed, bool,
+	private_mgf1_xof_t *this, chunk_t seed)
+{
+	size_t hash_size, state_len;
+
+	if (seed.len == 0)
+	{
+		DBG1(DBG_LIB, "empty seed for MGF1");
+		return FALSE;
+	}
+
+	/* determine state size and allocate space accordingly */
+	hash_size = this->hasher->get_hash_size(this->hasher);
+	state_len = (this->hash_seed ? hash_size : seed.len) + 4;
+	chunk_clear(&this->state);
+	this->state = chunk_alloc(state_len);
+
+	/* hash block buffer is empty */
+	this->buf_index = hash_size;
+
+	/* reset counter */
+	this->counter = 0;
+
+	/* determine position of the 4 octet counter string */
+	this->ctr_str = this->state.ptr + state_len - 4;
+
+	if (this->hash_seed)
+	{
+		if (!this->hasher->get_hash(this->hasher, seed, this->state.ptr))
+		{
+			DBG1(DBG_LIB, "failed to hash seed for MGF1");
+			return FALSE;
+		}
+	}
+	else
+	{
+		memcpy(this->state.ptr, seed.ptr, seed.len);
+	}
+
+	return TRUE;
+}
+
+METHOD(xof_t, destroy, void,
+	private_mgf1_xof_t *this)
+{
+	this->hasher->destroy(this->hasher);
+	chunk_clear(&this->state);
+	free(this);
+}
+
+METHOD(mgf1_t, set_hash_seed, void,
+	private_mgf1_xof_t *this, bool yes)
+{
+	this->hash_seed = yes;
+}
+
+/*
+ * Described in header.
+ */
+mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm)
+{
+	private_mgf1_xof_t *this;
+	hash_algorithm_t hash_alg;
+	hasher_t *hasher;
+
+	switch (algorithm)
+	{
+		case XOF_MGF1_SHA1:
+			hash_alg = HASH_SHA1;
+			break;
+		case XOF_MGF1_SHA256:
+			hash_alg = HASH_SHA256;
+			break;
+		case XOF_MGF1_SHA512:
+			hash_alg = HASH_SHA512;
+			break;
+		default:
+			return NULL;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+	if (!hasher)
+	{
+		DBG1(DBG_LIB, "failed to create %N hasher for MGF1",
+			 hash_algorithm_names, hash_alg);
+		return NULL;
+	}
+	
+	INIT(this,
+		.public = {
+			.mgf1_interface = {
+				.xof_interface = {
+					.get_type = _get_type,
+					.get_bytes = _get_bytes,
+					.allocate_bytes = _allocate_bytes,
+					.get_block_size = _get_block_size,
+					.get_seed_size = _get_seed_size,
+					.set_seed = _set_seed,
+					.destroy = _destroy,
+				},
+				.set_hash_seed = _set_hash_seed,
+			},
+		},
+		.type = algorithm,
+		.hasher = hasher,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/mgf1/mgf1_xof.h b/src/libstrongswan/plugins/mgf1/mgf1_xof.h
new file mode 100644
index 0000000..9d60a80
--- /dev/null
+++ b/src/libstrongswan/plugins/mgf1/mgf1_xof.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1_xof mgf1_xof
+ * @{ @ingroup crypto
+ */
+
+#ifndef MGF1_XOF_H_
+#define MGF1_XOF_H_
+
+typedef struct mgf1_xof_t mgf1_xof_t;
+
+#include <crypto/xofs/mgf1.h>
+
+/**
+ * Implements the PKCS#1 MGF1_XOF Mask Generation Function based on a hash
+ * function defined in section 10.2.1 of RFC 2437
+ */
+struct mgf1_xof_t {
+
+	/**
+	 * mgf1_t interface for this Extended Output Function (XOF).
+	 */
+	mgf1_t mgf1_interface;
+};
+
+/**
+ * Create an mgf1_xof_t object
+ *
+ * @param algorithm		XOF_MGF1_SHA1, XOF_MGF1_SHA256 or XOF_MGF1_SHA512
+ * @return				mgf1_xof_t object, NULL if not supported
+ */
+mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm);
+
+#endif /** MGF1_XOF_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 821dbc1..57dab35 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/newhope/Makefile.am b/src/libstrongswan/plugins/newhope/Makefile.am
new file mode 100644
index 0000000..b01987d
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/Makefile.am
@@ -0,0 +1,33 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS) \
+	@COVERAGE_CFLAGS@
+
+# these files are also used by the tests, we can't directly refer to them
+# because of the subdirectory, which would cause distclean to fail
+noinst_LTLIBRARIES = libnewhope.la
+libnewhope_la_SOURCES = \
+	newhope_ke.h newhope_ke.c \
+	newhope_noise.h newhope_noise.c \
+	newhope_reconciliation.h newhope_reconciliation.c
+
+libnewhope_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
+
+if MONOLITHIC
+noinst_LTLIBRARIES += libstrongswan-newhope.la
+else
+plugin_LTLIBRARIES = libstrongswan-newhope.la
+endif
+
+libstrongswan_newhope_la_SOURCES = \
+	newhope_plugin.h newhope_plugin.c
+
+libstrongswan_newhope_la_LDFLAGS = -module -avoid-version
+
+libstrongswan_newhope_la_LIBADD = libnewhope.la
+
+
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/newhope/Makefile.in
similarity index 90%
copy from src/libstrongswan/plugins/unbound/Makefile.in
copy to src/libstrongswan/plugins/newhope/Makefile.in
index ea27fd3..be31fb2 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/newhope/Makefile.in
@@ -88,7 +88,8 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libstrongswan/plugins/unbound
+ at MONOLITHIC_TRUE@am__append_1 = libstrongswan-newhope.la
+subdir = src/libstrongswan/plugins/newhope
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -136,22 +137,26 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_unbound_la_DEPENDENCIES =
-am_libstrongswan_unbound_la_OBJECTS = unbound_plugin.lo \
-	unbound_resolver.lo unbound_rr.lo unbound_response.lo
-libstrongswan_unbound_la_OBJECTS =  \
-	$(am_libstrongswan_unbound_la_OBJECTS)
+libnewhope_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
+am_libnewhope_la_OBJECTS = newhope_ke.lo newhope_noise.lo \
+	newhope_reconciliation.lo
+libnewhope_la_OBJECTS = $(am_libnewhope_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-libstrongswan_unbound_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+libstrongswan_newhope_la_DEPENDENCIES = libnewhope.la
+am_libstrongswan_newhope_la_OBJECTS = newhope_plugin.lo
+libstrongswan_newhope_la_OBJECTS =  \
+	$(am_libstrongswan_newhope_la_OBJECTS)
+libstrongswan_newhope_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unbound_la_LDFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_newhope_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
- at MONOLITHIC_FALSE@am_libstrongswan_unbound_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@am_libstrongswan_newhope_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
- at MONOLITHIC_TRUE@am_libstrongswan_unbound_la_rpath =
+ at MONOLITHIC_TRUE@am_libstrongswan_newhope_la_rpath =
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -186,8 +191,9 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_unbound_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_unbound_la_SOURCES)
+SOURCES = $(libnewhope_la_SOURCES) $(libstrongswan_newhope_la_SOURCES)
+DIST_SOURCES = $(libnewhope_la_SOURCES) \
+	$(libstrongswan_newhope_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -353,7 +359,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +392,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,26 +445,37 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft
 
 AM_CFLAGS = \
-	$(PLUGIN_CFLAGS)
-
- at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unbound.la
- at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unbound.la
-libstrongswan_unbound_la_SOURCES = \
-	unbound_plugin.h unbound_plugin.c \
-	unbound_resolver.c unbound_resolver.h \
-	unbound_rr.h unbound_rr.c \
-	unbound_response.h unbound_response.c
-
-libstrongswan_unbound_la_LDFLAGS = -module -avoid-version
-libstrongswan_unbound_la_LIBADD = -lunbound -lldns
+	$(PLUGIN_CFLAGS) \
+	@COVERAGE_CFLAGS@
+
+
+# these files are also used by the tests, we can't directly refer to them
+# because of the subdirectory, which would cause distclean to fail
+noinst_LTLIBRARIES = libnewhope.la $(am__append_1)
+libnewhope_la_SOURCES = \
+	newhope_ke.h newhope_ke.c \
+	newhope_noise.h newhope_noise.c \
+	newhope_reconciliation.h newhope_reconciliation.c
+
+libnewhope_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la
+
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-newhope.la
+libstrongswan_newhope_la_SOURCES = \
+	newhope_plugin.h newhope_plugin.c
+
+libstrongswan_newhope_la_LDFLAGS = -module -avoid-version
+libstrongswan_newhope_la_LIBADD = libnewhope.la
 all: all-am
 
 .SUFFIXES:
@@ -475,9 +489,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/unbound/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/newhope/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/unbound/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/newhope/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -542,8 +556,11 @@ clean-pluginLTLIBRARIES:
 	  rm -f $${locs}; \
 	}
 
-libstrongswan-unbound.la: $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_DEPENDENCIES) $(EXTRA_libstrongswan_unbound_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libstrongswan_unbound_la_LINK) $(am_libstrongswan_unbound_la_rpath) $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_LIBADD) $(LIBS)
+libnewhope.la: $(libnewhope_la_OBJECTS) $(libnewhope_la_DEPENDENCIES) $(EXTRA_libnewhope_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libnewhope_la_OBJECTS) $(libnewhope_la_LIBADD) $(LIBS)
+
+libstrongswan-newhope.la: $(libstrongswan_newhope_la_OBJECTS) $(libstrongswan_newhope_la_DEPENDENCIES) $(EXTRA_libstrongswan_newhope_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_newhope_la_LINK) $(am_libstrongswan_newhope_la_rpath) $(libstrongswan_newhope_la_OBJECTS) $(libstrongswan_newhope_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -551,10 +568,10 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/unbound_plugin.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/unbound_resolver.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/unbound_response.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/unbound_rr.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/newhope_ke.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/newhope_noise.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/newhope_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/newhope_reconciliation.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/newhope/newhope_ke.c b/src/libstrongswan/plugins/newhope/newhope_ke.c
new file mode 100644
index 0000000..28956d5
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/newhope_ke.c
@@ -0,0 +1,622 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on public domain code by Erdem Alkim, Léo Ducas, Thomas Pöppelmann,
+ * and Peter Schwabe.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "newhope_ke.h"
+#include "newhope_noise.h"
+#include "newhope_reconciliation.h"
+
+#include <ntt_fft.h>
+#include <ntt_fft_reduce.h>
+#include <crypto/diffie_hellman.h>
+#include <utils/debug.h>
+
+static const int seed_len =   32;  /* 256 bits */
+static const int poly_len = 1792;  /* size of 1024 packed 14-bit coefficients */
+static const int rec_len =   256;  /* size of 1024 packed  2-bit coefficients */
+
+typedef struct private_newhope_ke_t private_newhope_ke_t;
+
+/**
+ * Private data of an newhope_ke_t object.
+ */
+struct private_newhope_ke_t {
+
+	/**
+	 * Public newhope_ke_t interface.
+	 */
+	newhope_ke_t public;
+
+	/**
+	 * FFT parameter set
+	 */
+	const ntt_fft_params_t *params;
+
+	/**
+	 * Secret noise polynomial s
+	 */
+	uint32_t *s;
+
+	/**
+	 * Output polynomial u = a * NTT(s') + NTT(e')
+	 */
+	uint32_t *u;
+
+	/**
+	 * Error reconciliation help bits
+	 */
+	uint8_t *r;
+
+	/**
+	 * Shared secret
+	 */
+	chunk_t shared_secret;
+
+};
+
+/**
+ * Derive 14-bit coefficients of polynomial a from 256 bit random seed
+ * using the SHAKE128 extended output function
+ */
+static uint32_t* derive_a_poly(private_newhope_ke_t *this, chunk_t seed)
+{
+	uint32_t *a;
+	uint8_t x[2];
+	int i = 0;
+	xof_t *xof;
+
+	xof = lib->crypto->create_xof(lib->crypto, XOF_SHAKE_128);
+	if (!xof)
+	{
+		DBG1(DBG_LIB, "could not instantiate SHAKE128 XOF");
+		return NULL;
+	}
+
+	if (!xof->set_seed(xof, seed))
+	{
+		DBG1(DBG_LIB, "could not set seed of SHAKE128 XOF");
+		xof->destroy(xof);
+		return NULL;
+	}
+
+	/* allocate dynamic memory for polynomial a */
+	a = (uint32_t*)malloc(this->params->n * sizeof(uint32_t));
+
+	while (i < this->params->n)
+	{
+		if (!xof->get_bytes(xof, sizeof(x), x))
+		{
+			DBG1(DBG_LIB, "could not get bytes from SHAKE128 XOF");
+			xof->destroy(xof);
+			free(a);
+			return NULL;
+		}
+
+		/*
+		 * Treat x as a 16 bit unsigned little endian integer
+		 * and truncate to 14 bits
+		 */
+		a[i] = uletoh16(x) & 0x3fff;
+
+		if (a[i] < this->params->q)
+		{
+			i++;
+		}
+	}
+	xof->destroy(xof);
+
+	return a;
+}
+
+/**
+ * Pack four 14-bit coefficients into seven consecutive bytes
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |L 0 0 0 0 0 0 0|L 1 H 0 0 0 0 0|M 1 1 1 1 1 1 1|L 2 2 2 H 1 1 1|
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |M 2 2 2 2 2 2 2|L 3 3 3 3 3 H 2|H 3 3 3 3 3 3 3|L 0 0 0 0 0 0 0|
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static void pack_poly(private_newhope_ke_t *this, uint8_t *x, uint32_t *p)
+{
+	int i;
+
+	for (i = 0; i < this->params->n; i += 4)
+	{
+		*x++ = (p[i] & 0xff );
+		*x++ = (p[i]   >>  8) | (p[i+1] << 6);
+		*x++ = (p[i+1] >>  2);
+		*x++ = (p[i+1] >> 10) | (p[i+2] << 4);
+		*x++ = (p[i+2] >>  4);
+		*x++ = (p[i+2] >> 12) | (p[i+3] << 2);
+		*x++ = (p[i+3] >>  6);
+	}
+}
+
+/**
+ * Unpack seven consecutive bytes into four 14-bit coefficients
+ */
+static uint32_t* unpack_poly(private_newhope_ke_t * this, uint8_t *x)
+{
+	uint32_t *p;
+	int i;
+
+	p = (uint32_t*)malloc(this->params->n * sizeof(uint32_t));
+
+	for (i = 0; i < this->params->n; i += 4)
+	{
+		p[i]   =  x[0]       | (((uint32_t)x[1] & 0x3f) <<  8);
+		p[i+1] = (x[1] >> 6) | (((uint32_t)x[2]) <<  2)
+							 | (((uint32_t)x[3] & 0x0f) << 10);
+		p[i+2] = (x[3] >> 4) | (((uint32_t)x[4]) <<  4)
+							 | (((uint32_t)x[5] & 0x03) << 12);
+		p[i+3] = (x[5] >> 2) | (((uint32_t)x[6]) <<  6);
+		x += 7;
+	}
+	for (i = 0; i < this->params->n; i++)
+	{
+		if (p[i] >= this->params->q)
+		{
+			DBG1(DBG_LIB, "polynomial coefficient must be smaller than %u",
+						   this->params->q);
+			free(p);
+			return NULL;
+		}
+	}
+	return p;
+}
+
+/**
+ * Multiply and add polynomials in the frequency domain
+ */
+static uint32_t* multiply_add_poly(private_newhope_ke_t *this,
+								   uint32_t *a, uint32_t *e)
+{
+	ntt_fft_t *fft;
+	uint32_t *b, t;
+	int i;
+
+	/* transform s and h to frequency domain */
+	fft = ntt_fft_create(this->params);
+	fft->transform(fft, this->s, this->s, FALSE);
+	fft->transform(fft, e, e, FALSE);
+	fft->destroy(fft);
+
+	b = (uint32_t*)malloc(this->params->n * sizeof(uint32_t));
+
+	/* compute  b = a * s + e in the frequency domain */
+	for (i = 0; i < this->params->n; i++)
+	{
+		/* convert a[i] to Montgomery domain */
+		t = ntt_fft_mreduce(a[i] * this->params->r2, this->params);
+
+		/* compute b[i] = a[i] * s[i] + e[i] in Montgomery domain */
+		t = ntt_fft_mreduce(t * this->s[i], this->params) + e[i];
+
+ 		/* exit Montgomery domain before transmitting polynomial b */
+		b[i] = ntt_fft_mreduce(t, this->params);
+	}
+	memwipe(e, this->params->n * sizeof(uint32_t));
+
+	return b;
+}
+
+/**
+ * Multiply polynomials in the frequency domain and return to time domain
+ */
+static uint32_t* multiply_ntt_inv_poly(private_newhope_ke_t *this, uint32_t *b)
+{
+	ntt_fft_t *fft;
+	uint32_t *v, t;
+	int i;
+
+	v = (uint32_t*)malloc(this->params->n * sizeof(uint32_t));
+
+	for (i = 0; i < this->params->n; i++)
+	{
+		/* convert b[i] to Montgomery domain */
+		t = ntt_fft_mreduce(b[i] * this->params->r2, this->params);
+
+		/* compute v[i] = b[i] * s[i] in Montgomery domain */
+		v[i] = ntt_fft_mreduce(t * this->s[i], this->params);
+	}
+
+	/* transform v back to time domain */
+	fft = ntt_fft_create(this->params);
+	fft->transform(fft, v, v, TRUE);
+	fft->destroy(fft);
+
+	return v;
+}
+
+/**
+ * Pack four 2-bit coefficents into one byte
+ */
+static void pack_rec(private_newhope_ke_t *this, uint8_t *x, uint8_t *r)
+{
+	int i;
+
+	for (i = 0; i < this->params->n; i += 4)
+	{
+		*x++ = r[i] | r[i+1] << 2 | r[i+2] << 4 | r[i+3] << 6;
+	}
+}
+
+static uint8_t* unpack_rec(private_newhope_ke_t *this, uint8_t *x)
+{
+	uint8_t *r;
+	int i;
+
+	r = (uint8_t*)malloc(this->params->n);
+
+	for (i = 0; i < this->params->n; i += 4)
+	{
+		r[i]   = (*x)      & 0x03;
+		r[i+1] = (*x >> 2) & 0x03;
+		r[i+2] = (*x >> 4) & 0x03;
+		r[i+3] = (*x >> 6) & 0x03;
+		x++;
+	}
+
+	return r;
+}
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+	private_newhope_ke_t *this, chunk_t *value)
+{
+	uint16_t n, q;
+	int i;
+
+	/* Define some often-used constants */
+	n = this->params->n;
+	q = this->params->q;
+
+	/* are we the initiator? */
+	if (this->u == NULL)
+	{
+		rng_t *rng;
+		uint32_t *a = NULL, *b = NULL, *e = NULL;
+		uint8_t noise_seed_buf[seed_len];
+		chunk_t noise_seed = { noise_seed_buf, seed_len};
+		chunk_t a_seed;
+		newhope_noise_t *noise = NULL;
+		bool success = FALSE;
+
+		/* allocate space for public output value */
+		*value = chunk_alloc(poly_len + seed_len);
+		a_seed = chunk_create(value->ptr + poly_len, seed_len);
+
+		/* create polynomial a from 256 bit random seed */
+		rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+		if (!rng)
+		{
+			DBG1(DBG_LIB, "could not instatiate random source");
+			return FALSE;
+		}
+		if (!rng->get_bytes(rng, seed_len, a_seed.ptr))
+		{
+			DBG1(DBG_LIB, "could not generate seed for polynomial a");
+			goto end;
+		}
+
+		a = derive_a_poly(this, a_seed);
+		if (a == NULL)
+		{
+			goto end;
+		}
+
+		/* generate random seed for the derivation of noise polynomials */
+		if (!rng->get_bytes(rng, seed_len, noise_seed.ptr))
+		{
+			DBG1(DBG_LIB, "could not generate seed for noise polynomials");
+			goto end;
+		}
+
+		/* create noise polynomial generator */
+		noise = newhope_noise_create(noise_seed);
+		if (!noise)
+		{
+			goto end;
+		}
+
+		/* create noise polynomial s from seed with nonce = 0x00 */
+		this->s = noise->get_binomial_words(noise, 0x00, n, q);
+		if (this->s == NULL)
+		{
+			goto end;
+		}
+
+		/* create noise polynomial e from seed with nonce = 0x01 */
+		e = noise->get_binomial_words(noise, 0x01, n, q);
+		if (e == NULL)
+		{
+			goto end;
+		}
+
+		/* compute b = a * NTT(s) + NTT(e) */
+		b = multiply_add_poly(this, a, e);
+
+		DBG3(DBG_LIB, "   i  a[i]  b[i]");
+		for (i = 0; i < n; i++)
+		{
+			DBG3(DBG_LIB, "%4d %5u %5u", i, a[i], b[i]);
+		}
+
+		/* pack coefficients of polynomial b */
+		pack_poly(this, value->ptr, b);
+		success = TRUE;
+
+	end:
+		rng->destroy(rng);
+		DESTROY_IF(noise);
+		free(a);
+		free(b);
+		free(e);
+
+		if (!success)
+		{
+		chunk_free(value);
+		}
+		return success;
+	}
+	else
+	{
+		DBG3(DBG_LIB, "   i  u[i]  r[i]");
+		for (i = 0; i < n; i++)
+		{
+			DBG3(DBG_LIB, "%4d %5u %5u", i, this->u[i], this->r[i]);
+		}
+
+		/* allocate space for public output value */
+		*value = chunk_alloc(poly_len + rec_len);
+
+		/* pack coefficients of polynomial u */
+		pack_poly(this, value->ptr, this->u);
+
+		/* pack coefficients of polynomial r */
+		pack_rec(this, value->ptr + poly_len, this->r);
+
+		return TRUE;
+	}
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+	private_newhope_ke_t *this, chunk_t *secret)
+{
+	if (this->shared_secret.len == 0)
+	{
+		*secret = chunk_empty;
+		return FALSE;
+	}
+	*secret = chunk_clone(this->shared_secret);
+
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+	private_newhope_ke_t *this, chunk_t value)
+{
+	newhope_reconciliation_t * rec;
+	uint16_t n, q;
+	int i;
+
+	/* Define some often-used constants */
+	n = this->params->n;
+	q = this->params->q;
+
+	/* are we the responder? */
+	if (this->s == NULL)
+	{
+		uint32_t *a = NULL, *b = NULL, *e1 = NULL, *e2 = NULL, *v = NULL, t;
+		uint8_t *rbits = NULL;
+		uint8_t noise_seed_buf[seed_len];
+		chunk_t noise_seed = { noise_seed_buf, seed_len };
+		chunk_t a_seed;
+		newhope_noise_t *noise = NULL;
+		rng_t *rng = NULL;
+		bool success = FALSE;
+
+		if (value.len != poly_len + seed_len)
+		{
+			DBG1(DBG_LIB, "received %N KE payload of incorrect size",
+						   diffie_hellman_group_names, NH_128_BIT);
+			return FALSE;
+		}
+		a_seed = chunk_create(value.ptr + poly_len, seed_len);
+
+		a = derive_a_poly(this, a_seed);
+		if (a == NULL)
+		{
+			return FALSE;
+		}
+
+		b = unpack_poly(this, value.ptr);
+		if (b == NULL)
+		{
+			goto end;
+		}
+
+		/* debug output of polynomials a and b */
+		DBG3(DBG_LIB, "   i  a[i]  b[i]");
+		for (i = 0; i < n; i++)
+		{
+			DBG3(DBG_LIB, "%4d %5u %5u", i, a[i], b[i]);
+		}
+
+		/* generate random seed for the derivation of noise polynomials */
+		rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+		if (!rng)
+		{
+			DBG1(DBG_LIB, "could not instatiate random source");
+			goto end;
+		}
+		if (!rng->get_bytes(rng, seed_len, noise_seed.ptr))
+		{
+			DBG1(DBG_LIB, "could not generate seed for noise polynomials");
+			goto end;
+		}
+
+		/* create noise polynomial generator */
+		noise = newhope_noise_create(noise_seed);
+		if (!noise)
+		{
+			goto end;
+		}
+
+		/* create noise polynomial s' from seed with nonce = 0x00 */
+		this->s = noise->get_binomial_words(noise, 0x00, n, q);
+		if (this->s == NULL)
+		{
+			goto end;
+		}
+
+		/* create noise polynomial e' from seed with nonce = 0x01 */
+		e1 = noise->get_binomial_words(noise, 0x01, n, q);
+		if (e1 == NULL)
+		{
+			goto end;
+		}
+
+		/* create noise polynomial e'' from seed with nonce = 0x02 */
+		e2 = noise->get_binomial_words(noise, 0x02, n, q);
+		if (e2 == NULL)
+		{
+			goto end;
+		}
+
+		/* compute u = a * NTT(s') + NTT(e') */
+		this->u = multiply_add_poly(this, a, e1);
+
+		/* compute v = NTT_inv( b * NTT(s') ) */
+		v = multiply_ntt_inv_poly(this, b);
+
+		/* compute v = v + e'' */
+		for (i = 0; i < n; i++)
+		{
+			t = v[i] + e2[i];
+			v[i] = (t < q) ? t : t - q;
+		}
+		memwipe(e2, n * sizeof(uint32_t));
+
+		/* create uniform noise bytes from seed with nonce = 0x02 */
+		rbits = noise->get_uniform_bytes(noise, 0x03, n/(4*8));
+
+		rec = newhope_reconciliation_create(n, q);
+		this->r = rec->help_reconcile(rec, v, rbits);
+		free(rbits);
+		this->shared_secret = rec->reconcile(rec, v, this->r);
+		rec->destroy(rec);
+
+		DBG4(DBG_LIB, "key: %B", &this->shared_secret);
+		success = TRUE;
+
+	end:
+		DESTROY_IF(rng);
+		DESTROY_IF(noise);
+		free(a);
+		free(b);
+		free(e1);
+		free(e2);
+		free(v);
+
+		return success;
+	}
+	else
+	{
+		uint32_t *v;
+
+		if (value.len != poly_len + rec_len)
+		{
+			DBG1(DBG_LIB, "received %N KE payload of incorrect size",
+						   diffie_hellman_group_names, NH_128_BIT);
+			return FALSE;
+		}
+
+		this->u = unpack_poly(this, value.ptr);
+		if (this->u == NULL)
+		{
+			return FALSE;
+		}
+
+		this->r = unpack_rec(this, value.ptr + poly_len);
+		if (this->r == NULL)
+		{
+			return FALSE;
+		}
+
+		DBG3(DBG_LIB, "   i  u[i]  r[i]");
+		for (i = 0; i < n; i++)
+		{
+			DBG3(DBG_LIB, "%4d %5u %5u", i, this->u[i], this->r[i]);
+		}
+
+		/* compute v' = NTT_inv( u * NTT(s) ) */
+		v = multiply_ntt_inv_poly(this, this->u);
+
+		rec = newhope_reconciliation_create(n, q);
+		this->shared_secret = rec->reconcile(rec, v, this->r);
+		free(v);
+		rec->destroy(rec);
+
+		DBG4(DBG_LIB, "key: %B", &this->shared_secret);
+
+		return TRUE;
+	}
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_newhope_ke_t *this)
+{
+	return NH_128_BIT;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_newhope_ke_t *this)
+{
+	chunk_clear(&this->shared_secret);
+	memwipe(this->s, this->params->n * sizeof(uint32_t));
+	free(this->s);
+	free(this->u);
+	free(this->r);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+newhope_ke_t *newhope_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
+{
+	private_newhope_ke_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.params = &ntt_fft_12289_1024,
+
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/newhope/newhope_ke.h b/src/libstrongswan/plugins/newhope/newhope_ke.h
new file mode 100644
index 0000000..677d04f
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/newhope_ke.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup newhope_ke newhope_ke
+ * @{ @ingroup newhope_p
+ */
+
+#ifndef NEWHOPE_KE_H_
+#define NEWHOPE_KE_H_
+
+typedef struct newhope_ke_t newhope_ke_t;
+
+#include <library.h>
+
+/**
+ * Implementation of a key exchange algorithm using the New Hope algorithm
+ */
+struct newhope_ke_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new newhope_ke_t object.
+ *
+ * @param group			New Hope DH group number
+ * @param g				not used
+ * @param p				not used
+ * @return				newhope_ke_t object, NULL if not supported
+ */
+newhope_ke_t *newhope_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p);
+
+#endif /** NEWHOPE_KE_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/newhope/newhope_noise.c b/src/libstrongswan/plugins/newhope/newhope_noise.c
new file mode 100644
index 0000000..5ba9f94
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/newhope_noise.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on public domain code by Erdem Alkim, Léo Ducas, Thomas Pöppelmann,
+ * and Peter Schwabe.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "newhope_noise.h"
+
+typedef struct private_newhope_noise_t private_newhope_noise_t;
+
+static const int seed_len =   32;  /* 256 bits */
+static const int nonce_len =  12;  /*  96 bits */
+
+/**
+ * Private data of an newhope_noise_t object.
+ */
+struct private_newhope_noise_t {
+
+	/**
+	 * Public newhope_noise_t interface.
+	 */
+	newhope_noise_t public;
+
+	/**
+	 * 256 bit seed and 96 bit nonce (44 bytes)
+	 */
+	chunk_t seed;
+
+	/**
+	 * ChaCha20 stream
+	 */
+	xof_t *xof;
+
+};
+
+METHOD(newhope_noise_t, get_uniform_bytes, uint8_t*,
+	private_newhope_noise_t *this, uint8_t nonce, uint16_t n)
+{
+	uint8_t *bytes;
+
+	this->seed.ptr[seed_len] = nonce;
+	if (!this->xof->set_seed(this->xof, this->seed))
+	{
+		DBG1(DBG_LIB, "could not set seed of CHACHA20 XOF");
+		return NULL;
+	}
+
+	/* allocate dynamic memory for the noise polynomial */
+	bytes = (uint8_t*)malloc(n);
+
+	if (!this->xof->get_bytes(this->xof, n, bytes))
+	{
+		DBG1(DBG_LIB, "could not get bytes from SHAKE128 XOF");
+		free(bytes);
+		return NULL;
+	}
+
+	return bytes;
+}
+
+METHOD(newhope_noise_t, get_binomial_words, uint32_t*,
+	private_newhope_noise_t *this, uint8_t nonce, uint16_t n, uint16_t q)
+{
+	uint32_t *np, a, b, d, t;
+	uint8_t x[4];
+	int i = 0, j;
+
+	this->seed.ptr[seed_len] = nonce;
+	if (!this->xof->set_seed(this->xof, this->seed))
+	{
+		DBG1(DBG_LIB, "could not set seed of CHACHA20 XOF");
+		return NULL;
+	}
+
+	/* allocate dynamic memory for the noise polynomial */
+	np = (uint32_t*)malloc(n * sizeof(uint32_t));
+
+	for (i = 0; i < n; i++)
+	{
+		if (!this->xof->get_bytes(this->xof, sizeof(x), x))
+		{
+			DBG1(DBG_LIB, "could not get bytes from SHAKE128 XOF");
+			free(np);
+			return NULL;
+		}
+
+		/* Treat x as a 32 bit unsigned little endian integer */
+		t = uletoh32(x);
+
+		/* Compute Psi_16 distribution */
+		d = 0;
+		for (j = 0; j < 8; j++)
+		{
+			d += (t >> j) & 0x01010101;
+		}
+		a = ((d >>  8) & 0xff) + (d & 0xff);
+		b = ((d >> 16) & 0xff) + (d >> 24);
+		np[i] = (a >= b) ? a - b : a + q - b;
+	}
+
+	return np;
+}
+
+METHOD(newhope_noise_t, destroy, void,
+	private_newhope_noise_t *this)
+{
+	this->xof->destroy(this->xof);
+	chunk_free(&this->seed);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+newhope_noise_t *newhope_noise_create(chunk_t seed)
+{
+	private_newhope_noise_t *this;
+	xof_t *xof;
+
+	if (seed.len != seed_len)
+	{
+		DBG1(DBG_LIB, "seed for ChaCha20 stream must be 256 bits");
+		return NULL;
+	}
+
+	xof = lib->crypto->create_xof(lib->crypto, XOF_CHACHA20);
+	if (!xof)
+	{
+		DBG1(DBG_LIB, "could not instantiate ChaCha20 stream");
+		return NULL;
+	}	
+
+	INIT(this,
+		.public = {
+			.get_uniform_bytes = _get_uniform_bytes,
+			.get_binomial_words = _get_binomial_words,
+			.destroy = _destroy,
+		},
+		.xof = xof,
+		.seed = chunk_alloc(seed_len + nonce_len),
+	);
+
+	/* initialize seed for ChaCha 20 stream */
+	memcpy(this->seed.ptr, seed.ptr, seed_len);
+	memset(this->seed.ptr + seed_len, 0x00, nonce_len);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/newhope/newhope_noise.h b/src/libstrongswan/plugins/newhope/newhope_noise.h
new file mode 100644
index 0000000..d7819d3
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/newhope_noise.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup newhope_noise newhope_noise
+ * @{ @ingroup newhope_p
+ */
+
+#ifndef NEWHOPE_NOISE_H_
+#define NEWHOPE_NOISE_H_
+
+typedef struct newhope_noise_t newhope_noise_t;
+
+#include <library.h>
+
+/**
+ * Generate pseudo random noise using a ChaCha20 stream
+ * initialized with a 256 bit seed and an 8 bit nonce
+ */
+struct newhope_noise_t {
+
+	/**
+	 * Return n pseudo random bytes with a uniform distribution
+	 *
+	 * @param nonce		Nonce determining the pseudo random stream
+	 * @param n			Number of pseudo random bytes to be returned
+	 * @return			Return array with n peudo random bytes
+	 */
+	uint8_t* (*get_uniform_bytes)(newhope_noise_t *this, uint8_t nonce,
+								  uint16_t n);
+
+	/**
+	 * Return n pseudo random 32-bit words with a Psi16 binomial distribution
+	 *
+	 * @param nonce		Nonce determining the pseudo random stream
+	 * @param n			Number of pseudo random Psi16 words to be returned
+	 * @param q			Prime number q determining the ring
+	 * @return			Return array with n pseudo random 32 bit words
+	 */
+	uint32_t* (*get_binomial_words)(newhope_noise_t *this, uint8_t nonce,
+									uint16_t n, uint16_t q);
+
+	/**
+	 * Destroy a newhope_noise_t object
+	 */
+	void (*destroy)(newhope_noise_t *this);
+};
+
+/**
+ * Creates a new newhope_noise_t object.
+ *
+ * @param seed			256 bit seed (32 byte chunk)
+ * @return				newhope_noise_t object, NULL if not supported
+ */
+newhope_noise_t *newhope_noise_create(chunk_t seed);
+
+#endif /** NEWHOPE_NOISE_H_ @}*/
+
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libstrongswan/plugins/newhope/newhope_plugin.c
similarity index 55%
rename from src/libcharon/plugins/maemo/maemo_plugin.c
rename to src/libstrongswan/plugins/newhope/newhope_plugin.c
index ddf9cdb..444e61a 100644
--- a/src/libcharon/plugins/maemo/maemo_plugin.c
+++ b/src/libstrongswan/plugins/newhope/newhope_plugin.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,59 +13,56 @@
  * for more details.
  */
 
-#include "maemo_plugin.h"
-#include "maemo_service.h"
+#include "newhope_plugin.h"
+#include "newhope_ke.h"
 
-#include <daemon.h>
+#include <library.h>
 
-typedef struct private_maemo_plugin_t private_maemo_plugin_t;
+typedef struct private_newhope_plugin_t private_newhope_plugin_t;
 
 /**
- * private data of maemo plugin
+ * private data of newhope_plugin
  */
-struct private_maemo_plugin_t {
+struct private_newhope_plugin_t {
 
 	/**
-	 * implements plugin interface
+	 * public functions
 	 */
-	maemo_plugin_t public;
-
-	/**
-	 * service
-	 */
-	maemo_service_t *service;
+	newhope_plugin_t public;
 };
 
 METHOD(plugin_t, get_name, char*,
-	private_maemo_plugin_t *this)
+	private_newhope_plugin_t *this)
 {
-	return "maemo";
+	return "newhope";
 }
 
 METHOD(plugin_t, get_features, int,
-	private_maemo_plugin_t *this, plugin_feature_t *features[])
+	private_newhope_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
-		PLUGIN_NOOP,
-			PLUGIN_PROVIDE(CUSTOM, "maemo"),
+		PLUGIN_REGISTER(DH, newhope_ke_create),
+			PLUGIN_PROVIDE(DH, NH_128_BIT),
+				PLUGIN_DEPENDS(XOF, XOF_SHAKE_128),
+				PLUGIN_DEPENDS(XOF, XOF_CHACHA20),
 	};
 	*features = f;
+
 	return countof(f);
 }
 
 METHOD(plugin_t, destroy, void,
-	private_maemo_plugin_t *this)
+	private_newhope_plugin_t *this)
 {
-	this->service->destroy(this->service);
 	free(this);
 }
 
 /*
- * See header
+ * see header file
  */
-plugin_t *maemo_plugin_create()
+plugin_t *newhope_plugin_create()
 {
-	private_maemo_plugin_t *this;
+	private_newhope_plugin_t *this;
 
 	INIT(this,
 		.public = {
@@ -77,11 +74,5 @@ plugin_t *maemo_plugin_create()
 		},
 	);
 
-	this->service = maemo_service_create();
-	if (!this->service)
-	{
-		return NULL;
-	}
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/maemo/maemo_service.h b/src/libstrongswan/plugins/newhope/newhope_plugin.h
similarity index 50%
rename from src/libcharon/plugins/maemo/maemo_service.h
rename to src/libstrongswan/plugins/newhope/newhope_plugin.h
index b0240cb..b04792f 100644
--- a/src/libcharon/plugins/maemo/maemo_service.h
+++ b/src/libstrongswan/plugins/newhope/newhope_plugin.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,36 +14,29 @@
  */
 
 /**
- * @defgroup maemo_service maemo_service
- * @{ @ingroup maemo
+ * @defgroup newhope_p newhope
+ * @ingroup plugins
+ *
+ * @defgroup newhope_plugin newhope_plugin
+ * @{ @ingroup newhope_p
  */
 
-#ifndef MAEMO_SERVICE_H_
-#define MAEMO_SERVICE_H_
+#ifndef NEWHOPE_PLUGIN_H_
+#define NEWHOPE_PLUGIN_H_
 
-#include <bus/listeners/listener.h>
+#include <plugins/plugin.h>
 
-typedef struct maemo_service_t maemo_service_t;
+typedef struct newhope_plugin_t newhope_plugin_t;
 
 /**
- * Maemo connection management.
+ * Plugin implementing New Hope-based key exchange
  */
-struct maemo_service_t {
-
-	/**
-	 * Implements listener_t.
-	 */
-	listener_t listener;
+struct newhope_plugin_t {
 
 	/**
-	 * Destroy a maemo_service_t.
+	 * implements plugin interface
 	 */
-	void (*destroy)(maemo_service_t *this);
+	plugin_t plugin;
 };
 
-/**
- * Create an instance of maemo_service_t.
- */
-maemo_service_t *maemo_service_create();
-
-#endif /** MAEMO_SERVICE_H_ @}*/
+#endif /** NEWHOPE_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/newhope/newhope_reconciliation.c b/src/libstrongswan/plugins/newhope/newhope_reconciliation.c
new file mode 100644
index 0000000..4aed60e
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/newhope_reconciliation.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on public domain code by Erdem Alkim, Léo Ducas, Thomas Pöppelmann,
+ * and Peter Schwabe.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ */
+
+#include "newhope_reconciliation.h"
+
+typedef struct private_newhope_reconciliation_t private_newhope_reconciliation_t;
+
+/**
+ * Private data of an newhope_reconciliation_t object.
+ */
+struct private_newhope_reconciliation_t {
+
+	/**
+	 * Public newhope_reconciliation_t interface.
+	 */
+	newhope_reconciliation_t public;
+
+	/**
+	 * Array sizes
+	 */
+	int n, n4;
+
+	/**
+	 * Multiples of modulus q
+	 */
+	int32_t q, q2, q4, q8, q16;
+};
+
+
+static inline int32_t rec_abs(int32_t v)
+{
+  int32_t mask = v >> 31;
+
+  return (v ^ mask) - mask;
+}
+
+/**
+ * Auxiliary function used by help_reconcile() method
+ */
+static int32_t rec_f(private_newhope_reconciliation_t *this,
+					 int32_t v, uint8_t r, int32_t *v0, int32_t *v1)
+{
+	int32_t x, xit, t, b;
+
+	x = 8 * v + 2 * r;
+
+	/* compute t = x/q */
+	b = x * 2730;
+	t = b >> 25;
+	b = x - t * this->q;
+	b = this->q - 1 - b;
+	b >>= 31;
+	t -= b;
+
+	r = t & 0x01;
+	xit = (t >> 1);
+	*v0 = xit + r ; /* v0 = round(x/(2q)) */
+
+	t -= 1;
+	r = t & 0x01;
+	*v1 = ( t>> 1) + r;
+
+	return rec_abs(x - (*v0) * this->q2);
+}
+
+/**
+ * Auxiliary function used by reconcile() method
+ */
+static int32_t rec_g(private_newhope_reconciliation_t *this, int32_t x)
+{
+	int32_t t, r, b;
+
+	/*  t = x/(4*q) */
+	b = x * 2730;
+	t = b >> 27;
+	b = x - t * this->q4;
+	b = this->q4 - 1 - b;
+	b >>= 31;
+	t -= b;
+
+	r = t & 0x01;
+	t = (t >> 1) + r; /* t = round(x/(8q)) */
+	t *= this->q8;
+
+  return abs(t - x);
+}
+
+METHOD(newhope_reconciliation_t, help_reconcile, uint8_t*,
+	private_newhope_reconciliation_t *this, uint32_t *v, uint8_t *rbits)
+{
+	int32_t v0[4], v1[4], v_tmp[4], k;
+	int i, i0, i1, i2, i3, j;
+	uint8_t *r, rbit;
+
+	/* allocate output vector */
+	r = (uint8_t*)malloc(this->n);
+
+	for (i = 0; i < this->n4/8; i++)
+	{
+		for (j = 0; j < 8; j++)
+		{
+			i0 = 8*i  + j;
+			i1 = i0 + this->n4;
+			i2 = i1 + this->n4;
+			i3 = i2 + this->n4;
+
+			/* iterate through all 256 random bits */
+			rbit = (rbits[i] >> j) & 0x01;
+
+			k  = rec_f(this, v[i0], rbit, &v0[0], &v1[0]);
+			k += rec_f(this, v[i1], rbit, &v0[1], &v1[1]);
+			k += rec_f(this, v[i2], rbit, &v0[2], &v1[2]);
+			k += rec_f(this, v[i3], rbit, &v0[3], &v1[3]);
+
+			k = (this->q2 - 1 - k) >> 31;
+
+			v_tmp[0] = ((~k) & v0[0]) ^ (k & v1[0]);
+			v_tmp[1] = ((~k) & v0[1]) ^ (k & v1[1]);
+			v_tmp[2] = ((~k) & v0[2]) ^ (k & v1[2]);
+			v_tmp[3] = ((~k) & v0[3]) ^ (k & v1[3]);
+
+			r[i0] = (v_tmp[0] -     v_tmp[3]) & 0x03;
+			r[i1] = (v_tmp[1] -     v_tmp[3]) & 0x03;
+			r[i2] = (v_tmp[2] -     v_tmp[3]) & 0x03;
+			r[i3] = (v_tmp[3] - k + v_tmp[3]) & 0x03;
+		}
+	}
+
+	return r;
+}
+
+METHOD(newhope_reconciliation_t, reconcile, chunk_t,
+	private_newhope_reconciliation_t *this, uint32_t *v, uint8_t *r)
+{
+	size_t key_len;
+	uint8_t *key;
+	int32_t tmp[4], t;
+	int i, i0, i1, i2, i3, j;
+
+	key_len = this->n4 / 8;
+	key = (uint8_t*)malloc(key_len);
+	memset(key, 0x00, key_len);
+
+	for (i = 0; i < key_len; i++)
+	{
+		for (j = 0; j < 8; j++)
+		{
+			i0 = 8*i + j;
+			i1 = i0 + this->n4;
+			i2 = i1 + this->n4;
+			i3 = i2 + this->n4;
+
+			tmp[0] = this->q16 + 8 * (int32_t)v[i0] - 
+					 this->q  * (2*r[i0] + r[i3]);
+			tmp[1] = this->q16 + 8 * (int32_t)v[i1] -
+					 this->q  * (2*r[i1] + r[i3]);
+			tmp[2] = this->q16 + 8 * (int32_t)v[i2] -
+					 this->q  * (2*r[i2] + r[i3]);
+			tmp[3] = this->q16 + 8 * (int32_t)v[i3] -
+					 this->q *  (          r[i3]);
+
+			t = rec_g(this, tmp[0]) + rec_g(this, tmp[1]) +
+				rec_g(this, tmp[2]) + rec_g(this, tmp[3]) - this->q8;
+
+			key[i] |= ((t >> 31) & 0x01) << j;
+		}
+	}
+
+	return chunk_create(key, key_len);
+}
+
+METHOD(newhope_reconciliation_t, destroy, void,
+	private_newhope_reconciliation_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+newhope_reconciliation_t *newhope_reconciliation_create(int n, int32_t q)
+{
+	private_newhope_reconciliation_t *this;
+
+	INIT(this,
+		.public = {
+			.help_reconcile = _help_reconcile,
+			.reconcile = _reconcile,
+			.destroy = _destroy,
+		},
+		.n   =  n,
+		.n4  =  n / 4,
+		.q   =      q,
+		.q2  =  2 * q,
+		.q4  =  4 * q,
+		.q8  =  8 * q,
+		.q16 = 16 * q,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/newhope/newhope_reconciliation.h b/src/libstrongswan/plugins/newhope/newhope_reconciliation.h
new file mode 100644
index 0000000..7cbf0d2
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/newhope_reconciliation.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup newhope_reconciliation newhope_reconciliation
+ * @{ @ingroup newhope_p
+ */
+
+#ifndef NEWHOPE_RECONCILIATION_H_
+#define NEWHOPE_RECONCILIATION_H_
+
+typedef struct newhope_reconciliation_t newhope_reconciliation_t;
+
+#include <library.h>
+
+/**
+ * Class assisting the error reconciliation
+ * resulting in a key exchange error rate < 2^(-60)
+ */
+struct newhope_reconciliation_t {
+
+	/**
+	 * Generate reconciliation polynomial
+	 *
+	 * @param v			polynomial v
+	 * @param rbits		pseudo random bit array	
+	 * @return			return array with reconciliation polynomial
+	 */
+	uint8_t* (*help_reconcile)(newhope_reconciliation_t *this,
+							   uint32_t *v, uint8_t *rbits);
+
+	/**
+	 * Use reconciliation polynomial r to derive shared secret
+	 *
+	 * @param v			polynomial v or v'
+	 * @param r			reconciliation polynomial r
+	 * @return			Return shared secret
+	 */
+	chunk_t (*reconcile)(newhope_reconciliation_t *this,
+						uint32_t *v, uint8_t *r);
+
+	/**
+	 * Destroy a newhope_reconciliation_t object
+	 */
+	void (*destroy)(newhope_reconciliation_t *this);
+};
+
+/**
+ * Creates a new newhope_reconciliation_t object.
+ *
+ * @param n				array size
+ * @param q				prime modulus
+ * @return				newhope_reconciliation_t object
+ */
+newhope_reconciliation_t *newhope_reconciliation_create(int n, int32_t q);
+
+#endif /** NEWHOPE_RECONCILIATION_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/newhope/tests/Makefile.am b/src/libstrongswan/plugins/newhope/tests/Makefile.am
new file mode 100644
index 0000000..3992e26
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/tests/Makefile.am
@@ -0,0 +1,25 @@
+TESTS = newhope_tests
+
+check_PROGRAMS = $(TESTS)
+
+newhope_tests_SOURCES = \
+	suites/test_newhope_ke.c \
+	suites/test_newhope_noise.c \
+	suites/test_newhope_reconciliation.c \
+	newhope_tests.h newhope_tests.c
+
+newhope_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft \
+	-I$(top_srcdir)/src/libstrongswan/plugins/newhope \
+	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+newhope_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+newhope_tests_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	../libnewhope.la
diff --git a/src/libtls/tests/Makefile.in b/src/libstrongswan/plugins/newhope/tests/Makefile.in
similarity index 71%
copy from src/libtls/tests/Makefile.in
copy to src/libstrongswan/plugins/newhope/tests/Makefile.in
index e00de3f..07ded5d 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libstrongswan/plugins/newhope/tests/Makefile.in
@@ -87,9 +87,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-TESTS = tls_tests$(EXEEXT)
+TESTS = newhope_tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
-subdir = src/libtls/tests
+subdir = src/libstrongswan/plugins/newhope/tests
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -108,22 +108,26 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = tls_tests$(EXEEXT)
+am__EXEEXT_1 = newhope_tests$(EXEEXT)
 am__dirstamp = $(am__leading_dot)dirstamp
-am_tls_tests_OBJECTS = suites/tls_tests-test_socket.$(OBJEXT) \
-	suites/tls_tests-test_suites.$(OBJEXT) \
-	tls_tests-tls_tests.$(OBJEXT)
-tls_tests_OBJECTS = $(am_tls_tests_OBJECTS)
-tls_tests_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la \
+am_newhope_tests_OBJECTS =  \
+	suites/newhope_tests-test_newhope_ke.$(OBJEXT) \
+	suites/newhope_tests-test_newhope_noise.$(OBJEXT) \
+	suites/newhope_tests-test_newhope_reconciliation.$(OBJEXT) \
+	newhope_tests-newhope_tests.$(OBJEXT)
+newhope_tests_OBJECTS = $(am_newhope_tests_OBJECTS)
+newhope_tests_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libstrongswan/tests/libtest.la
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	../libnewhope.la
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-tls_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(tls_tests_CFLAGS) \
-	$(CFLAGS) $(tls_tests_LDFLAGS) $(LDFLAGS) -o $@
+newhope_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(newhope_tests_CFLAGS) \
+	$(CFLAGS) $(newhope_tests_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -158,8 +162,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(tls_tests_SOURCES)
-DIST_SOURCES = $(tls_tests_SOURCES)
+SOURCES = $(newhope_tests_SOURCES)
+DIST_SOURCES = $(newhope_tests_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -347,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -381,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -436,27 +437,32 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-tls_tests_SOURCES = \
-	suites/test_socket.c \
-	suites/test_suites.c \
-	tls_tests.h tls_tests.c
+newhope_tests_SOURCES = \
+	suites/test_newhope_ke.c \
+	suites/test_newhope_noise.c \
+	suites/test_newhope_reconciliation.c \
+	newhope_tests.h newhope_tests.c
 
-tls_tests_CFLAGS = \
-	-I$(top_srcdir)/src/libtls \
+newhope_tests_CFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/math/libnttfft \
+	-I$(top_srcdir)/src/libstrongswan/plugins/newhope \
 	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
 	-DPLUGINS=\""${s_plugins}\"" \
 	@COVERAGE_CFLAGS@
 
-tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@
-tls_tests_LDADD = \
-	$(top_builddir)/src/libtls/libtls.la \
+newhope_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+newhope_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libstrongswan/tests/libtest.la
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	$(top_builddir)/src/libstrongswan/math/libnttfft/libnttfft.la \
+	../libnewhope.la
 
 all: all-am
 
@@ -471,9 +477,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/tests/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/newhope/tests/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libtls/tests/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/newhope/tests/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -506,14 +512,16 @@ suites/$(am__dirstamp):
 suites/$(DEPDIR)/$(am__dirstamp):
 	@$(MKDIR_P) suites/$(DEPDIR)
 	@: > suites/$(DEPDIR)/$(am__dirstamp)
-suites/tls_tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \
-	suites/$(DEPDIR)/$(am__dirstamp)
-suites/tls_tests-test_suites.$(OBJEXT): suites/$(am__dirstamp) \
-	suites/$(DEPDIR)/$(am__dirstamp)
+suites/newhope_tests-test_newhope_ke.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/newhope_tests-test_newhope_noise.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/newhope_tests-test_newhope_reconciliation.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 
-tls_tests$(EXEEXT): $(tls_tests_OBJECTS) $(tls_tests_DEPENDENCIES) $(EXTRA_tls_tests_DEPENDENCIES) 
-	@rm -f tls_tests$(EXEEXT)
-	$(AM_V_CCLD)$(tls_tests_LINK) $(tls_tests_OBJECTS) $(tls_tests_LDADD) $(LIBS)
+newhope_tests$(EXEEXT): $(newhope_tests_OBJECTS) $(newhope_tests_DEPENDENCIES) $(EXTRA_newhope_tests_DEPENDENCIES) 
+	@rm -f newhope_tests$(EXEEXT)
+	$(AM_V_CCLD)$(newhope_tests_LINK) $(newhope_tests_OBJECTS) $(newhope_tests_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -522,9 +530,10 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_tests-tls_tests.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tls_tests-test_socket.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tls_tests-test_suites.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/newhope_tests-newhope_tests.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -550,47 +559,61 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-suites/tls_tests-test_socket.o: suites/test_socket.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.o' libtool=no @AMDEPBACKSLASH@
+suites/newhope_tests-test_newhope_ke.o: suites/test_newhope_ke.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT suites/newhope_tests-test_newhope_ke.o -MD -MP -MF suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Tpo -c -o suites/newhope_tests-test_newhope_ke.o `test -f 'suites/test_newhope_ke.c' || echo '$(srcdir)/'`suites/test_newhope_ke.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Tpo suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_newhope_ke.c' object='suites/newhope_tests-test_newhope_ke.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o suites/newhope_tests-test_newhope_ke.o `test -f 'suites/test_newhope_ke.c' || echo '$(srcdir)/'`suites/test_newhope_ke.c
 
-suites/tls_tests-test_socket.obj: suites/test_socket.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@
+suites/newhope_tests-test_newhope_ke.obj: suites/test_newhope_ke.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT suites/newhope_tests-test_newhope_ke.obj -MD -MP -MF suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Tpo -c -o suites/newhope_tests-test_newhope_ke.obj `if test -f 'suites/test_newhope_ke.c'; then $(CYGPATH_W) 'suites/test_newhope_ke.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_newhope_ke.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Tpo suites/$(DEPDIR)/newhope_tests-test_newhope_ke.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_newhope_ke.c' object='suites/newhope_tests-test_newhope_ke.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o suites/newhope_tests-test_newhope_ke.obj `if test -f 'suites/test_newhope_ke.c'; then $(CYGPATH_W) 'suites/test_newhope_ke.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_newhope_ke.c'; fi`
 
-suites/tls_tests-test_suites.o: suites/test_suites.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.o' libtool=no @AMDEPBACKSLASH@
+suites/newhope_tests-test_newhope_noise.o: suites/test_newhope_noise.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT suites/newhope_tests-test_newhope_noise.o -MD -MP -MF suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Tpo -c -o suites/newhope_tests-test_newhope_noise.o `test -f 'suites/test_newhope_noise.c' || echo '$(srcdir)/'`suites/test_newhope_noise.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Tpo suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_newhope_noise.c' object='suites/newhope_tests-test_newhope_noise.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o suites/newhope_tests-test_newhope_noise.o `test -f 'suites/test_newhope_noise.c' || echo '$(srcdir)/'`suites/test_newhope_noise.c
 
-suites/tls_tests-test_suites.obj: suites/test_suites.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi`
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.obj' libtool=no @AMDEPBACKSLASH@
+suites/newhope_tests-test_newhope_noise.obj: suites/test_newhope_noise.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT suites/newhope_tests-test_newhope_noise.obj -MD -MP -MF suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Tpo -c -o suites/newhope_tests-test_newhope_noise.obj `if test -f 'suites/test_newhope_noise.c'; then $(CYGPATH_W) 'suites/test_newhope_noise.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_newhope_noise.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Tpo suites/$(DEPDIR)/newhope_tests-test_newhope_noise.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_newhope_noise.c' object='suites/newhope_tests-test_newhope_noise.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi`
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o suites/newhope_tests-test_newhope_noise.obj `if test -f 'suites/test_newhope_noise.c'; then $(CYGPATH_W) 'suites/test_newhope_noise.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_newhope_noise.c'; fi`
 
-tls_tests-tls_tests.o: tls_tests.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.o -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.o' libtool=no @AMDEPBACKSLASH@
+suites/newhope_tests-test_newhope_reconciliation.o: suites/test_newhope_reconciliation.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT suites/newhope_tests-test_newhope_reconciliation.o -MD -MP -MF suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Tpo -c -o suites/newhope_tests-test_newhope_reconciliation.o `test -f 'suites/test_newhope_reconciliation.c' || echo '$(srcdir)/'`suites/test_newhope_reconciliation.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Tpo suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_newhope_reconciliation.c' object='suites/newhope_tests-test_newhope_reconciliation.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o suites/newhope_tests-test_newhope_reconciliation.o `test -f 'suites/test_newhope_reconciliation.c' || echo '$(srcdir)/'`suites/test_newhope_reconciliation.c
 
-tls_tests-tls_tests.obj: tls_tests.c
- at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.obj -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi`
- at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.obj' libtool=no @AMDEPBACKSLASH@
+suites/newhope_tests-test_newhope_reconciliation.obj: suites/test_newhope_reconciliation.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT suites/newhope_tests-test_newhope_reconciliation.obj -MD -MP -MF suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Tpo -c -o suites/newhope_tests-test_newhope_reconciliation.obj `if test -f 'suites/test_newhope_reconciliation.c'; then $(CYGPATH_W) 'suites/test_newhope_reconciliation.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_newhope_reco [...]
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Tpo suites/$(DEPDIR)/newhope_tests-test_newhope_reconciliation.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_newhope_reconciliation.c' object='suites/newhope_tests-test_newhope_reconciliation.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi`
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o suites/newhope_tests-test_newhope_reconciliation.obj `if test -f 'suites/test_newhope_reconciliation.c'; then $(CYGPATH_W) 'suites/test_newhope_reconciliation.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_newhope_reconciliation.c'; fi`
+
+newhope_tests-newhope_tests.o: newhope_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT newhope_tests-newhope_tests.o -MD -MP -MF $(DEPDIR)/newhope_tests-newhope_tests.Tpo -c -o newhope_tests-newhope_tests.o `test -f 'newhope_tests.c' || echo '$(srcdir)/'`newhope_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/newhope_tests-newhope_tests.Tpo $(DEPDIR)/newhope_tests-newhope_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='newhope_tests.c' object='newhope_tests-newhope_tests.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o newhope_tests-newhope_tests.o `test -f 'newhope_tests.c' || echo '$(srcdir)/'`newhope_tests.c
+
+newhope_tests-newhope_tests.obj: newhope_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -MT newhope_tests-newhope_tests.obj -MD -MP -MF $(DEPDIR)/newhope_tests-newhope_tests.Tpo -c -o newhope_tests-newhope_tests.obj `if test -f 'newhope_tests.c'; then $(CYGPATH_W) 'newhope_tests.c'; else $(CYGPATH_W) '$(srcdir)/newhope_tests.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/newhope_tests-newhope_tests.Tpo $(DEPDIR)/newhope_tests-newhope_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='newhope_tests.c' object='newhope_tests-newhope_tests.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(newhope_tests_CFLAGS) $(CFLAGS) -c -o newhope_tests-newhope_tests.obj `if test -f 'newhope_tests.c'; then $(CYGPATH_W) 'newhope_tests.c'; else $(CYGPATH_W) '$(srcdir)/newhope_tests.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libstrongswan/plugins/newhope/tests/newhope_tests.c
similarity index 70%
copy from src/libcharon/tests/libcharon_tests.c
copy to src/libstrongswan/plugins/newhope/tests/newhope_tests.c
index e25e543..1cc9a2d 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libstrongswan/plugins/newhope/tests/newhope_tests.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,21 +14,18 @@
  */
 
 #include <test_runner.h>
-#include <daemon.h>
+
+#include <library.h>
 
 /* declare test suite constructors */
 #define TEST_SUITE(x) test_suite_t* x();
-#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
-#include "libcharon_tests.h"
+#include "newhope_tests.h"
 #undef TEST_SUITE
-#undef TEST_SUITE_DEPEND
 
 static test_configuration_t tests[] = {
 #define TEST_SUITE(x) \
 	{ .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, ...) \
-	{ .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
-#include "libcharon_tests.h"
+#include "newhope_tests.h"
 	{ .suite = NULL, }
 };
 
@@ -38,10 +35,7 @@ static bool test_runner_init(bool init)
 	{
 		char *plugins, *plugindir;
 
-		libcharon_init();
-
-		plugins = getenv("TESTS_PLUGINS") ?:
-					lib->settings->get_str(lib->settings,
+		plugins = lib->settings->get_str(lib->settings,
 										"tests.load", PLUGINS);
 		plugindir = lib->settings->get_str(lib->settings,
 										"tests.plugindir", PLUGINDIR);
@@ -53,12 +47,14 @@ static bool test_runner_init(bool init)
 	}
 	else
 	{
-		libcharon_deinit();
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		lib->plugins->unload(lib->plugins);
 	}
 	return TRUE;
 }
 
 int main(int argc, char *argv[])
 {
-	return test_runner_run("libcharon", tests, test_runner_init);
+	return test_runner_run("newhope", tests, test_runner_init);
 }
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/plugins/newhope/tests/newhope_tests.h
similarity index 65%
copy from src/libstrongswan/plugins/bliss/tests/bliss_tests.h
copy to src/libstrongswan/plugins/newhope/tests/newhope_tests.h
index f0959cc..3f81434 100644
--- a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
+++ b/src/libstrongswan/plugins/newhope/tests/newhope_tests.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,11 +13,6 @@
  * for more details.
  */
 
-TEST_SUITE(bliss_fft_suite_create)
-TEST_SUITE(bliss_bitpacker_suite_create)
-TEST_SUITE(bliss_huffman_suite_create)
-TEST_SUITE(bliss_keys_suite_create)
-TEST_SUITE(bliss_sampler_suite_create)
-TEST_SUITE(bliss_signature_suite_create)
-TEST_SUITE(bliss_sign_suite_create)
-
+TEST_SUITE(newhope_ke_suite_create)
+TEST_SUITE(newhope_noise_suite_create)
+TEST_SUITE(newhope_reconciliation_suite_create)
diff --git a/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_ke.c b/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_ke.c
new file mode 100644
index 0000000..33b744f
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_ke.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <newhope_ke.h>
+
+#include <library.h>
+
+#include <time.h>
+
+const int count = 1000;
+
+START_TEST(test_newhope_ke_good)
+{
+	chunk_t i_msg, r_msg, i_shared_secret, r_shared_secret;
+	diffie_hellman_t *i_nh, *r_nh;
+	struct timespec start, stop;
+	int i;
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &start);
+
+	for (i = 0; i < count; i++)
+	{
+		i_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+		ck_assert(i_nh != NULL);
+		ck_assert(i_nh->get_dh_group(i_nh) == NH_128_BIT);
+
+		ck_assert(i_nh->get_my_public_value(i_nh, &i_msg));
+		ck_assert(i_msg.len = 1824);
+
+		r_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+		ck_assert(r_nh != NULL);
+
+		ck_assert(r_nh->set_other_public_value(r_nh, i_msg));
+		ck_assert(r_nh->get_my_public_value(r_nh, &r_msg));
+		ck_assert(r_msg.len == 2048);
+
+		ck_assert(r_nh->get_shared_secret(r_nh, &r_shared_secret));
+		ck_assert(r_shared_secret.len == 32);
+
+		ck_assert(i_nh->set_other_public_value(i_nh, r_msg));
+		ck_assert(i_nh->get_shared_secret(i_nh, &i_shared_secret));
+		ck_assert(i_shared_secret.len == 32);
+		ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
+
+		/* cleanup */
+		chunk_clear(&i_shared_secret);
+		chunk_clear(&r_shared_secret);
+		chunk_free(&i_msg);
+		chunk_free(&r_msg);
+		i_nh->destroy(i_nh);
+		r_nh->destroy(r_nh);
+	}
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &stop);
+
+	DBG0(DBG_LIB, "%d Newhope DH loops in %d ms\n", count,
+				  (stop.tv_nsec - start.tv_nsec) / 1000000 +
+				  (stop.tv_sec - start.tv_sec) * 1000);
+}
+END_TEST
+
+START_TEST(test_newhope_ke_wrong)
+{
+	chunk_t i_msg, r_msg, i_shared_secret, r_shared_secret;
+	diffie_hellman_t *i_nh, *r_nh;
+
+	i_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+	ck_assert(i_nh != NULL);
+	ck_assert(i_nh->get_my_public_value(i_nh, &i_msg));
+
+	r_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+	ck_assert(r_nh != NULL);
+	ck_assert(r_nh->set_other_public_value(r_nh, i_msg));
+	ck_assert(r_nh->get_my_public_value(r_nh, &r_msg));
+
+	/* destroy 1st instance of i_nh */
+	i_nh->destroy(i_nh);
+	chunk_free(&i_msg);
+
+	/* create 2nd instance of i_nh */
+	i_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+	ck_assert(i_nh != NULL);
+	ck_assert(i_nh->get_my_public_value(i_nh, &i_msg));
+	ck_assert(i_nh->set_other_public_value(i_nh, r_msg));
+
+	ck_assert(r_nh->get_shared_secret(r_nh, &r_shared_secret));
+	ck_assert(i_nh->get_shared_secret(i_nh, &i_shared_secret));
+	ck_assert(!chunk_equals(i_shared_secret, r_shared_secret));
+
+	/* cleanup */
+	chunk_clear(&i_shared_secret);
+	chunk_clear(&r_shared_secret);
+	chunk_free(&i_msg);
+	chunk_free(&r_msg);
+	i_nh->destroy(i_nh);
+	r_nh->destroy(r_nh);
+}
+END_TEST
+
+START_TEST(test_newhope_ke_fail_i)
+{
+	diffie_hellman_t *i_nh;
+	char buf_ff[2048];
+	int i;
+
+	chunk_t i_msg;
+
+	chunk_t r_msg[] = {
+		chunk_empty,
+		chunk_from_chars(0x00),
+		chunk_create(buf_ff, 2047),
+		chunk_create(buf_ff, 2048),
+	};
+
+	memset(buf_ff, 0xff, sizeof(buf_ff));
+
+		for (i = 0; i < countof(r_msg); i++)
+	{
+		i_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+		ck_assert(i_nh != NULL);
+		ck_assert(i_nh->get_my_public_value(i_nh, &i_msg));
+		ck_assert(!i_nh->set_other_public_value(i_nh, r_msg[i]));
+		chunk_free(&i_msg);
+		i_nh->destroy(i_nh);
+	}
+}
+END_TEST
+
+START_TEST(test_newhope_ke_fail_r)
+{
+	diffie_hellman_t *r_nh;
+	char buf_ff[1824];
+	int i;
+
+	chunk_t i_msg[] = {
+		chunk_empty,
+		chunk_from_chars(0x00),
+		chunk_create(buf_ff, 1823),
+		chunk_create(buf_ff, 1824),
+	};
+
+	memset(buf_ff, 0xff, sizeof(buf_ff));
+
+	for (i = 0; i < countof(i_msg); i++)
+	{
+		r_nh = lib->crypto->create_dh(lib->crypto, NH_128_BIT);
+		ck_assert(r_nh != NULL);
+		ck_assert(!r_nh->set_other_public_value(r_nh, i_msg[i]));
+		r_nh->destroy(r_nh);
+	}
+}
+END_TEST
+
+Suite *newhope_ke_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("newhope_ke");
+
+	tc = tcase_create("ke_good");
+	test_case_set_timeout(tc, 30);
+	tcase_add_test(tc, test_newhope_ke_good);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ke_wrong");
+	tcase_add_test(tc, test_newhope_ke_wrong);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ke_fail_i");
+	tcase_add_test(tc, test_newhope_ke_fail_i);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ke_fail_r");
+	tcase_add_test(tc, test_newhope_ke_fail_r);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_noise.c b/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_noise.c
new file mode 100644
index 0000000..96dd167
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_noise.c
@@ -0,0 +1,676 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <newhope_noise.h>
+
+#include <library.h>
+
+static const uint16_t n = 1024;
+static const uint16_t q = 12289;
+
+static const size_t seed_len = 32;
+
+typedef struct {
+	uint8_t key;
+	uint8_t nonce;
+	uint8_t uniform[64];
+	uint32_t poly[1024];
+} noise_t;
+
+static noise_t noises[] = {
+	{ 0x00, 0x00,	/* polynomial s */
+	  { 0x9f, 0x07, 0xe7, 0xbe, 0x55, 0x51, 0x38, 0x7a, 0x98, 0xba,
+		0x97, 0x7c, 0x73, 0x2d, 0x08, 0x0d, 0xcb, 0x0f, 0x29, 0xa0,
+		0x48, 0xe3, 0x65, 0x69, 0x12, 0xc6, 0x53, 0x3e, 0x32, 0xee,
+		0x7a, 0xed, 0x29, 0xb7, 0x21, 0x76, 0x9c, 0xe6, 0x4e, 0x43,
+		0xd5, 0x71, 0x33, 0xb0, 0x74, 0xd8, 0x39, 0xd5, 0x31, 0xed,
+		0x1f, 0x28, 0x51, 0x0a, 0xfb, 0x45, 0xac, 0xe1, 0x0a, 0x1f,
+		0x4b, 0x79, 0x4d, 0x6f },
+	  { 12286, 12288, 12287,     5,     4, 12288, 12286, 12287,     2,     2,
+		    2, 12288,     2, 12284,     1, 12288, 12288, 12288,     6, 12288,
+		    0,     4,     1, 12285, 12286,     2, 12284, 12287,     1,     5,
+		    5, 12286, 12288,     2, 12286,     0,     3,     1,     0,     2,
+		    0,     0,     4, 12283, 12284,     4,     0, 12288,     3, 12288,
+		    0,     4,     1, 12288, 12286,     0,     3,     1, 12286, 12287,
+		12285,     3,     2,     3, 12286,     0,     6,     6, 12288, 12284,
+		    0, 12282,     1,     0,     4,     1,     0,     3,     2,     2,
+		    3,     3,     2, 12288,     3,     1, 12287, 12285,     0, 12288,
+		    0,     0, 12288, 12287, 12284, 12286,     0, 12288,     4,     4,
+		12288,     5, 12286,     2, 12288,     5,     1, 12283,     1, 12288,
+		    1, 12288, 12287, 12285,     2,     2, 12285, 12284,     0, 12285,
+		12287,     0,     1,     0,     2, 12288, 12288, 12287,     0,     4,
+		12288, 12285, 12288,     0,     2,     1, 12287,     3,     1,     3,
+		    5, 12286,     1,     0, 12286,     0,     4,     0, 12288,     1,
+		12288,     4,     5, 12283, 12288,     1,     3, 12283, 12286,     5,
+		    1, 12286, 12287, 12286,     0, 12287, 12285,     1,     0,     0,
+		    1,     3,     0,     0,     0, 12284, 12286,     2,     4, 12288,
+		    6,     1,     2, 12288,     1, 12287, 12286, 12284, 12287,     1,
+		    3, 12284,     0,     0,     6, 12286,     7,     5,     2,     3,
+		12285, 12287, 12285,     2,     3, 12283,     2, 12284, 12288,     3,
+		12288,     1,     4, 12287,     2, 12288, 12288,     1, 12286, 12284,
+		    2,     1,     5, 12286,     0, 12288,     0,     0,     0, 12287,
+		    1,     0,     3,     0,     0,     6,     2, 12283,     1,     3,
+		    3, 12284,     3,     1, 12286,     2, 12288,     0,     6,     1,
+		    1, 12285, 12287, 12288,     4,     2, 12288,     3, 12286, 12288,
+		12287,     3,     3,     2,     7,     4, 12287, 12286, 12287,     2,
+		    2, 12287,     1, 12288,     1, 12287, 12283, 12287, 12288,     1,
+		12283,     0, 12286, 12288,     4, 12287, 12286, 12286,     2,     2,
+		12287,     5, 12288,     4,     0, 12287,     1,     3, 12286,     2,
+		    1,     1, 12288, 12287,     5, 12288,     0,     0,     1,     0,
+		12286,     6,     2,     1,     2,     5, 12286,     6, 12286, 12288,
+		    0, 12286,     3, 12283, 12288, 12284,     0,     7,     2,     6,
+		    1, 12288, 12285, 12284,     1,     0,     0,     2, 12288, 12288,
+		12288,     3,     3,     1,     3, 12286,     4,     3, 12284,     4,
+		    1, 12287, 12287, 12285,     0, 12287, 12287, 12287, 12286, 12288,
+		    1, 12287,     1,     0, 12288,     2,     0,     4,     0, 12287,
+		12285, 12285,     5,     3, 12282,     0, 12287,     5, 12287,     1,
+		12283, 12288, 12288,     3,     1,     1,     3, 12288, 12283,     5,
+		12288, 12288,     5,     5,     1, 12286, 12286, 12288,     1,     2,
+		    1,     3, 12287, 12288, 12284, 12287,     1, 12287,     0, 12286,
+		12285,     1, 12287, 12282, 12286, 12287,     0, 12285,     4,     2,
+		    1, 12282,     0,     1, 12288, 12285, 12284, 12286, 12286, 12287,
+		12288,     1, 12288,     4, 12287,     4, 12287, 12287,     0,     1,
+		12287,     3,     1, 12286, 12286,     4,     6, 12288,     1, 12285,
+		12286, 12287,     0, 12287, 12287,     1, 12286,     5,     0,     2,
+		12283, 12284,     1, 12286,     0, 12287, 12286, 12288,     1,     4,
+		    4, 12283,     2,     6,     1, 12288, 12286,     2,     7,     2,
+		    1, 12288,     5, 12284, 12288, 12288,     1,     7,     3, 12283,
+		    1, 12286,     2, 12288, 12287,     1, 12286,     1, 12286, 12288,
+		12287,     3,     2,     2,     0, 12284, 12287,     1,     1, 12284,
+		12286,     1,     2,     1,     0, 12285,     1,     0,     1,     2,
+		    2,     4, 12288,     1, 12288,     5,     0, 12287, 12288,     2,
+		    0, 12288, 12287,     0, 12288, 12288,     0,     0, 12285,     4,
+		    2, 12288,     0,     2,     0, 12288,     1,     3, 12287, 12288,
+		12288, 12288, 12286,     0, 12285, 12286, 12287,     3,     0, 12286,
+		    2,     1, 12285,     2, 12288,     0,     5,     0,     1, 12288,
+		12288,     4,     3,     3, 12286,     2, 12288,     4, 12288,     6,
+		    2, 12286,     4, 12287,     2, 12287,     0, 12284, 12288,     0,
+		12286, 12288,     3,     4, 12286, 12288,     1,     3, 12286,     3,
+		    4,     1,     1,     6,     3,     1,     1,     0, 12288,     4,
+		    0, 12288,     0,     0,     0, 12288,     2,     4,     2, 12287,
+		    0,     0,     3,     2,     3,     4,     0,     3,     2, 12288,
+		    2,     4,     6, 12286, 12284, 12287,     1,     0,     0,     4,
+		    1,     3, 12282,     1,     2,     2,     0,     3, 12282,     2,
+		12287,     2, 12288,     4, 12288,     3,     3, 12283, 12288, 12288,
+		12286, 12287,     5,     4,     3,     3, 12288, 12284,     2,     2,
+		    0, 12288,     1,     3,     3,     4, 12284, 12288,     0,     1,
+		12284,     0, 12286, 12287,     0,     0, 12287,     0,     1,     6,
+		12288,     1, 12284, 12287, 12282, 12288,     4, 12287,     1, 12286,
+		    1, 12286, 12286,     1,     4,     0, 12288,     1, 12288,     1,
+		12285,     3,     1,     0,     1,     0, 12288, 12287,     2,     2,
+		    0, 12288,     3, 12284,     2, 12288, 12288, 12288, 12287,     3,
+		    3,     0, 12286, 12286,     1,     2, 12286, 12287,     0,     1,
+		12288, 12287, 12287, 12288, 12288,     1,     9,     1, 12288, 12287,
+		    2,     1,     1,     0, 12287, 12287,     2,     2, 12288, 12285,
+		    1, 12287,     4,     0,     2,     1,     1,     3, 12284, 12286,
+		    1,     2, 12288, 12287,     4,     1, 12285,     0,     1,     2,
+		12288,     1,     3,     0, 12286,     0, 12288, 12286, 12287, 12286,
+		    1, 12284,     1,     2,     2, 12288,     0, 12288,     1, 12284,
+		    2,     3, 12287,     1, 12285, 12288,     0,     1, 12284,     2,
+		12288, 12286, 12286,     3, 12288, 12282,     3, 12287, 12288, 12287,
+		    4, 12287,     1,     2,     9, 12283, 12286, 12286,     0,     4,
+		12288, 12288,     4,     0,     1,     1,     2, 12284,     1,     1,
+		    0, 12288,     1,     0, 12287,     1,     1,     5,     2,     1,
+		12288,     3, 12287,     5,     4,     1,     4, 12287, 12285,     3,
+		12286,     1,     3,     0, 12287,     0, 12286, 12287, 12287, 12287,
+		    3,     2, 12286, 12284,     2, 12288,     1,     1, 12288,     3,
+		    1,     3, 12284,     3, 12282, 12288,     3,     0,     2, 12288,
+		    0,     5,     0,     2,     0, 12281, 12285,     4,     3,     4,
+		    2, 12284,     0,     0,     2,     2, 12287, 12284,     2, 12286,
+		    1, 12288,     1, 12286, 12286, 12287,     4,     0,     6,     3,
+		    0,     3, 12288, 12288, 12288, 12287,     3,     1,     1,     1,
+		    2, 12287, 12284,     3, 12286, 12280,     3, 12284, 12287, 12288,
+		    5, 12288, 12284,     2, 12285,     4,     3, 12286,     6,     2,
+		    1, 12287,     0,     1,     2, 12286,     1,     0, 12287,     0,
+		    1,     1, 12286,     2, 12285,     0,     1, 12288,     0,     1,
+		12288,     1, 12288, 12287, 12287, 12285, 12282, 12288,     2, 12288,
+		    2, 12284,     1, 12284, 12287, 12286, 12288,     0, 12288,     1,
+		12283, 12286,     5,     3,     0, 12286, 12286,     3,     1,     0,
+		    1, 12288, 12288,     4,     1, 12286, 12287, 12285,     2,     0,
+		    2, 12287,     1, 12285, 12288, 12286, 12288,     2,     2, 12285,
+		    3, 12286, 12285, 12287 }
+	},
+	{ 0x00, 0x01,	/* polynomial e */
+	  { 0x46, 0xf0, 0xf6, 0xef, 0xee, 0x15, 0xc8, 0xf1, 0xb1, 0x98,
+		0xcb, 0x49, 0xd9, 0x2b, 0x99, 0x08, 0x67, 0x90, 0x51, 0x59,
+		0x44, 0x0c, 0xc7, 0x23, 0x91, 0x6d, 0xc0, 0x01, 0x28, 0x26,
+		0x98, 0x10, 0x39, 0xce, 0x17, 0x66, 0xaa, 0x25, 0x42, 0xb0,
+		0x5d, 0xb3, 0xbd, 0x80, 0x9a, 0xb1, 0x42, 0x48, 0x9d, 0x5d,
+		0xbf, 0xe1, 0x27, 0x3e, 0x73, 0x99, 0x63, 0x7b, 0x4b, 0x32,
+		0x13, 0x76, 0x8a, 0xaa }, 
+	  { 12283,     1, 12288,     4,     0, 12285,     5,     1,     1,     2,
+		    3,     4, 12288,     0,     3,     1,     1,     0, 12286,     6,
+		    1,     0,     1,     0,     4,     2, 12288,     3,     0,     5,
+		    1,     5,     2, 12285,     4, 12288,     3,     2, 12288,     2,
+		12288, 12285, 12287,     6, 12282,     1, 12286,     7, 12287,     4,
+		    2,     2, 12288, 12285,     0,     2,     0, 12288,     1, 12287,
+		12287,     2,     1,     2,     1, 12285, 12288, 12286,     1,     2,
+		12287, 12288, 12288,     1,     0, 12287,     0,     4,     2,     6,
+		12287, 12285, 12283, 12285,     5, 12283, 12286,     1, 12283,     2,
+		    3, 12286, 12285,     2,     5, 12286,     3,     0,     3, 12286,
+		    5, 12285, 12287, 12288,     1,     5,     3,     5,     1,     1,
+		    1, 12288,     5,     0, 12288,     3,     2, 12288, 12285, 12288,
+		    5,     6,     0,     2,     1, 12287, 12288, 12287,     3, 12284,
+		    2,     0,     3,     0,     0, 12288,     0,     2,     2,     2,
+		    0,     1,     2,     2,     0,     0, 12287, 12285,     0,     4,
+		    1, 12283,     3,     5, 12288, 12286, 12287,     6,     2,     0,
+		    0, 12287,     2,     2, 12288,     0,     2, 12288, 12287, 12288,
+		12288,     1, 12288,     1, 12288,     2,     4,     2,     1,     1,
+		    0, 12287,     3,     2,     6,     2,     1, 12288, 12285,     6,
+		    0,     1, 12284, 12287, 12287, 12286,     5,     4,     0,     5,
+		12287, 12286, 12288, 12286,     0,     3,     1, 12287, 12287, 12288,
+		12288, 12286,     1,     0,     3, 12287,     3,     1, 12283,     1,
+		12288,     5,     1,     4, 12286, 12287,     2,     0,     0,     0,
+		12281, 12286,     0,     8,     5,     0,     4,     0, 12287,     5,
+		    1,     3,     2, 12286, 12286, 12288, 12285, 12285, 12287,     0,
+		12284, 12287,     1,     0,     2,     1, 12286, 12288,     2, 12285,
+		    0,     0,     0,     1,     0,     6,     1, 12288, 12287, 12287,
+		    0,     3, 12288, 12288, 12287,     0, 12287,     1,     3,     0,
+		    0, 12286, 12286,     4,     4, 12287,     1,     3,     4, 12287,
+		12284,     2, 12288, 12286, 12283, 12285,     1,     3,     1, 12288,
+		    0,     3,     3, 12284, 12285,     5,     3, 12288,     3,     4,
+		    3,     1, 12288,     0, 12288,     1,     0,     0,     3,     0,
+		    3,     2, 12287, 12288,     0, 12288,     0,     2, 12285,     4,
+		    0, 12287, 12287,     1,     1,     1, 12287, 12285,     4, 12282,
+		    3,     1,     1, 12288,     2,     4, 12285, 12286,     3,     1,
+		    0, 12287, 12283, 12285,     2,     5,     1,     1, 12288, 12288,
+		    0,     8,     3, 12287, 12285, 12287, 12286, 12284,     1, 12286,
+		    1, 12288,     2,     3, 12288, 12288,     2, 12288, 12284, 12285,
+		    0,     3, 12288, 12288,     2,     3,     7, 12287,     3,     3,
+		    3, 12284,     0,     0,     1, 12283,     5,     0,     1, 12288,
+		    3, 12286, 12287, 12286,     0,     0, 12287, 12283,     4, 12283,
+		    0,     0,     3, 12285,     5, 12286, 12282, 12288,     1, 12287,
+		12288,     1,     5,     2, 12287,     2, 12288,     7, 12288,     3,
+		    5,     1,     0, 12287,     1, 12287,     3,     2,     4,     2,
+		12287, 12286, 12288,     2,     5,     1, 12286,     4,     0,     2,
+		    6, 12286,     2, 12286,     3, 12288,     5, 12285,     0,     2,
+		12287,     5, 12286, 12284,     7, 12285, 12286, 12284, 12287,     1,
+		12288, 12284, 12286,     2,     4,     2,     2, 12283, 12286,     2,
+		    2, 12283,     1, 12286,     1,     0, 12284,     3,     0,     4,
+		    1,     0,     4, 12288,     0, 12287, 12287, 12287, 12286, 12284,
+		12288,     3,     1, 12285,     0,     3,     8,     4,     2, 12288,
+		    3, 12287, 12287,     2,     3, 12288, 12286,     2, 12286, 12288,
+		    0,     1, 12287, 12285,     0, 12285, 12288, 12287,     1, 12287,
+		    0, 12284,     0,     1,     1, 12285,     0,     0,     0, 12287,
+		12287,     3,     0,     4, 12288,     1, 12288, 12285, 12283,     0,
+		12286, 12286, 12285, 12285, 12287,     1,     0,     2,     3,     1,
+		    2, 12286, 12288,     3, 12286, 12288, 12288,     6,     2,     2,
+		    0, 12288,     2,     5, 12288,     0, 12284, 12282, 12286,     1,
+		12288, 12288, 12286, 12288,     3, 12286,     2,     0, 12283,     0,
+		    4,     2, 12288,     0, 12286,     0,     4,     3, 12286, 12287,
+		    4, 12288,     3,     2, 12283,     1,     1,     1,     3, 12286,
+		    4,     0, 12288, 12285, 12287,     0,     0, 12286,     4,     0,
+		12286,     2, 12288, 12288, 12285, 12283,     5,     3, 12286, 12288,
+		    4,     1, 12283,     0, 12288,     0, 12287, 12287,     0,     3,
+		12287, 12287,     2,     2,     3,     0,     1,     4, 12288,     3,
+		    3,     0, 12284, 12285,     4, 12288,     1, 12287,     0,     1,
+		12283,     1, 12284, 12287, 12286, 12285,     0,     0,     3, 12285,
+		    3,     1, 12288, 12287, 12284, 12282,     5,     3,     3,     2,
+		12285,     4, 12288,     0,     3, 12288,     4,     0, 12283, 12288,
+		    2, 12285, 12288, 12282,     0,     2, 12285,     3,     1, 12284,
+		    1,     5,     7, 12286,     5, 12285,     1,     2,     0,     4,
+		12283, 12287, 12286,     2, 12280, 12287, 12288,     2, 12285, 12286,
+		    2,     1,     2,     1,     2,     2,     3,     3,     0,     0,
+		    4,     2, 12288, 12286,     4,     0,     1, 12288,     2, 12287,
+		12288, 12288,     1,     3, 12283, 12288,     1, 12287,     1,     1,
+		    3, 12288, 12288,     1,     2,     1,     1, 12283,     7, 12286,
+		12288,     1, 12288, 12287, 12284,     7,     2, 12285, 12286,     0,
+		    0,     0,     2,     4, 12288,     0, 12284, 12285, 12286,     2,
+		12284,     2,     4,     6,     3, 12287, 12288, 12285,     1,     2,
+		12286,     0,     0, 12287, 12288,     0, 12286,     2,     1,     1,
+		    1,     3,     1, 12285,     4,     0, 12287, 12288, 12287,     0,
+		12288, 12287, 12288, 12287, 12288, 12288,     0, 12287, 12284,     0,
+		12288, 12285,     3,     2,     4,     2, 12284,     3,     1,     3,
+		    4, 12288, 12285, 12284, 12287,     1,     4,     0,     2, 12288,
+		    4, 12288, 12287,     3,     1,     0,     0, 12284, 12287,     2,
+		    4, 12287,     2, 12288,     0,     2,     2,     3, 12287, 12286,
+		    8, 12286, 12285,     0, 12285,     2,     3,     5, 12287, 12288,
+		    6, 12288, 12284,     0,     0,     3,     1,     2, 12284,     2,
+		    1,     3,     2,     0,     0, 12288, 12287, 12288,     1, 12288,
+		    4,     3, 12284,     1,     3, 12288, 12283, 12288,     1,     1,
+		    2,     1,     1,     3,     1, 12288,     0, 12288,     2,     0,
+		    0, 12284, 12283,     3, 12288,     0,     2, 12287,     0,     0,
+		12286, 12286,     0,     0,     2,     4, 12288,     1,     2,     3,
+		    2, 12286, 12286,     1,     2,     4, 12288, 12288, 12284, 12287,
+		    6,     2, 12288, 12286,     0,     0,     3, 12286, 12288, 12287,
+		12286, 12287,     3,     1, 12286,     0,     4,     3, 12286,     5,
+		    2,     1, 12287, 12286,     4, 12287,     0,     5, 12288,     0,
+		12288,     2,     2,     1,     1,     0,     0, 12288, 12288, 12288,
+		    0,     0, 12288, 12287,     5,     1, 12288,     1,    10,     1,
+		    0,     0,     2,     2,     2,     0, 12288,     4,     2, 12283,
+		    3,     1,     1, 12285,     2, 12285,     5,     7,     5, 12288,
+		    0, 12287,     5,     1, 12288, 12286, 12287,     0,     0,     0,
+		12287,     1,     3, 12288 }
+	},
+	{ 0x01, 0x00,	/* polynomial s' */
+	  { 0x3a, 0xeb, 0x52, 0x24, 0xec, 0xf8, 0x49, 0x92, 0x9b, 0x9d,
+		0x82, 0x8d, 0xb1, 0xce, 0xd4, 0xdd, 0x83, 0x20, 0x25, 0xe8,
+		0x01, 0x8b, 0x81, 0x60, 0xb8, 0x22, 0x84, 0xf3, 0xc9, 0x49,
+		0xaa, 0x5a, 0x8e, 0xca, 0x00, 0xbb, 0xb4, 0xa7, 0x3b, 0xda,
+		0xd1, 0x92, 0xb5, 0xc4, 0x2f, 0x73, 0xf2, 0xfd, 0x4e, 0x27,
+		0x36, 0x44, 0xc8, 0xb3, 0x61, 0x25, 0xa6, 0x4a, 0xdd, 0xeb,
+		0x00, 0x6c, 0x13, 0xa0 }, 
+	  {     5,     4,     4, 12288, 12286,     1, 12287, 12288,     2, 12288,
+		12288, 12287,     2,     2, 12284, 12288, 12288,     3,     2,     3,
+		12287,     2,     2,     0,     0,     2,     5, 12285,     5, 12287,
+		    2, 12282, 12286,     2,     1,     2,     1,     1, 12288, 12285,
+		12287, 12286,     2,     0,     0, 12285,     0,     0, 12287, 12286,
+		12285, 12286,     2, 12288, 12288,     0,     1,     2, 12286,     2,
+		    1,     0,     0,     2,     1, 12288,     1, 12287,     1,     0,
+		    0,     2, 12285,     2,     2, 12288, 12286,     3, 12287,     0,
+		    1,     1,     0,     2, 12287,     2,     1,     2,     3,     0,
+		    0,     1, 12288, 12288,     2, 12287, 12286, 12286,     6, 12288,
+		    0,     0,     4,     0, 12286,     0,     4, 12288, 12288,     5,
+		12287, 12288, 12285,     2, 12285, 12288,     1,     0,     2, 12288,
+		12286,     1,     3, 12285,     2,     2,     1,     1, 12288, 12288,
+		12287,     1, 12288,     3,     0, 12285,     4, 12285, 12287,     2,
+		    2, 12287, 12287, 12286, 12288, 12284,     2, 12286,     4,     1,
+		    0, 12286, 12284,     3, 12286,     3, 12286,     3,     4,     1,
+		12288, 12282,     2,     2, 12284,     0, 12286, 12283,     3,     0,
+		    4,     2,     4,     2, 12285,    10, 12288,     8,     3,     2,
+		    2,     0,     1,     0,     0, 12286,     2, 12284,     4,     1,
+		12287, 12287,     1,     1, 12286,     1,     0, 12285, 12288, 12286,
+		12287,     2,     1, 12284, 12288, 12285, 12285,     3,     0,     1,
+		    4,     4,     1,     0,     2,     1, 12288,     1, 12287,     0,
+		12286,     4,     2,     3,     3, 12285, 12288, 12288,     5,     2,
+		    0,     4,     3, 12287, 12287,     5,     2,     3, 12284,     0,
+		    8,     1,     1,     0,     5, 12288, 12288, 12288, 12286,     6,
+		    3, 12288, 12286, 12287,     4, 12288,     2, 12288, 12284, 12287,
+		    4, 12288,     0,     0,     3,     0,     4,     4, 12287,     0,
+		    3,     0, 12285, 12287, 12288, 12288,     0,     0, 12287, 12288,
+		12286,     0,     0, 12285, 12288,     4, 12287,     1,     2, 12288,
+		12285,     5,     4, 12283,     2,     0, 12288,     2,     0,     0,
+		12286, 12284,     3,     3,     3, 12287,     1,     1,     0,     1,
+		    3, 12288,     4,     4,     0,     2,     0,     1, 12286, 12284,
+		    2,     2, 12287,     3,     2, 12288,     3, 12286,     2, 12286,
+		12288,     4,     3, 12288,     2, 12288,     2,     1, 12288, 12288,
+		    7, 12288, 12288,     0, 12288,     1, 12284, 12288, 12288, 12287,
+		12287,     1, 12285, 12287, 12287,     1,     0,     2, 12286,     3,
+		12288, 12288, 12287,     3,     5,     0,     0, 12287,     2, 12287,
+		12288,     8, 12287,     1,     2, 12288, 12284,     3,     0, 12287,
+		12284,     3,     0,     2,     1,     3,     4, 12287, 12286, 12288,
+		12286,     0,     0, 12287, 12285,     0, 12286,     2,     1, 12287,
+		12288,     5, 12287, 12287, 12286,     2, 12283,     0,     0, 12286,
+		    2, 12284,     5,     0,     1, 12287,     0,     3,     1, 12285,
+		12288,     0,     3, 12287,     2, 12286,     0,     1, 12288,     1,
+		12284, 12281, 12284, 12288, 12285,     2,     5,     4, 12286,     0,
+		12287, 12288, 12286, 12285,     3, 12282,     1, 12287,     2,     0,
+		    6, 12288,     4, 12286,     3, 12288, 12286, 12284,     3,     1,
+		    6,     3,     2,     1,     2,     1,     1, 12288, 12287,     1,
+		    3,     3,     1,     0,     0, 12288,     3, 12284, 12285, 12284,
+		    1,     3, 12286,     0,     1, 12285, 12287,     1, 12285,     2,
+		    0,     1, 12287,     1,     4,     3,     1, 12287,     0,     5,
+		    1, 12288,     2,     1,     1,     4,     3, 12286,     3,     3,
+		    2, 12287,     3, 12286,     0, 12288, 12285,     2,     3, 12286,
+		    0, 12287,     5,     4,     1,     1, 12287, 12288,     2,     0,
+		    0,     0,     2,     0, 12286,     4, 12288, 12288, 12285, 12286,
+		    2, 12288, 12288,     0, 12288, 12286, 12284, 12287,     1,     5,
+		    0, 12285, 12287,     2,     4,     3, 12285, 12287, 12288,     0,
+		12288, 12287, 12286,     2, 12288, 12286, 12284,     1,     2, 12287,
+		    4,     1,     4,     4, 12284,     2,     0, 12288,     3,     1,
+		    0,     4,     1,     6,     0, 12286, 12288, 12287, 12287,     0,
+		12284, 12285,     2, 12286,     1,     0,     3, 12288,     1,     2,
+		12284, 12286, 12285, 12283, 12285,     0, 12285,     2,     0,     2,
+		    1,     3,     1, 12286, 12288,     1,     4,     0,     0, 12287,
+		12287, 12286,     0,     1, 12286,     0,     2, 12288,     2, 12287,
+		    0,     0, 12286, 12287,     4,     6, 12286,     0, 12288,     0,
+		    0, 12287,     2,     3,     4,     1,     3, 12286,     4,     0,
+		12288, 12286, 12287, 12287, 12288,     4, 12285,     1, 12286, 12286,
+		    2, 12288,     0,     0,     1,     5, 12285,     1, 12281,     3,
+		12281,     2,     3,     0, 12284, 12288,     5,     0,     0, 12288,
+		    0,     0, 12288, 12286,     3, 12287,     0,     2, 12288,     0,
+		    3, 12288, 12286,     0, 12286, 12287, 12284,     0, 12286,     1,
+		12287, 12282, 12287, 12288,     0,     5, 12288,     2,     1, 12288,
+		    1, 12285,     5,     2, 12286, 12285, 12287,     0,     2, 12288,
+		    1, 12288,     1, 12286,     0,     2, 12287, 12287,     6, 12286,
+		12288,     0, 12286,     4,     6, 12287, 12287,     2,     2, 12285,
+		    1, 12288, 12285, 12286,     5, 12288,     1,     2,     1,     7,
+		12286,     5, 12288, 12287, 12286, 12284,     1,     2, 12287,     4,
+		    1,     1,     0,     1,     2, 12285,     2, 12288, 12284,     1,
+		    1, 12287, 12286, 12285, 12287,     1, 12287,     3,     1, 12286,
+		    0, 12286,     3,     3, 12288,     2, 12288,     5, 12288,     1,
+		    2,     0, 12287,     1, 12287,     7,     2,     3,     0, 12287,
+		    2, 12284, 12284, 12281, 12286, 12285, 12287, 12287,     0, 12288,
+		    3,     4,     3,     2,     3,     1, 12288, 12286,     0, 12288,
+		12286,     1, 12286,     6, 12287,     1,     6,     5,     3,     1,
+		12286,     2,     1,     3,     1, 12286, 12285,     3,     2,     0,
+		    0, 12284,     1,     1,     3,     3,     1,     1, 12288,     0,
+		12284,     1, 12288,     0,     0, 12287,     0,     4, 12285,     0,
+		    4, 12283,     1,     1,     0, 12285,     0, 12286,     0,     0,
+		    1,     0, 12286,     0, 12288,     3,     4,     0,     2,     1,
+		12287,     2, 12288,     1,     0, 12288,     0, 12288,     6, 12288,
+		12287, 12286,     3, 12284,     0, 12288, 12284, 12286, 12287, 12288,
+		12288, 12288,     4,     0,     2,     6, 12286,     1,     4, 12288,
+		    2,     1,     0,     5,     2,     1, 12285,     0,     0, 12285,
+		    4, 12286,     5,     1,     3,     2, 12287,     2,     0,     2,
+		    7, 12283, 12288, 12288,     3,     0,     3, 12288,     3, 12286,
+		12288, 12287, 12288,     3,     0,     2,     4,     1, 12284,     2,
+		12288, 12286, 12287,     1,     1, 12288,     0, 12288, 12283,     6,
+		    2,     1, 12288,     3, 12287, 12288,     1,     1, 12285,     0,
+		12286, 12287, 12288,     1,     2, 12287,     0,     4,     0, 12286,
+		    2,     1, 12288, 12285, 12287,     0,     2, 12287,     6,     2,
+		    0, 12287, 12288,     2, 12288, 12284, 12288, 12285,     4,     1,
+		12288, 12284, 12287,     4, 12284,     1,     3, 12284, 12282,     0,
+		12286, 12287,     2, 12286,     3,     4,     2, 12288,     3,     3,
+		    1,     3, 12287, 12283 } 
+	},
+	{ 0x01, 0x01,	/* polynomial e' */
+	  { 0x58, 0xd8, 0x6a, 0xcd, 0xe2, 0x79, 0x61, 0x98, 0xfd, 0xea,
+		0xcf, 0x2a, 0xc0, 0xfd, 0xf0, 0x72, 0x86, 0x32, 0xdc, 0xe9,
+		0xc6, 0x45, 0x81, 0x80, 0x67, 0x06, 0x72, 0x28, 0xa6, 0xfe,
+		0x41, 0x2b, 0x78, 0x88, 0x58, 0x6d, 0x58, 0x47, 0x3e, 0xb7,
+		0x46, 0x60, 0xd8, 0x2f, 0xa0, 0x83, 0xe4, 0xbc, 0x81, 0xdd,
+		0xc6, 0x29, 0x8b, 0xee, 0xf9, 0xec, 0x90, 0x39, 0x9d, 0x46,
+		0xbf, 0x2d, 0x7c, 0xdf }, 
+	  { 12287,     3,     3,     1, 12285,     4,     1,     5, 12287, 12285,
+		12285, 12285,     1, 12288, 12287, 12288,     2,     3, 12283, 12288,
+		12285,     0,     0, 12286, 12287, 12288, 12288, 12288, 12288,     1,
+		12288,     2,     2,     5,     5,     0, 12287, 12286,     3,     3,
+		    2,     2,     1,     0,     2, 12287, 12285,     3,     1,     3,
+		    5,     2, 12287, 12287,     2,     0,     4,     2,     0,     0,
+		    1,     5, 12288,     6,     4, 12287,     1,     0, 12283,     0,
+		    1, 12286,     2,     0,     2,     1, 12284, 12282,     0,     6,
+		    1,     2,     5, 12288,     6, 12288, 12284,     2,     1,     2,
+		12288, 12283, 12288,     3, 12288, 12288,     2, 12286, 12283,     1,
+		12285,     0,     0, 12286, 12288, 12286, 12288, 12286,     4,     0,
+		    1, 12285,     3,     1,     2, 12285, 12287, 12284, 12287, 12285,
+		12286,     1, 12288,     3,     5,     5,     3, 12285, 12286, 12288,
+		    0,     1, 12287, 12284,     2,     4, 12288, 12287,     0, 12288,
+		12288, 12285, 12288, 12284,     3,     0,     2,     0,     2,     0,
+		    1,     1,     1, 12287,     1, 12284, 12285,     0, 12284,     1,
+		12284,     2, 12288,     5,     4,     1,     1, 12284,     1,     3,
+		    2,     6,     3,     2,     3, 12284,     0,     0,     4,     2,
+		    6,     2,     2,     2,     6, 12288,     0,     1, 12286,     1,
+		    5,     1, 12283,     2,     0, 12284,     1, 12286,     4,     1,
+		    2,     4,     6, 12288, 12288, 12284,     1,     0,     3, 12286,
+		    1,     0,     3, 12288, 12287,     2,     2,     0, 12285, 12286,
+		    0, 12288,     4,     2, 12282, 12287,     1, 12288, 12287, 12286,
+		12284,     1,     4,     2,     7, 12288, 12283, 12288,     5, 12288,
+		12288, 12287,     3,     2, 12287,     5, 12287, 12286, 12288, 12287,
+		    0, 12282, 12288, 12288,     0,     3, 12287,     2, 12287, 12284,
+		    6, 12285,     2,     3,     3, 12284,     2,     4, 12286,     5,
+		    0,     2, 12287,     3,     0, 12284, 12286,     0,     2, 12286,
+		12287,     3,     1,     4,     1, 12286, 12288,     1,     2,     0,
+		12285, 12287,     2,     0,     0,     0,     3, 12286, 12287,     2,
+		    0,     0,     0, 12286,     4,     1, 12287,     0,     0,     2,
+		    5,     0, 12284,     1,     1, 12288,     2, 12286, 12288,     2,
+		    2, 12282,     1, 12286,     4, 12286,     3, 12287, 12287, 12286,
+		    5,     5,     0, 12288,     3, 12285,     1, 12287,     7, 12286,
+		    2, 12287,     1, 12285,     2, 12287, 12288,     0,     4, 12281,
+		    0, 12286,     3,     1, 12285,     2,     2, 12285,     5,     0,
+		12285,     2, 12288,     1,     3, 12287,     1, 12288,     1,     5,
+		12287,     1,     0,     3,     2, 12286, 12286, 12288,     3,     0,
+		12287, 12288,     0, 12286, 12285,     0, 12286, 12288,     3, 12287,
+		12288,     2,     6,     0,     2, 12285,     1,     1,     7,     7,
+		12284, 12284,     5,     0, 12288, 12288,     4,     3,     1,     2,
+		12287,     0, 12288, 12284,     2,     5,     1,     2,     0, 12288,
+		    1, 12284,     2,     3,     0, 12287, 12285,     2, 12288, 12288,
+		    7,     1, 12287,     1, 12286,     2,     3,     4, 12288, 12288,
+		12286, 12286,     3, 12288,     1, 12286, 12286,     0, 12283, 12288,
+		    2,     0,     7,     2, 12287,     0,     0, 12286,     4,     1,
+		12288, 12288,     1,     2, 12287, 12282,     3,     5,     0, 12288,
+		12288, 12286, 12286, 12286,     4,     2,     0,     1, 12284,     3,
+		12283,     5, 12287,     2,     2, 12288,     1, 12284,     1,     0,
+		    1,     3, 12288,     2, 12287,     1, 12286, 12288,     0, 12287,
+		12288,     2,     2, 12286,     0, 12287, 12288, 12284,     0,     2,
+		    2,     2,     1,     3, 12285, 12285,     1, 12285,     2,     6,
+		    2,     0, 12288,     0,     0,     3,     2, 12287,     1, 12286,
+		    0, 12287,     0,     1, 12285, 12287,     6, 12288,     2,     0,
+		12286,     2,     4, 12288,     2,     5, 12285, 12286,     0, 12284,
+		12288,     3,     3,     3, 12287,     4,     2,     0, 12283,     2,
+		12287,     0,     1, 12287,     2, 12288, 12287,     3,     2,     7,
+		    7,     1, 12287, 12288,     2,     6,     1,     3,     2,     0,
+		    2,     2,     3, 12288,     3,     4,     2,     0,     5, 12285,
+		    3, 12285,     3, 12285,     1,     1, 12287, 12285,     2, 12285,
+		    5,     0,     7,     2, 12284,     0, 12285,     7,     1, 12288,
+		12288,     0, 12288, 12287,     5,     0,     2,     0,     2, 12286,
+		    1, 12286,     0, 12286, 12285,     4, 12286,     2, 12288, 12287,
+		12287,     1, 12286, 12287, 12287, 12286, 12287, 12288,     6,     5,
+		    2,     5, 12283, 12286, 12286, 12288,     1,     0,     3, 12286,
+		    5,     0, 12287, 12288, 12288, 12287, 12286,     2,     1,     0,
+		    1,     2,     3,     1, 12286,     2,     1,     6, 12288,     1,
+		12286,     1, 12288,     0,     1,     0, 12283,     0,     2, 12288,
+		    3,     1, 12287, 12288,     4,     0,     3, 12286,     0,     1,
+		12283,     4,     1,     4, 12287,     5,     0, 12287, 12288,     3,
+		    3, 12282,     1,     4,     2,     3,     0,     2,     6, 12282,
+		12285, 12288, 12287, 12288,     2, 12285,     1,     0, 12287, 12288,
+		12286,     0,     0,     4, 12288, 12287,     1,     0,     2,     5,
+		    2, 12287,     1,     7, 12284,     0, 12287, 12286,     2,     1,
+		12287,     0,     1, 12284, 12287, 12287, 12285, 12285,     3, 12282,
+		12286,     1,     1, 12288, 12282, 12287,     1,     1,     2,     2,
+		    3,     1, 12287,     5, 12282,     0,     0, 12287,     1,     3,
+		12288,     3, 12285, 12286,     2,     0, 12288, 12288,     5, 12285,
+		    4, 12288, 12287,     0,     1,     4,     1,     2, 12288,     0,
+		    2,     1, 12288,     4,     6, 12288,     1, 12287,     4,     1,
+		12285, 12288,     3,     0, 12288, 12285,     2,     0, 12286,     2,
+		    1, 12288,     1, 12288, 12284,     3,     0,     2,     2, 12288,
+		12287, 12286,     4, 12288,     2,     0,     0,     3,     4,     0,
+		12288, 12282,     6,     2, 12283, 12287,     2,     6,     1,     2,
+		12288,     2, 12283,     3, 12287,     3,     4,     0,     0, 12285,
+		    0, 12288, 12287, 12284, 12286,     3,     1, 12286,     2,     0,
+		12287, 12286, 12286, 12288,     5,     2, 12288, 12286,     0, 12287,
+		    0,     3,     2, 12287, 12286,     0,     1, 12287,     2,     0,
+		12286,     5, 12285, 12288, 12288, 12288, 12286,     4,     1, 12285,
+		12284, 12288, 12286,     1,     1, 12287,     2, 12286,     3,     2,
+		12283, 12283,     4,     2, 12283,     5,     0,     1,     0,     5,
+		12287,     1,     1,     0,     3,    10, 12287,     3, 12288, 12288,
+		12287,     2,     2,     0,     4, 12288, 12283, 12288,     1, 12287,
+		    3,     0,     0,     1, 12288, 12284,     0, 12286, 12287,     0,
+		12287,     2,     1,     7, 12288, 12287,     0,     4, 12287, 12286,
+		    3,     4, 12287, 12288, 12285, 12287, 12288, 12285, 12286,     7,
+		    1,     1, 12288,     3, 12287,     3,     1,     4,     2,     5,
+		12282,     3,     0, 12286, 12288,     0, 12285,     0,     2,     3,
+		    0, 12286,     3,     2, 12285,     0,     0, 12287,     1,     0,
+		    0,     6,     2, 12287, 12284,     7,     5,     0,     1,     6,
+		    2,     4,     1, 12286, 12288,     2, 12287,     3,     4, 12283,
+		    0, 12288,     2,     2, 12286,     0,     2,     2, 12288, 12285,
+		12287, 12285, 12288,     0 }
+	},
+	{ 0x01, 0x02,	/* polynomial e'' */
+	  { 0x20, 0x37, 0x77, 0x8a, 0x9c, 0x19, 0xde, 0xf0, 0x65, 0x9e,
+		0x0f, 0xa5, 0xfc, 0x0e, 0x78, 0xfe, 0x55, 0x89, 0xc9, 0x88,
+		0x41, 0xa2, 0x5a, 0x1e, 0xa4, 0x66, 0xcd, 0x3a, 0x29, 0x42,
+		0xd1, 0x25, 0xf2, 0x84, 0xd7, 0xee, 0xd5, 0x53, 0x86, 0x5b,
+		0xa3, 0x93, 0x4e, 0xee, 0xc7, 0x5b, 0xe5, 0x52, 0x68, 0x19,
+		0xdf, 0x63, 0xfb, 0x91, 0x3d, 0xe9, 0x5d, 0xd6, 0xeb, 0x81,
+		0x3d, 0xac, 0xf1, 0xad }, 
+	  { 12286, 12286,     1, 12287,     1, 12286, 12287, 12287, 12284,     1,
+		12287,     2, 12284,     0,     2, 12288,     0,     1,     0, 12285,
+		12288,     4,     2, 12287, 12282, 12288, 12285, 12288,     2, 12288,
+		    6,     7, 12286, 12286,     1,     4, 12287, 12287,     3,     1,
+		    3,     3,     2, 12285,     0,     1, 12288,     1,     1, 12287,
+		    0,     0,     1,     0, 12287, 12283, 12283, 12288, 12287,     0,
+		    0,     2, 12286,     3,     3,     0, 12286, 12282,     3,     6,
+		    3,     3, 12285,     1,     1, 12288,     1,     0, 12288,     0,
+		12287,     4,     1,     0, 12285, 12288,     1,     1,     1,     3,
+		12286,     0, 12288,     0, 12287, 12287,     3,     5,     1, 12287,
+		12287,     0,     0,     0, 12283,     0,     0, 12288,     0, 12287,
+		12286, 12284, 12286,     0, 12286,     3,     5, 12287,     0, 12287,
+		    1,     3,     2,     6,     1, 12287,     1,     1, 12285,     4,
+		12282, 12288, 12288,     3,     2, 12287,     3,     3, 12288, 12286,
+		    2,     5, 12288, 12287, 12288,     3,     0, 12283,     3,     3,
+		    1,     0, 12288,     2,     2, 12287, 12286,     4, 12287, 12288,
+		    0,     0, 12286,     1,     4,     4, 12286, 12287,     4, 12288,
+		    2,     1,     1, 12288, 12287,     3, 12287, 12286, 12285, 12288,
+		    4,     1,     0, 12287,     3, 12286, 12287,     4,     0, 12287,
+		12286, 12287,     3,     1,     1, 12285, 12287,     0, 12285,     2,
+		    5,     2, 12285,     3,     2, 12285, 12287,     2,     0, 12288,
+		    2,     5,     2, 12283,     1,     1,     0, 12286, 12288,     3,
+		    1, 12286, 12283,     0,     1,     2,     2,     1, 12287, 12287,
+		    4,     4,     1,     0,     0, 12288, 12287, 12284, 12284,     7,
+		    0, 12288,     5,     4, 12288, 12288,     1,     0,     1,     1,
+		    2, 12288, 12288,     5,     1,     0, 12287,     3,     3,     0,
+		    1, 12288, 12288,     3, 12285, 12288,     3,     5,     4,     1,
+		12285, 12285, 12288, 12285, 12288, 12285,     4,     1,     3, 12285,
+		    4,     0, 12288, 12286,     5, 12287, 12285, 12288,     4, 12288,
+		    0, 12287, 12286,     0, 12286, 12283,     0, 12287, 12284,     1,
+		12288, 12288,     3, 12286,     1,     2, 12286,     3,     1, 12285,
+		12286, 12285,     0, 12285, 12288,     0,     2, 12283,     0,     1,
+		    2,     1,     2,     3,     3, 12285,     0,     0,     0, 12288,
+		12283,     4, 12286,     2,     1,     3,     3, 12284,     2,     4,
+		    3, 12286, 12282, 12286,     0, 12286, 12287,     3, 12288, 12288,
+		    2, 12287, 12286,     3,     0, 12286,     1,     1,     0, 12287,
+		    2,     0,     0,     1, 12286,     1,     0, 12283,     0, 12288,
+		    2,     5, 12288, 12287,     2,     1, 12288,     2,     2,     5,
+		    2, 12286, 12286,     2, 12284, 12287,     0, 12284,     0, 12284,
+		12286, 12286, 12288, 12287, 12287,     2,     1, 12287, 12287,     1,
+		    5,     0,     0, 12288,     2, 12285,     6,     2, 12288, 12288,
+		12286,     2, 12285,     0,     0,     0, 12288,     3, 12286,     1,
+		    1,     0,     3,     0, 12286, 12288, 12287,     3,     2, 12287,
+		12288,     1, 12288, 12282,     2,     0, 12288, 12286, 12285, 12281,
+		    4,     1,     7, 12283, 12287, 12288,     1,     6,     0, 12288,
+		    5,     1,     1, 12286, 12286,     0, 12287, 12285, 12287,     1,
+		12288, 12286, 12286, 12288,     2, 12287, 12287, 12288, 12286, 12288,
+		12282, 12284, 12286,     0, 12285, 12285,     3, 12288, 12287, 12288,
+		    2,     0,     2,     0, 12288, 12286,     3, 12288, 12286, 12287,
+		    1,     1,     1,     0,     5,     5, 12285, 12288,     3, 12286,
+		    1,     2, 12285,     1,     4, 12288,     1,     4,     1,     3,
+		    4, 12286,     0,     7,     2, 12288,     2, 12287,     0,     2,
+		12283, 12286,     0, 12288, 12286,     4,     1, 12284,     7, 12285,
+		    0, 12284, 12287,     0,     0,     3,     4, 12284,     0,     1,
+		    0,     1, 12285,     1, 12286, 12284, 12287,     0,     7,     1,
+		    4, 12282, 12288,     0,     2, 12285, 12288, 12287, 12287, 12283,
+		    0,     1,     3, 12285, 12286,     3, 12288, 12288, 12284, 12286,
+		12288,     1,     0,     2, 12287,     0, 12286,     4, 12288,     0,
+		12284,     0,     0,     2, 12286,     0,     0, 12286, 12287,     1,
+		12288,     0, 12284,     1, 12288, 12288,     1,     1, 12282, 12284,
+		12288, 12285, 12285, 12288,     1, 12286,     2,     0,     0, 12284,
+		    2, 12288,     0,     0, 12285,     0,     3,     0,     0, 12285,
+		12286,     5,     3, 12287,     5,     2, 12287,     0,     1, 12286,
+		12287,     1, 12286,     1, 12288,     0,     0, 12282,     5, 12282,
+		12287, 12288, 12287,     1,     0,     3,     4,     6,     1,     1,
+		12287, 12284, 12286, 12287, 12286,     2,     1, 12288,     3,     0,
+		    3,     0, 12286,     1,     0, 12288,     1, 12284,     4,     0,
+		    4, 12288,     1,     4,     1, 12286,     4,     0,     2,     1,
+		    1,     4, 12287,     2,     1, 12288,     4,     3,     2, 12287,
+		    0,     1, 12287,     1, 12285, 12286,     2,     2,     0, 12286,
+		12287,     0, 12288, 12285,     5, 12288,     0,     0, 12288,     3,
+		12288,     0,     4,     0, 12288, 12286, 12287,     0,     0,     2,
+		12283,     0, 12281,     1,     1,     3,     4,     2, 12284,     5,
+		12288,     2,     3,     4, 12287,     3, 12288, 12287, 12288,     2,
+		12286,     2,     0, 12286, 12286,     5, 12288,     2, 12288,     7,
+		12286, 12286,     4, 12288, 12288, 12288,     5, 12287,     7, 12286,
+		12282,     2, 12284,     0, 12288,     0,     2, 12283,     2,     5,
+		    4,     1, 12288, 12283,     5, 12288, 12288,     0,     0,     0,
+		    6,     1, 12286,     6,     4, 12287,     2, 12288, 12287, 12286,
+		    4,     5,     0,     1,     2,     1,     4, 12286,     1,     2,
+		    1,     1,     0, 12288, 12282,     1,     1,     3, 12284, 12288,
+		    0, 12287,     1, 12286, 12288,     6,     1,     5, 12287, 12285,
+		    2, 12288, 12288, 12284,     0, 12287,     2,     3,     5,     1,
+		12286,     1, 12287,     0, 12284,     1,     5, 12283,     1,     1,
+		12287, 12283, 12288,     0, 12287,     3,     0, 12288, 12286, 12287,
+		    8,     0,     0, 12288,     1,     3,     2,     3, 12287,     9,
+		    2,     3,     4, 12288,     3,     0, 12288, 12283,     0,     0,
+		    2,     4, 12287,     2, 12287, 12286, 12287,     2, 12287,     2,
+		    3,     1,     3,     1,     0,     1,     1,     5,     3, 12285,
+		    1, 12281, 12287, 12286,     1,     4, 12287, 12286, 12285,     4,
+		    2,     0, 12288, 12288, 12286, 12287, 12288,     1,     3,     4,
+		    0,     1, 12285,     4,     3, 12284,     1, 12288, 12285, 12288,
+		    0, 12281, 12288, 12285, 12285,     1, 12284, 12286, 12287,     0,
+		    0, 12287,     1, 12282,     4,     4, 12288,     1,     4, 12286,
+		    5,     4,     1,     5,     3,     1,     0,     6, 12288,     0,
+		12288,     2, 12286, 12287,     6,     0, 12288,     0, 12287,     1,
+		    4,     0, 12282,     4,     1, 12286,     1, 12282,     3, 12285,
+		12283, 12286, 12288,     4, 12284, 12286, 12286,     0, 12286,     0,
+		    0,     1, 12286,     1,     1,     4, 12284,     0,     3,     2,
+		12288,     1,     2, 12287,     2,     1, 12288,     0,     1,     2,
+		12286,     0,     6, 12285,     0,     1,     4,     0,     0,     3,
+		    2, 12287, 12285,     7,     1,     3,     1,     0, 12286, 12288,
+		    0, 12287,     1, 12286 }
+	}
+};
+
+START_TEST(test_newhope_noise_uniform)
+{
+	newhope_noise_t *noise;
+	uint8_t seed_buf[seed_len], *uniform;
+	chunk_t seed = { seed_buf, seed_len };
+
+	memset(seed_buf, 0x00, seed_len - 1);
+	seed_buf[seed_len - 1] = noises[_i].key;
+
+	noise = newhope_noise_create(seed);
+	ck_assert(noise != NULL);
+	uniform = noise->get_uniform_bytes(noise, noises[_i].nonce, 64);
+	ck_assert(uniform != NULL);
+	ck_assert(memeq(uniform, noises[_i].uniform, 64));
+	free(uniform);
+	noise->destroy(noise);
+}
+END_TEST
+
+START_TEST(test_newhope_noise_poly)
+{
+	newhope_noise_t *noise;
+	uint8_t seed_buf[seed_len];
+	uint32_t *poly;
+	int i;
+	chunk_t seed = { seed_buf, seed_len };
+
+	memset(seed_buf, 0x00, seed_len - 1);
+	seed_buf[seed_len - 1] = noises[_i].key;
+
+	noise = newhope_noise_create(seed);
+	ck_assert(noise != NULL);
+	poly = noise->get_binomial_words(noise, noises[_i].nonce, n, q);
+	ck_assert(poly != NULL);
+	for (i = 0; i < n; i++)
+	{
+		ck_assert(poly[i] == noises[_i].poly[i]);
+	}
+	free(poly);
+	noise->destroy(noise);
+}
+END_TEST
+
+static size_t seed_lengths[] = { 0, 1, 31, 33 };
+
+START_TEST(test_newhope_noise_fail)
+{
+	newhope_noise_t *noise;
+	chunk_t seed;
+
+	seed = chunk_alloc(seed_lengths[_i]);
+	memset(seed.ptr, 0x00, seed.len);
+
+	noise = newhope_noise_create(seed);
+	ck_assert(noise == NULL);
+	chunk_free(&seed);
+}
+END_TEST
+
+Suite *newhope_noise_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("newhope_noise");
+
+	tc = tcase_create("noise_uniform");
+	tcase_add_loop_test(tc, test_newhope_noise_uniform, 0, countof(noises));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("noise_poly");
+	tcase_add_loop_test(tc, test_newhope_noise_poly, 0, countof(noises));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("noise_fail");
+	tcase_add_loop_test(tc, test_newhope_noise_fail, 0, countof(seed_lengths));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_reconciliation.c b/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_reconciliation.c
new file mode 100644
index 0000000..4432e34
--- /dev/null
+++ b/src/libstrongswan/plugins/newhope/tests/suites/test_newhope_reconciliation.c
@@ -0,0 +1,344 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <newhope_reconciliation.h>
+
+#include <library.h>
+
+static const uint16_t n = 1024;
+static const uint16_t q = 12289;
+
+static uint32_t r_v[] = {
+	 7832,  2714,  1942, 12135,  6869, 11272, 11601,  1783,  9639,  1465,
+	 4603,  8158,  1418,  6162,  3907,  6653,  1091,  3026,  4540,  4797,
+	 2751,    29,   768,  5580,  1304,  5262,  1644, 11294, 12257, 10466,
+	  170,  8458,  7185,  6850,  8790, 11277, 10980,  5507, 10693,  9766,
+	 7230,  3980,   796, 11125,  8042,  9022, 10207,  7577,  5041,   192,
+	10308,  7905,  8520,  3814,  3372, 11772, 11290,   418,  2744,  4782,
+	 3072, 10921, 10721,  6100,  1021,  7943,  7426,  2142,  6618,   757,
+	 5033,  9336,  9332,  3410,  6613, 11776,  1525,  9567,  5371,  1290,
+	 3685, 11054, 11228, 10703,    70, 11215,  8992,  2855,  2962, 10104,
+	10083,  8146,  7599,  3428,  4316, 10056,  1245,  9776,  7867,  1381,
+	 6540, 11273,  6626,  3708,  5348,  4521,  3760,  1771, 12037,  2681,
+	 3044, 10226,  5133,  5013,  7851,  7187,  1965,  6776,   223,  3003,
+	 4800, 10128,  9592,  8917, 10664,  7076,  2081,  5621,  2694,  8245,
+	10979,   929, 10593, 10429,  6890,  6222,  5891,  6633, 12124,  1508,
+	  508,  9650,  2480, 10302,  3958,  4519,  5309,  8675,  6963,  5281,
+	 8265,  4851,  7173,  2537,  1176,   259,  6422,  6782,  1429,  7231,
+	 4948,  8137, 11341, 12090,  5395,  8087,  3098,  6724,  7462,  9973,
+	  149,  7331,   562,  9753,  1227,   768,  7520, 12107,  6199,  6503,
+	 9876,   306,  3876,  1903,  6306, 10288, 10184,  9401,    68,  5246,
+	  630, 10136,   133, 12082,   648,  8537,  3896,  4482, 12011,  5407,
+	 5305,  4301,  6551,   714,  5902, 11915,  3121,  5428,  5441,  5140,
+	10139,  2091,   875,  9478, 11576,  8663, 10514,  1018,  8780,  6445,
+	 2501,  4204,  1276,  7474, 10594,  3808,  4367, 11469,  4875,  1899,
+	 9136,  1507,  6235,  6367,  3851,  7341,  9925,  4629,  9588,  3150,
+	 4739,  6109,  4850,  9944, 11565,  4995,  8383,  9623,  6248,  3020,
+	 1730,  3368,  3431,  8617,  6478,  7182,  8720,  1927,  6493,  9285,
+	 9779,  2800,  3730,  1754,  3772,  3124,  7569, 10008,  9240,  2493,
+	 4402,  5851,  2050,  8630,  5054,  8421,  1536,  7671,  5467,  9075,
+	 5881,  4355,  4554, 11354,  4048, 10335, 11033,  4252,  2558,  4363,
+	10448,   327,  1675,  4755,  8227,  7705,   398, 10398,  9913,  4129,
+	 6571, 10743,   280,  6634,   796,  7264,  3916, 11349,  1415,  1187,
+	  692,  9980,  1647,  4267,  1001, 12229,  6040,   268,  1308,   531,
+	 3141,  7209,  1941,  4684, 10261,  1415,  8381,  4919, 11450,  1494,
+	 8237, 11023,  3380,  4448, 10101,  9232, 11040,  7799,  4958,   741,
+	 2234, 10436, 11442,  5073,  2908,  2355,    31,  7222,  5457,  3746,
+	 8920,   122,  8960,  5708,  1750, 11161,  4847,  3199,  7954,  2151,
+	 9419, 11678,  8997, 12016,  9690,  9605, 10718,  3735,  1617,  9574,
+	10384, 11604,  9311,   687,  7145, 11891,  6529,  5052,  1342,  8735,
+	 7644,  6062,  6338,  8563,  2502,  5284,   220,  5224,  3771, 11067,
+	11609,  2972,  3799,  2566,  7488,  6369,  7704,  6095,  3598, 12112,
+	 8545,  2026,   746,  3206,  2814,  8740,  1491,  5950,  8413,  4043,
+	12036,  6082,  4131,  1941,  6942,  9396, 11267,  8912,  7344, 10371,
+	 9205,  9520, 12038,  4345,  8024, 10999,  8408,  4673,  6682,  8893,
+	 8668, 10099,  7658, 11896,  4276,  2042, 10707,  9793,  3152, 11961,
+	 3269,  5512,  5736,  5938,  9457, 10439, 10777,  6656,  3174,  9043,
+	 6046,  2519, 11912,  5244,  6214,  2071, 11317,  5285,   891,  6184,
+	 3819,  1563,  1474,   654,  5147,  2380, 10760,  4816,  3378,  1414,
+	 7784, 10067,  1809,  6320,  4789,  9359,  2747,  9424,  9074,  9473,
+	 3300,  6244,   104,  7612,  1105,  4276,   573,  1988,   923, 12047,
+	 7948,  4860,  3949,  4971,  6956,  2831,  2034,   289, 10946,  6970,
+	 3191,  5122,  2175,  1300,  6198,   256,  6433, 11646,  9119,  9723,
+	 1046,  5967,  1124,  6449,  2817,   692,  4649,  3089,  5050, 11261,
+	 2220,  3052, 12012, 10110,  1394,  2877, 10089, 11696,  4462,  5504,
+	   66,  2500,  5384,  7461,  5712,  8649,  9536,  7670,  2385,  3469,
+	  782,  2876,  7772,  6118,   142,  5396, 10951, 10556,  3450, 10602,
+	 1604,  7909,  3323,    39, 10258,  2262,  7113, 11313, 10203, 10846,
+	 9275,  4316,   965,  6006,  4458,  7926,  3171,  1797,  4659,  5336,
+	 5543,   250,  9230, 10720, 11970,  4511,  4311, 11763,  1283,  4044,
+	 2643,  3744,  4490,  5984,  8868,  8760, 11738,  6037,  9164,  7601,
+	 7544, 11117,  7322,  2081,  4034, 10791, 11491,  7027,  1615,  5338,
+	 8528,  3424,  2126,   927,  1650,  6068,  3812, 10958,  7574, 11032,
+	 6954,  6132,  2598,  9458, 11346,  1974,  3273,  1040, 10331,  8587,
+	11017,  6864,  8246,  5328, 11330,  6779,  8761,  4342,  4595,  8610,
+	  161,  4622,  6411, 10708,  7896, 11431, 12097,  9500,  3376,  9561,
+	10730,  2248,  3069,  1434,  8838,   566,  6397,  5881,  4956,  4203,
+	 8362,  6047,  3484,  4784,  9901,  8989,   862,  8817, 12186,  9876,
+	 9748,  1905,  5696,  9028,  5721,  2940, 10235,  2326,  2134,  6167,
+	 1019, 10851,  1253,  5588,  9149,  6532,  3959, 11598,  4068,  3299,
+	 8264,  9787,  7089,  2829,  6755,  6156,   455,  5900,  2839,  5921,
+	 2140,  7428,  2688, 11175,  9247,  6727, 11711,  1762,  6244,  3336,
+	 2308,  9922,  7883,  7007, 10890,  7013,  8452,  2743,  1482,  6927,
+	 7846,  6128,  5114,  4868,  7487,  4584,  6785,   460,  6747,  8894,
+	 9855, 12242,  3365,  1450,  6614,  3974,  5200,  3247,  2779,  8695,
+	  828, 10940,  2304,   376,  3027,  3898, 10351,  1879, 10262,  2512,
+	 5487,  4280, 10297,  8480,  9481,  7905,   197,  8361,  4927,   705,
+	 9671,  6722,  2589,  8772,  1078,   333,  8696,  6267,  7420,  4471,
+	 8994,  5038,  5318,  1846,  2574,  8779, 10724,   825,  7399,  7073,
+	 4422,  8385,  5171,  8849, 11344, 10735,  8483,  2241, 11738,  6581,
+	10699,  2777,  6531,  4678,  7608, 10871,  3501,  9239,  7252, 11828,
+	 7873,  9606,  4526,  5958,  8505, 11233,  9638,  2421,  5652,  3095,
+	 9049, 11347,  6274,  1405, 11114, 11208,  5703, 10774,  3011, 11633,
+	 5741,  9601,  5507,  4527,  3501,  5707,  8698,   178, 12091,   325,
+	 6056,   635,  3772, 12169, 10509,  6528,  3573,  3675,  3389,  3161,
+	 1148,  2687,  3509,  6639, 10452, 11804,  5355,  1085,  9580,  7106,
+	 1396,  8279,  4881,  3402,  7803,  8801,  6142,  7623,  4386,  9291,
+	 1502,   500, 11809,  6655,  2674, 10061,  1650,  5422,  8936, 10011,
+	 1193,  9619,  1435,  8285,  4038,  9984,  9732,  4477,  1251,  7106,
+	 7817, 10062,  3378,  5608,  2395,  2563,  1957,  3768,  4160,  7267,
+	11631,  2171,  4771,  6927,  4330, 10482,  6204, 11022,  7895,  1924,
+	 3648,  1991,  6628, 10136,  2916,  5416,  7827,  1479,  2312,  9991,
+	 7915,  5431, 10911, 10979,  4527,   436, 10521,  5725,  2201, 10198,
+	  662,  1691,  8867, 10008,  9359,  5291,   567,  5725, 10329,  4772,
+	 2813,  7323,  5646,  1861,  9922,  1831,  9356,  1219,  4107,  9999,
+	 4569,  9092,   833,  1602,  4258,  1443,  1484,  4036,  5415,  3767,
+	 9992,   412,  9343,  2251, 10513,  9067,  1494, 11893,   744,  1978,
+	11259,  3614,  7459,  5254,  4232,  5148,  4119, 11550,  6425,  4933,
+	 4292, 10521,  9657,  9632,  4613,  7738,  5561,  8806,  3501,  3731,
+	11329,  2693, 11581,  6393, 10176, 10773,  1790,  1809,  9186, 12085,
+	 5418,  7223,  1077,  1527, 10917,  4236,  7668, 11754,  6655,  7696,
+	 1809, 11512,  3618,  5857,  7512,  1044,  7970,  6825,  4897,  2870,
+	  126,  8619, 10445,  3883,  4238,  4051,   399,  1580,  9893, 11046,
+	 2955,  6520,  5435,  1891,  1254, 12135,  4122, 10512, 11960,  6196,
+	 3443, 10118,  1689, 10877
+};
+
+static uint32_t i_v[] = {
+	 8355,  2010,  1416, 12110,  6361, 11296, 11668,  1446,  9822,   947,
+	 5422,  8211,  1824,  6158,  3458,  6435,   685,  2707,  4804,  4929,
+	 3204, 12158,   674,  5703,  1125,  5085,  1358, 10956, 12216, 11164,
+	12112,  8359,  7018,  7038,  9099, 11789, 10574,  5991, 10736,  9335,
+	 7898,  4429,   587, 11156,  7912,  9063,  9673,  6792,  5530,   648,
+	10203,  7284,  7935,  4177,  3514, 11488, 10998, 12254,  2913,  4827,
+	 2446, 10965, 10718,  5569,  1023,  8150,  7440,  1928,  6384,   802,
+	 4726,  9738, 10374,  3842,  6761, 11788,  1133,  9413,  5818,  1099,
+	 3710, 11315, 11667, 10285, 12431, 11195,  9193,  2842,  2267,  9902,
+	10076,  7409,  6751,  3748,  4487,  9961,  1547, 10060,  7443,  1276,
+	 6827, 10798,  6323,  4038,  5508,  4006,  3300,  1774,   255,  2688,
+	 3238, 10275,  4911,  5648,  7842,  7506,  1769,  6425,   195,  3176,
+	 4455, 10337,  9451,  8912, 10445,  7646,  2837,  5109,  3033,  8668,
+	10295,   744, 10869, 10204,  6825,  6326,  6299,  7208, 11886,  1246,
+	  704,  9626,  2538, 10932,  3903,  4545,  5111,  9006,  6698,  5008,
+	 8464,  4679,  7230,  2223,   707,   705,  6592,  6207,  1114,  7645,
+	 5374,  7595, 11064,   746,  5585,  8248,  2921,  7004,  6595,  9985,
+	  506,  7147,   793,  9605,   596,   962,  8223, 11771,  6438,  6663,
+	 9519, 12013,  4302,  2216,  6633, 10351, 10096,  9645,   347,  4601,
+	  596, 10448, 12051, 12376,  1544,  8939,  5114,  4052, 11408,  5947,
+	 5368,  4270,  6747,   423,  6283, 11211,  2574,  5974,  5533,  5143,
+	 9757,  2155,   729,  9776, 11989,  8808, 11057,  1519,  9187,  5996,
+	 2966,  3865,  1409,  8023, 10648,  4397,  5082, 10832,  4769,  2068,
+	 9226,  1790,  5911,  6534,  3780,  7312,  9388,  5014,  9054,  3445,
+	 4659,  6203,  5234,  9490, 11060,  4214,  8978,  9789,  6201,  3088,
+	 1988,  3057,  3762,  8725,  7322,  7583,  8233,  1394,  6534,  9221,
+	 9736,  2738,  3837,  2595,  4012,  3674,  7505, 10231,  8080,  2402,
+	 3977,  5928,  1942,  8421,  5507,  8422,  1238,  6909,  5800,  9613,
+	 6083,  4382,  4669, 11670,  4032, 10762, 11623,  4387,  3728,  4656,
+	 9701,   722,  1255,  4495,  8158,  7762,   792, 10307,  9813,  3904,
+	 6081, 11003, 12045,  6718,  1089,  7327,  4381, 11188,   943,  1740,
+	  563, 10251,   756,  5027,   848,   325,  6547, 12288,  1222, 12189,
+	 3641,  7314,  2049,  5254, 10043,  1068,  7906,  4741, 11639,  1981,
+	 7660, 10911,  2746,  4536, 10068,  9700, 11057,  8114,  5556,   253,
+	 2292, 10686, 11848,  5306,  3092,  2570, 12167,  7101,  5245,  3463,
+	 8627, 12513,  9010,  5356,  1633, 10462,  4545,  3614,  7245,  1887,
+	 9738, 11902,  8716, 12035,  9958,  9421, 11063,  3759,   883,  9754,
+	10730, 11706,  9132,   540,  6726, 11382,  7038,  4407,  1225,  8606,
+	 7689,  5894,  6553,  7908,  2454,  4939,   613,  5811,  3580, 11792,
+	11364,  3153,  3698,  2604,  7470,  6053,  7699,  6018,  4289, 11497,
+	 8580,  2249,   718,  2444,  2972,  8812,  1710,  6317,  8718,  4194,
+	12288,  5837,  3698,  2216,  7402,  9045, 11194,  8500,  7238, 10686,
+	 9409,  9867, 12264,  3859,  7673, 11659,  8496,  4618,  6465,  8811,
+	 9114, 10740,  7738, 11850,  4142,  2493, 11136,  9623,  3071, 11701,
+	 2925,  5043,  6151,  6221,  9642, 10846, 11145,  6315,  3741,  9123,
+	 5131,  2585, 11337,  4786,  5844,  1485, 11505,  5205,   797,  5955,
+	 3717,  1756,  1551,  1122,  5057,  2585, 10857,  5129,  3557,  1254,
+	 7750,  9688,  2462,  6415,  4345,  9460,  2957,  8793,  9210,  9242,
+	 3487,  6506, 11888,  7563,  1078,  4486,   406,  2261,   867, 11965,
+	 7979,  4533,  3654,  4747,  6636,  3166,  2114,   380,  9715,  7132,
+	 2982,  5024,  1817,  1231,  6210, 12377,  6280, 10882,  9937,  9587,
+	  633,  5668,   899,  6176,  2431,   956,  5022,  3094,  4658, 11168,
+	 2989,  2654, 11990, 10494,  1691,  3017, 10044, 11882,  4020,  5342,
+	11911,  2426,  5748,  7592,  6340,  9214,  9357,  7169,  2109,  3210,
+	  415,  3024,  7791,  5684,   246,  5134, 11335, 10092,  3133, 10427,
+	 1502,  7739,  3272,   169,  9521,  2550,  7327, 11309, 10815, 10146,
+	 9157,  4579,  1022,  6447,  4233,  8488,  2958,  1715,  4215,  4965,
+	 5728,   551,  8942, 10845, 11881,  4472,  4331,   304,  1183,  3798,
+	 1968,  3993,  4889,  6145,  8841,  8816, 11283,  6578,  9212,  8161,
+	 7003, 11574,  7764,  1678,  4138, 10444, 11880,  7101,  1390,  4743,
+	 8320,  3026,  2338,  1203,  1562,  6502,  3103, 10770,  7608, 11097,
+	 6745,  6037,  2926,  9489, 10782,  1853,  3482,   524, 11063,  8299,
+	11092,  6838,  7779,  4598, 11245,  7274,  8908,  3886,  4440,  8651,
+	11949,  5344,  6954, 11015,  8333, 11347, 12677,  8716,  3514,  9892,
+	10366,  2029,  2875,  1540,  9013,   250,  6393,  5618,  4565,  3687,
+	 8340,  6420,  3632,  5032,  9408,  9738,   961,  8653, 12315, 10459,
+	 9883,  2074,  5357,  9341,  4850,  2514,  9746,  2605,  2394,  5928,
+	  808, 10443,  1589,  5673,  9176,  6593,  3404, 12254,  4230,  3630,
+	 7958, 10065,  7471,  2432,  6626,  6517,   382,  6131,  2888,  5440,
+	 1571,  7341,  2841, 11202,  9462,  7180, 11206,  1433,  6183,  3882,
+	 2105,  9906,  8076,  7074, 10572,  7262,  8456,  2979,  1095,  6891,
+	 8025,  5914,  5380,  4300,  7363,  4989,  6788,  1043,  6836,  8710,
+	10099, 12310,  3997,  2102,  7002,  4041,  4948,  2601,  2958,  8665,
+	  984, 10820,  1940,   541,  3377,  3533,  9357,  2049, 10721,  2732,
+	 5355,  4280, 10281,  8056,  9557,  7749,   611,  8255,  4854,   708,
+	 9199,  7033,  2582,  8343,   820,   944,  8651,  5547,  7052,  4723,
+	 8972,  5594,  5314,  1938,  2539,  8789, 10341, 12368,  7475,  6903,
+	 4436,  8346,  5391,  8336, 10864, 10397,  8517,  2078, 12127,  6612,
+	10511,  2970,  6576,  5166,  7744, 10934,  3186,  9515,  6831, 12085,
+	 7284,  9791,  4755,  6341,  8713, 11526,  9392,  2122,  5743,  2776,
+	 9581, 11396,  7006,  1465, 11235, 10997,  5776, 10401,  2929, 11732,
+	 5847,  9512,  6068,  3934,  3730,  5813,  9195,   410, 11698,   896,
+	 6321,  1310,  3478, 11649, 10201,  6850,  3612,  3451,  3569,  3266,
+	  747,  3151,  3352,  6497, 10445, 11501,  5306,  1026,  9712,  7294,
+	  813,  8005,  5090,  2905,  7903,  8358,  6290,  7756,  3955,  9471,
+	 1858,   699, 11847,  7292,  2165, 10556,  1038,  5289,  8693,  9698,
+	 1702, 10228,  1412,  8681,  3330, 10042,  8888,  4257,  1201,  7422,
+	 7956, 10019,  3011,  5956,  2188,  2407,  1986,  3847,  4345,  7427,
+	12091,  1763,  3885,  6731,  4172, 10828,  6129, 10972,  7878,  2189,
+	 3988,  2125,  6536, 10663,  3100,  5129,  7656,  1053,  2303, 10149,
+	 8087,  5666, 11151, 10962,  4905,   779, 10113,  5451,  1509,  9590,
+	  735,  1626,  8419, 10607,  9293,  5778,   907,  5527, 10408,  5454,
+	 2266,  7131,  6332,  2055, 10105,  1188,  9842,  2059,  4417, 10026,
+	 4339,  9779,   680,  1731,  4958,  1589,  1866,  3797,  5058,  3735,
+	 9899,   543,  9330,  2436, 10757,  9010,  1270, 12232,  1122,  2222,
+	10945,  3733,  7454,  5251,  4185,  5118,  4331, 12022,  5900,  4767,
+	 4393, 10252,  9957,  9653,  4674,  7705,  5694,  9123,  3882,  3137,
+	11627,  2712, 11985,  6346,  9990, 10760,  1869,  1778,  8899, 12168,
+	 5207,  7250,  1088,  1131, 11567,  4337,  8286, 11660,  7152,  8010,
+	 2286, 11335,  2984,  5740,  7114,   806,  7579,  7119,  5122,  2917,
+	  541,  7913, 10555,  3684,  4720,  3954,   517,  1526,  9712, 10854,
+	 1921,  6897,  4704,  2141,  1602, 11880,  4548, 10569, 11521,  6408,
+	 3609,  9752,  1960, 10934
+};
+
+static uint8_t rbits[] = {
+	0x3f, 0xff, 0xaf, 0x0f, 0x6b, 0xb2, 0xb8, 0x46, 0x53, 0x44,
+	0x95, 0x98, 0x0a, 0x85, 0x0c, 0xfc, 0xc4, 0x86, 0xcc, 0x69,
+	0xc6, 0xd9, 0xfa, 0xee, 0x19, 0xa6, 0x34, 0x0f, 0x35, 0xc4,
+	0xdc, 0x08
+};
+
+static uint8_t r_ref[] = {
+	0, 3, 3, 1, 1, 1, 0, 1, 0, 3, 2, 0, 1, 1, 3, 0, 2, 1, 0, 3, 
+	2, 1, 2, 3, 3, 0, 2, 0, 1, 3, 3, 2, 3, 3, 0, 3, 0, 2, 2, 0, 
+	1, 1, 2, 0, 1, 1, 2, 1, 3, 0, 0, 3, 1, 1, 0, 0, 0, 2, 0, 1, 
+	0, 2, 3, 1, 3, 0, 3, 1, 0, 0, 2, 1, 3, 3, 1, 3, 2, 1, 0, 2, 
+	0, 0, 3, 3, 0, 1, 2, 2, 0, 1, 0, 3, 2, 2, 1, 1, 3, 0, 3, 3, 
+	2, 2, 0, 2, 1, 0, 0, 0, 3, 0, 3, 1, 2, 1, 1, 0, 3, 3, 2, 1, 
+	3, 3, 2, 2, 1, 3, 0, 0, 2, 2, 3, 1, 1, 2, 2, 2, 0, 2, 0, 2, 
+	0, 0, 1, 2, 2, 2, 3, 1, 2, 0, 3, 0, 1, 3, 2, 3, 3, 1, 1, 2, 
+	0, 0, 2, 1, 2, 2, 0, 2, 2, 2, 2, 1, 1, 3, 1, 3, 3, 1, 2, 2, 
+	3, 0, 1, 0, 0, 2, 2, 1, 3, 2, 2, 2, 3, 1, 1, 0, 0, 3, 2, 3, 
+	0, 0, 3, 3, 2, 2, 2, 2, 1, 1, 0, 1, 2, 1, 3, 2, 0, 3, 0, 2, 
+	3, 3, 3, 3, 2, 3, 3, 3, 3, 2, 1, 0, 2, 3, 2, 1, 2, 0, 3, 0, 
+	2, 2, 1, 1, 2, 1, 2, 0, 1, 2, 1, 3, 0, 0, 2, 3, 0, 3, 1, 0, 
+	2, 2, 2, 1, 2, 0, 3, 1, 0, 0, 3, 0, 2, 3, 1, 0, 2, 3, 3, 0, 
+	0, 0, 3, 0, 2, 3, 2, 0, 2, 2, 1, 0, 1, 2, 1, 3, 3, 3, 1, 2, 
+	1, 2, 3, 1, 1, 2, 2, 0, 3, 0, 3, 3, 1, 3, 3, 3, 1, 3, 0, 3, 
+	0, 0, 1, 2, 1, 0, 3, 0, 0, 2, 1, 3, 3, 3, 1, 1, 2, 3, 1, 0, 
+	1, 1, 3, 3, 0, 3, 1, 3, 1, 2, 2, 2, 1, 3, 1, 2, 1, 3, 0, 1, 
+	2, 2, 2, 3, 3, 2, 2, 3, 1, 2, 2, 1, 2, 1, 0, 0, 0, 1, 3, 2, 
+	0, 3, 1, 1, 2, 1, 3, 2, 3, 2, 0, 1, 0, 1, 3, 0, 2, 3, 1, 3, 
+	0, 1, 1, 3, 1, 1, 1, 0, 2, 3, 2, 1, 2, 0, 3, 3, 2, 0, 1, 0, 
+	3, 3, 3, 1, 2, 2, 1, 0, 3, 3, 0, 2, 3, 1, 1, 1, 3, 3, 1, 3, 
+	3, 0, 1, 0, 2, 0, 1, 1, 0, 0, 3, 2, 2, 3, 0, 2, 2, 0, 1, 1, 
+	1, 3, 1, 1, 1, 0, 1, 2, 3, 2, 2, 3, 1, 1, 3, 3, 3, 1, 2, 0, 
+	0, 0, 2, 2, 2, 3, 2, 0, 0, 1, 3, 0, 0, 0, 2, 0, 1, 0, 3, 0, 
+	3, 1, 0, 1, 1, 1, 2, 2, 2, 0, 0, 2, 2, 0, 3, 1, 0, 2, 2, 0, 
+	2, 0, 0, 1, 1, 0, 1, 2, 3, 2, 3, 2, 3, 3, 3, 0, 2, 1, 2, 2, 
+	1, 0, 1, 1, 1, 2, 1, 3, 2, 0, 3, 3, 0, 0, 1, 1, 1, 2, 2, 2, 
+	0, 1, 1, 2, 0, 2, 0, 1, 2, 0, 1, 3, 2, 2, 3, 0, 0, 1, 1, 2, 
+	3, 1, 2, 0, 3, 0, 2, 1, 0, 0, 0, 1, 1, 1, 1, 3, 0, 0, 0, 3, 
+	2, 3, 2, 1, 0, 3, 1, 1, 1, 1, 3, 0, 0, 1, 1, 1, 0, 3, 2, 2, 
+	3, 1, 1, 3, 0, 1, 1, 3, 0, 3, 2, 2, 0, 3, 1, 3, 1, 0, 0, 1, 
+	1, 0, 0, 1, 0, 3, 2, 2, 0, 1, 3, 0, 1, 3, 3, 2, 1, 3, 1, 1, 
+	3, 3, 2, 1, 1, 3, 1, 0, 2, 1, 1, 3, 3, 3, 1, 3, 1, 3, 0, 1, 
+	2, 2, 0, 3, 3, 2, 1, 1, 1, 3, 0, 2, 0, 3, 3, 1, 2, 3, 1, 3, 
+	0, 0, 0, 1, 3, 3, 0, 2, 3, 0, 1, 3, 0, 0, 3, 0, 2, 2, 3, 3, 
+	3, 3, 2, 1, 0, 3, 1, 1, 1, 2, 2, 0, 3, 2, 0, 2, 2, 3, 1, 0, 
+	3, 3, 1, 2, 3, 0, 1, 1, 0, 3, 3, 1, 1, 3, 0, 2, 1, 2, 2, 2, 
+	2, 3, 2, 3, 0, 0, 3, 1, 1, 0, 3, 2, 3, 2, 3, 3, 2, 2, 3, 1, 
+	3, 2, 1, 0, 1, 0, 2, 2, 1, 3, 1, 2, 3, 3, 1, 3, 2, 1, 3, 2, 
+	2, 3, 1, 1, 3, 3, 3, 3, 2, 0, 0, 3, 3, 3, 2, 3, 2, 0, 3, 0, 
+	3, 1, 2, 0, 3, 0, 2, 2, 2, 3, 1, 2, 2, 1, 3, 3, 0, 1, 3, 0, 
+	0, 1, 3, 2, 1, 1, 0, 1, 3, 3, 1, 1, 0, 1, 2, 2, 2, 0, 2, 3, 
+	1, 2, 1, 1, 3, 2, 3, 3, 1, 0, 1, 3, 2, 3, 2, 2, 1, 2, 3, 1, 
+	3, 2, 3, 1, 3, 3, 0, 3, 1, 1, 3, 2, 1, 2, 2, 0, 1, 1, 2, 3, 
+	1, 3, 0, 0, 3, 0, 3, 0, 1, 2, 0, 2, 2, 3, 2, 0, 0, 0, 3, 0, 
+	2, 0, 0, 2, 2, 2, 3, 1, 3, 2, 3, 2, 0, 1, 2, 1, 1, 3, 0, 3, 
+	2, 0, 2, 2, 3, 2, 1, 0, 1, 1, 0, 2, 0, 3, 2, 0, 2, 3, 1, 3, 
+	2, 2, 2, 2, 3, 1, 0, 2, 3, 3, 3, 2, 0, 0, 3, 3, 1, 2, 2, 3, 
+	0, 1, 1, 1, 3, 2, 1, 0, 0, 1, 2, 3, 3, 0, 1, 1, 1, 1, 0, 1, 
+	0, 2, 3, 3, 3, 3, 0, 2, 3, 0, 1, 0, 0, 1, 1, 3, 2, 2, 0, 0, 
+	2, 2, 1, 3
+};
+
+static chunk_t shared_secret = chunk_from_chars(
+	0x14, 0x22, 0x06, 0xe3, 0x48, 0xf3, 0xfa, 0xfc, 0x21, 0x0d,
+	0x5d, 0x51, 0x19, 0x7f, 0x16, 0x4e, 0xe6, 0xd3, 0x10, 0xa9,
+	0xf5, 0xab, 0xfc, 0x96, 0x11, 0x1b, 0xc3, 0x4a, 0x89, 0xf9,
+	0x66, 0x55
+);
+
+START_TEST(test_newhope_rec_good)
+{
+	newhope_reconciliation_t *rec;
+	chunk_t i_shared_secret, r_shared_secret;
+	uint8_t *r;
+
+	rec = newhope_reconciliation_create(n, q);
+	ck_assert(rec != NULL);
+
+	r = rec->help_reconcile(rec, r_v, rbits);
+	ck_assert(memeq(r, r_ref, n));
+
+	r_shared_secret = rec->reconcile(rec, r_v, r);
+	ck_assert(chunk_equals(r_shared_secret, shared_secret));
+
+	i_shared_secret = rec->reconcile(rec, i_v, r);
+	ck_assert(chunk_equals(i_shared_secret, shared_secret));
+
+	/* cleanup */
+	rec->destroy(rec);
+	chunk_free(&i_shared_secret);
+	chunk_free(&r_shared_secret);
+	free(r);
+}
+END_TEST
+
+Suite *newhope_reconciliation_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("newhope_reconciliation");
+
+	tc = tcase_create("rec_good");
+	tcase_add_test(tc, test_newhope_rec_good);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 58a2750..a19b2c4 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index fd123a1..5cbba39 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index efc660b..17309b1 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -25,22 +25,22 @@
 typedef struct private_ntru_ke_t private_ntru_ke_t;
 
 /* Best bandwidth and speed, no X9.98 compatibility */
-static ntru_param_set_id_t param_sets_optimum[] = {
+static const ntru_param_set_id_t param_sets_optimum[] = {
 	NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1
 };
 
 /* X9.98/IEEE 1363.1 parameter sets for best speed */
-static ntru_param_set_id_t param_sets_x9_98_speed[] = {
+static const ntru_param_set_id_t param_sets_x9_98_speed[] = {
 	NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1
 };
 
 /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
-static ntru_param_set_id_t param_sets_x9_98_bandwidth[] = {
+static const ntru_param_set_id_t param_sets_x9_98_bandwidth[] = {
 	NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP2
 };
 
 /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
-static ntru_param_set_id_t param_sets_x9_98_balance[] = {
+static const ntru_param_set_id_t param_sets_x9_98_balance[] = {
 	NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1
 };
 
@@ -61,7 +61,7 @@ struct private_ntru_ke_t {
 	/**
 	 * NTRU Parameter Set
 	 */
-	ntru_param_set_t *param_set;
+	const ntru_param_set_t *param_set;
 
 	/**
 	 * Cryptographical strength in bits of the NTRU Parameter Set
@@ -243,7 +243,8 @@ METHOD(diffie_hellman_t, destroy, void,
 ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
 	private_ntru_ke_t *this;
-	ntru_param_set_id_t *param_sets, param_set_id;
+	const ntru_param_set_id_t *param_sets;
+	ntru_param_set_id_t param_set_id;
 	rng_t *entropy;
 	ntru_drbg_t *drbg;
 	char *parameter_set;
diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.c b/src/libstrongswan/plugins/ntru/ntru_param_set.c
index 4af1e30..3b2716e 100644
--- a/src/libstrongswan/plugins/ntru/ntru_param_set.c
+++ b/src/libstrongswan/plugins/ntru/ntru_param_set.c
@@ -41,7 +41,7 @@ ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1,
 /**
  * NTRU encryption parameter set definitions
  */
-static ntru_param_set_t ntru_param_sets[] = {
+static const ntru_param_set_t ntru_param_sets[] = {
 
 	/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
     {
@@ -340,7 +340,7 @@ static ntru_param_set_t ntru_param_sets[] = {
 /**
  * See header.
  */
-ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id)
+const ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id)
 {
 	int i;
 
@@ -358,7 +358,7 @@ ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id)
 /**
  * See header.
  */
-ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid)
+const ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid)
 {
 	int i;
 
diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.h b/src/libstrongswan/plugins/ntru/ntru_param_set.h
index df4e553..3ec0f83 100644
--- a/src/libstrongswan/plugins/ntru/ntru_param_set.h
+++ b/src/libstrongswan/plugins/ntru/ntru_param_set.h
@@ -80,23 +80,81 @@ extern enum_name_t *ntru_param_set_id_names;
  * NTRU encryption parameter set definitions
  */
 struct ntru_param_set_t {
-	ntru_param_set_id_t id;     /* NTRU parameter set ID */
-	uint8_t  oid[NTRU_OID_LEN]; /* pointer to OID */
-	uint8_t  der_id;            /* parameter-set DER id */
-	uint8_t  N_bits;            /* no. of bits in N (i.e. in an index */
-	uint16_t N;                 /* ring dimension */
-	uint16_t sec_strength_len;  /* no. of octets of security strength */
-	uint16_t q;                 /* big modulus */
-	uint8_t  q_bits;            /* no. of bits in q (i.e. in a coefficient */
-	bool     is_product_form;   /* if product form used */
-	uint32_t dF_r;              /* no. of +1 or -1 coefficients in ring elements
-                                   F, r */
-	uint16_t dg;                /* no. - 1 of +1 coefficients or
-                                   no. of -1 coefficients in ring element g */
-	uint16_t m_len_max;         /* max no. of plaintext octets */
-	uint16_t min_msg_rep_wt;    /* min. message representative weight */
-	uint8_t  c_bits;            /* no. bits in candidate for deriving an index */
-	uint8_t  m_len_len;         /* no. of octets to hold mLenOctets */
+
+    /**
+	 * NTRU parameter set ID
+	 */
+	const ntru_param_set_id_t id;
+
+	/**
+	 * pointer to OID
+	 */
+	const uint8_t oid[NTRU_OID_LEN];
+
+	/**
+	 * parameter-set DER id
+	 */
+	const uint8_t der_id;
+
+	/**
+	 * no. of bits in N (i.e. in an index
+	 */
+	const uint8_t N_bits;
+
+	/**
+	 * ring dimension
+	 */
+	const uint16_t N;
+
+	/**
+	 * no. of octets of security strength
+	 */
+	const uint16_t sec_strength_len;
+
+	/**
+	 * big modulus
+	 */
+	const uint16_t q;
+
+	/**
+	 * no. of bits in q (i.e. in a coefficient)
+	 */
+	const uint8_t q_bits;
+
+	/**
+	 * if product form used
+	 */
+	const bool is_product_form;
+
+	/**
+	 * no. of +1 or -1 coefficients in ring elements F, r
+	 */
+	const uint32_t dF_r;
+
+	/**
+	 * no. - 1 of +1 coefficients or no. of -1 coefficients in ring element g
+	 */
+	const uint16_t dg;
+
+	/**
+	 * max no. of plaintext octets
+	 */
+	const uint16_t m_len_max;
+
+	/**
+	 * min. message representative weight
+	 */
+	const uint16_t min_msg_rep_wt;
+
+	/**
+	 * no. bits in candidate for deriving an index
+	 */
+	const uint8_t  c_bits;
+
+	/**
+	 * no. of octets to hold mLenOctets
+	 */
+	const uint8_t  m_len_len;
 };
 
 /**
@@ -105,7 +163,7 @@ struct ntru_param_set_t {
  * @param id	NTRU parameter set ID
  * @return		NTRU parameter set
 */
-ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id);
+const ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id);
 
 /**
  * Get NTRU encryption parameter set by NTRU parameter set OID
@@ -113,6 +171,6 @@ ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id);
  * @param oid	NTRU parameter set OID
  * @return		NTRU parameter set
 */
-ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid);
+const ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid);
 
 #endif /** NTRU_PARAM_SET_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.c b/src/libstrongswan/plugins/ntru/ntru_plugin.c
index 66be7c7..dc6bd31 100644
--- a/src/libstrongswan/plugins/ntru/ntru_plugin.c
+++ b/src/libstrongswan/plugins/ntru/ntru_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -43,13 +43,21 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(DH, ntru_ke_create),
 			PLUGIN_PROVIDE(DH, NTRU_112_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
+				PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA1),
 			PLUGIN_PROVIDE(DH, NTRU_128_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
+				PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA1),
 			PLUGIN_PROVIDE(DH, NTRU_192_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
+				PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA256),
 			PLUGIN_PROVIDE(DH, NTRU_256_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_TRUE),
 				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
-				PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-				PLUGIN_SDEPEND(HASHER, HASH_SHA1)
+				PLUGIN_DEPENDS(XOF, XOF_MGF1_SHA256),
 	};
 	*features = f;
 
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
index cb11601..b2fca2f 100644
--- a/src/libstrongswan/plugins/ntru/ntru_poly.c
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
@@ -17,7 +17,7 @@
 
 #include "ntru_poly.h"
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <utils/debug.h>
 #include <utils/test.h>
 
@@ -290,8 +290,9 @@ static private_ntru_poly_t* ntru_poly_create(uint16_t N, uint16_t q,
 /*
  * Described in header.
  */
-ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
-										uint8_t c_bits, uint16_t N, uint16_t q,
+ntru_poly_t *ntru_poly_create_from_seed(ext_out_function_t mgf1_type,
+										chunk_t seed, uint8_t c_bits,
+										uint16_t N, uint16_t q,
 										uint32_t indices_len_p,
 										uint32_t indices_len_m,
 										bool is_product_form)
@@ -300,9 +301,9 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
 	int n, num_indices, index_i = 0;
 	uint32_t index, limit;
 	uint8_t *used;
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 
-	bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+	bitspender = xof_bitspender_create(mgf1_type, seed, TRUE);
 	if (!bitspender)
 	{
 	    return NULL;
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_poly.h
index 87c7710..765b72b 100644
--- a/src/libstrongswan/plugins/ntru/ntru_poly.h
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 typedef struct ntru_poly_t ntru_poly_t;
 
 #include <library.h>
+#include <crypto/xofs/xof.h>
 
 /**
  * Implements a trinary polynomial storing the indices of non-zero coefficients 
@@ -63,9 +64,9 @@ struct ntru_poly_t {
 };
 
 /**
- * Create a trits polynomial from a seed using MGF1 with a base hash function
+ * Create a trits polynomial from a seed using MGF1
  *
- * @param alg				hash algorithm to be used by MGF1
+ * @param alg				MGF1 algorithm used(XOF_MGF1_SHA1 or XOF_MGF_SHA256)
  * @param seed				seed used by MGF1 to generate trits from
  * @param N					ring dimension, number of polynomial coefficients
  * @param q					large modulus
@@ -74,7 +75,7 @@ struct ntru_poly_t {
  * @param indices_len_m		number of indices for -1 coefficients
  * @param is_product_form	generate multiple polynomials
  */
-ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
+ntru_poly_t *ntru_poly_create_from_seed(ext_out_function_t alg,	chunk_t seed,
 										uint8_t c_bits, uint16_t N, uint16_t q,
 										uint32_t indices_len_p,
 										uint32_t indices_len_m,
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c
index fa87fe9..844c8ba 100644
--- a/src/libstrongswan/plugins/ntru/ntru_private_key.c
+++ b/src/libstrongswan/plugins/ntru/ntru_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
@@ -38,7 +38,7 @@ struct private_ntru_private_key_t {
 	/**
 	 * NTRU Parameter Set
 	 */
-	ntru_param_set_t *params;
+	const ntru_param_set_t *params;
 
 	/**
 	 * Polynomial F which is the private key
@@ -178,7 +178,7 @@ bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt)
 METHOD(ntru_private_key_t, decrypt, bool,
 	private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext)
 {
-	hash_algorithm_t hash_algid;
+	ext_out_function_t alg;
 	size_t t_len, seed1_len, seed2_len;
 	uint16_t *t1, *t2, *t = NULL;
     uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros;
@@ -206,9 +206,9 @@ METHOD(ntru_private_key_t, decrypt, bool,
 	Mtrin = (uint8_t *)t1;
 	M = Mtrin + this->params->N;
 
-	/* set hash algorithm based on security strength */
-	hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
-														  HASH_SHA256;
+	/* set MGF1 algorithm type based on security strength */
+	alg = (this->params->sec_strength_len <= 20) ? XOF_MGF1_SHA1 :
+												   XOF_MGF1_SHA256;
 
 	/* set constants */
 	mod_q_mask = this->params->q - 1;
@@ -307,7 +307,7 @@ METHOD(ntru_private_key_t, decrypt, bool,
 	ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr);
 
 	/* form mask */
-	mask = ntru_trits_create(this->params->N, hash_algid, seed);
+	mask = ntru_trits_create(this->params->N, alg, seed);
 	if (!mask)
 	{
 		DBG1(DBG_LIB, "mask creation failed");
@@ -390,9 +390,8 @@ METHOD(ntru_private_key_t, decrypt, bool,
 
 	/* generate cr */
 	DBG2(DBG_LIB, "generate polynomial r");
-	r_poly = ntru_poly_create_from_seed(hash_algid, seed,
-						this->params->c_bits, this->params->N,
-						this->params->q, this->params->dF_r,
+	r_poly = ntru_poly_create_from_seed(alg, seed, this->params->c_bits,
+						this->params->N, this->params->q, this->params->dF_r,
 						this->params->dF_r, this->params->is_product_form);
 	if (!r_poly)
 	{
@@ -642,13 +641,13 @@ static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t,
  * Described in header.
  */
 ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
-											ntru_param_set_t *params)
+											const ntru_param_set_t *params)
 {
 	private_ntru_private_key_t *this;
 	size_t t_len;
 	uint16_t *t1, *t2, *t = NULL;
 	uint16_t mod_q_mask;
-    hash_algorithm_t hash_algid;
+    ext_out_function_t alg;
 	ntru_poly_t *g_poly;
 	chunk_t	seed;
 	int i;
@@ -667,14 +666,8 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
 	);
 
 	/* set hash algorithm and seed length based on security strength */
-	if (params->sec_strength_len <= 20)
-	{
-		hash_algid = HASH_SHA1;
-	}
-	else
-	{
-		hash_algid = HASH_SHA256;
-	}
+	alg = (params->sec_strength_len <= 20) ? XOF_MGF1_SHA1 :
+											 XOF_MGF1_SHA256;
 	seed =chunk_alloc(params->sec_strength_len + 8);
 
 	/* get random seed for generating trinary F as a list of indices */
@@ -685,7 +678,7 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
 	}
 
 	DBG2(DBG_LIB, "generate polynomial F");
-	this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+	this->privkey = ntru_poly_create_from_seed(alg, seed, params->c_bits,
 											   params->N, params->q,
 											   params->dF_r, params->dF_r,
 											   params->is_product_form);
@@ -729,7 +722,7 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
 	}
 
 	DBG2(DBG_LIB, "generate polynomial g");
-	g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+	g_poly = ntru_poly_create_from_seed(alg, seed, params->c_bits,
 										params->N, params->q, params->dg + 1,
 										params->dg, FALSE);
 	if (!g_poly)
@@ -775,7 +768,7 @@ ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg,
 	size_t privkey_packed_trits_len, privkey_packed_indices_len;
 	uint8_t *privkey_packed, tag;
 	uint16_t *indices, dF;
-	ntru_param_set_t *params;
+	const ntru_param_set_t *params;
 
 	header_len = 2 + NTRU_OID_LEN;
 
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h
index c6f0844..ced806d 100644
--- a/src/libstrongswan/plugins/ntru/ntru_private_key.h
+++ b/src/libstrongswan/plugins/ntru/ntru_private_key.h
@@ -77,7 +77,8 @@ struct ntru_private_key_t {
  * @param drbg			Digital Random Bit Generator used for key generation
  * @param params		NTRU encryption parameter set to be used
  */
-ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params);
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
+											const ntru_param_set_t *params);
 
 /**
  * Creates an NTRU encryption private key from encoding
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c
index a2ff1b2..36d9abf 100644
--- a/src/libstrongswan/plugins/ntru/ntru_public_key.c
+++ b/src/libstrongswan/plugins/ntru/ntru_public_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
@@ -37,7 +37,7 @@ struct private_ntru_public_key_t {
 	/**
 	 * NTRU Parameter Set
 	 */
-	ntru_param_set_t *params;
+	const ntru_param_set_t *params;
 
 	/**
 	 * Polynomial h which is the public key
@@ -102,7 +102,7 @@ extern bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt);
 METHOD(ntru_public_key_t, encrypt, bool,
 	private_ntru_public_key_t *this, chunk_t plaintext, chunk_t *ciphertext)
 {
-	hash_algorithm_t hash_algid;
+	ext_out_function_t alg;
 	size_t t_len, seed1_len, seed2_len;
 	uint16_t *t1, *t = NULL;
 	uint8_t b[MAX_SEC_STRENGTH_LEN];
@@ -139,8 +139,8 @@ METHOD(ntru_public_key_t, encrypt, bool,
 	M = Mtrin + this->params->N;
 
 	/* set hash algorithm based on security strength */
-	hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
-														  HASH_SHA256;
+	alg = (this->params->sec_strength_len <= 20) ? XOF_MGF1_SHA1 :
+												   XOF_MGF1_SHA256;
 	/* set constants */
 	mod_q_mask = this->params->q - 1;
 
@@ -173,7 +173,7 @@ METHOD(ntru_public_key_t, encrypt, bool,
 		seed.len = seed2_len;
 
 		DBG2(DBG_LIB, "generate polynomial r");
-		r_poly = ntru_poly_create_from_seed(hash_algid, seed, this->params->c_bits,
+		r_poly = ntru_poly_create_from_seed(alg, seed, this->params->c_bits,
 											this->params->N, this->params->q,
 											this->params->dF_r, this->params->dF_r,
 											this->params->is_product_form);
@@ -191,7 +191,7 @@ METHOD(ntru_public_key_t, encrypt, bool,
 		seed.len = seed1_len;
 
 		/* form mask */
-		mask = ntru_trits_create(this->params->N, hash_algid, seed);
+		mask = ntru_trits_create(this->params->N, alg, seed);
 		if (!mask)
 		{
 			DBG1(DBG_LIB, "mask creation failed");
@@ -320,7 +320,7 @@ METHOD(ntru_public_key_t, destroy, void,
  * Described in header.
  */
 ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg,
-										  ntru_param_set_t *params,
+										  const ntru_param_set_t *params,
 										  uint16_t *pubkey)
 {
 	private_ntru_public_key_t *this;
@@ -357,7 +357,7 @@ ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg,
 {
 	private_ntru_public_key_t *this;
 	size_t header_len, pubkey_packed_len;
-	ntru_param_set_t *params;
+	const ntru_param_set_t *params;
 
 	header_len = 2 + NTRU_OID_LEN;
 
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h
index baa8eab..4f098f2 100644
--- a/src/libstrongswan/plugins/ntru/ntru_public_key.h
+++ b/src/libstrongswan/plugins/ntru/ntru_public_key.h
@@ -71,7 +71,7 @@ struct ntru_public_key_t {
  * @param pubkey		Coefficients of public key polynomial h
  */
 ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg,
-										  ntru_param_set_t *params,
+										  const ntru_param_set_t *params,
 										  uint16_t *pubkey);
 
 /**
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
index 57b3532..0bbbcc1 100644
--- a/src/libstrongswan/plugins/ntru/ntru_trits.c
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,7 +16,7 @@
 #include "ntru_trits.h"
 #include "ntru_convert.h"
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <utils/debug.h>
 #include <utils/test.h>
 
@@ -67,14 +67,15 @@ METHOD(ntru_trits_t, destroy, void,
 /*
  * Described in header.
  */
-ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
+ntru_trits_t *ntru_trits_create(size_t len, ext_out_function_t alg,
+								chunk_t seed)
 {
 	private_ntru_trits_t *this;
 	uint8_t octet, buf[5], *trits;
 	size_t trits_needed;
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 
-	bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+	bitspender = xof_bitspender_create(alg, seed, TRUE);
 	if (!bitspender)
 	{
 	    return NULL;
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.h b/src/libstrongswan/plugins/ntru/ntru_trits.h
index 524c51b..e489aae 100644
--- a/src/libstrongswan/plugins/ntru/ntru_trits.h
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 typedef struct ntru_trits_t ntru_trits_t;
 
 #include <library.h>
+#include <crypto/xofs/xof.h>
 
 /**
  * Implements an array of trinary elements (trits) 
@@ -52,10 +53,11 @@ struct ntru_trits_t {
  * Create a trits array from a seed using MGF1 with a base hash function
  *
  * @param size			size of the trits array
- * @param alg			hash algorithm to be used by MGF1
+ * @param alg			MGF1 algorithm used (XOF_MGF1_SHA1 or XOF_MGF_SHA256)
  * @param seed			seed used by MGF1 to generate trits from
  */
-ntru_trits_t *ntru_trits_create(size_t size, hash_algorithm_t alg, chunk_t seed);
+ntru_trits_t *ntru_trits_create(size_t size, ext_out_function_t alg,
+								chunk_t seed);
 
 #endif /** NTRU_TRITS_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index f453f43..dd8a17e 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -360,7 +360,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -394,8 +393,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -449,6 +446,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 24fe623..22bbf6d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -304,7 +304,26 @@ static private_openssl_ec_private_key_t *create_empty(void)
 	return this;
 }
 
-/**
+/*
+ * See header.
+ */
+private_key_t *openssl_ec_private_key_create(EVP_PKEY *key)
+{
+	private_openssl_ec_private_key_t *this;
+	EC_KEY *ec;
+
+	ec = EVP_PKEY_get1_EC_KEY(key);
+	EVP_PKEY_free(key);
+	if (!ec)
+	{
+		return NULL;
+	}
+	this = create_empty();
+	this->ec = ec;
+	return &this->public.key;
+}
+
+/*
  * See header.
  */
 openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index f56c95a..84314f6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -21,6 +21,8 @@
 #ifndef OPENSSL_EC_PRIVATE_KEY_H_
 #define OPENSSL_EC_PRIVATE_KEY_H_
 
+#include <openssl/evp.h>
+
 #include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
@@ -61,4 +63,12 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
 openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
 													  va_list args);
 
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_EC
+ *
+ * @param key		EVP_PKEY_EC key object (adopted)
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *openssl_ec_private_key_create(EVP_PKEY *key);
+
 #endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
index 6bbe4af..5ef885b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.c
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -255,13 +255,13 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo,
 					key_size = 16;
 					/* FALL */
 				case 16:
-					this->cipher = EVP_get_cipherbyname("aes-128-gcm");
+					this->cipher = EVP_aes_128_gcm();
 					break;
 				case 24:
-					this->cipher = EVP_get_cipherbyname("aes-192-gcm");
+					this->cipher = EVP_aes_192_gcm();
 					break;
 				case 32:
-					this->cipher = EVP_get_cipherbyname("aes-256-gcm");
+					this->cipher = EVP_aes_256_gcm();
 					break;
 				default:
 					free(this);
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
index 705e96c..bbd400c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
@@ -23,10 +23,6 @@
 #include <library.h>
 #include <credentials/sets/mem_cred.h>
 
-#ifdef OPENSSL_IS_BORINGSSL
-#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
-#endif
-
 typedef struct private_pkcs12_t private_pkcs12_t;
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 3e3b986..ab73d71 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2008-2013 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -269,6 +269,53 @@ static bool seed_rng()
 	return TRUE;
 }
 
+/**
+ * Generic key loader
+ */
+static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+	EVP_PKEY *key;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.ptr)
+	{
+		key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
+		if (key)
+		{
+			switch (EVP_PKEY_base_id(key))
+			{
+#ifndef OPENSSL_NO_RSA
+				case EVP_PKEY_RSA:
+					return openssl_rsa_private_key_create(key);
+#endif
+#ifndef OPENSSL_NO_ECDSA
+				case EVP_PKEY_EC:
+					return openssl_ec_private_key_create(key);
+#endif
+				default:
+					EVP_PKEY_free(key);
+					break;
+			}
+		}
+	}
+	return NULL;
+}
+
 METHOD(plugin_t, get_name, char*,
 	private_openssl_plugin_t *this)
 {
@@ -438,16 +485,16 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
 #endif
 #ifndef OPENSSL_NO_SHA256
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA224),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA256),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA224),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256),
 #endif
 #ifndef OPENSSL_NO_SHA512
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA384),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA512),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA384),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA512),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
 #endif
 #ifndef OPENSSL_NO_MD5
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
@@ -504,6 +551,9 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
+		/* generic key loader */
+		PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 		PLUGIN_REGISTER(RNG, openssl_rng_create),
 			PLUGIN_PROVIDE(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(RNG, RNG_WEAK),
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 485e0bb..54ecf25 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -1,7 +1,7 @@
 /*
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -158,16 +158,16 @@ METHOD(private_key_t, sign, bool,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return build_emsa_pkcs1_signature(this, NID_sha224, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return build_emsa_pkcs1_signature(this, NID_sha256, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return build_emsa_pkcs1_signature(this, NID_sha384, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return build_emsa_pkcs1_signature(this, NID_sha512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return build_emsa_pkcs1_signature(this, NID_md5, data, signature);
 		default:
@@ -327,7 +327,7 @@ static private_openssl_rsa_private_key_t *create_empty()
 	return this;
 }
 
-/**
+/*
  * See header.
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
@@ -383,7 +383,26 @@ error:
 	return NULL;
 }
 
-/**
+/*
+ * See header
+ */
+private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key)
+{
+	private_openssl_rsa_private_key_t *this;
+	RSA *rsa;
+
+	rsa = EVP_PKEY_get1_RSA(key);
+	EVP_PKEY_free(key);
+	if (!rsa)
+	{
+		return NULL;
+	}
+	this = create_empty();
+	this->rsa = rsa;
+	return &this->public.key;
+}
+
+/*
  * See header
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
@@ -528,7 +547,7 @@ static bool login(ENGINE *engine, chunk_t keyid)
 }
 #endif /* OPENSSL_NO_ENGINE */
 
-/**
+/*
  * See header.
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 60889d6..34ce4c7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -21,6 +21,8 @@
 #ifndef OPENSSL_RSA_PRIVATE_KEY_H_
 #define OPENSSL_RSA_PRIVATE_KEY_H_
 
+#include <openssl/evp.h>
+
 #include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
@@ -62,6 +64,14 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 														va_list args);
 
 /**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_RSA
+ *
+ * @param key		EVP_PKEY_RSA key object (adopted)
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key);
+
+/**
  * Connect to a RSA private key on a smartcard.
  *
  * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index d66d501..d3a644f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -143,16 +143,16 @@ METHOD(public_key_t, verify, bool,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
 			return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
 			return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
 			return verify_emsa_pkcs1_signature(this, NID_sha384, data, signature);
-		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return verify_emsa_pkcs1_signature(this, NID_sha512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return verify_emsa_pkcs1_signature(this, NID_md5, data, signature);
 		default:
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index f4186e8..7c5c367 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -136,6 +136,13 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
 time_t openssl_asn1_to_time(ASN1_TIME *time);
 
 /**
+ * Compatibility macros
+ */
+#ifdef OPENSSL_IS_BORINGSSL
+#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
+#endif
+
+/**
  * Macros to define fallback getters/setters to access keys (BIGNUM*) for types
  * that were made opaque with OpenSSL 1.1.0.
  */
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index e1cf497..abca5f7 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index 107ade0..30040da 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -16,7 +16,6 @@
 
 #include <string.h>
 #include <arpa/inet.h>
-#include <byteswap.h>
 
 #include "padlock_sha1_hasher.h"
 
@@ -66,11 +65,11 @@ static void sha1(chunk_t data, uint32_t *digest)
 
 	padlock_sha1(data.len, data.ptr, (u_char*)hash);
 
-	digest[0] = bswap_32(hash[0]);
-	digest[1] = bswap_32(hash[1]);
-	digest[2] = bswap_32(hash[2]);
-	digest[3] = bswap_32(hash[3]);
-	digest[4] = bswap_32(hash[4]);
+	digest[0] = __builtin_bswap32(hash[0]);
+	digest[1] = __builtin_bswap32(hash[1]);
+	digest[2] = __builtin_bswap32(hash[2]);
+	digest[3] = __builtin_bswap32(hash[3]);
+	digest[4] = __builtin_bswap32(hash[4]);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 3e6b8d0..8cafb9e 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index e9c85e5..0bddf9c 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index a61eb1a..708f5a6 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 767b3ac..766832d 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -1,8 +1,8 @@
 /*
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2000-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -204,7 +204,6 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
 			case PRIV_KEY_VERSION:
 				if (object.len > 0 && *object.ptr != 0)
 				{
-					DBG1(DBG_ASN, "PKCS#1 private key format is not version 1");
 					goto end;
 				}
 				break;
@@ -249,6 +248,63 @@ end:
 }
 
 /**
+ * Check if the ASN.1 structure looks like an EC private key according to
+ * RFC 5915.
+ *
+ * ECPrivateKey :=: SEQUENCE {
+ *   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ *   privateKey     OCTET STRING,
+ *   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ *   publicKey  [1] BIT STRING OPTIONAL
+ * }
+ *
+ * While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that
+ * paramaters MUST be included and publicKey SHOULD be.
+ */
+static bool is_ec_private_key(chunk_t blob)
+{
+	chunk_t data;
+	return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
+		   asn1_unwrap(&blob, &data) == ASN1_INTEGER &&
+		   asn1_parse_integer_uint64(data) == 1 &&
+		   asn1_unwrap(&blob, &data) == ASN1_OCTET_STRING &&
+		   asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_0 &&
+		   asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1;
+}
+
+/**
+ * Check if the ASN.1 structure looks like a BLISS private key.
+ */
+static bool is_bliss_private_key(chunk_t blob)
+{
+	chunk_t data;
+	return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
+		   asn1_unwrap(&blob, &data) == ASN1_OID &&
+		   asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
+		   asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
+		   asn1_unwrap(&blob, &data) == ASN1_BIT_STRING;
+}
+
+/**
+ * Load a private key from an ASN.1 encoded blob trying to detect the type
+ * automatically.
+ */
+static private_key_t *parse_private_key(chunk_t blob)
+{
+	if (is_ec_private_key(blob))
+	{
+		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								  BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	}
+	else if (is_bliss_private_key(blob))
+	{
+		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								  BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	}
+	return parse_rsa_private_key(blob);
+}
+
+/**
  * See header.
  */
 public_key_t *pkcs1_public_key_load(key_type_t type, va_list args)
@@ -301,6 +357,14 @@ private_key_t *pkcs1_private_key_load(key_type_t type, va_list args)
 		}
 		break;
 	}
-	return parse_rsa_private_key(blob);
+	switch (type)
+	{
+		case KEY_ANY:
+			return parse_private_key(blob);
+		case KEY_RSA:
+			return parse_rsa_private_key(blob);
+		default:
+			return NULL;
+	}
 }
 
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index eb0903d..ec1bdf5 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -43,6 +43,10 @@ METHOD(plugin_t, get_features, int,
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
+		PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 61919e3..6c10c08 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index aec4550..1d10169 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2015 Tobias Brunner
+ * Copyright (C) 2011-2016 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2010 Martin Willi
@@ -15,6 +15,27 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+/*
+ * Copyright (C) 2016 EDF S.A.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 
 #include "pkcs11_private_key.h"
 
@@ -112,13 +133,13 @@ CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme,
 	} mappings[] = {
 		{SIGN_RSA_EMSA_PKCS1_NULL,		{CKM_RSA_PKCS,			NULL, 0},
 		 KEY_RSA, 0,									   HASH_UNKNOWN},
-		{SIGN_RSA_EMSA_PKCS1_SHA1,		{CKM_SHA1_RSA_PKCS,		NULL, 0},
+		{SIGN_RSA_EMSA_PKCS1_SHA2_256,	{CKM_SHA256_RSA_PKCS,	NULL, 0},
 		 KEY_RSA, 0,									   HASH_UNKNOWN},
-		{SIGN_RSA_EMSA_PKCS1_SHA256,	{CKM_SHA256_RSA_PKCS,	NULL, 0},
+		{SIGN_RSA_EMSA_PKCS1_SHA2_384,	{CKM_SHA384_RSA_PKCS,	NULL, 0},
 		 KEY_RSA, 0,									   HASH_UNKNOWN},
-		{SIGN_RSA_EMSA_PKCS1_SHA384,	{CKM_SHA384_RSA_PKCS,	NULL, 0},
+		{SIGN_RSA_EMSA_PKCS1_SHA2_512,	{CKM_SHA512_RSA_PKCS,	NULL, 0},
 		 KEY_RSA, 0,									   HASH_UNKNOWN},
-		{SIGN_RSA_EMSA_PKCS1_SHA512,	{CKM_SHA512_RSA_PKCS,	NULL, 0},
+		{SIGN_RSA_EMSA_PKCS1_SHA1,		{CKM_SHA1_RSA_PKCS,		NULL, 0},
 		 KEY_RSA, 0,									   HASH_UNKNOWN},
 		{SIGN_RSA_EMSA_PKCS1_MD5,		{CKM_MD5_RSA_PKCS,		NULL, 0},
 		 KEY_RSA, 0,									   HASH_UNKNOWN},
@@ -496,6 +517,120 @@ static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot,
 }
 
 /**
+ * Find the PKCS#11 lib and CKA_ID of the certificate object of a given
+ * subjectKeyIdentifier and optional slot
+ */
+static pkcs11_library_t* find_lib_and_keyid_by_skid(chunk_t keyid_chunk,
+													chunk_t *ckaid, int *slot)
+{
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+	};
+	CK_ATTRIBUTE attr[] = {
+		{CKA_VALUE, NULL, 0},
+		{CKA_ID, NULL, 0},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_SESSION_HANDLE session;
+	CK_RV rv;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *certs;
+	identification_t *keyid;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID current;
+	linked_list_t *raw;
+	certificate_t *cert;
+	struct {
+		chunk_t value;
+		chunk_t ckaid;
+	} *entry;
+
+	manager = lib->get(lib, "pkcs11-manager");
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	keyid = identification_create_from_encoding(ID_KEY_ID, keyid_chunk);
+	/* store result in a temporary list, avoid recursive operation */
+	raw = linked_list_create();
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &current))
+	{
+		if (*slot != -1 && *slot != current)
+		{
+			continue;
+		}
+		rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+								   &session);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+				 ck_rv_names, rv);
+			continue;
+		}
+		certs = p11->create_object_enumerator(p11, session, tmpl, countof(tmpl),
+											  attr, countof(attr));
+		while (certs->enumerate(certs, &object))
+		{
+			INIT(entry,
+				.value = chunk_clone(
+							chunk_create(attr[0].pValue, attr[0].ulValueLen)),
+				.ckaid = chunk_clone(
+							chunk_create(attr[1].pValue, attr[1].ulValueLen)),
+			);
+			raw->insert_last(raw, entry);
+		}
+		certs->destroy(certs);
+
+		while (raw->remove_first(raw, (void**)&entry) == SUCCESS)
+		{
+			if (!found)
+			{
+				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+										  CERT_X509, BUILD_BLOB_ASN1_DER,
+										  entry->value, BUILD_END);
+				if (cert)
+				{
+					if (cert->has_subject(cert, keyid))
+					{
+						DBG1(DBG_CFG, "found cert with keyid '%#B' on PKCS#11 "
+							 "token '%s':%d", &keyid_chunk, p11->get_name(p11),
+							 current);
+						found = p11;
+						*ckaid = chunk_clone(entry->ckaid);
+						*slot = current;
+					}
+					cert->destroy(cert);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "parsing cert with CKA_ID '%#B' on PKCS#11 "
+						 "token '%s':%d failed", &entry->ckaid,
+						 p11->get_name(p11), current);
+				}
+			}
+			chunk_free(&entry->value);
+			chunk_free(&entry->ckaid);
+			free(entry);
+		}
+		p11->f->C_CloseSession(session);
+		if (found)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	keyid->destroy(keyid);
+	raw->destroy(raw);
+	return found;
+}
+
+/**
  * Find the key on the token
  */
 static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
@@ -645,7 +780,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 {
 	private_pkcs11_private_key_t *this;
 	char *module = NULL;
-	chunk_t keyid = chunk_empty;
+	chunk_t keyid = chunk_empty, ckaid = chunk_empty;
 	int slot = -1;
 	CK_RV rv;
 
@@ -713,6 +848,10 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 		}
 		if (!this->lib)
 		{
+			this->lib = find_lib_and_keyid_by_skid(keyid, &ckaid, &slot);
+		}
+		if (!this->lib)
+		{
 			DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
 			free(this);
 			return NULL;
@@ -738,8 +877,17 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 		return NULL;
 	}
 
+	if (ckaid.ptr)
+	{
+		DBG1(DBG_CFG, "using CKA_ID '%#B' for key with keyid '%#B'",
+			 &ckaid, &keyid);
+		keyid = ckaid;
+	}
+
 	if (!find_key(this, keyid))
 	{
+		DBG1(DBG_CFG, "did not find the key with %s '%#B'",
+			 ckaid.ptr ? "CKA_ID" : "keyid", &keyid);
 		destroy(this);
 		return NULL;
 	}
@@ -751,11 +899,11 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 		if (!this->pubkey)
 		{
 			DBG1(DBG_CFG, "no public key or certificate found for private key "
-				 "on '%s':%d", module, slot);
+				 "(%s '%#B') on '%s':%d", ckaid.ptr ? "CKA_ID" : "keyid",
+				 &keyid, module, slot);
 			destroy(this);
 			return NULL;
 		}
 	}
-
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 02b7d29..7e81b05 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index 5a758aa..cbd1996 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -354,7 +354,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -388,8 +387,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -443,6 +440,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 92f751a..3d27d61 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 4c92c41..39d86c8 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -30,6 +30,7 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"SIGNER",
 	"HASHER",
 	"PRF",
+	"XOF",
 	"DH",
 	"RNG",
 	"NONCE_GEN",
@@ -87,6 +88,9 @@ uint32_t plugin_feature_hash(plugin_feature_t *feature)
 		case FEATURE_PRF:
 			data = chunk_from_thing(feature->arg.prf);
 			break;
+		case FEATURE_XOF:
+			data = chunk_from_thing(feature->arg.xof);
+			break;
 		case FEATURE_DH:
 			data = chunk_from_thing(feature->arg.dh_group);
 			break;
@@ -160,6 +164,8 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 				return a->arg.hasher == b->arg.hasher;
 			case FEATURE_PRF:
 				return a->arg.prf == b->arg.prf;
+			case FEATURE_XOF:
+				return a->arg.xof == b->arg.xof;
 			case FEATURE_DH:
 				return a->arg.dh_group == b->arg.dh_group;
 			case FEATURE_RNG:
@@ -218,6 +224,7 @@ bool plugin_feature_equals(plugin_feature_t *a, plugin_feature_t *b)
 			case FEATURE_SIGNER:
 			case FEATURE_HASHER:
 			case FEATURE_PRF:
+			case FEATURE_XOF:
 			case FEATURE_DH:
 			case FEATURE_NONCE_GEN:
 			case FEATURE_RESOLVER:
@@ -305,6 +312,13 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_XOF:
+			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+					ext_out_function_names, feature->arg.xof) > 0)
+			{
+				return str;
+			}
+			break;
 		case FEATURE_DH:
 			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
 					diffie_hellman_group_names, feature->arg.dh_group) > 0)
@@ -465,6 +479,10 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 			lib->crypto->add_prf(lib->crypto, feature->arg.prf,
 								name, reg->arg.reg.f);
 			break;
+		case FEATURE_XOF:
+			lib->crypto->add_xof(lib->crypto, feature->arg.xof,
+								name, reg->arg.reg.f);
+			break;
 		case FEATURE_DH:
 			lib->crypto->add_dh(lib->crypto, feature->arg.dh_group,
 								name, reg->arg.reg.f);
@@ -552,6 +570,9 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
 		case FEATURE_PRF:
 			lib->crypto->remove_prf(lib->crypto, reg->arg.reg.f);
 			break;
+		case FEATURE_XOF:
+			lib->crypto->remove_xof(lib->crypto, reg->arg.reg.f);
+			break;
 		case FEATURE_DH:
 			lib->crypto->remove_dh(lib->crypto, reg->arg.reg.f);
 			break;
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index ee7808a..8cc6277 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -110,6 +110,8 @@ struct plugin_feature_t {
 		FEATURE_HASHER,
 		/** prf_t */
 		FEATURE_PRF,
+		/** xof_t */
+		FEATURE_XOF,
 		/** diffie_hellman_t */
 		FEATURE_DH,
 		/** rng_t */
@@ -171,6 +173,8 @@ struct plugin_feature_t {
 		integrity_algorithm_t signer;
 		/** FEATURE_PRF */
 		pseudo_random_function_t prf;
+		/** FEATURE_XOFF */
+		ext_out_function_t xof;
 		/** FEATURE_HASHER */
 		hash_algorithm_t hasher;
 		/** FEATURE_DH */
@@ -278,6 +282,7 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_SIGNER(kind, alg)					__PLUGIN_FEATURE(kind, SIGNER, .signer = alg)
 #define _PLUGIN_FEATURE_HASHER(kind, alg)					__PLUGIN_FEATURE(kind, HASHER, .hasher = alg)
 #define _PLUGIN_FEATURE_PRF(kind, alg)						__PLUGIN_FEATURE(kind, PRF, .prf = alg)
+#define _PLUGIN_FEATURE_XOF(kind, alg)						__PLUGIN_FEATURE(kind, XOF, .xof = alg)
 #define _PLUGIN_FEATURE_DH(kind, group)						__PLUGIN_FEATURE(kind, DH, .dh_group = group)
 #define _PLUGIN_FEATURE_RNG(kind, quality)					__PLUGIN_FEATURE(kind, RNG, .rng_quality = quality)
 #define _PLUGIN_FEATURE_NONCE_GEN(kind, ...)				__PLUGIN_FEATURE(kind, NONCE_GEN, .custom = NULL)
@@ -310,6 +315,7 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_REGISTER_SIGNER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_HASHER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_PRF(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+#define _PLUGIN_FEATURE_REGISTER_XOF(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_DH(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_RNG(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_NONCE_GEN(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index c5decc3..40fd626 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index b78e627..edd8eda 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index 51f6a17..0fd1ad9 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index ff853b6..88bc0af 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index e6ce519..4ec73ef 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index fdcb990..f2e3cdd 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -404,6 +404,26 @@ static bool verify_crl(certificate_t *crl)
 }
 
 /**
+ * Report the given CRL's validity and cache it if valid and requested
+ */
+static bool is_crl_valid(certificate_t *crl, bool cache)
+{
+	time_t valid_until;
+
+	if (crl->get_validity(crl, NULL, NULL, &valid_until))
+	{
+		DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
+		if (cache)
+		{
+			lib->credmgr->cache_cert(lib->credmgr, crl);
+		}
+		return TRUE;
+	}
+	DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
+	return FALSE;
+}
+
+/**
  * Get the better of two CRLs, and check for usable CRL info
  */
 static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
@@ -411,7 +431,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 					bool cache, crl_t *base)
 {
 	enumerator_t *enumerator;
-	time_t revocation, valid_until;
+	time_t revocation;
 	crl_reason_t reason;
 	chunk_t serial;
 	crl_t *crl = (crl_t*)cand;
@@ -447,8 +467,6 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 	{
 		if (chunk_equals(serial, subject->get_serial(subject)))
 		{
-			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 &revocation, TRUE, crl_reason_names, reason);
 			if (reason != CRL_REASON_CERTIFICATE_HOLD)
 			{
 				*valid = VALIDATION_REVOKED;
@@ -458,6 +476,9 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 				/* if the cert is on hold, a newer CRL might not contain it */
 				*valid = VALIDATION_ON_HOLD;
 			}
+			is_crl_valid(cand, cache);
+			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+				 &revocation, TRUE, crl_reason_names, reason);
 			enumerator->destroy(enumerator);
 			DESTROY_IF(best);
 			return cand;
@@ -470,18 +491,12 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 	{
 		DESTROY_IF(best);
 		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
+		if (is_crl_valid(best, cache))
 		{
-			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
 			*valid = VALIDATION_GOOD;
-			if (cache)
-			{	/* we cache non-stale crls only, as a stale crls are refetched */
-				lib->credmgr->cache_cert(lib->credmgr, best);
-			}
 		}
 		else
 		{
-			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
 			*valid = VALIDATION_STALE;
 		}
 	}
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 14d3430..1933aa0 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index de34150..3fbb081 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/sha3/Makefile.am b/src/libstrongswan/plugins/sha3/Makefile.am
index 7ccf58c..a776b1d 100644
--- a/src/libstrongswan/plugins/sha3/Makefile.am
+++ b/src/libstrongswan/plugins/sha3/Makefile.am
@@ -11,6 +11,9 @@ plugin_LTLIBRARIES = libstrongswan-sha3.la
 endif
 
 libstrongswan_sha3_la_SOURCES = \
-	sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h
+	sha3_plugin.h sha3_plugin.c \
+	sha3_hasher.c sha3_hasher.h \
+	sha3_shake.h sha3_shake.c \
+	sha3_keccak.h sha3_keccak.c
 
 libstrongswan_sha3_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in
index 0d29fcb..9e237a9 100644
--- a/src/libstrongswan/plugins/sha3/Makefile.in
+++ b/src/libstrongswan/plugins/sha3/Makefile.in
@@ -137,7 +137,8 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha3_la_LIBADD =
-am_libstrongswan_sha3_la_OBJECTS = sha3_plugin.lo sha3_hasher.lo
+am_libstrongswan_sha3_la_OBJECTS = sha3_plugin.lo sha3_hasher.lo \
+	sha3_shake.lo sha3_keccak.lo
 libstrongswan_sha3_la_OBJECTS = $(am_libstrongswan_sha3_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
@@ -350,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -451,7 +451,10 @@ AM_CFLAGS = \
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-sha3.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-sha3.la
 libstrongswan_sha3_la_SOURCES = \
-	sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h
+	sha3_plugin.h sha3_plugin.c \
+	sha3_hasher.c sha3_hasher.h \
+	sha3_shake.h sha3_shake.c \
+	sha3_keccak.h sha3_keccak.c
 
 libstrongswan_sha3_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -544,7 +547,9 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/sha3_hasher.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/sha3_keccak.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/sha3_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/sha3_shake.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.c b/src/libstrongswan/plugins/sha3/sha3_hasher.c
index b34a025..0fbcbb8 100644
--- a/src/libstrongswan/plugins/sha3/sha3_hasher.c
+++ b/src/libstrongswan/plugins/sha3/sha3_hasher.c
@@ -1,53 +1,25 @@
 /*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
- * Based on the implementation by the Keccak, Keyak and Ketje Teams, namely,
- * Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and
- * Ronny Van Keer, hereby denoted as "the implementer".
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  *
- * To the extent possible under law, the implementer has waived all copyright
- * and related or neighboring rights to the source code in this file.
- * http://creativecommons.org/publicdomain/zero/1.0/
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
  */
 
 #include <string.h>
 
 #include "sha3_hasher.h"
+#include "sha3_keccak.h"
 
 typedef struct private_sha3_hasher_t private_sha3_hasher_t;
 
-#define KECCAK_STATE_SIZE	 200	/* bytes */
-#define KECCAK_MAX_RATE		 144	/* bytes */
-#define DELIMITED_SUFFIX	0x06
-
-static const uint64_t round_constants[] = {
-    0x0000000000000001ULL,
-    0x0000000000008082ULL,
-    0x800000000000808aULL,
-    0x8000000080008000ULL,
-    0x000000000000808bULL,
-    0x0000000080000001ULL,
-    0x8000000080008081ULL,
-    0x8000000000008009ULL,
-    0x000000000000008aULL,
-    0x0000000000000088ULL,
-    0x0000000080008009ULL,
-    0x000000008000000aULL,
-    0x000000008000808bULL,
-    0x800000000000008bULL,
-    0x8000000000008089ULL,
-    0x8000000000008003ULL,
-    0x8000000000008002ULL,
-    0x8000000000000080ULL,
-    0x000000000000800aULL,
-    0x800000008000000aULL,
-    0x8000000080008081ULL,
-    0x8000000000008080ULL,
-    0x0000000080000001ULL,
-    0x8000000080008008ULL
-};
-
 /**
  * Private data structure with hashing context for SHA-3
  */
@@ -64,309 +36,16 @@ struct private_sha3_hasher_t {
 	hash_algorithm_t algorithm;
 
 	/**
-	 * Internal state of 1600 bits as defined by FIPS-202
-	 */
-	uint8_t state[KECCAK_STATE_SIZE];
-
-	/**
-	 * Rate in bytes
+	 * SHA-3 Keccak state
 	 */
-	u_int rate;
-
-	/**
-	 * Rate input buffer
-	 */
-	uint8_t rate_buffer[KECCAK_MAX_RATE];
-
-	/**
-	 * Index pointing to the current position in the rate buffer
-	 */
-	u_int rate_index;
+	sha3_keccak_t *keccak;
 
 };
 
-#if BYTE_ORDER != LITTLE_ENDIAN
-/**
- * Function to load a 64-bit value using the little-endian (LE) convention.
- * On a LE platform, this could be greatly simplified using a cast.
- */
-static uint64_t load64(const uint8_t *x)
-{
-	int i;
-	uint64_t u = 0;
-
-	for (i = 7; i >= 0; --i)
-	{
-		u <<= 8;
-		u |= x[i];
-	}
-	return u;
-}
-
-/**
- * Function to store a 64-bit value using the little-endian (LE) convention.
- * On a LE platform, this could be greatly simplified using a cast.
- */
-static void store64(uint8_t *x, uint64_t u)
-{
-	u_int i;
-
-	for (i = 0; i < 8; ++i)
-	{
-		x[i] = u;
-		u >>= 8;
-	}
-}
-
-/**
- * Function to XOR into a 64-bit value using the little-endian (LE) convention.
- * On a LE platform, this could be greatly simplified using a cast.
- */
-static void xor64(uint8_t *x, uint64_t u)
-{
-	u_int i;
-
-	for (i = 0; i < 8; ++i)
-	{
-		x[i] ^= u;
-		u >>= 8;
-	}
-}
-#endif
-
-/**
- * Some macros used by the Keccak-f[1600] permutation.
- */
-#define ROL64(a, offset) ((((uint64_t)a) << offset) ^ (((uint64_t)a) >> (64-offset)))
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-    #define readLane(i)          (((uint64_t*)state)[i])
-    #define writeLane(i, lane)   (((uint64_t*)state)[i])  = (lane)
-    #define XORLane(i, lane)     (((uint64_t*)state)[i]) ^= (lane)
-#elif BYTE_ORDER == BIG_ENDIAN
-    #define readLane(i)          load64((uint8_t*)state+sizeof(uint64_t)*i))
-    #define writeLane(i, lane)   store64((uint8_t*)state+sizeof(uint64_t)*i, lane)
-    #define XORLane(i, lane)     xor64((uint8_t*)state+sizeof(uint64_t)*i, lane)
-#endif
-
-/**
- * Function that computes the Keccak-f[1600] permutation on the given state.
- */
-static void keccak_f1600_state_permute(void *state)
-{
-	int round;
-
-	for (round = 0; round < 24; round++)
-	{
-		{   /* θ step (see [Keccak Reference, Section 2.3.2]) */
-
-			uint64_t C[5], D;
-
-			/* Compute the parity of the columns */
-			C[0] = readLane(0) ^ readLane( 5) ^ readLane(10)
-							   ^ readLane(15) ^ readLane(20);
-			C[1] = readLane(1) ^ readLane( 6) ^ readLane(11)
-							   ^ readLane(16) ^ readLane(21);
-			C[2] = readLane(2) ^ readLane( 7) ^ readLane(12)
-							   ^ readLane(17) ^ readLane(22);
-			C[3] = readLane(3) ^ readLane( 8) ^ readLane(13)
-							   ^ readLane(18) ^ readLane(23);
-			C[4] = readLane(4) ^ readLane( 9) ^ readLane(14)
-							   ^ readLane(19) ^ readLane(24);
-
-			/* Compute and add the θ effect to the whole column */
-			D = C[4] ^ ROL64(C[1], 1);
-			XORLane( 0, D);
-			XORLane( 5, D);
-			XORLane(10, D);
-			XORLane(15, D);
-			XORLane(20, D);
-
-			D = C[0] ^ ROL64(C[2], 1);
-			XORLane( 1, D);
-			XORLane( 6, D);
-			XORLane(11, D);
-			XORLane(16, D);
-			XORLane(21, D);
-
-			D = C[1] ^ ROL64(C[3], 1);
-			XORLane( 2, D);
-			XORLane( 7, D);
-			XORLane(12, D);
-			XORLane(17, D);
-			XORLane(22, D);
-
-			D = C[2] ^ ROL64(C[4], 1);
-			XORLane( 3, D);
-			XORLane( 8, D);
-			XORLane(13, D);
-			XORLane(18, D);
-			XORLane(23, D);
-
-			D = C[3] ^ ROL64(C[0], 1);
-			XORLane( 4, D);
-			XORLane( 9, D);
-			XORLane(14, D);
-			XORLane(19, D);
-			XORLane(24, D);
-		}
-
-		{   /* ρ and π steps (see [Keccak Reference, Sections 2.3.3 and 2.3.4]) */
-
-			uint64_t t1, t2;
-
-			t1 = readLane( 1);
-
-			t2 = readLane(10);
-			writeLane(10, ROL64(t1,  1));
-
-			t1 = readLane( 7);
-			writeLane( 7, ROL64(t2,  3));
-
-			t2 = readLane(11);
-			writeLane(11, ROL64(t1,  6));
-
-			t1 = readLane(17);
-			writeLane(17, ROL64(t2, 10));
-
-			t2 = readLane(18);
-			writeLane(18, ROL64(t1, 15));
-
-			t1 = readLane( 3);
-			writeLane( 3, ROL64(t2, 21));
-
-			t2 = readLane( 5);
-			writeLane( 5, ROL64(t1, 28));
-
-			t1 = readLane(16);
-			writeLane(16, ROL64(t2, 36));
-
-			t2 = readLane( 8);
-			writeLane( 8, ROL64(t1, 45));
-
-			t1 = readLane(21);
-			writeLane(21, ROL64(t2, 55));
-
-			t2 = readLane(24);
-			writeLane(24, ROL64(t1,  2));
-
-			t1 = readLane( 4);
-			writeLane( 4, ROL64(t2, 14));
-
-			t2 = readLane(15);
-			writeLane(15, ROL64(t1, 27));
-
-			t1 = readLane(23);
-			writeLane(23, ROL64(t2, 41));
-
-			t2 = readLane(19);
-			writeLane(19, ROL64(t1, 56));
-
-			t1 = readLane(13);
-			writeLane(13, ROL64(t2,  8));
-
-			t2 = readLane(12);
-			writeLane(12, ROL64(t1, 25));
-
-			t1 = readLane( 2);
-			writeLane( 2, ROL64(t2, 43));
-
-			t2 = readLane(20);
-			writeLane(20, ROL64(t1, 62));
-
-			t1 = readLane(14);
-			writeLane(14, ROL64(t2, 18));
-
-			t2 = readLane(22);
-			writeLane(22, ROL64(t1, 39));
-
-			t1 = readLane( 9);
-			writeLane( 9, ROL64(t2, 61));
-
-			t2 = readLane( 6);
-			writeLane( 6, ROL64(t1, 20));
-
-			writeLane( 1, ROL64(t2, 44));
-		}
-
-		{   /* χ step (see [Keccak Reference, Section 2.3.1]) */
-
-			uint64_t t[5];
-
-			t[0] = readLane(0);
-			t[1] = readLane(1);
-			t[2] = readLane(2);
-			t[3] = readLane(3);
-			t[4] = readLane(4);
-
-			writeLane(0, t[0] ^ ((~t[1]) & t[2]));
-			writeLane(1, t[1] ^ ((~t[2]) & t[3]));
-			writeLane(2, t[2] ^ ((~t[3]) & t[4]));
-			writeLane(3, t[3] ^ ((~t[4]) & t[0]));
-			writeLane(4, t[4] ^ ((~t[0]) & t[1]));
-
-			t[0] = readLane(5);
-			t[1] = readLane(6);
-			t[2] = readLane(7);
-			t[3] = readLane(8);
-			t[4] = readLane(9);
-
-			writeLane(5, t[0] ^ ((~t[1]) & t[2]));
-			writeLane(6, t[1] ^ ((~t[2]) & t[3]));
-			writeLane(7, t[2] ^ ((~t[3]) & t[4]));
-			writeLane(8, t[3] ^ ((~t[4]) & t[0]));
-			writeLane(9, t[4] ^ ((~t[0]) & t[1]));
-
-			t[0] = readLane(10);
-			t[1] = readLane(11);
-			t[2] = readLane(12);
-			t[3] = readLane(13);
-			t[4] = readLane(14);
-
-			writeLane(10, t[0] ^ ((~t[1]) & t[2]));
-			writeLane(11, t[1] ^ ((~t[2]) & t[3]));
-			writeLane(12, t[2] ^ ((~t[3]) & t[4]));
-			writeLane(13, t[3] ^ ((~t[4]) & t[0]));
-			writeLane(14, t[4] ^ ((~t[0]) & t[1]));
-
-			t[0] = readLane(15);
-			t[1] = readLane(16);
-			t[2] = readLane(17);
-			t[3] = readLane(18);
-			t[4] = readLane(19);
-
-			writeLane(15, t[0] ^ ((~t[1]) & t[2]));
-			writeLane(16, t[1] ^ ((~t[2]) & t[3]));
-			writeLane(17, t[2] ^ ((~t[3]) & t[4]));
-			writeLane(18, t[3] ^ ((~t[4]) & t[0]));
-			writeLane(19, t[4] ^ ((~t[0]) & t[1]));
-
-			t[0] = readLane(20);
-			t[1] = readLane(21);
-			t[2] = readLane(22);
-			t[3] = readLane(23);
-			t[4] = readLane(24);
-
-			writeLane(20, t[0] ^ ((~t[1]) & t[2]));
-			writeLane(21, t[1] ^ ((~t[2]) & t[3]));
-			writeLane(22, t[2] ^ ((~t[3]) & t[4]));
-			writeLane(23, t[3] ^ ((~t[4]) & t[0]));
-			writeLane(24, t[4] ^ ((~t[0]) & t[1]));
-		}
-
-		{   /* ι step (see [Keccak Reference, Section 2.3.5]) */
-
-			XORLane(0, round_constants[round]);
-		}
-	}
-}
-
 METHOD(hasher_t, reset, bool,
 	private_sha3_hasher_t *this)
 {
-    memset(this->state, 0x00, KECCAK_STATE_SIZE);
-	this->rate_index = 0;
-
+	this->keccak->reset(this->keccak);
 	return TRUE;
 }
 
@@ -388,79 +67,17 @@ METHOD(hasher_t, get_hash_size, size_t,
 	}
 }
 
-static void sha3_absorb(private_sha3_hasher_t *this, chunk_t data)
-{
-	uint64_t *buffer_lanes, *state_lanes;
-	size_t len, rate_lanes;
-	int i;
-
-	buffer_lanes = (uint64_t*)this->rate_buffer;
-	state_lanes  = (uint64_t*)this->state;
-	rate_lanes = this->rate / sizeof(uint64_t);
-
-	while (data.len)
-	{
-		len = min(data.len, this->rate - this->rate_index);
-		memcpy(this->rate_buffer + this->rate_index, data.ptr, len);
-		this->rate_index += len;
-		data.ptr += len;
-		data.len -= len;
-
-		if (this->rate_index == this->rate)
-		{
-			for (i = 0; i < rate_lanes; i++)
-			{
-				state_lanes[i] ^= buffer_lanes[i];
-			}
-			this->rate_index = 0;
-
-			keccak_f1600_state_permute(this->state);
-		}
-	}
-}
-
-static void sha3_final(private_sha3_hasher_t *this)
-{
-	uint64_t *buffer_lanes, *state_lanes;
-	size_t rate_lanes, remainder;
-	int i;
-
-	/* Add the delimitedSuffix as the first bit of padding */
-	this->rate_buffer[this->rate_index++] = DELIMITED_SUFFIX;
-
-	buffer_lanes = (uint64_t*)this->rate_buffer;
-	state_lanes  = (uint64_t*)this->state;
-	rate_lanes = this->rate_index / sizeof(uint64_t);
-
-	remainder = this->rate_index - rate_lanes * sizeof(uint64_t);
-	if (remainder)
-	{
-		memset(this->rate_buffer + this->rate_index, 0x00,
-			   sizeof(uint64_t) - remainder);
-		rate_lanes++;
-	}
-	for (i = 0; i < rate_lanes; i++)
-	{
-		state_lanes[i] ^= buffer_lanes[i];
-	}
-
-	/* Add the second bit of padding */
-	this->state[this->rate - 1] ^= 0x80;
-
-	/* Switch to the squeezing phase */
-	keccak_f1600_state_permute(this->state);
-}
 
 METHOD(hasher_t, get_hash, bool,
 	private_sha3_hasher_t *this, chunk_t chunk, uint8_t *buffer)
 {
-	sha3_absorb(this, chunk);
+	this->keccak->absorb(this->keccak, chunk);
 
 	if (buffer != NULL)
 	{
-		sha3_final(this);
-		memcpy(buffer, this->state, get_hash_size(this));
-		reset(this);
+		this->keccak->finalize(this->keccak);
+		this->keccak->squeeze(this->keccak, get_hash_size(this), buffer);
+		this->keccak->reset(this->keccak);
 	}
 	return TRUE;
 }
@@ -470,22 +87,24 @@ METHOD(hasher_t, allocate_hash, bool,
 {
 	chunk_t allocated_hash;
 
-	sha3_absorb(this, chunk);
+	this->keccak->absorb(this->keccak, chunk);
 
 	if (hash != NULL)
 	{
-		sha3_final(this);
+		this->keccak->finalize(this->keccak);
 		allocated_hash = chunk_alloc(get_hash_size(this));
-		memcpy(allocated_hash.ptr, this->state, allocated_hash.len);
-		reset(this);
+		this->keccak->squeeze(this->keccak, allocated_hash.len,
+											allocated_hash.ptr);
+		this->keccak->reset(this->keccak);
 		*hash = allocated_hash;
 	}
 	return TRUE;
 }
 
 METHOD(hasher_t, destroy, void,
-	sha3_hasher_t *this)
+	private_sha3_hasher_t *this)
 {
+	this->keccak->destroy(this->keccak);
 	free(this);
 }
 
@@ -510,18 +129,22 @@ sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm)
 	INIT(this,
 		.public = {
 			.hasher_interface = {
-			.reset = _reset,
-			.get_hash_size = _get_hash_size,
-			.get_hash = _get_hash,
-			.allocate_hash = _allocate_hash,
-			.destroy = _destroy,
+				.reset = _reset,
+				.get_hash_size = _get_hash_size,
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.destroy = _destroy,
 			},
 		},
 		.algorithm = algorithm,
 	);
 
-	this->rate = KECCAK_STATE_SIZE - 2*get_hash_size(this);
-	reset(this);
+	this->keccak = sha3_keccak_create(2*get_hash_size(this), 0x06);
+	if (!this->keccak)
+	{
+		free(this);
+		return NULL;
+	}
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.c b/src/libstrongswan/plugins/sha3/sha3_keccak.c
similarity index 82%
copy from src/libstrongswan/plugins/sha3/sha3_hasher.c
copy to src/libstrongswan/plugins/sha3/sha3_keccak.c
index b34a025..1be1db1 100644
--- a/src/libstrongswan/plugins/sha3/sha3_hasher.c
+++ b/src/libstrongswan/plugins/sha3/sha3_keccak.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Based on the implementation by the Keccak, Keyak and Ketje Teams, namely,
@@ -13,13 +13,12 @@
 
 #include <string.h>
 
-#include "sha3_hasher.h"
+#include "sha3_keccak.h"
 
-typedef struct private_sha3_hasher_t private_sha3_hasher_t;
+typedef struct private_sha3_keccak_t private_sha3_keccak_t;
 
 #define KECCAK_STATE_SIZE	 200	/* bytes */
-#define KECCAK_MAX_RATE		 144	/* bytes */
-#define DELIMITED_SUFFIX	0x06
+#define KECCAK_MAX_RATE		 168	/* bytes */
 
 static const uint64_t round_constants[] = {
     0x0000000000000001ULL,
@@ -51,17 +50,12 @@ static const uint64_t round_constants[] = {
 /**
  * Private data structure with hashing context for SHA-3
  */
-struct private_sha3_hasher_t {
+struct private_sha3_keccak_t {
 
 	/**
 	 * Public interface for this hasher.
 	 */
-	sha3_hasher_t public;
-
-	/**
-	 * SHA-3 algorithm to be used
-	 */
-	hash_algorithm_t algorithm;
+	sha3_keccak_t public;
 
 	/**
 	 * Internal state of 1600 bits as defined by FIPS-202
@@ -83,6 +77,11 @@ struct private_sha3_hasher_t {
 	 */
 	u_int rate_index;
 
+	/**
+	 * Suffix delimiting the input message
+	 */
+	uint8_t delimited_suffix;
+
 };
 
 #if BYTE_ORDER != LITTLE_ENDIAN
@@ -361,34 +360,22 @@ static void keccak_f1600_state_permute(void *state)
 	}
 }
 
-METHOD(hasher_t, reset, bool,
-	private_sha3_hasher_t *this)
+METHOD(sha3_keccak_t, get_rate, u_int,
+	private_sha3_keccak_t *this)
 {
-    memset(this->state, 0x00, KECCAK_STATE_SIZE);
-	this->rate_index = 0;
-
-	return TRUE;
+	return this->rate;
 }
 
-METHOD(hasher_t, get_hash_size, size_t,
-	private_sha3_hasher_t *this)
+METHOD(sha3_keccak_t, reset, void,
+	private_sha3_keccak_t *this)
 {
-	switch (this->algorithm)
-	{
-		case HASH_SHA3_224:
-			return HASH_SIZE_SHA224;
-		case HASH_SHA3_256:
-			return HASH_SIZE_SHA256;
-		case HASH_SHA3_384:
-			return HASH_SIZE_SHA384;
-		case HASH_SHA3_512:
-			return HASH_SIZE_SHA512;
-		default:
-			return 0;
-	}
+    memset(this->state, 0x00, KECCAK_STATE_SIZE);
+	this->rate_index = 0;
 }
 
-static void sha3_absorb(private_sha3_hasher_t *this, chunk_t data)
+
+METHOD(sha3_keccak_t, absorb, void,
+	private_sha3_keccak_t *this, chunk_t data)
 {
 	uint64_t *buffer_lanes, *state_lanes;
 	size_t len, rate_lanes;
@@ -419,14 +406,15 @@ static void sha3_absorb(private_sha3_hasher_t *this, chunk_t data)
 	}
 }
 
-static void sha3_final(private_sha3_hasher_t *this)
+METHOD(sha3_keccak_t, finalize, void,
+	private_sha3_keccak_t *this)
 {
 	uint64_t *buffer_lanes, *state_lanes;
 	size_t rate_lanes, remainder;
 	int i;
 
 	/* Add the delimitedSuffix as the first bit of padding */
-	this->rate_buffer[this->rate_index++] = DELIMITED_SUFFIX;
+	this->rate_buffer[this->rate_index++] = this->delimited_suffix;
 
 	buffer_lanes = (uint64_t*)this->rate_buffer;
 	state_lanes  = (uint64_t*)this->state;
@@ -449,42 +437,31 @@ static void sha3_final(private_sha3_hasher_t *this)
 
 	/* Switch to the squeezing phase */
 	keccak_f1600_state_permute(this->state);
+	this->rate_index = 0;
 }
 
-METHOD(hasher_t, get_hash, bool,
-	private_sha3_hasher_t *this, chunk_t chunk, uint8_t *buffer)
-{
-	sha3_absorb(this, chunk);
-
-	if (buffer != NULL)
-	{
-		sha3_final(this);
-		memcpy(buffer, this->state, get_hash_size(this));
-		reset(this);
-	}
-	return TRUE;
-}
-
-METHOD(hasher_t, allocate_hash, bool,
-	private_sha3_hasher_t *this, chunk_t chunk, chunk_t *hash)
+METHOD(sha3_keccak_t, squeeze, void,
+	private_sha3_keccak_t *this, size_t out_len, uint8_t *out)
 {
-	chunk_t allocated_hash;
+	size_t index = 0, len;
 
-	sha3_absorb(this, chunk);
-
-	if (hash != NULL)
+	while (index < out_len)
 	{
-		sha3_final(this);
-		allocated_hash = chunk_alloc(get_hash_size(this));
-		memcpy(allocated_hash.ptr, this->state, allocated_hash.len);
-		reset(this);
-		*hash = allocated_hash;
+		if (this->rate_index == this->rate)
+		{
+			keccak_f1600_state_permute(this->state);
+			this->rate_index = 0;
+		}
+		len = min(out_len - index, this->rate - this->rate_index);
+		memcpy(out, &this->state[this->rate_index], len);
+		out += len;
+		index += len;
+		this->rate_index += len;
 	}
-	return TRUE;
 }
 
-METHOD(hasher_t, destroy, void,
-	sha3_hasher_t *this)
+METHOD(sha3_keccak_t, destroy, void,
+	private_sha3_keccak_t *this)
 {
 	free(this);
 }
@@ -492,36 +469,30 @@ METHOD(hasher_t, destroy, void,
 /*
  * Described in header.
  */
-sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm)
+sha3_keccak_t *sha3_keccak_create(u_int capacity, uint8_t delimited_suffix)
 {
-	private_sha3_hasher_t *this;
+	private_sha3_keccak_t *this;
+	int rate;
+
+	rate = KECCAK_STATE_SIZE - capacity;
 
-	switch (algorithm)
+	if (rate <= 0 || rate > KECCAK_MAX_RATE)
 	{
-		case HASH_SHA3_224:
-		case HASH_SHA3_256:
-		case HASH_SHA3_384:
-		case HASH_SHA3_512:
-			break;
-		default:
-			return NULL;
+		return NULL;
 	}
 
 	INIT(this,
 		.public = {
-			.hasher_interface = {
+			.get_rate = _get_rate,
 			.reset = _reset,
-			.get_hash_size = _get_hash_size,
-			.get_hash = _get_hash,
-			.allocate_hash = _allocate_hash,
+			.absorb = _absorb,
+			.finalize = _finalize,
+			.squeeze = _squeeze,
 			.destroy = _destroy,
-			},
 		},
-		.algorithm = algorithm,
+		.rate = rate,
+		.delimited_suffix = delimited_suffix,
 	);
 
-	this->rate = KECCAK_STATE_SIZE - 2*get_hash_size(this);
-	reset(this);
-
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/sha3/sha3_keccak.h b/src/libstrongswan/plugins/sha3/sha3_keccak.h
new file mode 100644
index 0000000..eeea9d7
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_keccak.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+n */
+
+/**
+ * @defgroup sha3_keccak sha3_keccak
+ * @{ @ingroup sha3_p
+ */
+
+#ifndef SHA3_KECCAK_H_
+#define SHA3_KECCAK_H_
+
+typedef struct sha3_keccak_t sha3_keccak_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implements the Keccak-f[1600] sponge function as defined by FIPS-202.
+ */
+struct sha3_keccak_t {
+
+	/**
+	 * Get the available rate in bytes
+	 *
+	 * @return			rate in bytes
+	 */
+	u_int (*get_rate)(sha3_keccak_t *this);
+
+	/**
+	 * Resets the internal Keccak state
+	 */
+	void (*reset)(sha3_keccak_t *this);
+
+	/**
+	 * Absorbs data into the Keccak state
+	 *
+	 * @param data		data to be absorbed
+	 */
+	void (*absorb)(sha3_keccak_t *this, chunk_t data);
+
+	/**
+	 * Finalize the absorption phase and switch to the squeeze phase
+	 */
+	void (*finalize)(sha3_keccak_t *this);
+
+	/**
+	 * Squeeze the Keccak state to get output data
+	 * Can be called multiple times
+	 *
+	 * @param out_len	number of output bytes requested
+	 * @param out		output buffer, must comprise at least out_len bytes
+	 */
+	void (*squeeze)(sha3_keccak_t *this, size_t out_len, uint8_t *out);
+
+	/**
+	 * Destroy the sha3_keccak_t object
+	 */
+	void (*destroy)(sha3_keccak_t *this);
+
+};
+
+/**
+ * Creates a new sha3_keccak_t.
+ *
+ * @param	capacity		required capacity to achieve a given security level
+ * @param delimited_suffix	bits delimiting the input message
+ * @return					sha3_keccak_t object, NULL if capacity too big
+ */
+sha3_keccak_t *sha3_keccak_create(u_int capacity, uint8_t delimited_suffix);
+
+#endif /** SHA3_KECCAK_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.c b/src/libstrongswan/plugins/sha3/sha3_plugin.c
index 28068f3..8268e67 100644
--- a/src/libstrongswan/plugins/sha3/sha3_plugin.c
+++ b/src/libstrongswan/plugins/sha3/sha3_plugin.c
@@ -14,9 +14,10 @@
  */
 
 #include "sha3_plugin.h"
+#include "sha3_hasher.h"
+#include "sha3_shake.h"
 
 #include <library.h>
-#include "sha3_hasher.h"
 
 typedef struct private_sha3_plugin_t private_sha3_plugin_t;
 
@@ -46,6 +47,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
 			PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
 			PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
+		PLUGIN_REGISTER(XOF, sha3_shake_create),
+			PLUGIN_PROVIDE(XOF, XOF_SHAKE_128),
+			PLUGIN_PROVIDE(XOF, XOF_SHAKE_256),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/sha3/sha3_shake.c b/src/libstrongswan/plugins/sha3/sha3_shake.c
new file mode 100644
index 0000000..0f1af39
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_shake.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sha3_shake.h"
+#include "sha3_keccak.h"
+
+typedef struct private_sha3_shake_t private_sha3_shake_t;
+
+
+/**
+ * Private data structure with hashing context for SHA-3
+ */
+struct private_sha3_shake_t {
+
+	/**
+	 * Public interface for this hasher.
+	 */
+	sha3_shake_t public;
+
+	/**
+	 * XOF algorithm to be used (XOF_SHAKE_128 or XOF_SHAKE_256)
+	 */
+	ext_out_function_t algorithm;
+
+	/**
+	 * SHA-3 Keccak state
+	 */
+	sha3_keccak_t *keccak;
+
+	/**
+	 * Capacity in bytes of the SHA-3 Keccak state
+	 */
+	u_int capacity;
+
+};
+
+METHOD(xof_t, get_type, ext_out_function_t,
+	private_sha3_shake_t *this)
+{
+	return this->algorithm;
+}
+
+METHOD(xof_t, get_bytes, bool,
+	private_sha3_shake_t *this, size_t out_len, uint8_t *buffer)
+{
+	this->keccak->squeeze(this->keccak, out_len, buffer);
+	return TRUE;
+}
+
+METHOD(xof_t, allocate_bytes, bool,
+	private_sha3_shake_t *this, size_t out_len, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(out_len);
+	this->keccak->squeeze(this->keccak, out_len, chunk->ptr);
+	return TRUE;
+}
+
+METHOD(xof_t, get_block_size, size_t,
+	private_sha3_shake_t *this)
+{
+	return this->keccak->get_rate(this->keccak);
+}
+
+METHOD(xof_t, get_seed_size, size_t,
+	private_sha3_shake_t *this)
+{
+	return this->capacity;
+}
+
+METHOD(xof_t, set_seed, bool,
+	private_sha3_shake_t *this, chunk_t seed)
+{
+	this->keccak->reset(this->keccak);
+	this->keccak->absorb(this->keccak, seed);
+	this->keccak->finalize(this->keccak);
+	return TRUE;
+}
+
+
+METHOD(xof_t, destroy, void,
+	private_sha3_shake_t *this)
+{
+	this->keccak->destroy(this->keccak);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sha3_shake_t* sha3_shake_create(ext_out_function_t algorithm)
+{
+	private_sha3_shake_t *this;
+	u_int capacity = 0;
+
+	switch (algorithm)
+	{
+		case XOF_SHAKE_128:
+			capacity = 32;
+			break;
+		case XOF_SHAKE_256:
+			capacity = 64;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.xof_interface = {
+				.get_type = _get_type,
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_seed_size = _get_seed_size,
+				.set_seed = _set_seed,
+				.destroy = _destroy,
+			},
+		},
+		.algorithm = algorithm,
+		.capacity = capacity,
+	);
+
+	this->keccak = sha3_keccak_create(capacity, 0x1f);
+	if (!this->keccak)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/sha3/sha3_shake.h b/src/libstrongswan/plugins/sha3/sha3_shake.h
new file mode 100644
index 0000000..a8643ed
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_shake.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha3_shake sha3_shake
+ * @{ @ingroup sha3_p
+ */
+
+#ifndef SHA3_SHAKE_H_
+#define SHA3_SHAKE_H_
+
+typedef struct sha3_shake_t sha3_shake_t;
+
+#include <crypto/xofs/xof.h>
+
+/**
+ * Implementation of xof_t interface using the SHA-3 XOF algorithm family
+ * SHAKE128 and SHAKE256 as defined by FIPS-202.
+ */
+struct sha3_shake_t {
+
+	/**
+	 * Generic xof_t interface for this Extended Output Function (XOF).
+	 */
+	xof_t xof_interface;
+};
+
+/**
+ * Creates a new sha3_shake_t.
+ *
+ * @param	algorithm	XOF_SHAKE_128 or XOF_SHAKE_256
+ * @return				sha3_shake_t object, NULL if not supported
+ */
+sha3_shake_t* sha3_shake_create(ext_out_function_t algorithm);
+
+#endif /** SHA3_SHAKE_H_ @}*/
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 6563f83..97ab307 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -351,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -385,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -440,6 +437,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 268730e..4551ff7 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index d50b295..47e2234 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index ab540e7..c29b6fd 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -20,6 +20,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/aes_ccm.c \
 	test_vectors/aes_gcm.c \
 	test_vectors/chacha20poly1305.c \
+	test_vectors/chacha20_xof.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
 	test_vectors/camellia_ctr.c \
@@ -41,6 +42,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha2.c \
 	test_vectors/sha2_hmac.c \
 	test_vectors/sha3.c \
+	test_vectors/sha3_shake.c \
 	test_vectors/fips_prf.c \
 	test_vectors/modp.c \
 	test_vectors/modpsub.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 6721909..56ae8dc 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -143,18 +143,19 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	test_vectors/aes_ctr.lo test_vectors/aes_xcbc.lo \
 	test_vectors/aes_cmac.lo test_vectors/aes_ccm.lo \
 	test_vectors/aes_gcm.lo test_vectors/chacha20poly1305.lo \
-	test_vectors/blowfish.lo test_vectors/camellia_cbc.lo \
-	test_vectors/camellia_ctr.lo test_vectors/camellia_xcbc.lo \
-	test_vectors/cast.lo test_vectors/des.lo test_vectors/idea.lo \
-	test_vectors/null.lo test_vectors/rc2.lo test_vectors/rc5.lo \
+	test_vectors/chacha20_xof.lo test_vectors/blowfish.lo \
+	test_vectors/camellia_cbc.lo test_vectors/camellia_ctr.lo \
+	test_vectors/camellia_xcbc.lo test_vectors/cast.lo \
+	test_vectors/des.lo test_vectors/idea.lo test_vectors/null.lo \
+	test_vectors/rc2.lo test_vectors/rc5.lo \
 	test_vectors/serpent_cbc.lo test_vectors/twofish_cbc.lo \
 	test_vectors/md2.lo test_vectors/md4.lo test_vectors/md5.lo \
 	test_vectors/md5_hmac.lo test_vectors/sha1.lo \
 	test_vectors/sha1_hmac.lo test_vectors/sha2.lo \
 	test_vectors/sha2_hmac.lo test_vectors/sha3.lo \
-	test_vectors/fips_prf.lo test_vectors/modp.lo \
-	test_vectors/modpsub.lo test_vectors/ecp.lo \
-	test_vectors/ecpbp.lo test_vectors/rng.lo
+	test_vectors/sha3_shake.lo test_vectors/fips_prf.lo \
+	test_vectors/modp.lo test_vectors/modpsub.lo \
+	test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
@@ -369,7 +370,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -403,8 +403,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -458,6 +456,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -479,6 +479,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/aes_ccm.c \
 	test_vectors/aes_gcm.c \
 	test_vectors/chacha20poly1305.c \
+	test_vectors/chacha20_xof.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
 	test_vectors/camellia_ctr.c \
@@ -500,6 +501,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha2.c \
 	test_vectors/sha2_hmac.c \
 	test_vectors/sha3.c \
+	test_vectors/sha3_shake.c \
 	test_vectors/fips_prf.c \
 	test_vectors/modp.c \
 	test_vectors/modpsub.c \
@@ -609,6 +611,8 @@ test_vectors/aes_gcm.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/chacha20poly1305.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
+test_vectors/chacha20_xof.lo: test_vectors/$(am__dirstamp) \
+	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/blowfish.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/camellia_cbc.lo: test_vectors/$(am__dirstamp) \
@@ -651,6 +655,8 @@ test_vectors/sha2_hmac.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/sha3.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
+test_vectors/sha3_shake.lo: test_vectors/$(am__dirstamp) \
+	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/fips_prf.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/modp.lo: test_vectors/$(am__dirstamp) \
@@ -688,6 +694,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/camellia_ctr.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/camellia_xcbc.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/cast.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/chacha20_xof.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/chacha20poly1305.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/des.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/ecp.Plo at am__quote@
@@ -710,6 +717,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha2.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha2_hmac.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha3.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha3_shake.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/twofish_cbc.Plo at am__quote@
 
 .c.o:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 3ff211d..43633e3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -258,6 +258,21 @@ TEST_VECTOR_PRF(sha512_hmac_p5)
 TEST_VECTOR_PRF(sha512_hmac_p6)
 TEST_VECTOR_PRF(fips_prf_1)
 
+TEST_VECTOR_XOF(shake_128_0)
+TEST_VECTOR_XOF(shake_128_32)
+TEST_VECTOR_XOF(shake_128_167)
+TEST_VECTOR_XOF(shake_128_168)
+TEST_VECTOR_XOF(shake_128_255)
+TEST_VECTOR_XOF(shake_256_0)
+TEST_VECTOR_XOF(shake_256_64)
+TEST_VECTOR_XOF(shake_256_135)
+TEST_VECTOR_XOF(shake_256_136)
+TEST_VECTOR_XOF(shake_256_255)
+TEST_VECTOR_XOF(chacha20_xof_1)
+TEST_VECTOR_XOF(chacha20_xof_2)
+TEST_VECTOR_XOF(chacha20_xof_3)
+TEST_VECTOR_XOF(chacha20_xof_4)
+
 TEST_VECTOR_RNG(rng_monobit_1)
 TEST_VECTOR_RNG(rng_monobit_2)
 TEST_VECTOR_RNG(rng_monobit_3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20_xof.c b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20_xof.c
new file mode 100644
index 0000000..2c602c6
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20_xof.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * ChaCha20 Stream Test Vector from RFC 7539, Section 2.3.2 
+ */
+xof_test_vector_t chacha20_xof_1 = {
+	.alg = XOF_CHACHA20, .len = 44,
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x00\x00\x00\x09\x00\x00\x00\x4a\x00\x00\x00\x00",
+	.out_len = 64,
+	.out	= "\x10\xf1\xe7\xe4\xd1\x3b\x59\x15\x50\x0f\xdd\x1f\xa3\x20\x71\xc4"
+			  "\xc7\xd1\xf4\xc7\x33\xc0\x68\x03\x04\x22\xaa\x9a\xc3\xd4\x6c\x4e"
+			  "\xd2\x82\x64\x46\x07\x9f\xaa\x09\x14\xc2\xd7\x05\xd9\x8b\x02\xa2"
+			  "\xb5\x12\x9c\xd1\xde\x16\x4e\xb9\xcb\xd0\x83\xe8\xa2\x50\x3c\x4e"
+};
+
+/**
+ * ChaCha20 Stream Test Vector from RFC 7539, Section 2.4.2 
+ */
+xof_test_vector_t chacha20_xof_2 = {
+	.alg = XOF_CHACHA20, .len = 44,
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x00",
+	.out_len = 114,
+	.out	= "\x22\x4f\x51\xf3\x40\x1b\xd9\xe1\x2f\xde\x27\x6f\xb8\x63\x1d\xed"
+			  "\x8c\x13\x1f\x82\x3d\x2c\x06\xe2\x7e\x4f\xca\xec\x9e\xf3\xcf\x78"
+			  "\x8a\x3b\x0a\xa3\x72\x60\x0a\x92\xb5\x79\x74\xcd\xed\x2b\x93\x34"
+			  "\x79\x4c\xba\x40\xc6\x3e\x34\xcd\xea\x21\x2c\x4c\xf0\x7d\x41\xb7"
+			  "\x69\xa6\x74\x9f\x3f\x63\x0f\x41\x22\xca\xfe\x28\xec\x4d\xc4\x7e"
+			  "\x26\xd4\x34\x6d\x70\xb9\x8c\x73\xf3\xe9\xc5\x3a\xc4\x0c\x59\x45"
+			  "\x39\x8b\x6e\xda\x1a\x83\x2c\x89\xc1\x67\xea\xcd\x90\x1d\x7e\x2b"
+			  "\xf3\x63"
+};
+
+/**
+ * ChaCha20 Stream Test Vector #2 from RFC 7539, Section A1. 
+ */
+xof_test_vector_t chacha20_xof_3 = {
+	.alg = XOF_CHACHA20, .len = 44,
+	.seed	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.out_len = 64,
+	.out	= "\x9f\x07\xe7\xbe\x55\x51\x38\x7a\x98\xba\x97\x7c\x73\x2d\x08\x0d"
+			  "\xcb\x0f\x29\xa0\x48\xe3\x65\x69\x12\xc6\x53\x3e\x32\xee\x7a\xed"
+			  "\x29\xb7\x21\x76\x9c\xe6\x4e\x43\xd5\x71\x33\xb0\x74\xd8\x39\xd5"
+			  "\x31\xed\x1f\x28\x51\x0a\xfb\x45\xac\xe1\x0a\x1f\x4b\x79\x4d\x6f"
+};
+
+/**
+ * ChaCha20 Stream Test Vector #3 from RFC 7539, Section A1. 
+ */
+xof_test_vector_t chacha20_xof_4 = {
+	.alg = XOF_CHACHA20, .len = 44,
+	.seed	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.out_len = 64,
+	.out	= "\x3a\xeb\x52\x24\xec\xf8\x49\x92\x9b\x9d\x82\x8d\xb1\xce\xd4\xdd"
+			  "\x83\x20\x25\xe8\x01\x8b\x81\x60\xb8\x22\x84\xf3\xc9\x49\xaa\x5a"
+			  "\x8e\xca\x00\xbb\xb4\xa7\x3b\xda\xd1\x92\xb5\xc4\x2f\x73\xf2\xfd"
+			  "\x4e\x27\x36\x44\xc8\xb3\x61\x25\xa6\x4a\xdd\xeb\x00\x6c\x13\xa0"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c
index e659f66..d8212f8 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c
@@ -23,7 +23,6 @@ hasher_test_vector_t sha3_224_0 = {
 	.data	= "",
 	.hash	= "\x6B\x4E\x03\x42\x36\x67\xDB\xB7\x3B\x6E\x15\x45\x4F\x0E\xB1\xAB"
 			  "\xD4\x59\x7F\x9A\x1B\x07\x8E\x3F\x5B\x5A\x6B\xC7"
-
 };
 
 hasher_test_vector_t sha3_224_1 = {
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha3_shake.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3_shake.c
new file mode 100644
index 0000000..0150d0a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3_shake.c
@@ -0,0 +1,472 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * SHAKE-128 vectors from "https://github.com/gvanas/KeccakCodePackage/"
+ */
+xof_test_vector_t shake_128_0 = {
+	.alg = XOF_SHAKE_128, .len = 0,
+	.seed	= "",
+	.out_len = 512,
+	.out	= "\x7F\x9C\x2B\xA4\xE8\x8F\x82\x7D\x61\x60\x45\x50\x76\x05\x85\x3E"
+			  "\xD7\x3B\x80\x93\xF6\xEF\xBC\x88\xEB\x1A\x6E\xAC\xFA\x66\xEF\x26"
+			  "\x3C\xB1\xEE\xA9\x88\x00\x4B\x93\x10\x3C\xFB\x0A\xEE\xFD\x2A\x68"
+			  "\x6E\x01\xFA\x4A\x58\xE8\xA3\x63\x9C\xA8\xA1\xE3\xF9\xAE\x57\xE2"
+			  "\x35\xB8\xCC\x87\x3C\x23\xDC\x62\xB8\xD2\x60\x16\x9A\xFA\x2F\x75"
+			  "\xAB\x91\x6A\x58\xD9\x74\x91\x88\x35\xD2\x5E\x6A\x43\x50\x85\xB2"
+			  "\xBA\xDF\xD6\xDF\xAA\xC3\x59\xA5\xEF\xBB\x7B\xCC\x4B\x59\xD5\x38"
+			  "\xDF\x9A\x04\x30\x2E\x10\xC8\xBC\x1C\xBF\x1A\x0B\x3A\x51\x20\xEA"
+			  "\x17\xCD\xA7\xCF\xAD\x76\x5F\x56\x23\x47\x4D\x36\x8C\xCC\xA8\xAF"
+			  "\x00\x07\xCD\x9F\x5E\x4C\x84\x9F\x16\x7A\x58\x0B\x14\xAA\xBD\xEF"
+			  "\xAE\xE7\xEE\xF4\x7C\xB0\xFC\xA9\x76\x7B\xE1\xFD\xA6\x94\x19\xDF"
+			  "\xB9\x27\xE9\xDF\x07\x34\x8B\x19\x66\x91\xAB\xAE\xB5\x80\xB3\x2D"
+			  "\xEF\x58\x53\x8B\x8D\x23\xF8\x77\x32\xEA\x63\xB0\x2B\x4F\xA0\xF4"
+			  "\x87\x33\x60\xE2\x84\x19\x28\xCD\x60\xDD\x4C\xEE\x8C\xC0\xD4\xC9"
+			  "\x22\xA9\x61\x88\xD0\x32\x67\x5C\x8A\xC8\x50\x93\x3C\x7A\xFF\x15"
+			  "\x33\xB9\x4C\x83\x4A\xDB\xB6\x9C\x61\x15\xBA\xD4\x69\x2D\x86\x19"
+			  "\xF9\x0B\x0C\xDF\x8A\x7B\x9C\x26\x40\x29\xAC\x18\x5B\x70\xB8\x3F"
+			  "\x28\x01\xF2\xF4\xB3\xF7\x0C\x59\x3E\xA3\xAE\xEB\x61\x3A\x7F\x1B"
+			  "\x1D\xE3\x3F\xD7\x50\x81\xF5\x92\x30\x5F\x2E\x45\x26\xED\xC0\x96"
+			  "\x31\xB1\x09\x58\xF4\x64\xD8\x89\xF3\x1B\xA0\x10\x25\x0F\xDA\x7F"
+			  "\x13\x68\xEC\x29\x67\xFC\x84\xEF\x2A\xE9\xAF\xF2\x68\xE0\xB1\x70"
+			  "\x0A\xFF\xC6\x82\x0B\x52\x3A\x3D\x91\x71\x35\xF2\xDF\xF2\xEE\x06"
+			  "\xBF\xE7\x2B\x31\x24\x72\x1D\x4A\x26\xC0\x4E\x53\xA7\x5E\x30\xE7"
+			  "\x3A\x7A\x9C\x4A\x95\xD9\x1C\x55\xD4\x95\xE9\xF5\x1D\xD0\xB5\xE9"
+			  "\xD8\x3C\x6D\x5E\x8C\xE8\x03\xAA\x62\xB8\xD6\x54\xDB\x53\xD0\x9B"
+			  "\x8D\xCF\xF2\x73\xCD\xFE\xB5\x73\xFA\xD8\xBC\xD4\x55\x78\xBE\xC2"
+			  "\xE7\x70\xD0\x1E\xFD\xE8\x6E\x72\x1A\x3F\x7C\x6C\xCE\x27\x5D\xAB"
+			  "\xE6\xE2\x14\x3F\x1A\xF1\x8D\xA7\xEF\xDD\xC4\xC7\xB7\x0B\x5E\x34"
+			  "\x5D\xB9\x3C\xC9\x36\xBE\xA3\x23\x49\x1C\xCB\x38\xA3\x88\xF5\x46"
+			  "\xA9\xFF\x00\xDD\x4E\x13\x00\xB9\xB2\x15\x3D\x20\x41\xD2\x05\xB4"
+			  "\x43\xE4\x1B\x45\xA6\x53\xF2\xA5\xC4\x49\x2C\x1A\xDD\x54\x45\x12"
+			  "\xDD\xA2\x52\x98\x33\x46\x2B\x71\xA4\x1A\x45\xBE\x97\x29\x0B\x6F"
+};
+
+xof_test_vector_t shake_128_32 = {
+	.alg = XOF_SHAKE_128, .len = 32,
+	.seed	= "\x9F\x2F\xCC\x7C\x90\xDE\x09\x0D\x6B\x87\xCD\x7E\x97\x18\xC1\xEA"
+			  "\x6C\xB2\x11\x18\xFC\x2D\x5D\xE9\xF9\x7E\x5D\xB6\xAC\x1E\x9C\x10",
+	.out_len = 512,
+	.out	= "\xFC\xDE\xAD\x82\xF3\x9C\xDF\xCE\xF9\x9C\x1B\xAB\xB6\x74\xA9\xA8"
+			  "\xE2\x4A\xC5\x94\x64\x6C\x31\xD0\x20\xA4\xCD\x2B\xC2\x55\x4A\xFD"
+			  "\x78\xC4\xE4\x13\xF7\x80\x4F\xA1\x70\x8B\x9F\x40\x00\xFD\x86\x0E"
+			  "\x30\x70\xF2\xE1\xBA\x9E\xEE\x38\x05\x35\x2A\xAD\x65\x5B\x4B\x0A"
+			  "\x72\x8F\x2D\x5F\xCC\x43\x24\x38\x25\xBC\x0D\xCE\x33\xCA\x71\x66"
+			  "\x26\xDC\x76\xE9\x20\xD7\x25\x75\xE2\x6D\xDD\x71\x10\xD0\xF9\x91"
+			  "\xA9\x12\x00\xB5\x13\xAE\xE2\x3A\xC9\xBC\x70\x43\xA1\x52\xAC\xE0"
+			  "\xCD\x0B\x49\x18\x1D\x2B\xB6\xBD\x36\xE9\x3C\x0B\x62\x7A\xCA\x9C"
+			  "\x6A\xB6\xC8\x5E\xD7\x0C\xE7\x62\x42\x9C\x8F\x26\x27\x08\x10\x32"
+			  "\x84\xC0\xA7\x92\x13\x8F\x10\xE8\x56\x8E\xFB\x23\x99\xB3\x8A\x31"
+			  "\x05\x5C\x11\x88\xBA\x59\x34\x4E\x6A\x2B\x73\xD5\xC0\x4A\xA5\x24"
+			  "\x05\x66\x49\x84\x4D\x1D\xAD\xCD\x07\xD3\x5D\xF5\xD8\x51\xEB\xAF"
+			  "\xFC\xA5\x70\x3B\x80\x15\x3E\xA6\x27\xB1\xBA\xDF\xB2\x88\x5F\x70"
+			  "\xF7\x86\xD3\x4F\x56\x50\xFE\x73\xE3\x69\x0A\x8A\x96\x61\x00\x59"
+			  "\x25\x3D\xD3\xAB\xB5\xFA\x7C\x54\xCF\x6E\x77\x69\x5D\x24\xA6\x59"
+			  "\x40\x77\xEE\x4D\x36\x73\xF9\xFC\x56\xC6\x2F\xC7\xF7\x10\xCF\x87"
+			  "\x20\x14\xC0\xA7\xDE\x8B\x1C\xA6\xAE\x8C\xEF\xAA\xDE\xAF\x5F\x4D"
+			  "\x05\x5F\xF7\x65\xAD\x41\x87\x13\xF2\xDD\x08\xEA\xFB\x5E\x16\xEE"
+			  "\xD9\xFE\x34\x4E\xE8\xD4\x38\x8F\xDC\x22\x35\x1F\x63\x83\x40\x17"
+			  "\xB5\x39\xE3\xFF\x14\x3F\x39\x4B\x5B\x74\xD0\x6F\x65\xE9\x6A\x7A"
+			  "\x3D\x02\x8F\xD1\x4F\x6C\x70\x01\xEB\x7A\xD2\xDC\xFC\xF4\xB2\x44"
+			  "\x7A\xA1\x73\xA2\xAE\x8E\xDB\x58\x1B\x5B\xBD\x89\xE8\xA4\x68\xFE"
+			  "\x0A\x38\x50\x75\x30\xB9\x79\x5D\xA3\xBC\xEC\x6D\xDE\xBC\xE9\xEB"
+			  "\x31\x32\xEF\x18\xC9\xC2\xA8\xB9\x36\xA4\x31\xC8\xB1\x21\xFA\x99"
+			  "\x6F\xF9\xBA\x5C\xE5\x22\x98\x6B\x67\x8A\x5E\xC9\x9A\x10\x3A\x91"
+			  "\xCF\x33\x19\x6E\x08\xC8\x2D\xC6\x5E\x68\xAE\xD2\x38\xA9\x31\x6A"
+			  "\x73\xE7\x1C\xF5\xA6\x7C\xE4\x40\xB9\x3B\xDB\x84\x5B\x3A\x60\x53"
+			  "\x9E\xCC\xDC\xE4\x1B\xC7\x23\xEC\x9A\x14\xEE\x4E\x08\x2F\x60\xC0"
+			  "\xBE\x3D\x5E\x50\xDF\xC8\xBE\x1E\x86\xA9\x7E\xCE\xE9\xD8\x8E\x2B"
+			  "\xB2\xA3\xAF\xF4\x7F\xBD\x6D\x66\x75\xD8\x1E\xFE\x07\x08\x92\x6B"
+			  "\x81\xAB\x31\x4A\x52\x4F\xC7\x45\x09\x01\x62\xD2\xAC\x72\x3C\x43"
+			  "\x26\xE0\xF9\xE1\x6F\xBD\xBA\x2B\x1E\x99\x14\xBB\xEE\xDF\xF9\x6B"
+};
+
+xof_test_vector_t shake_128_167 = {
+	.alg = XOF_SHAKE_128, .len = 167,
+	.seed	= "\x0D\x8D\x09\xAE\xD1\x9F\x10\x13\x96\x9C\xE5\xE7\xEB\x92\xF8\x3A"
+			  "\x20\x9A\xE7\x6B\xE3\x1C\x75\x48\x44\xEA\x91\x16\xCE\xB3\x9A\x22"
+			  "\xEB\xB6\x00\x30\x17\xBB\xCF\x26\x55\x5F\xA6\x62\x41\x85\x18\x7D"
+			  "\xB8\xF0\xCB\x35\x64\xB8\xB1\xC0\x6B\xF6\x85\xD4\x7F\x32\x86\xED"
+			  "\xA2\x0B\x83\x35\x8F\x59\x9D\x20\x44\xBB\xF0\x58\x3F\xAB\x8D\x78"
+			  "\xF8\x54\xFE\x0A\x59\x61\x83\x23\x0C\x5E\xF8\xE5\x44\x26\x75\x0E"
+			  "\xAF\x2C\xC4\xE2\x9D\x3B\xDD\x03\x7E\x73\x4D\x86\x3C\x2B\xD9\x78"
+			  "\x9B\x4C\x24\x30\x96\x13\x8F\x76\x72\xC2\x32\x31\x4E\xFF\xDF\xC6"
+			  "\x51\x34\x27\xE2\xDA\x76\x91\x6B\x52\x48\x93\x3B\xE3\x12\xEB\x5D"
+			  "\xDE\x4C\xF7\x08\x04\xFB\x25\x8A\xC5\xFB\x82\xD5\x8D\x08\x17\x7A"
+			  "\xC6\xF4\x75\x60\x17\xFF\xF5",
+	.out_len = 512,
+	.out	= "\xC7\x3D\x8F\xAA\xB5\xD0\xB4\xD6\x60\xBD\x50\x82\xE4\x4C\x3C\xAC"
+			  "\x97\xE6\x16\x48\xBE\x0A\x04\xB1\x16\x72\x4E\x6F\x6B\x65\x76\x84"
+			  "\x67\x4B\x4B\x0E\x90\xD0\xAE\x96\xC0\x85\x3E\xBD\x83\x7B\xD8\x24"
+			  "\x9A\xDB\xD3\xB6\x0A\x1A\xD1\xFC\xF8\xA6\xAB\x8E\x2F\x5A\xA7\xFF"
+			  "\x19\x7A\x3D\x7D\xBE\xDE\xFB\x43\x3B\x61\x35\x36\xAE\xC4\xD6\x55"
+			  "\xB7\xBC\xD7\x78\x52\x6B\xE6\x67\x84\x7A\xCD\x2E\x05\x64\xD9\x6C"
+			  "\xE5\x14\x0C\x91\x35\x7F\xAD\xE0\x00\xEF\xCB\x40\x45\x7E\x1B\x6C"
+			  "\xED\x41\xFA\x10\x2E\x36\xE7\x99\x79\x2D\xB0\x3E\x9A\x40\xC7\x99"
+			  "\xBC\xA9\x12\x62\x94\x8E\x17\x60\x50\x65\xFB\xF6\x38\xFB\x40\xA1"
+			  "\x57\xB4\x5C\xF7\x91\x1A\x75\x3D\x0D\x20\x5D\xF8\x47\x16\xA5\x71"
+			  "\x12\xBE\xAB\x44\xF6\x20\x1F\xF7\x5A\xAD\xE0\xBA\xFB\xA5\x04\x74"
+			  "\x5C\xFE\x23\xE4\xE6\x0E\x67\xE3\x99\x36\x22\xAE\xD7\x3A\x1D\xD6"
+			  "\xA4\x65\xBD\x45\x3D\xD3\xC5\xBA\x7D\x2C\xDF\x3F\x1D\x39\x37\x6A"
+			  "\x67\xC2\x3E\x55\x5F\x5A\xCF\x25\xBC\xE1\xE5\x5F\x30\x72\x52\xB9"
+			  "\xAA\xC2\xC0\xA3\x9C\x88\x5C\x7E\x44\xF2\x04\xCB\x82\x1C\x0D\x37"
+			  "\xA2\x2D\xE3\xA7\x1F\x3A\x19\x09\xB1\x1B\x71\x81\xC4\x2B\xE9\xB7"
+			  "\x8A\xA0\xD0\xA1\x54\x44\xF3\x30\x00\x75\x54\xBC\xFC\xC0\xD8\xFD"
+			  "\x87\xD6\x43\x1F\xB9\x3C\x7C\xC3\x87\x67\xA5\x5D\x30\xD3\x54\x55"
+			  "\x60\xBD\x38\x0D\xB8\xC4\xC0\xED\xA9\x39\x9F\x68\xF8\x54\x64\x42"
+			  "\x66\xC1\xB7\x95\x8B\x27\x0E\x75\xB7\x91\x34\xAA\x01\xE7\xDC\xF1"
+			  "\xE6\xFD\xB6\xD9\xAE\x5D\x02\xCC\xE8\xCE\x8E\x48\x04\x75\xE9\x61"
+			  "\x7C\xC4\x2A\x91\xC0\x8D\x9A\xF6\xE5\x10\x1B\x8A\xC5\x83\x4A\xDB"
+			  "\x2C\x66\x98\x7F\x42\xA5\x80\xBB\x50\x3A\x4B\x34\xA9\xF1\x5A\xDC"
+			  "\xD0\xE2\x3D\x0D\x40\x29\x47\x97\x64\x83\x1D\x06\xB5\xCA\xF3\xF1"
+			  "\x4B\x91\x44\x9F\x15\xA2\x91\xF4\xAC\x25\x0B\x27\x0B\x6C\xB3\xC3"
+			  "\x04\x72\x5C\x99\xE3\x26\x45\xE1\xFC\x02\xA0\xCD\xDD\x9E\x71\x79"
+			  "\x11\xF2\x34\x2D\x94\x82\xF8\xE0\x97\x99\x85\xA0\x17\x0D\x72\x5D"
+			  "\xAB\x4E\xA6\x6D\x44\xF6\x26\xBA\x47\x59\x25\xFA\x39\xFC\x9D\xEE"
+			  "\x92\x9C\x06\xD0\x09\x41\x6C\x0A\xDC\x1D\x98\x7C\xD6\x25\xA2\x0A"
+			  "\xCB\xA4\xCC\x87\xF7\x2F\x61\x08\x67\xC3\xA7\xA9\x28\xA3\xA0\x37"
+			  "\x96\x76\xE8\xFE\x25\x71\x07\xAB\x2F\x5C\x03\x0B\xD2\x48\x0E\x3D"
+			  "\x18\x63\x56\x2E\x1F\xD0\x79\x02\x80\x33\x3E\xD9\xD5\xDD\x5A\x5C"
+};
+
+xof_test_vector_t shake_128_168 = {
+	.alg = XOF_SHAKE_128, .len = 168,
+	.seed	= "\xC3\x23\x6B\x73\xDE\xB7\x66\x2B\xF3\xF3\xDA\xA5\x8F\x13\x7B\x35"
+			  "\x8B\xA6\x10\x56\x0E\xF7\x45\x57\x85\xA9\xBE\xFD\xB0\x35\xA0\x66"
+			  "\xE9\x07\x04\xF9\x29\xBD\x96\x89\xCE\xF0\xCE\x3B\xDA\x5A\xCF\x44"
+			  "\x80\xBC\xEB\x8D\x09\xD1\x0B\x09\x8A\xD8\x50\x0D\x9B\x60\x71\xDF"
+			  "\xC3\xA1\x4A\xF6\xC7\x75\x11\xD8\x1E\x3A\xA8\x84\x49\x86\xC3\xBE"
+			  "\xA6\xF4\x69\xF9\xE0\x21\x94\xC9\x28\x68\xCD\x5F\x51\x64\x62\x56"
+			  "\x79\x8F\xF0\x42\x49\x54\xC1\x43\x4B\xDF\xED\x9F\xAC\xB3\x90\xB0"
+			  "\x7D\x34\x2E\x99\x29\x36\xE0\xF8\x8B\xFD\x0E\x88\x4A\x0D\xDB\x67"
+			  "\x9D\x05\x47\xCC\xDE\xC6\x38\x42\x85\xA4\x54\x29\xD1\x15\xAC\x7D"
+			  "\x23\x5A\x71\x72\x42\x02\x1D\x1D\xC3\x56\x41\xF5\xF0\xA4\x8E\x84"
+			  "\x45\xDB\xA5\x8E\x6C\xB2\xC8\xEA",
+	.out_len = 512,
+	.out	= "\x4A\x05\xF2\xEF\x1A\xAD\x5F\xF4\x30\x64\x29\xEC\x0F\x19\x04\x40"
+			  "\x77\xFB\x64\xBF\xE1\xDC\xC5\x0F\x74\xC3\xF0\x45\xE9\xA9\xC3\xDE"
+			  "\x4A\x3B\x59\x63\xAE\xF7\x71\xB0\x49\x11\x1B\x7B\x46\x40\xE2\x0B"
+			  "\x1B\xA8\x4E\xD7\xAF\xEE\x32\x55\x71\xAC\xF3\x47\xE3\x11\xF3\x3C"
+			  "\x1D\x42\x1F\x21\xD6\x63\x06\x5C\x4D\xAD\xDB\xD1\x78\x5C\x5D\xAC"
+			  "\x0D\x55\x4C\xED\xB1\xA4\x5A\x32\xE2\x81\x45\xE9\x8F\x49\xDE\xE2"
+			  "\x85\xB3\x3D\xE1\x4C\x33\x6D\x10\x95\x0E\xCC\x30\x96\x6B\x79\xE8"
+			  "\x61\x3F\xFE\xBB\x70\x2F\xCC\x00\xA1\xC4\x25\x0D\xD3\x85\xAB\xB5"
+			  "\x37\xA2\x84\xE9\x10\x8D\x16\xB6\xF0\x8F\x4E\x10\x3F\x2C\x5E\x9E"
+			  "\x5C\x87\x9C\xB5\x09\x55\x34\x15\x1E\x3C\x9A\x31\x6D\x06\xDC\xE5"
+			  "\x3B\x7F\x01\xB4\x24\xD3\x75\xB5\x64\xFE\x68\x39\xD1\xD1\xF0\x0A"
+			  "\x2E\x62\x60\x40\x60\xA9\x74\x8B\xCD\xC8\x14\x37\x37\x95\x9F\xAB"
+			  "\xBC\xAE\x18\x51\x21\x3E\x6D\xC2\x8B\xEF\xDA\x48\x14\x9D\xE6\xAA"
+			  "\xF4\xA6\x0D\x46\x15\xBE\xD6\x7D\x11\x79\x6F\x61\x73\xC3\xDC\xF1"
+			  "\x39\x03\x7B\x31\xEE\xC9\xA8\x40\x4D\xF0\x75\x97\xBC\x26\x6D\x3C"
+			  "\x7D\x9E\xB9\xA7\xCA\xBF\x74\x9F\xB4\x4E\x40\xD7\x46\xD0\xE9\xDF"
+			  "\xB5\xC8\xBB\xEB\x25\xE3\xF1\x61\x2D\x03\xD3\xEB\x0C\x15\x4D\xE4"
+			  "\xB2\x70\x8C\x4F\x8A\x89\x76\x2E\x17\x1F\x74\x45\x18\xAE\xC1\x34"
+			  "\xA0\x2E\xEA\xF4\x9D\xB2\xE2\xC6\xC9\x91\x47\x11\x28\x8D\x6B\x0C"
+			  "\xE8\x77\x86\x1D\x9B\x10\xAC\xFC\xC1\x96\x43\x73\x82\x87\xDA\x00"
+			  "\x52\x82\xF3\xFC\x82\xF9\xF5\x0A\xA6\x81\xF2\xF5\x5F\xE1\x80\x9C"
+			  "\x9E\x23\xA3\xA5\x9E\x51\xC2\xE8\x94\xF7\x18\x37\x2F\x9F\xA1\x56"
+			  "\x4B\x47\xAB\x3F\x43\xF0\x74\x7A\x17\x83\x9E\x93\x33\x69\xB6\x77"
+			  "\x80\x53\xE1\x76\x4F\x52\xC5\xF3\x19\xE3\x3C\x8B\x25\x67\x8F\x72"
+			  "\x33\x2E\x33\xCC\xA9\x7C\x68\xF1\x9E\x05\x8E\x70\xC3\x14\x10\xDF"
+			  "\x4D\xE7\xE0\x81\x69\xD6\x09\x6B\x7B\x4E\xA4\x82\x71\xEB\x68\x4F"
+			  "\xEE\x9F\xC8\xB5\x61\xC3\xFE\xE2\xDC\xE8\x3D\x09\x2B\x14\x2B\xEC"
+			  "\x14\x78\xD2\x6B\x48\xC3\xC6\xE5\x97\xA7\xB2\xE4\x40\x27\xE1\xEC"
+			  "\xA2\x31\x78\xD3\xAF\xCC\x67\xBB\x53\x0A\x52\x9C\x7E\x13\x36\xE1"
+			  "\xAD\xAE\x74\xEF\x0B\xE9\xCD\x61\xE9\x1C\x6A\xEA\x57\xF7\xCC\xB2"
+			  "\x3B\x64\xB2\xF8\x48\x61\xCE\x15\x92\x09\xFE\xF7\xA8\x97\xA1\x6A"
+			  "\x87\x1A\xA9\x9E\x63\xA5\x12\x6D\xF2\xB0\x33\x87\xE4\x2C\x3D\x18"
+};
+
+xof_test_vector_t shake_128_255 = {
+	.alg = XOF_SHAKE_128, .len = 255,
+	.seed	= "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B"
+			  "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5"
+			  "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A"
+			  "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A"
+			  "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD"
+			  "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0"
+			  "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE"
+			  "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64"
+			  "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5"
+			  "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43"
+			  "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4"
+			  "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D"
+			  "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4"
+			  "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08"
+			  "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7"
+			  "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1",
+	.out_len = 512,
+	.out	= "\x14\x23\x6E\x75\xB9\x78\x4D\xF4\xF5\x79\x35\xF9\x45\x35\x6C\xBE"
+			  "\x38\x3F\xE5\x13\xED\x30\x28\x6F\x91\x06\x07\x59\xBC\xB0\xEF\x4B"
+			  "\xAA\xC8\x58\xEC\xAE\x7C\x6E\x7E\xDD\x49\x8F\x01\xA0\x82\xB6\x3F"
+			  "\xA5\x7D\x22\x54\x02\x31\xE2\xE2\x5C\x83\xEF\xB3\xB3\xF2\x95\x3A"
+			  "\x5F\x67\x45\x02\xAB\x63\x52\x26\x44\x6B\x84\x93\x76\x43\xDC\xD5"
+			  "\x78\x9E\xE7\x3F\x1D\x73\x4B\xC8\xFE\x5F\x7F\x08\x83\xAB\x10\x96"
+			  "\x1B\x9A\x31\xFF\x60\xDE\xE1\x61\x59\xBC\x69\x82\xEF\xB0\x85\x45"
+			  "\x98\x4B\xF7\x1F\xED\x1C\x4C\xD8\x1C\x09\x14\xB4\xC1\x9F\xCF\xEE"
+			  "\xF5\x4A\xF4\xBB\xE3\x72\xF1\x8C\xFC\xD3\xA1\x86\x57\xF5\xB9\x45"
+			  "\x0F\x99\xA7\x8F\x0F\xA2\xC3\xCD\xCA\x74\x61\xC4\xED\x75\x69\x53"
+			  "\x68\x83\xB6\x6C\xD8\x7E\x9C\x20\x09\x62\x90\x2E\xAA\x16\xA5\x4D"
+			  "\xB6\xA0\xA5\xCC\x26\xD8\x89\x03\x8C\x07\x60\x81\x0B\x5B\xB4\xF3"
+			  "\x3F\x1E\x5D\x63\x9B\x6F\x9B\xC7\xCA\x62\xBA\x6F\x8C\x9F\x8D\xE7"
+			  "\x70\x26\x0A\xFE\x47\xF4\xE0\xF8\x2F\x10\x21\x98\xEB\xA2\x7F\x54"
+			  "\x32\x52\xAC\x8D\xDD\x83\xE1\xB8\xDB\x0A\x91\xAC\x65\x63\x3F\xD1"
+			  "\x2A\x55\x0E\xBE\x96\xF9\x3A\xA6\x70\x4E\xD5\x90\x5C\x23\x4F\xA6"
+			  "\xD9\x20\x39\x10\xCB\xD0\x2D\xE1\x66\xC4\xC3\x34\x8F\xB8\x1E\xF7"
+			  "\xB8\x4A\xE1\x45\x5F\xE3\x18\xB5\xFD\x17\x08\x83\xF4\x9B\xA2\xF2"
+			  "\x42\x89\xC4\x79\xA2\xC7\x53\x14\x06\xBA\x98\x9B\xEA\xEF\x3A\x79"
+			  "\xF6\x59\x02\x86\x42\xE9\xB0\x33\xF7\xDE\xB9\xEC\xEC\x3A\x7A\x9F"
+			  "\x1D\xBD\x24\x51\xFC\xB4\x7C\x81\xE2\x1E\x91\xD2\x0B\x92\x4C\x6B"
+			  "\xD0\x4C\x1F\x0B\x27\x10\xD2\xE5\x70\xCD\x24\xBA\xD5\xB5\xDE\x4E"
+			  "\x49\xAA\x80\xB6\xAD\xD5\x50\x7B\x4D\x2E\x51\x03\x70\xC7\xAF\xA8"
+			  "\x14\xD7\xE1\xA7\xE2\x78\xE5\x3D\x7C\xCF\x49\xA0\xA8\x66\xCA\x3A"
+			  "\x7B\x5B\xB7\x1E\xF3\x42\x5E\x46\x0F\xEE\xB2\x91\x49\xF2\x17\x06"
+			  "\x66\x13\x69\x5F\x85\x50\x6A\x09\x46\xCF\x68\x97\x9F\x04\xAE\x07"
+			  "\x3A\xF8\x02\x89\x76\xBF\x0C\x5B\xDC\x22\x12\xE8\xC3\x64\x58\x3D"
+			  "\xE9\xFB\xD0\x3B\x34\xDD\xEE\x5E\xC4\xCF\xA8\xED\x8C\xE5\x92\x97"
+			  "\x1D\x01\x08\xFA\xF7\x6C\x89\x40\xE2\x5E\x6C\x5F\x86\x55\x84\xC3"
+			  "\x4A\x23\x3C\x14\xF0\x05\x32\x67\x3F\xDB\xE3\x88\xCC\x7E\x98\xA5"
+			  "\xB8\x67\xB1\xC5\x91\x30\x7A\x90\x15\x11\x2B\x56\x7F\xF6\xB4\xF3"
+			  "\x18\x11\x41\x11\xFC\x95\xE5\xBD\x7C\x9C\x60\xB7\x4C\x1F\x87\x25"
+};
+
+/**
+ * SHAKE-256 vectors from "https://github.com/gvanas/KeccakCodePackage/"
+ */
+xof_test_vector_t shake_256_0 = {
+	.alg = XOF_SHAKE_256, .len = 0,
+	.seed	= "",
+	.out_len = 512,
+	.out	= "\x46\xB9\xDD\x2B\x0B\xA8\x8D\x13\x23\x3B\x3F\xEB\x74\x3E\xEB\x24"
+			  "\x3F\xCD\x52\xEA\x62\xB8\x1B\x82\xB5\x0C\x27\x64\x6E\xD5\x76\x2F"
+			  "\xD7\x5D\xC4\xDD\xD8\xC0\xF2\x00\xCB\x05\x01\x9D\x67\xB5\x92\xF6"
+			  "\xFC\x82\x1C\x49\x47\x9A\xB4\x86\x40\x29\x2E\xAC\xB3\xB7\xC4\xBE"
+			  "\x14\x1E\x96\x61\x6F\xB1\x39\x57\x69\x2C\xC7\xED\xD0\xB4\x5A\xE3"
+			  "\xDC\x07\x22\x3C\x8E\x92\x93\x7B\xEF\x84\xBC\x0E\xAB\x86\x28\x53"
+			  "\x34\x9E\xC7\x55\x46\xF5\x8F\xB7\xC2\x77\x5C\x38\x46\x2C\x50\x10"
+			  "\xD8\x46\xC1\x85\xC1\x51\x11\xE5\x95\x52\x2A\x6B\xCD\x16\xCF\x86"
+			  "\xF3\xD1\x22\x10\x9E\x3B\x1F\xDD\x94\x3B\x6A\xEC\x46\x8A\x2D\x62"
+			  "\x1A\x7C\x06\xC6\xA9\x57\xC6\x2B\x54\xDA\xFC\x3B\xE8\x75\x67\xD6"
+			  "\x77\x23\x13\x95\xF6\x14\x72\x93\xB6\x8C\xEA\xB7\xA9\xE0\xC5\x8D"
+			  "\x86\x4E\x8E\xFD\xE4\xE1\xB9\xA4\x6C\xBE\x85\x47\x13\x67\x2F\x5C"
+			  "\xAA\xAE\x31\x4E\xD9\x08\x3D\xAB\x4B\x09\x9F\x8E\x30\x0F\x01\xB8"
+			  "\x65\x0F\x1F\x4B\x1D\x8F\xCF\x3F\x3C\xB5\x3F\xB8\xE9\xEB\x2E\xA2"
+			  "\x03\xBD\xC9\x70\xF5\x0A\xE5\x54\x28\xA9\x1F\x7F\x53\xAC\x26\x6B"
+			  "\x28\x41\x9C\x37\x78\xA1\x5F\xD2\x48\xD3\x39\xED\xE7\x85\xFB\x7F"
+			  "\x5A\x1A\xAA\x96\xD3\x13\xEA\xCC\x89\x09\x36\xC1\x73\xCD\xCD\x0F"
+			  "\xAB\x88\x2C\x45\x75\x5F\xEB\x3A\xED\x96\xD4\x77\xFF\x96\x39\x0B"
+			  "\xF9\xA6\x6D\x13\x68\xB2\x08\xE2\x1F\x7C\x10\xD0\x4A\x3D\xBD\x4E"
+			  "\x36\x06\x33\xE5\xDB\x4B\x60\x26\x01\xC1\x4C\xEA\x73\x7D\xB3\xDC"
+			  "\xF7\x22\x63\x2C\xC7\x78\x51\xCB\xDD\xE2\xAA\xF0\xA3\x3A\x07\xB3"
+			  "\x73\x44\x5D\xF4\x90\xCC\x8F\xC1\xE4\x16\x0F\xF1\x18\x37\x8F\x11"
+			  "\xF0\x47\x7D\xE0\x55\xA8\x1A\x9E\xDA\x57\xA4\xA2\xCF\xB0\xC8\x39"
+			  "\x29\xD3\x10\x91\x2F\x72\x9E\xC6\xCF\xA3\x6C\x6A\xC6\xA7\x58\x37"
+			  "\x14\x30\x45\xD7\x91\xCC\x85\xEF\xF5\xB2\x19\x32\xF2\x38\x61\xBC"
+			  "\xF2\x3A\x52\xB5\xDA\x67\xEA\xF7\xBA\xAE\x0F\x5F\xB1\x36\x9D\xB7"
+			  "\x8F\x3A\xC4\x5F\x8C\x4A\xC5\x67\x1D\x85\x73\x5C\xDD\xDB\x09\xD2"
+			  "\xB1\xE3\x4A\x1F\xC0\x66\xFF\x4A\x16\x2C\xB2\x63\xD6\x54\x12\x74"
+			  "\xAE\x2F\xCC\x86\x5F\x61\x8A\xBE\x27\xC1\x24\xCD\x8B\x07\x4C\xCD"
+			  "\x51\x63\x01\xB9\x18\x75\x82\x4D\x09\x95\x8F\x34\x1E\xF2\x74\xBD"
+			  "\xAB\x0B\xAE\x31\x63\x39\x89\x43\x04\xE3\x58\x77\xB0\xC2\x8A\x9B"
+			  "\x1F\xD1\x66\xC7\x96\xB9\xCC\x25\x8A\x06\x4A\x8F\x57\xE2\x7F\x2A"
+};
+
+xof_test_vector_t shake_256_64 = {
+	.alg = XOF_SHAKE_256, .len = 64,
+	.seed	= "\xE9\x26\xAE\x8B\x0A\xF6\xE5\x31\x76\xDB\xFF\xCC\x2A\x6B\x88\xC6"
+			  "\xBD\x76\x5F\x93\x9D\x3D\x17\x8A\x9B\xDE\x9E\xF3\xAA\x13\x1C\x61"
+			  "\xE3\x1C\x1E\x42\xCD\xFA\xF4\xB4\xDC\xDE\x57\x9A\x37\xE1\x50\xEF"
+			  "\xBE\xF5\x55\x5B\x4C\x1C\xB4\x04\x39\xD8\x35\xA7\x24\xE2\xFA\xE7",
+	.out_len = 512,
+	.out	= "\x77\xB7\x49\x6E\xD0\x8C\x39\x33\xBD\x75\x98\x3C\x0C\x04\x94\xBD"
+			  "\xD8\x26\x24\x93\xA4\xB5\x5D\xDC\xCC\x64\x16\x7E\x67\xEA\xC0\xF6"
+			  "\xE6\x30\x7A\xCC\x15\xC3\x3F\x39\x63\x74\x4E\x26\xCA\x6C\x50\x4D"
+			  "\x39\x3B\x3E\xE8\x16\x5E\x4D\x49\xEB\x3B\x6E\x64\x92\x07\x65\x30"
+			  "\x48\xF8\xB8\x22\xFF\x88\x4D\xC7\x49\x37\x44\x3B\x1C\x4A\x88\x8C"
+              "\x7A\x76\x8C\x63\xD5\xB5\xD2\x9E\x74\x46\x87\x39\x23\xB9\xD7\xA5"
+			  "\x6F\xA5\xD9\xE9\x07\x60\xAB\x86\xD5\x71\x8E\x34\x64\x82\x1B\x79"
+			  "\xEB\x46\xD1\x69\x14\x1F\xF1\x61\x20\xBF\xB6\x50\xC7\x6D\x4B\x3E"
+			  "\x5B\x3F\x6C\xE6\x1F\xEB\xDB\xE0\x9A\xED\x7F\x4C\x91\x06\x6D\x90"
+			  "\x3A\xF6\xE5\x65\x31\xE8\xFF\x71\x54\x95\x08\xB6\xE4\x20\xCA\xC6"
+			  "\xBE\xDF\xE0\xCB\xEA\xE6\xBC\x22\x84\x76\xBC\x8C\x00\xEA\xE4\x3D"
+			  "\x40\xC8\x2C\xBD\xF6\xB4\x60\xC3\x76\xD7\xC1\x16\x48\xEB\x28\x15"
+			  "\xB6\x50\x6A\xBD\x43\x39\xB2\x5D\x58\xD4\x5C\xDD\x0A\x0B\x9E\x35"
+			  "\xA8\x8E\x25\x1F\xDC\x34\xD4\x81\x0D\x65\x9D\x17\x9F\x59\xEB\xD0"
+			  "\x37\x17\xFD\x31\xA6\x39\x4C\xE1\x2C\xD5\x56\x90\x66\xE1\x38\x88"
+			  "\x5C\xB2\xBD\xEB\xBA\x06\x36\x75\x57\xCE\x84\x9E\xB8\x69\xF3\xCA"
+			  "\xC3\x88\x00\xD5\x1C\x22\xB6\x66\xAE\x27\x01\xE5\x80\x79\x63\x94"
+			  "\xDF\xA0\x2F\x49\x10\xBF\x5F\x86\xAA\xB5\x39\x51\x23\x33\x64\xEA"
+			  "\x20\xCD\xA3\x5A\xFB\xAB\x44\x5B\xE7\xF6\x86\x64\x38\x56\xF8\x25"
+			  "\x39\x4B\xE7\xB4\xB6\xD2\xC9\x18\xD0\x15\x1F\x46\xFB\x9A\xEE\x8A"
+			  "\x7B\xA2\xD7\x06\xE4\x8C\xB0\xBC\x42\x9B\x06\x42\x62\xC1\xA0\xEB"
+			  "\x35\x24\xFF\x14\x63\x2F\x51\x84\x57\x5C\x15\xF6\xF4\xA3\x44\x6E"
+			  "\x93\xCB\x4E\x86\xB6\xA9\x31\xBA\x26\x84\x09\xCE\x30\xB4\x59\x5F"
+			  "\xD2\x05\x9A\x27\x18\x3B\x3B\xA8\xD0\xAC\xE8\xE4\x82\x86\x6D\x5C"
+			  "\x7D\x5B\x03\xDB\x8D\xBD\x24\xB9\x9D\x59\xEB\x6E\xEF\xFD\x20\x9E"
+			  "\x12\x45\x35\xD1\x54\xB9\x8F\x99\x91\xD8\x4F\xE1\xAA\x76\x3C\x51"
+			  "\x33\xD4\x1E\xCC\x23\x39\x30\x95\x7D\xCE\xB7\x89\x6A\xF7\x0F\x73"
+			  "\x5A\x2F\x5C\x1E\x79\x48\x0A\xFD\x50\x94\x3B\xC5\x01\x4B\xCF\x0A"
+			  "\x73\x54\xAA\x7F\x71\x31\x63\xB5\x5A\x1E\x41\xBD\xD0\x5F\xBB\xA9"
+			  "\xC1\xDB\x2C\x69\x04\x3E\xD9\xEE\xA4\xFA\x45\xC9\x90\xCC\xB4\xA8"
+			  "\xDC\x41\xAF\xAB\x18\x16\x40\x18\xE5\x4C\x47\xAC\x5B\xD6\x98\x0F"
+			  "\xD7\x96\xAC\xF0\xDD\xB4\x2C\x70\x42\xA4\x87\x7E\x8B\xE3\xDE\x29"
+};
+
+xof_test_vector_t shake_256_135 = {
+	.alg = XOF_SHAKE_256, .len = 135,
+	.seed	= "\xB7\x71\xD5\xCE\xF5\xD1\xA4\x1A\x93\xD1\x56\x43\xD7\x18\x1D\x2A"
+			  "\x2E\xF0\xA8\xE8\x4D\x91\x81\x2F\x20\xED\x21\xF1\x47\xBE\xF7\x32"
+			  "\xBF\x3A\x60\xEF\x40\x67\xC3\x73\x4B\x85\xBC\x8C\xD4\x71\x78\x0F"
+			  "\x10\xDC\x9E\x82\x91\xB5\x83\x39\xA6\x77\xB9\x60\x21\x8F\x71\xE7"
+			  "\x93\xF2\x79\x7A\xEA\x34\x94\x06\x51\x28\x29\x06\x5D\x37\xBB\x55"
+			  "\xEA\x79\x6F\xA4\xF5\x6F\xD8\x89\x6B\x49\xB2\xCD\x19\xB4\x32\x15"
+			  "\xAD\x96\x7C\x71\x2B\x24\xE5\x03\x2D\x06\x52\x32\xE0\x2C\x12\x74"
+			  "\x09\xD2\xED\x41\x46\xB9\xD7\x5D\x76\x3D\x52\xDB\x98\xD9\x49\xD3"
+			  "\xB0\xFE\xD6\xA8\x05\x2F\xBB",
+	.out_len = 512,
+	.out	= "\x6C\x60\x95\x5D\xCB\x8A\x66\x3B\x6D\xC7\xF5\xEF\x7E\x06\x9C\xA8"
+			  "\xFE\x3D\xA9\x9A\x66\xDF\x65\x96\x92\x5D\x55\x7F\xED\x91\xF4\x70"
+			  "\x91\x40\x7D\x6F\xDE\x32\x02\x3B\x57\xE2\xEE\x4C\x6A\xC9\x7B\x07"
+			  "\x76\x24\xFA\xC2\x5F\x6E\x13\xF4\x19\x16\x96\xB4\x0A\x4D\xF7\x5F"
+			  "\x61\xCD\x55\x21\xD9\x82\xC6\xD0\x9D\x83\x42\xC1\x7A\x36\x6E\xC6"
+			  "\x34\x6E\x35\x28\xB2\x6C\xFF\x91\x5B\xE9\x44\x2B\x9E\xBC\xC3\x0F"
+			  "\xF2\xF6\xAD\xD0\xE8\x2B\xA9\x04\xC7\x37\x00\xCC\x99\xAC\xFF\x48"
+			  "\x0C\xAF\x04\x87\xCE\xE5\x4C\xBA\x37\x53\xB6\xA5\xDD\x6F\x0D\xFE"
+			  "\x65\x71\xF0\x11\x5E\x87\x37\xB0\x71\x03\x10\x23\xB6\xBB\x0D\x79"
+			  "\x86\x4C\x3F\x33\x16\x2E\x78\x26\x9C\xEE\x23\xFC\xE4\x7B\x91\xB4"
+			  "\xFD\xF9\x1F\x98\x46\x4A\x1D\x21\xE7\x99\xD1\x7F\x76\xC1\xBB\x80"
+			  "\x7D\xEE\x66\x7B\x0B\x27\x30\x54\xBE\x29\x82\x99\xBD\x12\xB7\xA8"
+			  "\x0F\xB3\x54\xCE\x3E\x6D\x1A\xCF\x98\x44\x38\x79\xA5\x54\xEC\xA6"
+			  "\xB9\x6D\xF0\x61\xD0\x4A\x11\x7C\x98\xAE\xEC\x1C\xDE\x1A\xFA\x9C"
+			  "\xEF\x62\xDD\x68\x6D\xA9\x1B\xB2\xB1\xF1\x23\x79\xBB\xDC\x9F\xA3"
+			  "\x2A\x6B\x69\x98\xB7\x7E\x8E\xB0\xB5\x05\x07\x86\x2A\xFA\x77\x99"
+			  "\xD0\x18\xE2\x72\x09\x1F\x51\xCA\xDD\x81\xAD\xB5\x87\xEF\x67\xBA"
+			  "\x67\x61\x8C\x45\xD1\xF3\xD5\x59\xDB\xD2\x99\xAB\xC2\x6E\xC7\x12"
+			  "\xDA\x8F\xA3\x4B\xA3\x3B\xFF\x40\x0D\x1F\x0F\x8B\x63\x45\xCF\x57"
+			  "\x26\x9B\x85\x85\x78\xC0\x07\x2A\x91\xA6\x3E\xF8\x5F\x9D\x37\x89"
+			  "\x00\xCD\x1A\x55\xD2\xBD\x46\x30\xDB\x82\x9E\xB4\x84\xD8\x9C\xE7"
+			  "\xA4\x14\xAC\xA1\x73\xC5\x25\x34\xAD\x5F\x93\x55\xE8\x0E\x39\x5E"
+			  "\x79\x15\x6D\x75\x1A\x93\x0F\x7F\x8B\x5D\x9F\x4D\x5A\x2C\x9A\x75"
+			  "\x37\x23\x08\x3C\x5E\x8E\xC6\xCB\x24\xD8\xEF\x93\xC8\xFE\xF2\xD1"
+			  "\xBE\x4E\xCA\x22\x2C\x6E\x6C\x2A\xCF\xD6\x84\x89\x3C\xEA\x65\xCB"
+			  "\xF5\xB0\x96\xB3\xD8\x66\x00\x71\x36\x12\x6A\x33\xEF\x49\x6B\xF2"
+			  "\x31\x0F\x29\x3B\xFA\x4C\x93\xAB\x82\x68\x21\xE2\xB9\x32\x59\xC4"
+			  "\x64\xE0\xAE\xB0\x6D\x6D\xF8\xFF\xA3\x0B\x1C\x1E\x7E\x38\x4C\x7E"
+			  "\x42\x7A\x2B\xA3\xD9\x9F\xF8\xA6\x66\x38\x0C\x5C\x1B\x67\x8F\x74"
+			  "\x2C\x57\xB0\xC3\xB0\x88\x49\xFD\x65\x30\x0D\xF1\x34\x99\xDD\x89"
+			  "\x4E\xFC\x33\x11\x6E\x7D\x07\x74\x06\x43\x31\xFD\xD4\x07\x48\x74"
+			  "\x17\xD1\x3B\xBA\x42\x85\x29\x9A\xF6\x50\xD3\x06\x5D\x95\x11\x31"
+};
+
+xof_test_vector_t shake_256_136 = {
+	.alg = XOF_SHAKE_256, .len = 136,
+	.seed	= "\xB3\x2D\x95\xB0\xB9\xAA\xD2\xA8\x81\x6D\xE6\xD0\x6D\x1F\x86\x00"
+			  "\x85\x05\xBD\x8C\x14\x12\x4F\x6E\x9A\x16\x3B\x5A\x2A\xDE\x55\xF8"
+			  "\x35\xD0\xEC\x38\x80\xEF\x50\x70\x0D\x3B\x25\xE4\x2C\xC0\xAF\x05"
+			  "\x0C\xCD\x1B\xE5\xE5\x55\xB2\x30\x87\xE0\x4D\x7B\xF9\x81\x36\x22"
+			  "\x78\x0C\x73\x13\xA1\x95\x4F\x87\x40\xB6\xEE\x2D\x3F\x71\xF7\x68"
+			  "\xDD\x41\x7F\x52\x04\x82\xBD\x3A\x08\xD4\xF2\x22\xB4\xEE\x9D\xBD"
+			  "\x01\x54\x47\xB3\x35\x07\xDD\x50\xF3\xAB\x42\x47\xC5\xDE\x9A\x8A"
+			  "\xBD\x62\xA8\xDE\xCE\xA0\x1E\x3B\x87\xC8\xB9\x27\xF5\xB0\x8B\xEB"
+			  "\x37\x67\x4C\x6F\x8E\x38\x0C\x04",
+	.out_len = 512,
+	.out	= "\xCC\x2E\xAA\x04\xEE\xF8\x47\x9C\xDA\xE8\x56\x6E\xB8\xFF\xA1\x10"
+			  "\x0A\x40\x79\x95\xBF\x99\x9A\xE9\x7E\xDE\x52\x66\x81\xDC\x34\x90"
+			  "\x61\x6F\x28\x44\x2D\x20\xDA\x92\x12\x4C\xE0\x81\x58\x8B\x81\x49"
+			  "\x1A\xED\xF6\x5C\xAA\xF0\xD2\x7E\x82\xA4\xB0\xE1\xD1\xCA\xB2\x38"
+			  "\x33\x32\x8F\x1B\x8D\xA4\x30\xC8\xA0\x87\x66\xA8\x63\x70\xFA\x84"
+			  "\x8A\x79\xB5\x99\x8D\xB3\xCF\xFD\x05\x7B\x96\xE1\xE2\xEE\x0E\xF2"
+			  "\x29\xEC\xA1\x33\xC1\x55\x48\xF9\x83\x99\x02\x04\x37\x30\xE4\x4B"
+			  "\xC5\x2C\x39\xFA\xDC\x1D\xDE\xEA\xD9\x5F\x99\x39\xF2\x20\xCA\x30"
+			  "\x06\x61\x54\x0D\xF7\xED\xD9\xAF\x37\x8A\x5D\x4A\x19\xB2\xB9\x3E"
+			  "\x6C\x78\xF4\x9C\x35\x33\x43\xA0\xB5\xF1\x19\x13\x2B\x53\x12\xD0"
+			  "\x04\x83\x1D\x01\x76\x9A\x31\x6D\x2F\x51\xBF\x64\xCC\xB2\x0A\x21"
+			  "\xC2\xCF\x7A\xC8\xFB\x6F\x6E\x90\x70\x61\x26\xBD\xAE\x06\x11\xDD"
+			  "\x13\x96\x2E\x8B\x53\xD6\xEA\xE2\x6C\x7B\x0D\x25\x51\xDA\xF6\x24"
+			  "\x8E\x9D\x65\x81\x73\x82\xB0\x4D\x23\x39\x2D\x10\x8E\x4D\x34\x43"
+			  "\xDE\x5A\xDC\x72\x73\xC7\x21\xA8\xF8\x32\x0E\xCF\xE8\x17\x7A\xC0"
+			  "\x67\xCA\x8A\x50\x16\x9A\x6E\x73\x00\x0E\xBC\xDC\x1E\x4E\xE6\x33"
+			  "\x9F\xC8\x67\xC3\xD7\xAE\xAB\x84\x14\x63\x98\xD7\xBA\xDE\x12\x1D"
+			  "\x19\x89\xFA\x45\x73\x35\x56\x4E\x97\x57\x70\xA3\xA0\x02\x59\xCA"
+			  "\x08\x70\x61\x08\x26\x1A\xA2\xD3\x4D\xE0\x0F\x8C\xAC\x7D\x45\xD3"
+			  "\x5E\x5A\xA6\x3E\xA6\x9E\x1D\x1A\x2F\x7D\xAB\x39\x00\xD5\x1E\x0B"
+			  "\xC6\x53\x48\xA2\x55\x54\x00\x70\x39\xA5\x2C\x3C\x30\x99\x80\xD1"
+			  "\x7C\xAD\x20\xF1\x15\x63\x10\xA3\x9C\xD3\x93\x76\x0C\xFE\x58\xF6"
+			  "\xF8\xAD\xE4\x21\x31\x28\x82\x80\xA3\x5E\x1D\xB8\x70\x81\x83\xB9"
+			  "\x1C\xFA\xF5\x82\x7E\x96\xB0\xF7\x74\xC4\x50\x93\xB4\x17\xAF\xF9"
+			  "\xDD\x64\x17\xE5\x99\x64\xA0\x1B\xD2\xA6\x12\xFF\xCF\xBA\x18\xA0"
+			  "\xF1\x93\xDB\x29\x7B\x9A\x6C\xC1\xD2\x70\xD9\x7A\xAE\x8F\x8A\x3A"
+			  "\x6B\x26\x69\x5A\xB6\x64\x31\xC2\x02\xE1\x39\xD6\x3D\xD3\xA2\x47"
+			  "\x78\x67\x6C\xEF\xE3\xE2\x1B\x02\xEC\x4E\x8F\x5C\xFD\x66\x58\x7A"
+			  "\x12\xB4\x40\x78\xFC\xD3\x9E\xEE\x44\xBB\xEF\x4A\x94\x9A\x63\xC0"
+			  "\xDF\xD5\x8C\xF2\xFB\x2C\xD5\xF0\x02\xE2\xB0\x21\x92\x66\xCF\xC0"
+			  "\x31\x81\x74\x86\xDE\x70\xB4\x28\x5A\x8A\x70\xF3\xD3\x8A\x61\xD3"
+			  "\x15\x5D\x99\xAA\xF4\xC2\x53\x90\xD7\x36\x45\xAB\x3E\x8D\x80\xF0"
+};
+
+xof_test_vector_t shake_256_255 = {
+	.alg = XOF_SHAKE_256, .len = 255,
+	.seed	= "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B"
+			  "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5"
+			  "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A"
+			  "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A"
+			  "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD"
+			  "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0"
+			  "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE"
+			  "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64"
+			  "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5"
+			  "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43"
+			  "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4"
+			  "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D"
+			  "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4"
+			  "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08"
+			  "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7"
+			  "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1",
+	.out_len = 512,
+	.out	= "\x8A\x51\x99\xB4\xA7\xE1\x33\xE2\x64\xA8\x62\x02\x72\x06\x55\x89"
+			  "\x4D\x48\xCF\xF3\x44\xA9\x28\xCF\x83\x47\xF4\x83\x79\xCE\xF3\x47"
+			  "\xDF\xC5\xBC\xFF\xAB\x99\xB2\x7B\x1F\x89\xAA\x27\x35\xE2\x3D\x30"
+			  "\x08\x8F\xFA\x03\xB9\xED\xB0\x2B\x96\x35\x47\x0A\xB9\xF1\x03\x89"
+			  "\x85\xD5\x5F\x9C\xA7\x74\x57\x2D\xD0\x06\x47\x0E\xA6\x51\x45\x46"
+			  "\x96\x09\xF9\xFA\x08\x31\xBF\x1F\xFD\x84\x2D\xC2\x4A\xCA\xDE\x27"
+			  "\xBD\x98\x16\xE3\xB5\xBF\x28\x76\xCB\x11\x22\x32\xA0\xEB\x44\x75"
+			  "\xF1\xDF\xF9\xF5\xC7\x13\xD9\xFF\xD4\xCC\xB8\x9A\xE5\x60\x7F\xE3"
+			  "\x57\x31\xDF\x06\x31\x79\x49\xEE\xF6\x46\xE9\x59\x1C\xF3\xBE\x53"
+			  "\xAD\xD6\xB7\xDD\x2B\x60\x96\xE2\xB3\xFB\x06\xE6\x62\xEC\x8B\x2D"
+			  "\x77\x42\x2D\xAA\xD9\x46\x3C\xD1\x55\x20\x4A\xCD\xBD\x38\xE3\x19"
+			  "\x61\x3F\x39\xF9\x9B\x6D\xFB\x35\xCA\x93\x65\x16\x00\x66\xDB\x19"
+			  "\x83\x58\x88\xC2\x24\x1F\xF9\xA7\x31\xA4\xAC\xBB\x56\x63\x72\x7A"
+			  "\xAC\x34\xA4\x01\x24\x7F\xBA\xA7\x49\x9E\x7D\x5E\xE5\xB6\x9D\x31"
+			  "\x02\x5E\x63\xD0\x4C\x35\xC7\x98\xBC\xA1\x26\x2D\x56\x73\xA9\xCF"
+			  "\x09\x30\xB5\xAD\x89\xBD\x48\x55\x99\xDC\x18\x45\x28\xDA\x47\x90"
+			  "\xF0\x88\xEB\xD1\x70\xB6\x35\xD9\x58\x16\x32\xD2\xFF\x90\xDB\x79"
+			  "\x66\x5C\xED\x43\x00\x89\xAF\x13\xC9\xF2\x1F\x6D\x44\x3A\x81\x80"
+			  "\x64\xF1\x7A\xEC\x9E\x9C\x54\x57\x00\x1F\xA8\xDC\x6A\xFB\xAD\xBE"
+			  "\x31\x38\xF3\x88\xD8\x9D\x0E\x6F\x22\xF6\x66\x71\x25\x5B\x21\x07"
+			  "\x54\xED\x63\xD8\x1D\xCE\x75\xCE\x8F\x18\x9B\x53\x4E\x6D\x6B\x35"
+			  "\x39\xAA\x51\xE8\x37\xC4\x2D\xF9\xDF\x59\xC7\x1E\x61\x71\xCD\x49"
+			  "\x02\xFE\x1B\xDC\x73\xFB\x17\x75\xB5\xC7\x54\xA1\xED\x4E\xA7\xF3"
+			  "\x10\x5F\xC5\x43\xEE\x04\x18\xDA\xD2\x56\xF3\xF6\x11\x8E\xA7\x71"
+			  "\x14\xA1\x6C\x15\x35\x5B\x42\x87\x7A\x1D\xB2\xA7\xDF\x0E\x15\x5A"
+			  "\xE1\xD8\x67\x0A\xBC\xEC\x34\x50\xF4\xE2\xEE\xC9\x83\x8F\x89\x54"
+			  "\x23\xEF\x63\xD2\x61\x13\x8B\xAA\xF5\xD9\xF1\x04\xCB\x5A\x95\x7A"
+			  "\xEA\x06\xC0\xB9\xB8\xC7\x8B\x0D\x44\x17\x96\xDC\x03\x50\xDD\xEA"
+			  "\xBB\x78\xA3\x3B\x6F\x1F\x9E\x68\xED\xE3\xD1\x80\x5C\x7B\x7E\x2C"
+			  "\xFD\x54\xE0\xFA\xD6\x2F\x0D\x8C\xA6\x7A\x77\x5D\xC4\x54\x6A\xF9"
+			  "\x09\x6F\x2E\xDB\x22\x1D\xB4\x28\x43\xD6\x53\x27\x86\x12\x82\xDC"
+			  "\x94\x6A\x0B\xA0\x1A\x11\x86\x3A\xB2\xD1\xDF\xD1\x6E\x39\x73\xD4"
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 0505e2c..c4d7184 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -24,6 +24,7 @@
 #define TEST_VECTOR_SIGNER(x) extern signer_test_vector_t x;
 #define TEST_VECTOR_HASHER(x) extern hasher_test_vector_t x;
 #define TEST_VECTOR_PRF(x) extern prf_test_vector_t x;
+#define TEST_VECTOR_XOF(x) extern xof_test_vector_t x;
 #define TEST_VECTOR_RNG(x) extern rng_test_vector_t x;
 #define TEST_VECTOR_DH(x) extern dh_test_vector_t x;
 
@@ -34,6 +35,7 @@
 #undef TEST_VECTOR_SIGNER
 #undef TEST_VECTOR_HASHER
 #undef TEST_VECTOR_PRF
+#undef TEST_VECTOR_XOF
 #undef TEST_VECTOR_RNG
 #undef TEST_VECTOR_DH
 
@@ -42,6 +44,7 @@
 #define TEST_VECTOR_SIGNER(x)
 #define TEST_VECTOR_HASHER(x)
 #define TEST_VECTOR_PRF(x)
+#define TEST_VECTOR_XOF(x)
 #define TEST_VECTOR_RNG(x)
 #define TEST_VECTOR_DH(x)
 
@@ -86,6 +89,14 @@ static prf_test_vector_t *prf[] = {
 #undef TEST_VECTOR_PRF
 #define TEST_VECTOR_PRF(x)
 
+#undef TEST_VECTOR_XOF
+#define TEST_VECTOR_XOF(x) &x,
+static xof_test_vector_t *xof[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_XOF
+#define TEST_VECTOR_XOF(x)
+
 #undef TEST_VECTOR_RNG
 #define TEST_VECTOR_RNG(x) &x,
 static rng_test_vector_t *rng[] = {
@@ -181,6 +192,11 @@ plugin_t *test_vectors_plugin_create()
 		lib->crypto->add_test_vector(lib->crypto,
 									 PSEUDO_RANDOM_FUNCTION, prf[i]);
 	}
+	for (i = 0; i < countof(xof); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 EXTENDED_OUTPUT_FUNCTION, xof[i]);
+	}
 	for (i = 0; i < countof(rng); i++)
 	{
 		lib->crypto->add_test_vector(lib->crypto,
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index ea27fd3..665f770 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/unbound/unbound_response.c b/src/libstrongswan/plugins/unbound/unbound_response.c
index 6f6c25e..950df34 100644
--- a/src/libstrongswan/plugins/unbound/unbound_response.c
+++ b/src/libstrongswan/plugins/unbound/unbound_response.c
@@ -189,7 +189,7 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 		 */
 		rr_list = linked_list_create();
 
-		orig_rr_list = ldns_pkt_get_section_clone(dns_pkt, LDNS_SECTION_ANSWER);
+		orig_rr_list = ldns_pkt_answer(dns_pkt);
 		orig_rr_count = ldns_rr_list_rr_count(orig_rr_list);
 
 		for (i = 0; i < orig_rr_count; i++)
@@ -253,7 +253,6 @@ unbound_response_t *unbound_response_create_frm_libub_response(
 		this->rr_set = rr_set_create(rr_list, rrsig_list);
 
 		ldns_pkt_free(dns_pkt);
-		ldns_rr_list_free(orig_rr_list);
 	}
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/unbound/unbound_rr.c b/src/libstrongswan/plugins/unbound/unbound_rr.c
index fc69eed..91b5cdb 100644
--- a/src/libstrongswan/plugins/unbound/unbound_rr.c
+++ b/src/libstrongswan/plugins/unbound/unbound_rr.c
@@ -154,11 +154,13 @@ unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr)
 	if (status != LDNS_STATUS_OK)
 	{
 		DBG1(DBG_LIB, "failed to get the RDATA field of a DNS RR");
+		ldns_buffer_free(buf);
 		_destroy(this);
 		return NULL;
 	}
 
 	this->rdata = ldns_buffer_export(buf);
+	ldns_buffer_free(buf);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in
index 0bf311c..672ff5f 100644
--- a/src/libstrongswan/plugins/winhttp/Makefile.in
+++ b/src/libstrongswan/plugins/winhttp/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 6288e0f..c96dac0 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -352,7 +352,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -386,8 +385,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -441,6 +438,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 98fad6f..44021e4 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index b762850..df6066b 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -27,6 +30,7 @@
 #include <fcntl.h>
 
 typedef struct private_watcher_t private_watcher_t;
+typedef struct entry_t entry_t;
 
 /**
  * Private data of an watcher_t object.
@@ -39,9 +43,19 @@ struct private_watcher_t {
 	watcher_t public;
 
 	/**
-	 * List of registered FDs, as entry_t
+	 * List of registered FDs
 	 */
-	linked_list_t *fds;
+	entry_t *fds;
+
+	/**
+	 * Last registered FD
+	 */
+	entry_t *last;
+
+	/**
+	 * Number of registered FDs
+	 */
+	u_int count;
 
 	/**
 	 * Pending update of FD list?
@@ -77,7 +91,7 @@ struct private_watcher_t {
 /**
  * Entry for a registered file descriptor
  */
-typedef struct {
+struct entry_t {
 	/** file descriptor */
 	int fd;
 	/** events to watch */
@@ -88,7 +102,53 @@ typedef struct {
 	void *data;
 	/** callback(s) currently active? */
 	int in_callback;
-} entry_t;
+	/** next registered fd */
+	entry_t *next;
+};
+
+/**
+ * Adds the given entry at the end of the list
+ */
+static void add_entry(private_watcher_t *this, entry_t *entry)
+{
+	if (this->last)
+	{
+		this->last->next = entry;
+		this->last = entry;
+	}
+	else
+	{
+		this->fds = this->last = entry;
+	}
+	this->count++;
+}
+
+/**
+ * Removes and frees the given entry
+ *
+ * Updates the previous entry and returns the next entry in the list, if any.
+ */
+static entry_t *remove_entry(private_watcher_t *this, entry_t *entry,
+							 entry_t *prev)
+{
+	entry_t *next = entry->next;
+
+	if (prev)
+	{
+		prev->next = next;
+	}
+	else
+	{
+		this->fds = next;
+	}
+	if (this->last == entry)
+	{
+		this->last = prev;
+	}
+	this->count--;
+	free(entry);
+	return next;
+}
 
 /**
  * Data we pass on for an async notification
@@ -153,13 +213,11 @@ static job_requeue_t notify_async(notify_data_t *data)
 static void notify_end(notify_data_t *data)
 {
 	private_watcher_t *this = data->this;
-	enumerator_t *enumerator;
-	entry_t *entry;
+	entry_t *entry, *prev = NULL;
 
 	/* reactivate the disabled entry */
 	this->mutex->lock(this->mutex);
-	enumerator = this->fds->create_enumerator(this->fds);
-	while (enumerator->enumerate(enumerator, &entry))
+	for (entry = this->fds; entry; prev = entry, entry = entry->next)
 	{
 		if (entry->fd == data->fd)
 		{
@@ -168,8 +226,7 @@ static void notify_end(notify_data_t *data)
 				entry->events &= ~data->event;
 				if (!entry->events)
 				{
-					this->fds->remove_at(this->fds, enumerator);
-					free(entry);
+					remove_entry(this, entry, prev);
 					break;
 				}
 			}
@@ -177,8 +234,6 @@ static void notify_end(notify_data_t *data)
 			break;
 		}
 	}
-	enumerator->destroy(enumerator);
-
 	update(this);
 	this->condvar->broadcast(this->condvar);
 	this->mutex->unlock(this->mutex);
@@ -219,19 +274,16 @@ static void notify(private_watcher_t *this, entry_t *entry,
  */
 static void activate_all(private_watcher_t *this)
 {
-	enumerator_t *enumerator;
 	entry_t *entry;
 
 	/* When the watcher thread gets cancelled, we have to reactivate any entry
 	 * and signal threads in remove() to go on. */
 
 	this->mutex->lock(this->mutex);
-	enumerator = this->fds->create_enumerator(this->fds);
-	while (enumerator->enumerate(enumerator, &entry))
+	for (entry = this->fds; entry; entry = entry->next)
 	{
 		entry->in_callback = 0;
 	}
-	enumerator->destroy(enumerator);
 	this->state = WATCHER_STOPPED;
 	this->condvar->broadcast(this->condvar);
 	this->mutex->unlock(this->mutex);
@@ -240,7 +292,7 @@ static void activate_all(private_watcher_t *this)
 /**
  * Find flagged revents in a pollfd set by fd
  */
-static int find_revents(struct pollfd *pfd, int count, int fd)
+static inline int find_revents(struct pollfd *pfd, int count, int fd)
 {
 	int i;
 
@@ -257,7 +309,8 @@ static int find_revents(struct pollfd *pfd, int count, int fd)
 /**
  * Check if entry is waiting for a specific event, and if it got signaled
  */
-static bool entry_ready(entry_t *entry, watcher_event_t event, int revents)
+static inline bool entry_ready(entry_t *entry, watcher_event_t event,
+							   int revents)
 {
 	if (entry->events & event)
 	{
@@ -279,7 +332,6 @@ static bool entry_ready(entry_t *entry, watcher_event_t event, int revents)
  */
 static job_requeue_t watch(private_watcher_t *this)
 {
-	enumerator_t *enumerator;
 	entry_t *entry;
 	struct pollfd *pfd;
 	int count = 0, res;
@@ -287,8 +339,8 @@ static job_requeue_t watch(private_watcher_t *this)
 
 	this->mutex->lock(this->mutex);
 
-	count = this->fds->get_count(this->fds);
-	if (count == 0)
+	count = this->count;
+	if (!count)
 	{
 		this->state = WATCHER_STOPPED;
 		this->mutex->unlock(this->mutex);
@@ -304,8 +356,7 @@ static job_requeue_t watch(private_watcher_t *this)
 	pfd[0].events = POLLIN;
 	count = 1;
 
-	enumerator = this->fds->create_enumerator(this->fds);
-	while (enumerator->enumerate(enumerator, &entry))
+	for (entry = this->fds; entry; entry = entry->next)
 	{
 		if (!entry->in_callback)
 		{
@@ -329,7 +380,6 @@ static job_requeue_t watch(private_watcher_t *this)
 			count++;
 		}
 	}
-	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
 
 	while (!rebuild)
@@ -378,8 +428,7 @@ static job_requeue_t watch(private_watcher_t *this)
 			}
 
 			this->mutex->lock(this->mutex);
-			enumerator = this->fds->create_enumerator(this->fds);
-			while (enumerator->enumerate(enumerator, &entry))
+			for (entry = this->fds; entry; entry = entry->next)
 			{
 				if (entry->in_callback)
 				{
@@ -406,7 +455,6 @@ static job_requeue_t watch(private_watcher_t *this)
 					}
 				}
 			}
-			enumerator->destroy(enumerator);
 			this->mutex->unlock(this->mutex);
 
 			if (this->jobs->get_count(this->jobs))
@@ -446,7 +494,7 @@ METHOD(watcher_t, add, void,
 	);
 
 	this->mutex->lock(this->mutex);
-	this->fds->insert_last(this->fds, entry);
+	add_entry(this, entry);
 	if (this->state == WATCHER_STOPPED)
 	{
 		this->state = WATCHER_QUEUED;
@@ -464,16 +512,15 @@ METHOD(watcher_t, add, void,
 METHOD(watcher_t, remove_, void,
 	private_watcher_t *this, int fd)
 {
-	enumerator_t *enumerator;
-	entry_t *entry;
+	entry_t *entry, *prev = NULL;
 
 	this->mutex->lock(this->mutex);
 	while (TRUE)
 	{
 		bool is_in_callback = FALSE;
 
-		enumerator = this->fds->create_enumerator(this->fds);
-		while (enumerator->enumerate(enumerator, &entry))
+		entry = this->fds;
+		while (entry)
 		{
 			if (entry->fd == fd)
 			{
@@ -482,11 +529,12 @@ METHOD(watcher_t, remove_, void,
 					is_in_callback = TRUE;
 					break;
 				}
-				this->fds->remove_at(this->fds, enumerator);
-				free(entry);
+				entry = remove_entry(this, entry, prev);
+				continue;
 			}
+			prev = entry;
+			entry = entry->next;
 		}
-		enumerator->destroy(enumerator);
 		if (!is_in_callback)
 		{
 			break;
@@ -515,7 +563,6 @@ METHOD(watcher_t, destroy, void,
 {
 	this->mutex->destroy(this->mutex);
 	this->condvar->destroy(this->condvar);
-	this->fds->destroy(this->fds);
 	if (this->notify[0] != -1)
 	{
 		close(this->notify[0]);
@@ -590,7 +637,6 @@ watcher_t *watcher_create()
 			.get_state = _get_state,
 			.destroy = _destroy,
 		},
-		.fds = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.jobs = linked_list_create(),
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 4e53217..51ba9c0 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -390,7 +390,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -424,8 +423,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -479,6 +476,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c
index e046725..139b730 100644
--- a/src/libstrongswan/tests/suites/test_auth_cfg.c
+++ b/src/libstrongswan/tests/suites/test_auth_cfg.c
@@ -22,19 +22,19 @@ struct {
 	signature_scheme_t sig[5];
 	signature_scheme_t ike[5];
 } sig_constraints_tests[] = {
-	{ "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
-	{ "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA512, 0 }, {0}},
+	{ "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}},
+	{ "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_512, 0 }, {0}},
 	{ "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
-	{ "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
-	{ "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}},
-	{ "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
-	{ "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
-	{ "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
-	{ "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }},
+	{ "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}},
+	{ "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }},
+	{ "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }},
+	{ "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }},
+	{ "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }},
 	{ "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
 	{ "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
 	{ "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
-	{ "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+	{ "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}},
 	{ "rsa4096-sha256", {0}, {0}},
 	{ "sha256", {0}, {0}},
 	{ "ike:sha256", {0}, {0}},
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index 067abf0..de285ca 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -87,29 +87,33 @@ typedef struct {
 }hasher_sig_scheme_t;
 
 static hasher_sig_scheme_t sig_schemes[] = {
-	{ SIGN_UNKNOWN,               HASH_UNKNOWN  },
-	{ SIGN_RSA_EMSA_PKCS1_NULL,   HASH_UNKNOWN  },
-	{ SIGN_RSA_EMSA_PKCS1_MD5,    HASH_MD5      },
-	{ SIGN_RSA_EMSA_PKCS1_SHA1,   HASH_SHA1     },
-	{ SIGN_RSA_EMSA_PKCS1_SHA224, HASH_SHA224   },
-	{ SIGN_RSA_EMSA_PKCS1_SHA256, HASH_SHA256   },
-	{ SIGN_RSA_EMSA_PKCS1_SHA384, HASH_SHA384   },
-	{ SIGN_RSA_EMSA_PKCS1_SHA512, HASH_SHA512   },
-	{ SIGN_ECDSA_WITH_SHA1_DER,   HASH_SHA1     },
-	{ SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256   },
-	{ SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384   },
-	{ SIGN_ECDSA_WITH_SHA512_DER, HASH_SHA512   },
-	{ SIGN_ECDSA_WITH_NULL,       HASH_UNKNOWN  },
-	{ SIGN_ECDSA_256,             HASH_SHA256   },
-	{ SIGN_ECDSA_384,             HASH_SHA384   },
-	{ SIGN_ECDSA_521,             HASH_SHA512   },
-	{ SIGN_BLISS_WITH_SHA2_256,   HASH_SHA256   },
-	{ SIGN_BLISS_WITH_SHA2_384,   HASH_SHA384   },
-	{ SIGN_BLISS_WITH_SHA2_512,   HASH_SHA512   },
-	{ SIGN_BLISS_WITH_SHA3_256,   HASH_SHA3_256 },
-	{ SIGN_BLISS_WITH_SHA3_384,   HASH_SHA3_384 },
-	{ SIGN_BLISS_WITH_SHA3_512,   HASH_SHA3_512 },
-	{ 30,						  HASH_UNKNOWN  }
+	{ SIGN_UNKNOWN,               HASH_UNKNOWN    },
+	{ SIGN_RSA_EMSA_PKCS1_NULL,   HASH_UNKNOWN    },
+	{ SIGN_RSA_EMSA_PKCS1_MD5,    HASH_MD5        },
+	{ SIGN_RSA_EMSA_PKCS1_SHA1,   HASH_SHA1       },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_224, HASH_SHA224   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, HASH_SHA256   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_384, HASH_SHA384   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_512, HASH_SHA512   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA3_224, HASH_SHA3_224 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA3_256, HASH_SHA3_256 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA3_384, HASH_SHA3_384 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA3_512, HASH_SHA3_512 },
+	{ SIGN_ECDSA_WITH_SHA1_DER,   HASH_SHA1       },
+	{ SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256     },
+	{ SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384     },
+	{ SIGN_ECDSA_WITH_SHA512_DER, HASH_SHA512     },
+	{ SIGN_ECDSA_WITH_NULL,       HASH_UNKNOWN    },
+	{ SIGN_ECDSA_256,             HASH_SHA256     },
+	{ SIGN_ECDSA_384,             HASH_SHA384     },
+	{ SIGN_ECDSA_521,             HASH_SHA512     },
+	{ SIGN_BLISS_WITH_SHA2_256,   HASH_SHA256     },
+	{ SIGN_BLISS_WITH_SHA2_384,   HASH_SHA384     },
+	{ SIGN_BLISS_WITH_SHA2_512,   HASH_SHA512     },
+	{ SIGN_BLISS_WITH_SHA3_256,   HASH_SHA3_256   },
+	{ SIGN_BLISS_WITH_SHA3_384,   HASH_SHA3_384   },
+	{ SIGN_BLISS_WITH_SHA3_512,   HASH_SHA3_512   },
+	{ 30,						  HASH_UNKNOWN    }
 };
 
 START_TEST(test_hasher_from_sig_scheme)
diff --git a/src/libstrongswan/tests/suites/test_mgf1.c b/src/libstrongswan/tests/suites/test_mgf1.c
index 9388b95..6945f5c 100644
--- a/src/libstrongswan/tests/suites/test_mgf1.c
+++ b/src/libstrongswan/tests/suites/test_mgf1.c
@@ -17,11 +17,12 @@
 
 #include <tests/utils/test_rng.h>
 #include <utils/test.h>
-#include <crypto/mgf1/mgf1.h>
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof.h>
+#include <crypto/xofs/xof_bitspender.h>
+#include <crypto/xofs/mgf1.h>
 
 typedef struct {
-	hash_algorithm_t alg;
+	ext_out_function_t alg;
 	size_t hash_size;
 	size_t ml1, ml2, ml3, seed_len;
 	chunk_t seed;
@@ -34,7 +35,7 @@ typedef struct {
  * MGF1 Mask Generation Function Test Vectors
  */
 mgf1_test_t mgf1_tests[] = {
-	{	HASH_SHA1, 20, 60, 20, 15, 24,
+	{	XOF_MGF1_SHA1, 20, 60, 20, 15, 24,
 		chunk_from_chars(
 						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
 						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
@@ -73,7 +74,7 @@ mgf1_test_t mgf1_tests[] = {
 		{ 0, 0, 0, 4, 1, 1, 46, 103, 38, 411, 848, 57, 3540, 4058, 12403,
 		  0x63, 0x2B, 0xC9, 0x17, 0x56, 669409, 0xA407A43B },
 	},
-	{	HASH_SHA256, 32, 64, 32, 33, 40,
+	{	XOF_MGF1_SHA256, 32, 64, 32, 33, 40,
 		chunk_from_chars(
 						0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
 						0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
@@ -127,6 +128,7 @@ mgf1_test_t mgf1_tests[] = {
 
 START_TEST(mgf1_test_mgf1)
 {
+	xof_t *xof;
 	mgf1_t *mgf1;
 	chunk_t mask, mask1, mask2, mask3;
 
@@ -137,72 +139,88 @@ START_TEST(mgf1_test_mgf1)
 	mask2.len = mgf1_tests[_i].ml2;
 	mask3.len = mgf1_tests[_i].ml3;
 
-	mgf1 = mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
-	ck_assert(mgf1 == NULL);
+	/* unknown XOF */
+	xof = lib->crypto->create_xof(lib->crypto, XOF_UNDEFINED);
+	ck_assert(xof == NULL);
 
-	mgf1 = mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
-	ck_assert(mgf1 == NULL);
+	/* create MGF1 XOF */
+	xof = lib->crypto->create_xof(lib->crypto, mgf1_tests[_i].alg);
+	ck_assert(xof);
 
-	/* return mask in allocated chunk */
-	mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
-	ck_assert(mgf1);
+	/* hash the seed */
+	mgf1 = (mgf1_t*)xof;
+	mgf1->set_hash_seed(mgf1, TRUE);
 
-	/* check hash size */
-	ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
+	/* check MGF1 type */
+	ck_assert(xof->get_type(xof) == mgf1_tests[_i].alg);
 
-	/* get zero number of octets */
-	ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
+	/* check seed size */
+	ck_assert(xof->get_seed_size(xof) == mgf1_tests[_i].hash_size);
+
+	/* check block size */
+	ck_assert(xof->get_block_size(xof) == mgf1_tests[_i].hash_size);
+
+	/* empty seed */
+	ck_assert(!xof->set_seed(xof, chunk_empty));
+
+	/* initialize MGF1 with non-empty seed */
+	ck_assert(xof->set_seed(xof, mgf1_tests[_i].seed));
+
+	/* allocate zero number of octets */
+	ck_assert(xof->allocate_bytes(xof, 0, &mask));
 	ck_assert(mask.len == 0 && mask.ptr == NULL);
 
-	/* get non-zero number of octets */
-	ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
+	/* allocate non-zero number of octets */
+	ck_assert(xof->allocate_bytes(xof, mgf1_tests[_i].mask.len, &mask));
 	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
-	mgf1->destroy(mgf1);
+
+	/* re-initialize MGF1 with non-empty seed */
+	ck_assert(xof->set_seed(xof, mgf1_tests[_i].seed));
 
 	/* copy mask to pre-allocated buffer */
-	mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
-	ck_assert(mgf1);
-	ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
+	ck_assert(xof->get_bytes(xof, mgf1_tests[_i].mask.len, mask.ptr));
 	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
-	mgf1->destroy(mgf1);
 
-	/* get mask in batches without hashing the seed */
-	mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
-	ck_assert(mgf1);
+	/* do not hash the seed */
+	mgf1->set_hash_seed(mgf1, FALSE);
+
+	/* re-initialize MGF1 with non-empty seed */
+	ck_assert(xof->set_seed(xof, mgf1_tests[_i].hashed_seed));
 
 	/* first batch */
-	ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
+	ck_assert(xof->get_bytes(xof, mask1.len, mask.ptr));
 	mask.len = mask1.len;
 	ck_assert(chunk_equals(mask, mask1));
 
 	/* second batch */
-	ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
+	ck_assert(xof->get_bytes(xof, mask2.len, mask.ptr));
 	mask.len = mask2.len;
 	ck_assert(chunk_equals(mask, mask2));
 
 	/* third batch */
-	ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
+	ck_assert(xof->get_bytes(xof, mask3.len, mask.ptr));
 	mask.len = mask3.len;
 	ck_assert(chunk_equals(mask, mask3));
 
-	mgf1->destroy(mgf1);
+	/* clean up */
+	xof->destroy(xof);
 	chunk_free(&mask);
 }
 END_TEST
 
 START_TEST(mgf1_test_bitspender)
 {
-	mgf1_bitspender_t *bitspender;
+	xof_bitspender_t *bitspender;
 	uint32_t bits;
 	uint8_t byte;
 	int j;
 
-	bitspender = mgf1_bitspender_create(HASH_UNKNOWN,
-										mgf1_tests[_i].hashed_seed, FALSE);
+	bitspender = xof_bitspender_create(XOF_UNDEFINED,
+									   mgf1_tests[_i].hashed_seed, FALSE);
 	ck_assert(bitspender == NULL);
 
-	bitspender = mgf1_bitspender_create(mgf1_tests[_i].alg,
-										mgf1_tests[_i].hashed_seed, FALSE);
+	bitspender = xof_bitspender_create(mgf1_tests[_i].alg,
+									   mgf1_tests[_i].hashed_seed, FALSE);
 	ck_assert(bitspender);
 
 	for (j = 0; j < 15; j++)
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
index 0a6d24d..0b432e2 100644
--- a/src/libstrongswan/tests/suites/test_ntru.c
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -17,7 +17,7 @@
 
 #include <tests/utils/test_rng.h>
 #include <utils/test.h>
-#include <crypto/mgf1/mgf1.h>
+#include <crypto/xofs/xof.h>
 #include <plugins/ntru/ntru_drbg.h>
 #include <plugins/ntru/ntru_trits.h>
 #include <plugins/ntru/ntru_poly.h>
@@ -28,10 +28,10 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
 						  uint32_t strength, chunk_t pers_str, rng_t *entropy)
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*,
-						  size_t len, hash_algorithm_t alg, chunk_t seed)
+						  size_t len, ext_out_function_t alg, chunk_t seed)
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_seed, ntru_poly_t*,
-						  hash_algorithm_t alg, chunk_t seed, uint8_t c_bits,
+						  ext_out_function_t alg, chunk_t seed, uint8_t c_bits,
 						  uint16_t N, uint16_t q, uint32_t indices_len_p,
 						  uint32_t indices_len_m, bool is_product_form)
 
@@ -329,7 +329,7 @@ typedef struct {
 } poly_test_t;
 
 typedef struct {
-	hash_algorithm_t alg;
+	ext_out_function_t alg;
 	size_t hash_size;
 	size_t seed_len;
 	chunk_t seed;
@@ -384,7 +384,7 @@ uint16_t indices_ees1171ep1[] = {
  * Trits and Polynomial Test Vectors
  */
 static trits_test_t trits_tests[] = {
-	{	HASH_SHA1, 20, 24,
+	{	XOF_MGF1_SHA1, 20, 24,
 		chunk_from_chars(
 						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
 						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
@@ -432,7 +432,7 @@ static trits_test_t trits_tests[] = {
 			}
 		}
 	},
-	{	HASH_SHA256, 32, 40,
+	{	XOF_MGF1_SHA256, 32, 40,
 		chunk_from_chars(
 						0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
 						0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
@@ -501,7 +501,7 @@ START_TEST(test_ntru_trits)
 	chunk_t trits;
 
 	mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
-						 HASH_UNKNOWN, trits_tests[_i].seed);
+						 XOF_UNDEFINED, trits_tests[_i].seed);
 	ck_assert(mask == NULL);
 
 	mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
@@ -539,7 +539,7 @@ START_TEST(test_ntru_poly)
 	seed.len = trits_tests[_i].seed_len;
 
 	p = &trits_tests[_i].poly_test[0];
-	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed,
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, XOF_UNDEFINED, seed,
 						 p->c_bits, p->N, p->q, p->indices_len, p->indices_len,
 						 p->is_product_form);
 	ck_assert(poly == NULL);
diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c
index 2c1c6fb..41e7835 100644
--- a/src/libstrongswan/tests/suites/test_rsa.c
+++ b/src/libstrongswan/tests/suites/test_rsa.c
@@ -24,10 +24,10 @@ static signature_scheme_t schemes[] = {
 	SIGN_RSA_EMSA_PKCS1_NULL,
 	SIGN_RSA_EMSA_PKCS1_MD5,
 	SIGN_RSA_EMSA_PKCS1_SHA1,
-	SIGN_RSA_EMSA_PKCS1_SHA224,
-	SIGN_RSA_EMSA_PKCS1_SHA256,
-	SIGN_RSA_EMSA_PKCS1_SHA384,
-	SIGN_RSA_EMSA_PKCS1_SHA512,
+	SIGN_RSA_EMSA_PKCS1_SHA2_224,
+	SIGN_RSA_EMSA_PKCS1_SHA2_256,
+	SIGN_RSA_EMSA_PKCS1_SHA2_384,
+	SIGN_RSA_EMSA_PKCS1_SHA2_512,
 };
 
 /**
diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index 1eb3c8b..de7b470 100644
--- a/src/libstrongswan/tests/suites/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -858,15 +858,22 @@ static struct {
 	int size;
 	signature_scheme_t expected[4];
 } scheme_data[] = {
-	{KEY_RSA,   1024, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
-	{KEY_RSA,   2048, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
-	{KEY_RSA,   4096, { SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
-	{KEY_RSA,   8192, { SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
-	{KEY_ECDSA,  256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
-	{KEY_ECDSA,  384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+	{KEY_RSA,   1024, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384,
+						SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_RSA,   2048, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384,
+						SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_RSA,   4096, { SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512,
+						SIGN_UNKNOWN }},
+	{KEY_RSA,   8192, { SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_ECDSA,  256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER,
+						SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+	{KEY_ECDSA,  384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER,
+						SIGN_UNKNOWN }},
 	{KEY_ECDSA,  512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
-	{KEY_BLISS,  128, { SIGN_BLISS_WITH_SHA2_256, SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
-	{KEY_BLISS,  192, { SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  128, { SIGN_BLISS_WITH_SHA2_256, SIGN_BLISS_WITH_SHA2_384,
+						SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  192, { SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512,
+						SIGN_UNKNOWN }},
 	{KEY_BLISS,  256, { SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
 };
 
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 824c880..fabfaa8 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -46,7 +46,7 @@ TEST_SUITE(pen_suite_create)
 TEST_SUITE(asn1_suite_create)
 TEST_SUITE(asn1_parser_suite_create)
 TEST_SUITE(test_rng_suite_create)
-TEST_SUITE_DEPEND(mgf1_sha1_suite_create, HASHER, HASH_SHA1)
-TEST_SUITE_DEPEND(mgf1_sha256_suite_create, HASHER, HASH_SHA256)
+TEST_SUITE_DEPEND(mgf1_sha1_suite_create, XOF, XOF_MGF1_SHA1)
+TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256)
 TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
 TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index d0f646c..ad67c03 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -494,7 +494,7 @@ static bool register_hooks()
  * List of functions using static allocation buffers or should be suppressed
  * otherwise on leak report.
  */
-char *whitelist[] = {
+static char *whitelist[] = {
 	/* backtraces, including own */
 	"backtrace_create",
 	"strerror_safe",
@@ -551,6 +551,15 @@ char *whitelist[] = {
 	"xmlInitParserCtxt",
 	/* libcurl */
 	"Curl_client_write",
+	/* libsoup */
+	"soup_message_headers_append",
+	"soup_message_headers_clear",
+	"soup_message_headers_get_list",
+	"soup_message_headers_get_one",
+	"soup_session_abort",
+	"soup_session_get_type",
+	/* libldap */
+	"ldap_int_initialize",
 	/* ClearSilver */
 	"nerr_init",
 	/* libgcrypt */
@@ -575,17 +584,28 @@ char *whitelist[] = {
 	/* libapr */
 	"apr_pool_create_ex",
 	/* glib */
+	"g_output_stream_write",
+	"g_resolver_lookup_by_name",
+	"g_signal_connect_data",
+	"g_socket_connection_factory_lookup_type",
 	"g_type_init_with_debug_flags",
 	"g_type_register_static",
 	"g_type_class_ref",
 	"g_type_create_instance",
 	"g_type_add_interface_static",
 	"g_type_interface_add_prerequisite",
-	"g_socket_connection_factory_lookup_type",
+	"g_private_set",
+	"g_queue_pop_tail",
 	/* libgpg */
 	"gpg_err_init",
 	/* gnutls */
 	"gnutls_global_init",
+	/* Ada runtime */
+	"system__tasking__initialize",
+	"system__tasking__initialization__abort_defer",
+	"system__tasking__stages__create_task",
+	/* in case external threads call into our code */
+	"thread_current_id",
 };
 
 /**
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index 18b17b1..0aed842 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -22,16 +22,20 @@
 #ifndef UTILS_H_
 #define UTILS_H_
 
+#define _GNU_SOURCE
 #include <sys/types.h>
 #include <stdlib.h>
 #include <stddef.h>
 #include <sys/time.h>
 #include <string.h>
 
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
 #ifdef WIN32
 # include "compat/windows.h"
 #else
-# define _GNU_SOURCE
 # include <arpa/inet.h>
 # include <sys/socket.h>
 # include <netdb.h>
diff --git a/src/libstrongswan/utils/utils/byteorder.h b/src/libstrongswan/utils/utils/byteorder.h
index 7c7e534..0665ef3 100644
--- a/src/libstrongswan/utils/utils/byteorder.h
+++ b/src/libstrongswan/utils/utils/byteorder.h
@@ -44,6 +44,21 @@
 #define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
 #endif
 
+#ifndef le16toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define le16toh(x) __builtin_bswap16(x)
+# else
+#  define le16toh(x) (x)
+# endif
+#endif
+#ifndef htole16
+# if BYTE_ORDER == BIG_ENDIAN
+#  define htole16(x) __builtin_bswap16(x)
+# else
+#  define htole16(x) (x)
+# endif
+#endif
+
 #ifndef le32toh
 # if BYTE_ORDER == BIG_ENDIAN
 #  define le32toh(x) __builtin_bswap32(x)
@@ -177,6 +192,33 @@ static inline uint64_t untoh64(void *network)
 }
 
 /**
+ * Read a 16-bit value in little-endian order from unaligned address.
+ *
+ * @param p			unaligned address to read little endian value from
+ * @return			host order value
+ */
+static inline uint16_t uletoh16(void *p)
+{
+	uint16_t ret;
+
+	memcpy(&ret, p, sizeof(ret));
+	ret = le16toh(ret);
+	return ret;
+}
+
+/**
+ * Write a 16-bit value in little-endian to an unaligned address.
+ *
+ * @param p			host order 16-bit value
+ * @param v			unaligned address to write little endian value to
+ */
+static inline void htoule16(void *p, uint16_t v)
+{
+	v = htole16(v);
+	memcpy(p, &v, sizeof(v));
+}
+
+/**
  * Read a 32-bit value in little-endian order from unaligned address.
  *
  * @param p			unaligned address to read little endian value from
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 0bd5f74..ca49a0a 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -403,7 +403,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -437,8 +436,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -492,6 +489,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index e00de3f..7d8975a 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -347,7 +347,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -381,8 +380,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -436,6 +433,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 6bbd958..84b511f 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -1215,16 +1215,16 @@ static struct {
 	tls_hash_algorithm_t hash;
 	signature_scheme_t scheme;
 } schemes[] = {
-	{ TLS_SIG_ECDSA,	TLS_HASH_SHA256,	SIGN_ECDSA_WITH_SHA256_DER	},
-	{ TLS_SIG_ECDSA,	TLS_HASH_SHA384,	SIGN_ECDSA_WITH_SHA384_DER	},
-	{ TLS_SIG_ECDSA,	TLS_HASH_SHA512,	SIGN_ECDSA_WITH_SHA512_DER	},
-	{ TLS_SIG_ECDSA,	TLS_HASH_SHA1,		SIGN_ECDSA_WITH_SHA1_DER	},
-	{ TLS_SIG_RSA,		TLS_HASH_SHA256,	SIGN_RSA_EMSA_PKCS1_SHA256	},
-	{ TLS_SIG_RSA,		TLS_HASH_SHA384,	SIGN_RSA_EMSA_PKCS1_SHA384	},
-	{ TLS_SIG_RSA,		TLS_HASH_SHA512,	SIGN_RSA_EMSA_PKCS1_SHA512	},
-	{ TLS_SIG_RSA,		TLS_HASH_SHA224,	SIGN_RSA_EMSA_PKCS1_SHA224	},
-	{ TLS_SIG_RSA,		TLS_HASH_SHA1,		SIGN_RSA_EMSA_PKCS1_SHA1	},
-	{ TLS_SIG_RSA,		TLS_HASH_MD5,		SIGN_RSA_EMSA_PKCS1_MD5		},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA256,	SIGN_ECDSA_WITH_SHA256_DER   },
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA384,	SIGN_ECDSA_WITH_SHA384_DER   },
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA512,	SIGN_ECDSA_WITH_SHA512_DER   },
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA1,		SIGN_ECDSA_WITH_SHA1_DER     },
+	{ TLS_SIG_RSA,		TLS_HASH_SHA256,	SIGN_RSA_EMSA_PKCS1_SHA2_256 },
+	{ TLS_SIG_RSA,		TLS_HASH_SHA384,	SIGN_RSA_EMSA_PKCS1_SHA2_384 },
+	{ TLS_SIG_RSA,		TLS_HASH_SHA512,	SIGN_RSA_EMSA_PKCS1_SHA2_512 },
+	{ TLS_SIG_RSA,		TLS_HASH_SHA224,	SIGN_RSA_EMSA_PKCS1_SHA2_224 },
+	{ TLS_SIG_RSA,		TLS_HASH_SHA1,		SIGN_RSA_EMSA_PKCS1_SHA1     },
+	{ TLS_SIG_RSA,		TLS_HASH_MD5,		SIGN_RSA_EMSA_PKCS1_MD5      },
 };
 
 METHOD(tls_crypto_t, get_signature_algorithms, void,
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index af02b75..1f4f22f 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -407,7 +407,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -441,8 +440,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -496,6 +493,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index d93bded..f8797f3 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 3987e79..811dd0a 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -356,7 +356,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -390,8 +389,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -445,6 +442,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index b4357b9..048c7cd 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index 653e1f4..2580d2f 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -365,7 +365,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -399,8 +398,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -454,6 +451,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 1a50c7b..43ab69a 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -368,7 +368,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -402,8 +401,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -457,6 +454,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 59efdbb..0d9a641 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -355,7 +355,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -389,8 +388,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -444,6 +441,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 9d7ba9a..d3c74a2 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -317,7 +317,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -351,8 +350,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -406,6 +403,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/libtpmtss/Makefile.am b/src/libtpmtss/Makefile.am
index 8fcb44f..e2c1597 100644
--- a/src/libtpmtss/Makefile.am
+++ b/src/libtpmtss/Makefile.am
@@ -1,6 +1,9 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
+AM_CFLAGS = \
+	$(tss2_CFLAGS)
+
 AM_LDFLAGS = \
 	-no-undefined
 
@@ -16,7 +19,7 @@ libtpmtss_la_LIBADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
 if USE_TSS2
-libtpmtss_la_LIBADD += -ltctisocket -ltss2
+libtpmtss_la_LIBADD += $(tss2_LIBS)
 endif
 
 if USE_TROUSERS
diff --git a/src/libtpmtss/Makefile.in b/src/libtpmtss/Makefile.in
index fcee04f..46d8cf6 100644
--- a/src/libtpmtss/Makefile.in
+++ b/src/libtpmtss/Makefile.in
@@ -88,7 +88,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
- at USE_TSS2_TRUE@am__append_1 = -ltctisocket -ltss2
+ at USE_TSS2_TRUE@am__append_1 = $(tss2_LIBS)
 @USE_TROUSERS_TRUE at am__append_2 = -ltspi
 subdir = src/libtpmtss
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -139,9 +139,10 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
+ at USE_TSS2_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
 libtpmtss_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
 am_libtpmtss_la_OBJECTS = tpm_tss.lo tpm_tss_quote_info.lo \
 	tpm_tss_trousers.lo tpm_tss_tss2.lo tpm_tss_tss2_names.lo
 libtpmtss_la_OBJECTS = $(am_libtpmtss_la_OBJECTS)
@@ -350,7 +351,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +384,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,12 +437,17 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
+AM_CFLAGS = \
+	$(tss2_CFLAGS)
+
 AM_LDFLAGS = \
 	-no-undefined
 
diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c
index 39d9f2e..d0f76ac 100644
--- a/src/libtpmtss/tpm_tss_tss2.c
+++ b/src/libtpmtss/tpm_tss_tss2.c
@@ -22,8 +22,8 @@
 #include <asn1/oid.h>
 #include <bio/bio_reader.h>
 
-#include <tss2/tpm20.h>
-#include <tcti/tcti_socket.h>
+#include <tpm20.h>
+#include <tcti_socket.h>
 
 #define LABEL	"TPM 2.0 -"
 
@@ -276,7 +276,8 @@ static void finalize_context(private_tpm_tss_tss2_t *this)
 {
 	if (this->tcti_context)
 	{
-		TeardownSocketTcti(this->tcti_context);
+		tss2_tcti_finalize(this->tcti_context);
+		free(this->tcti_context);
 	}
 	if (this->sys_context)
 	{
diff --git a/src/libtpmtss/tpm_tss_tss2_names.c b/src/libtpmtss/tpm_tss_tss2_names.c
index 9185aa3..a613ac5 100644
--- a/src/libtpmtss/tpm_tss_tss2_names.c
+++ b/src/libtpmtss/tpm_tss_tss2_names.c
@@ -17,7 +17,7 @@
 
 #ifdef TSS_TSS2
 
-#include <tss2/tpm20.h>
+#include <tpm20.h>
 
 #ifndef TPM_ALG_ECMQV
 #define TPM_ALG_ECMQV		(TPM_ALG_ID)0x001D
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index a1ad709..90e2d5e 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -369,7 +369,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -403,8 +402,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -458,6 +455,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 44ed9f8..bd88b0d 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -358,7 +358,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -392,8 +391,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -447,6 +444,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 7b900f2..d9ffbf8 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -371,7 +371,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -405,8 +404,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -460,6 +457,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fdc43d7..b15f901 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -117,6 +117,11 @@ static int issue()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (!streq(arg, "pub"))
 				{
 					error = "invalid input type";
@@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 3bc62e7..f79120b 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -26,7 +26,7 @@
 static int keyid()
 {
 	credential_type_t type = CRED_PRIVATE_KEY;
-	int subtype = KEY_RSA;
+	int subtype = KEY_ANY;
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
@@ -42,21 +42,29 @@ static int keyid()
 			case 'h':
 				return command_usage(NULL);
 			case 't':
-				if (streq(arg, "rsa-priv"))
+				if (streq(arg, "rsa") ||
+					streq(arg, "rsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_RSA;
 				}
-				else if (streq(arg, "ecdsa-priv"))
+				else if (streq(arg, "ecdsa") ||
+						 streq(arg, "ecdsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
-				else if (streq(arg, "bliss-priv"))
+				else if (streq(arg, "bliss") ||
+						 streq(arg, "bliss-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ keyid, 'k', "keyid",
 		"calculate key identifiers of a key/certificate",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
+		{"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
-			{"type",	't', 1, "type of key, default: rsa-priv"},
+			{"type",	't', 1, "type of key, default: priv"},
 		}
 	});
 }
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index c367a21..8cb0a7b 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -89,17 +89,25 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_TRUSTED_PUBKEY;
 				}
-				else if (streq(arg, "rsa-priv"))
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
+				else if (streq(arg, "rsa") ||
+						 streq(arg, "rsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_RSA;
 				}
-				else if (streq(arg, "ecdsa-priv"))
+				else if (streq(arg, "ecdsa") ||
+						 streq(arg, "ecdsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
-				else if (streq(arg, "bliss-priv"))
+				else if (streq(arg, "bliss") ||
+						 streq(arg, "bliss-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
@@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
+		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index ccc3c42..1d876f6 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -28,7 +28,7 @@ static int pub()
 {
 	cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
 	credential_type_t type = CRED_PRIVATE_KEY;
-	int subtype = KEY_RSA;
+	int subtype = KEY_ANY;
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
@@ -59,6 +59,11 @@ static int pub()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
 		 "[--outform der|pem|dnskey|sshkey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
 			{"keyid",	'x', 1, "keyid on smartcard of private key"},
-			{"type",	't', 1, "type of credential, default: rsa"},
+			{"type",	't', 1, "type of credential, default: priv"},
 			{"outform",	'f', 1, "encoding of extracted public key, default: der"},
 		}
 	});
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 68d6112..23d07a2 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -30,7 +30,7 @@
 static int req()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	key_type_t type = KEY_RSA;
+	key_type_t type = KEY_ANY;
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
@@ -62,6 +62,10 @@ static int req()
 				{
 					type = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = KEY_ANY;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"  [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
+		{"  [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
-			{"type",	't', 1, "type of input key, default: rsa"},
+			{"type",	't', 1, "type of input key, default: priv"},
 			{"dn",		'd', 1, "subject distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
 			{"password",'p', 1, "challengePassword to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index f4e83c7..6fb7b75 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -94,6 +94,10 @@ static int self()
 				{
 					type = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = KEY_ANY;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
 			{"keyid",			'x', 1, "keyid on smartcard of private key"},
-			{"type",			't', 1, "type of input key, default: rsa"},
+			{"type",			't', 1, "type of input key, default: priv"},
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 6c27289..b9cf9c4 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -369,18 +369,22 @@ static int sign_crl()
 	}
 	else
 	{
-		crl_serial = chunk_from_chars(0x00);
+		if (!crl_serial.ptr)
+		{
+			crl_serial = chunk_from_chars(0x00);
+		}
 		lastenum = enumerator_create_empty();
 	}
 
-	/* remove superfluous leading zeros */
-	while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
-		  (crl_serial.ptr[1] & 0x80) == 0x00)
+	if (!crl_serial.len || crl_serial.ptr[0] & 0x80)
+	{	/* add leading 0x00 to handle potential overflow if serial is encoded
+		 * incorrectly */
+		crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial);
+	}
+	else
 	{
-		crl_serial = chunk_skip_zero(crl_serial);
+		crl_serial = chunk_clone(crl_serial);
 	}
-	crl_serial = chunk_clone(crl_serial);
-
 	/* increment the serial number by one */
 	chunk_increment(crl_serial);
 
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 8cc633a..dd667fb 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -59,6 +60,18 @@ static int verify()
 				has_ca = TRUE;
 				creds->add_cert(creds, TRUE, cert);
 				continue;
+			case 'l':
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509_CRL,
+										  BUILD_FROM_FILE, arg, BUILD_END);
+				if (!cert)
+				{
+					fprintf(stderr, "parsing CRL failed\n");
+					goto end;
+				}
+				online = TRUE;
+				creds->add_crl(creds, (crl_t*)cert);
+				continue;
 			case 'o':
 				online = TRUE;
 				continue;
@@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		verify, 'v', "verify",
 		"verify a certificate using the CA certificate",
-		{"[--in file] [--cacert file]"},
+		{"[--in file] [--cacert file] [--crl file]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "X.509 certificate to verify, default: stdin"},
 			{"cacert",	'c', 1, "CA certificate for trustchain verification"},
+			{"crl",		'l', 1, "CRL for trustchain verification"},
 			{"online",	'o', 0, "enable online CRL/OCSP revocation checking"},
 		}
 	});
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 982a117..030d6be 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -308,7 +308,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -342,8 +341,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -397,6 +394,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 20238b7..bfc7bb1 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the
 key/request is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key),
-\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request),
-defaults to \fIpub\fR.
+Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
+\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
+private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
+\fIpub\fR.
 .TP
 .BI "\-k, \-\-cakey " file
 CA private key file. Either this or
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
index 490f7af..c69f7cb 100644
--- a/src/pki/man/pki---keyid.1.in
+++ b/src/pki/man/pki---keyid.1.in
@@ -44,9 +44,10 @@ Read command line options from \fIfile\fR.
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
-request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
+\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request),
+\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
 .
 .SH "EXAMPLES"
 .
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 434d4ea..09f81cd 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -44,10 +44,11 @@ Read command line options from \fIfile\fR.
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
-defaults to \fIx509\fR.
+Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
+Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
+\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
+key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
+\fIx509\fR.
 .
 .SH "SEE ALSO"
 .
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
index c57e03a..fe6c520 100644
--- a/src/pki/man/pki---pub.1.in
+++ b/src/pki/man/pki---pub.1.in
@@ -47,10 +47,9 @@ Read command line options from \fIfile\fR.
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
-private key), \fIpub\fR (public key),
-\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
-defaults to \fIrsa\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
+certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index a6f6a48..4a39c5c 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -49,7 +49,8 @@ Read command line options from \fIfile\fR.
 Private key input file. If not given the key is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject distinguished name (DN). Required.
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 53f53f8..9461e3e 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR.
 Key ID of a private key on a smartcard.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject and issuer distinguished name (DN). Required.
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
index dd0c0e9..74adaf1 100644
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
 .SY pki\ \-\-verify
 .OP \-\-in file
 .OP \-\-cacert file
+.OP \-\-crl file
 .OP \-\-debug level
 .OP \-\-online
 .YS
@@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
 CA certificate to use for trustchain verification. If not given the certificate
 is assumed to be self\-signed.
 .TP
+.BI "\-l, \-\-crl " file
+Local CRL to use for trustchain verification. Implies \fB-o\fR.
+.TP
 .BI "\-o, \-\-online
 Enable online CRL/OCSP revocation checking.
 .
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index 8b73403..9ad2445 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/pool/pool.c b/src/pool/pool.c
index 2659748..cd9fb62 100644
--- a/src/pool/pool.c
+++ b/src/pool/pool.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2011-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -23,6 +24,7 @@
 
 #include <utils/debug.h>
 #include <library.h>
+#include <collections/array.h>
 #include <networking/host.h>
 #include <utils/identification.h>
 #include <attributes/attributes.h>
@@ -586,11 +588,11 @@ static void resize(char *name, host_t *end)
 /**
  * create the lease query using the filter string
  */
-static enumerator_t *create_lease_query(char *filter)
+static enumerator_t *create_lease_query(char *filter, array_t **to_free)
 {
 	enumerator_t *query;
-	identification_t *id = NULL;
-	host_t *addr = NULL;
+	chunk_t id_chunk = chunk_empty, addr_chunk = chunk_empty;
+	id_type_t id_type = 0;
 	u_int tstamp = 0;
 	bool online = FALSE, valid = FALSE, expired = FALSE;
 	char *value, *pos, *pool = NULL;
@@ -635,18 +637,29 @@ static enumerator_t *create_lease_query(char *filter)
 			case FIL_ID:
 				if (value)
 				{
+					identification_t *id;
+
 					id = identification_create_from_string(value);
+					id_type = id->get_type(id);
+					id_chunk = chunk_clone(id->get_encoding(id));
+					array_insert_create(to_free, ARRAY_TAIL, id_chunk.ptr);
+					id->destroy(id);
 				}
 				break;
 			case FIL_ADDR:
 				if (value)
 				{
+					host_t *addr;
+
 					addr = host_create_from_string(value, 0);
-				}
-				if (!addr)
-				{
-					fprintf(stderr, "invalid 'addr' in filter string.\n");
-					exit(EXIT_FAILURE);
+					if (!addr)
+					{
+						fprintf(stderr, "invalid 'addr' in filter string.\n");
+						exit(EXIT_FAILURE);
+					}
+					addr_chunk = chunk_clone(addr->get_address(addr));
+					array_insert_create(to_free, ARRAY_TAIL, addr_chunk.ptr);
+					addr->destroy(addr);
 				}
 				break;
 			case FIL_TSTAMP:
@@ -710,11 +723,11 @@ static enumerator_t *create_lease_query(char *filter)
 				"AND (? OR (identities.type = ? AND identities.data = ?)) "
 				"AND (? OR address = ?)",
 				DB_INT, pool == NULL, DB_TEXT, pool,
-				DB_INT, id == NULL,
-					DB_INT, id ? id->get_type(id) : 0,
-					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
-				DB_INT, addr == NULL,
-					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				DB_INT, !id_chunk.ptr,
+					DB_INT, id_type,
+					DB_BLOB, id_chunk,
+				DB_INT, !addr_chunk.ptr,
+					DB_BLOB, addr_chunk,
 				DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
 				DB_INT, !valid, DB_INT, time(NULL),
 				DB_INT, !expired, DB_INT, time(NULL),
@@ -722,14 +735,13 @@ static enumerator_t *create_lease_query(char *filter)
 				/* union */
 				DB_INT, !(valid || expired),
 				DB_INT, pool == NULL, DB_TEXT, pool,
-				DB_INT, id == NULL,
-					DB_INT, id ? id->get_type(id) : 0,
-					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
-				DB_INT, addr == NULL,
-					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				DB_INT, !id_chunk.ptr,
+					DB_INT, id_type,
+					DB_BLOB, id_chunk,
+				DB_INT, !addr_chunk.ptr,
+					DB_BLOB, addr_chunk,
 				/* res */
 				DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
-	/* id and addr leak but we can't destroy them until query is destroyed. */
 	return query;
 }
 
@@ -739,6 +751,7 @@ static enumerator_t *create_lease_query(char *filter)
 static void leases(char *filter, bool utc)
 {
 	enumerator_t *query;
+	array_t *to_free = NULL;
 	chunk_t address_chunk, identity_chunk;
 	int identity_type;
 	char *name;
@@ -748,7 +761,7 @@ static void leases(char *filter, bool utc)
 	identification_t *identity;
 	bool found = FALSE;
 
-	query = create_lease_query(filter);
+	query = create_lease_query(filter, &to_free);
 	if (!query)
 	{
 		fprintf(stderr, "querying leases failed.\n");
@@ -809,6 +822,10 @@ static void leases(char *filter, bool utc)
 		identity->destroy(identity);
 	}
 	query->destroy(query);
+	if (to_free)
+	{
+		array_destroy_function(to_free, (void*)free, NULL);
+	}
 	if (!found)
 	{
 		fprintf(stderr, "no matching leases found.\n");
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index b2c9c95..3a8ffb8 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -322,7 +322,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -356,8 +355,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -411,6 +408,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index b91997d..6f200c3 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -42,7 +42,7 @@ static void usage(FILE *out)
 {
 	fprintf(out,
 		"Usage: pt-tls  --connect <hostname|address> [--port <port>]\n"
-		"              [--cert <file>]+ [--key <file>]\n"
+		"              [--cert <file>]+ [--key <file>] [--key-type rsa|ecdsa]\n"
 		"              [--client <client-id>] [--secret <password>]\n"
 		"              [--optionsfrom <filename>] [--quiet] [--debug <level>]\n");
 }
@@ -121,11 +121,11 @@ static bool load_certificate(char *filename)
 /**
  * Load private key from file
  */
-static bool load_key(char *filename)
+static bool load_key(char *filename, key_type_t type)
 {
 	private_key_t *key;
 
-	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 							 BUILD_FROM_FILE, filename, BUILD_END);
 	if (!key)
 	{
@@ -255,7 +255,8 @@ static void init()
 
 int main(int argc, char *argv[])
 {
-	char *address = NULL, *identity = "%any", *secret = NULL;
+	char *address = NULL, *identity = "%any", *secret = NULL, *key_file = NULL;
+	key_type_t key_type = KEY_RSA;
 	int port = PT_TLS_PORT;
 
 	init();
@@ -270,6 +271,7 @@ int main(int argc, char *argv[])
 			{"port",		required_argument,		NULL,		'p' },
 			{"cert",		required_argument,		NULL,		'x' },
 			{"key",			required_argument,		NULL,		'k' },
+			{"key-type",		required_argument,		NULL,		't' },
 			{"mutual",		no_argument,			NULL,		'm' },
 			{"quiet",		no_argument,			NULL,		'q' },
 			{"debug",		required_argument,		NULL,		'd' },
@@ -290,9 +292,20 @@ int main(int argc, char *argv[])
 				}
 				continue;
 			case 'k':			/* --key <file> */
-				if (!load_key(optarg))
+				key_file = optarg;
+				continue;
+			case 't':			/* --key-type <type> */
+				if (strcaseeq(optarg, "ecdsa"))
 				{
-					return 1;
+					key_type = KEY_ECDSA;
+				}
+				else if (strcaseeq(optarg, "rsa"))
+				{
+					key_type = KEY_RSA;
+				}
+				else
+				{
+					key_type = KEY_ANY;
 				}
 				continue;
 			case 'c':			/* --connect <hostname|address> */
@@ -339,12 +352,15 @@ int main(int argc, char *argv[])
 		usage(stderr);
 		return 1;
 	}
+	if (key_file && !load_key(key_file, key_type))
+	{
+		return 1;
+	}
 	if (secret)
 	{
 		creds->add_shared(creds, shared_key_create(SHARED_EAP,
 										chunk_clone(chunk_from_str(secret))),
 							identification_create_from_string(identity), NULL);
 	}
-
 	return client(address, port, identity);
 }
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 1fdea8a..1b36b91 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -350,7 +350,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -384,8 +383,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -439,6 +436,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 873c20a..a3c5812 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -39,7 +39,7 @@ starter_LDADD = \
 	libstarter.la \
 	$(SOCKLIB) $(PTHREADLIB) $(ATOMICLIB)
 
-EXTRA_DIST = keywords.txt ipsec.conf Android.mk
+EXTRA_DIST = keywords.txt ipsec.conf ipsec.secrets Android.mk
 MAINTAINERCLEANFILES = keywords.c
 BUILT_SOURCES = keywords.c parser/parser.h
 
@@ -47,10 +47,6 @@ if USE_LOAD_WARNING
   AM_CPPFLAGS += -DLOAD_WARNING
 endif
 
-if USE_SCEPCLIENT
-  AM_CPPFLAGS += -DGENERATE_SELFCERT
-endif
-
 keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
 		$(AM_V_GEN) \
 		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
@@ -66,3 +62,4 @@ install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
 		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+		test -e "$(DESTDIR)$(sysconfdir)/ipsec.secrets" || $(INSTALL) -m 600 $(srcdir)/ipsec.secrets $(DESTDIR)$(sysconfdir)/ipsec.secrets || true
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 19753de..4cc0ab5 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -91,7 +91,6 @@ build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = starter$(EXEEXT)
 @USE_LOAD_WARNING_TRUE at am__append_1 = -DLOAD_WARNING
- at USE_SCEPCLIENT_TRUE@am__append_2 = -DGENERATE_SELFCERT
 subdir = src/starter
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -396,7 +395,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -430,8 +428,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -485,6 +481,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -509,8 +507,7 @@ AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_SCRIPT=\"${ipsec_script}\" \
 	-DDEV_RANDOM=\"${random_device}\" \
 	-DDEV_URANDOM=\"${urandom_device}\" \
-	-DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \
-	$(am__append_2)
+	-DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1)
 AM_CFLAGS = \
 	@COVERAGE_CFLAGS@
 
@@ -521,7 +518,7 @@ starter_LDADD = \
 	libstarter.la \
 	$(SOCKLIB) $(PTHREADLIB) $(ATOMICLIB)
 
-EXTRA_DIST = keywords.txt ipsec.conf Android.mk
+EXTRA_DIST = keywords.txt ipsec.conf ipsec.secrets Android.mk
 MAINTAINERCLEANFILES = keywords.c
 BUILT_SOURCES = keywords.c parser/parser.h
 all: $(BUILT_SOURCES)
@@ -1007,6 +1004,7 @@ install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
 		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+		test -e "$(DESTDIR)$(sysconfdir)/ipsec.secrets" || $(INSTALL) -m 600 $(srcdir)/ipsec.secrets $(DESTDIR)$(sysconfdir)/ipsec.secrets || true
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 33924b0..3fb750e 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn)
 	conn->dpd_delay             =  30; /* seconds */
 	conn->dpd_timeout           = 150; /* seconds */
 	conn->replay_window         = SA_REPLAY_WINDOW_DEFAULT;
+	conn->fragmentation         = FRAGMENTATION_YES;
 
 	conn->left.sendcert = CERT_SEND_IF_ASKED;
 	conn->right.sendcert = CERT_SEND_IF_ASKED;
diff --git a/src/starter/ipsec.secrets b/src/starter/ipsec.secrets
new file mode 100644
index 0000000..dae7709
--- /dev/null
+++ b/src/starter/ipsec.secrets
@@ -0,0 +1 @@
+# ipsec.secrets - strongSwan IPsec secrets file
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 45c28d3..51a42a5 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -257,68 +257,6 @@ static void fatal_signal_handler(int signal)
 	abort();
 }
 
-#ifdef GENERATE_SELFCERT
-static void generate_selfcert()
-{
-	const char *secrets_file;
-	struct stat stb;
-
-	secrets_file = lib->settings->get_str(lib->settings,
-							"charon.plugins.stroke.secrets_file", SECRETS_FILE);
-
-	/* if ipsec.secrets file is missing then generate RSA default key pair */
-	if (stat(secrets_file, &stb) != 0)
-	{
-		mode_t oldmask;
-		FILE *f;
-		uid_t uid = 0;
-		gid_t gid = 0;
-
-#ifdef IPSEC_GROUP
-		{
-			char buf[1024];
-			struct group group, *grp;
-
-			if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&	grp)
-			{
-				gid = grp->gr_gid;
-			}
-		}
-#endif
-#ifdef IPSEC_USER
-		{
-			char buf[1024];
-			struct passwd passwd, *pwp;
-
-			if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&	pwp)
-			{
-				uid = pwp->pw_uid;
-			}
-		}
-#endif
-		ignore_result(setegid(gid));
-		ignore_result(seteuid(uid));
-		ignore_result(system(IPSEC_SCRIPT " scepclient --out pkcs1 --out cert-self --quiet"));
-		ignore_result(seteuid(0));
-		ignore_result(setegid(0));
-
-		/* ipsec.secrets is root readable only */
-		oldmask = umask(0066);
-
-		f = fopen(secrets_file, "w");
-		if (f)
-		{
-			fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
-			fprintf(f, "\n");
-			fprintf(f, ": RSA myKey.der\n");
-			fclose(f);
-		}
-		ignore_result(chown(secrets_file, uid, gid));
-		umask(oldmask);
-	}
-}
-#endif /* GENERATE_SELFCERT */
-
 static bool check_pid(char *pid_file)
 {
 	struct stat stb;
@@ -604,10 +542,6 @@ int main (int argc, char **argv)
 		exit(LSB_RC_SUCCESS);
 	}
 
-#ifdef GENERATE_SELFCERT
-	generate_selfcert();
-#endif
-
 	/* fork if we're not debugging stuff */
 	if (!no_fork)
 	{
diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in
index 25e3e74..46d200f 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/starter/tests/Makefile.in
@@ -347,7 +347,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -381,8 +380,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -436,6 +433,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 4673f59..39ca9fd 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -321,7 +321,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -355,8 +354,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -410,6 +407,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 37a0224..9ca759e 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -13,6 +13,7 @@ swanctl_SOURCES = \
 	commands/list_certs.c \
 	commands/list_pools.c \
 	commands/list_algs.c \
+	commands/flush_certs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
@@ -69,6 +70,7 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
 	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
+	test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index ebe1aba..ff9dca0 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -119,7 +119,7 @@ am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \
 	commands/list_authorities.$(OBJEXT) \
 	commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \
 	commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \
-	commands/load_all.$(OBJEXT) \
+	commands/flush_certs.$(OBJEXT) commands/load_all.$(OBJEXT) \
 	commands/load_authorities.$(OBJEXT) \
 	commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \
 	commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \
@@ -370,7 +370,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -404,8 +403,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -459,6 +456,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -475,6 +474,7 @@ swanctl_SOURCES = \
 	commands/list_certs.c \
 	commands/list_pools.c \
 	commands/list_algs.c \
+	commands/flush_certs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
@@ -621,6 +621,8 @@ commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/list_algs.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/flush_certs.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \
@@ -653,6 +655,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/command.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/swanctl.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/flush_certs.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/initiate.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/install.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/list_algs.Po at am__quote@
@@ -1037,6 +1040,7 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
 	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
+	test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
diff --git a/src/swanctl/command.h b/src/swanctl/command.h
index 8d0a2e6..7b92ae9 100644
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@@ -27,7 +27,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 23
+#define MAX_COMMANDS 24
 
 /**
  * Maximum number of options in a command (+3)
diff --git a/src/swanctl/commands/flush_certs.c b/src/swanctl/commands/flush_certs.c
new file mode 100644
index 0000000..527419f
--- /dev/null
+++ b/src/swanctl/commands/flush_certs.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include "command.h"
+
+static int flush_certs(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	char *arg, *type = NULL;
+	int ret;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				type = arg;
+				continue;
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --flush-certs option");
+		}
+		break;
+	}
+	req = vici_begin("flush-certs");
+
+	if (type)
+	{
+		vici_add_key_valuef(req, "type", "%s", type);
+	}
+	res = vici_submit(req, conn);
+
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "flush-certs request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "flush-certs reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	vici_free_res(res);
+
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		flush_certs, 'f', "flush-certs", "flush cached certificates",
+		{"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]",
+		 "[--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"type",		't', 1, "filter by certificate type"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 87526bc..2e443a9 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -221,7 +221,7 @@ static bool load_conn(vici_conn_t *conn, settings_t *cfg,
 	vici_req_t *req;
 	vici_res_t *res;
 	bool ret = TRUE;
-	char buf[128];
+	char buf[BUF_LEN];
 
 	snprintf(buf, sizeof(buf), "%s.%s", "connections", section);
 
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 4647934..6278f66 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -2,6 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
 
 	req = vici_begin("load-key");
 
-	if (streq(type, "pkcs8"))
+	if (streq(type, "private") ||
+		streq(type, "pkcs8"))
 	{	/* as used by vici */
 		vici_add_key_valuef(req, "type", "any");
 	}
@@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
 		credential_type_t credtype;
 		int subtype;
 	} map[] = {
+		{ "private",		CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "pkcs8",			CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "rsa",			CRED_PRIVATE_KEY,		KEY_RSA,			},
 		{ "ecdsa",			CRED_PRIVATE_KEY,		KEY_ECDSA,			},
@@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"eap",
 		"xauth",
 		"ike",
+		"private",
 		"rsa",
 		"ecdsa",
 		"bliss",
@@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 	load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
 	load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
 
-	load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
-	load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
-	load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
-	load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
+	load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR);
+	load_keys(conn, format, noprompt, cfg, "rsa",     SWANCTL_RSADIR);
+	load_keys(conn, format, noprompt, cfg, "ecdsa",   SWANCTL_ECDSADIR);
+	load_keys(conn, format, noprompt, cfg, "bliss",   SWANCTL_BLISSDIR);
+	load_keys(conn, format, noprompt, cfg, "pkcs8",   SWANCTL_PKCS8DIR);
 
 	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
 
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index a307460..9c5a5a0 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
@@ -38,11 +38,9 @@ output.
 initiate a connection
 .TP
 .B "\-t, \-\-terminate"
-\-\-terminate\fR
 terminate a connection
 .TP
 .B "\-d, \-\-redirect"
-\-\-redirect\fR
 redirect an IKE_SA
 .TP
 .B "\-p, \-\-install"
@@ -93,7 +91,10 @@ trace logging output
 .B "\-S, \-\-stats"
 show daemon infos and statistics
 .TP
-.B "\-r, \-\-reload-settings"
+.B "\-f, \-\-flush\-certs"
+flush cached certificates
+.TP
+.B "\-r, \-\-reload\-settings"
 reload strongswan.conf(5) configuration
 .TP
 .B "\-v, \-\-version"
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 6bc81be..eb46005 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -44,7 +44,7 @@
         # dpd_timeout = 0s
 
         # Use IKE UDP datagram fragmentation.  (yes, no or force).
-        # fragmentation = no
+        # fragmentation = yes
 
         # Send certificate requests payloads (yes or no).
         # send_certreq = yes
@@ -201,6 +201,9 @@
                 # Whether to install IPsec policies or not.
                 # policies = yes
 
+                # Whether to install outbound FWD IPsec policies or not.
+                # policies_fwd_out = no
+
                 # Action to perform on DPD timeout (clear, trap or restart).
                 # dpd_action = clear
 
@@ -278,6 +281,18 @@
 
     # }
 
+    # Private key decryption passphrase for a key in the private folder.
+    # private<suffix> {
+
+        # File name in the private folder for which this passphrase should be
+        # used.
+        # file =
+
+        # Value of decryption passphrase for private key.
+        # secret =
+
+    # }
+
     # Private key decryption passphrase for a key in the rsa folder.
     # rsa<suffix> {
 
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 013e35f..697bd40 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -151,22 +151,23 @@ compatibility reasons, with IKEv1 a custom interval may be specified; this
 option has no effect on connections using IKE2.
 
 .TP
-.BR connections.<conn>.fragmentation " [no]"
+.BR connections.<conn>.fragmentation " [yes]"
 Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
 fragmentation).  Acceptable  values  are
-.RI "" "yes" ","
+.RI "" "yes" ""
+(the        default),
 .RI "" "force" ""
 and
-.RI "" "no" ""
-(the default).
-Fragmented IKE messages sent by a peer are always accepted irrespective of  the
-value  of  this option. If set to
+.RI "" "no" "."
+Fragmented IKE messages sent by a peer are always accepted irrespective of
+the  value  of  this option. If set to
 .RI "" "yes" ","
-and the peer supports it, oversized IKE
-messages will be sent in fragments.  If set  to
+and the peer supports it,
+oversized IKE messages will be sent in fragments.  If set  to
 .RI "" "force" ""
-(only  supported  for
-IKEv1) the initial IKE message will already be fragmented if required.
+(only
+supported  for IKEv1) the initial IKE message will already be fragmented if
+required.
 
 .TP
 .BR connections.<conn>.send_certreq " [yes]"
@@ -594,7 +595,9 @@ the CHILD_SA configuration, which must be unique within the connection.
 AH proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For
 AH, this includes an integrity algorithm and an optional Diffie\-Hellman group.
 If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation
-uses a separate Diffie\-Hellman exchange using the specified group.
+uses a separate Diffie\-Hellman exchange using the specified group (refer to
+.RI "" "esp_proposals" ""
+for details).
 
 In IKEv2, multiple algorithms of the same kind can be specified in a single
 proposal, from which one gets selected. In IKEv1, only one algorithm per kind is
@@ -617,14 +620,19 @@ algorithm, an optional Diffie\-Hellman group and an optional Extended Sequence
 Number Mode indicator. For AEAD proposals, a combined mode algorithm is used
 instead of the separate encryption/integrity algorithms.
 
-If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non
-IKE_AUTH piggybacked) negotiation uses a separate Diffie\-Hellman exchange using
-the specified group. Extended Sequence Number support may be indicated with the
+If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation
+use a separate Diffie\-Hellman exchange using the specified group. However, for
+IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always
+be derived from the IKE_SA's key material. So any DH group specified here will
+only apply when the CHILD_SA is later rekeyed or is created with a separate
+CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately
+be noticed when the SA is established, but may later cause rekeying to fail.
+
+Extended Sequence Number support may be indicated with the
 .RI "" "esn" ""
 and
 .RI "" "noesn" ""
-values, both may be included to indicate support for both
-modes. If omitted,
+values, both may be included to indicate support for both modes. If omitted,
 .RI "" "noesn" ""
 is assumed.
 
@@ -821,6 +829,12 @@ Whether to install IPsec policies or not. Disabling this can be useful in some
 scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
 
 .TP
+.BR connections.<conn>.children.<child>.policies_fwd_out " [no]"
+Whether to install outbound FWD IPsec policies or not. Enabling this is required
+in case there is a drop policy that would match and block forwarded traffic for
+this CHILD_SA.
+
+.TP
 .BR connections.<conn>.children.<child>.dpd_action " [clear]"
 Action to perform for this CHILD_SA on DPD timeout. The default
 .RI "" "clear" ""
@@ -1022,6 +1036,23 @@ prefix, if a secret is shared between multiple
 peers.
 
 .TP
+.B secrets.private<suffix>
+.br
+Private key decryption passphrase for a key in the
+.RI "" "private" ""
+folder.
+
+.TP
+.BR secrets.private<suffix>.file " []"
+File name in the
+.RI "" "private" ""
+folder for which this passphrase should be used.
+
+.TP
+.BR secrets.private<suffix>.secret " []"
+Value of decryption passphrase for private key.
+
+.TP
 .B secrets.rsa<suffix>
 .br
 Private key decryption passphrase for a key in the
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index 560e895..eac1fc6 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -2,6 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -65,6 +66,11 @@
 #define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
 
 /**
+ * Directory for private keys
+ */
+#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
+
+/**
  * Directory for RSA private keys
  */
 #define SWANCTL_RSADIR SWANCTLDIR "/rsa"
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index fe5b293..a7d6d9f 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -139,12 +139,12 @@ connections.<conn>.dpd_timeout = 0s
 	checking. For compatibility reasons, with IKEv1 a custom interval may be
 	specified; this option has no effect on connections using IKE2.
 
-connections.<conn>.fragmentation = no
+connections.<conn>.fragmentation = yes
 	Use IKE UDP datagram fragmentation.  (_yes_, _no_ or _force_).
 
 	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
-	fragmentation).  Acceptable  values  are _yes_, _force_ and _no_ (the
-	default). Fragmented IKE messages sent by a peer are always accepted
+	fragmentation).  Acceptable  values  are _yes_ (the	default), _force_ and
+	_no_. Fragmented IKE messages sent by a peer are always accepted
 	irrespective of  the  value  of  this option. If set to _yes_, and the peer
 	supports it, oversized IKE messages will be sent in fragments.  If set  to
 	_force_  (only  supported  for IKEv1) the initial IKE message will already
@@ -472,7 +472,7 @@ connections.<conn>.children.<child>.ah_proposals =
 	For AH, this includes an integrity algorithm and an optional Diffie-Hellman
 	group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
 	negotiation uses a separate Diffie-Hellman exchange using the specified
-	group.
+	group (refer to _esp_proposals_ for details).
 
 	In IKEv2, multiple algorithms of the same kind can be specified in a single
 	proposal, from which one gets selected. In IKEv1, only one algorithm per
@@ -495,11 +495,18 @@ connections.<conn>.children.<child>.esp_proposals = default
 	mode algorithm is used instead of the separate encryption/integrity
 	algorithms.
 
-	If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non
-	IKE_AUTH piggybacked) negotiation uses a separate Diffie-Hellman exchange
-	using the specified group. Extended Sequence Number support may be indicated
-	with the _esn_ and _noesn_ values, both may be included to indicate support
-	for both modes. If omitted, _noesn_ is assumed.
+	If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
+	negotiation use a separate Diffie-Hellman exchange using the specified
+	group. However, for IKEv2, the keys of the CHILD_SA created implicitly with
+	the IKE_SA will always be derived from the IKE_SA's key material. So any DH
+	group specified here will only apply when the CHILD_SA is later rekeyed or
+	is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch
+	might, therefore, not immediately be noticed when the SA is established, but
+	may later cause rekeying to fail.
+
+	Extended Sequence Number support may be indicated with the _esn_ and _noesn_
+	values, both may be included to indicate support for both modes. If omitted,
+	_noesn_ is assumed.
 
 	In IKEv2, multiple algorithms of the same kind can be specified in a single
 	proposal, from which one gets selected. In IKEv1, only one algorithm per
@@ -652,6 +659,13 @@ connections.<conn>.children.<child>.policies = yes
 	Whether to install IPsec policies or not. Disabling this can be useful in
 	some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
 
+connections.<conn>.children.<child>.policies_fwd_out = no
+	Whether to install outbound FWD IPsec policies or not.
+
+	Whether to install outbound FWD IPsec policies or not. Enabling this is
+	required in case there is a drop policy that would match and block forwarded
+	traffic for this CHILD_SA.
+
 connections.<conn>.children.<child>.dpd_action = clear
 	Action to perform on DPD timeout (_clear_, _trap_ or _restart_).
 
@@ -821,6 +835,15 @@ secrets.ike<suffix>.id<suffix> =
 	may be specified, each having an _id_ prefix, if a secret is shared between
 	multiple peers.
 
+secrets.private<suffix> { # }
+	Private key decryption passphrase for a key in the _private_ folder.
+
+secrets.private<suffix>.file =
+	File name in the _private_ folder for which this passphrase should be used.
+
+secrets.private<suffix>.secret
+	Value of decryption passphrase for private key.
+
 secrets.rsa<suffix> { # }
 	Private key decryption passphrase for a key in the _rsa_ folder.
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index b6ad617..58fd2eb 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/testing/config/kernel/config-4.7 b/testing/config/kernel/config-4.7
new file mode 100644
index 0000000..011184d
--- /dev/null
+++ b/testing/config/kernel/config-4.7
@@ -0,0 +1,2460 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.7.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEBUG_RODATA=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_FHANDLE=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+# CONFIG_RCU_EXPEDITE_BOOT is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_NMI_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+# CONFIG_USERFAULTFD is not set
+CONFIG_PCI_QUIRKS=y
+CONFIG_MEMBARRIER=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_SYSTEM_DATA_VERIFICATION is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+# CONFIG_HAVE_ARCH_HASH is not set
+# CONFIG_ISA_BUS_API is not set
+# CONFIG_CPU_NO_EFFICIENT_FFS is not set
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_FAST_FEATURE_TESTS=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+# CONFIG_VM86 is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
+# CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_BUS_ADDR_T_64BIT=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI host controller drivers
+#
+# CONFIG_PCIE_DW_PLAT is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+# CONFIG_VMD is not set
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+# CONFIG_IPV6_FOU is not set
+# CONFIG_IPV6_FOU_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+CONFIG_SOCK_CGROUP_DATA=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+# CONFIG_BLK_DEV_NVME is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+# CONFIG_CXL_KERNEL_API is not set
+# CONFIG_CXL_EEH is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+# CONFIG_MACSEC is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_LIQUIDIO is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_MVNETA_BM is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP_NETVF is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SUNXI_SRAM is not set
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_NVMEM is not set
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+
+#
+# FPGA Configuration Support
+#
+# CONFIG_FPGA is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_STACK_VALIDATION is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHED_INFO is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_PROVE_RCU is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP_CORE is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+# CONFIG_CRYPTO_RSA is not set
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+# CONFIG_CRYPTO_HW is not set
+
+#
+# Certificates for signature checking
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+# CONFIG_HAVE_ARCH_BITREVERSE is not set
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+# CONFIG_SG_SPLIT is not set
+# CONFIG_SG_POOL is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_MMIO_FLUSH=y
diff --git a/testing/config/kernel/config-4.8 b/testing/config/kernel/config-4.8
new file mode 100644
index 0000000..2fa52d9
--- /dev/null
+++ b/testing/config/kernel/config-4.8
@@ -0,0 +1,2484 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.8.1 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEBUG_RODATA=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_FHANDLE=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+# CONFIG_RCU_EXPEDITE_BOOT is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_NMI_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+# CONFIG_USERFAULTFD is not set
+CONFIG_PCI_QUIRKS=y
+CONFIG_MEMBARRIER=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_SYSTEM_DATA_VERIFICATION is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGINS is not set
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+# CONFIG_HAVE_ARCH_HASH is not set
+# CONFIG_ISA_BUS_API is not set
+# CONFIG_CPU_NO_EFFICIENT_FFS is not set
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_FAST_FEATURE_TESTS=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+# CONFIG_VM86 is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
+# CONFIG_IDLE_PAGE_TRACKING is not set
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_DPTF_POWER is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_ACPI_CONFIGFS is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_BUS_ADDR_T_64BIT=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI host controller drivers
+#
+# CONFIG_PCIE_DW_PLAT is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+# CONFIG_VMD is not set
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+# CONFIG_IPV6_FOU is not set
+# CONFIG_IPV6_FOU_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_SOCK_CGROUP_DATA=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+# CONFIG_BLK_DEV_NVME is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+# CONFIG_CXL_AFU_DRIVER_OPS is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_LIQUIDIO is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_MVNETA_BM is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP_NETVF is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+# CONFIG_HID_ALPS is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_VBTN is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Broadcom SoC drivers
+#
+# CONFIG_SUNXI_SRAM is not set
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_NVMEM is not set
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+
+#
+# FPGA Configuration Support
+#
+# CONFIG_FPGA is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_STACK_VALIDATION is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHED_INFO is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_PROVE_RCU is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP_CORE is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=y
+# CONFIG_CRYPTO_RSA is not set
+CONFIG_CRYPTO_DH=y
+CONFIG_CRYPTO_ECDH=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_MCRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256_MB=y
+CONFIG_CRYPTO_SHA512_MB=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+# CONFIG_CRYPTO_HW is not set
+
+#
+# Certificates for signature checking
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+# CONFIG_HAVE_ARCH_BITREVERSE is not set
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_CLZ_TAB=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
+# CONFIG_SG_SPLIT is not set
+# CONFIG_SG_POOL is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_MMIO_FLUSH=y
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
index 9dbf3a5..b21cb7b 100644
--- a/testing/config/kvm/winnetou.xml
+++ b/testing/config/kvm/winnetou.xml
@@ -35,6 +35,11 @@
       <target dir='/hostshare'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
     </filesystem>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-testresults'/>
+      <target dir='/testresults'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
+    </filesystem>
     <interface type='network'>
       <mac address='52:54:00:4b:23:fa'/>
       <source network='vnet1'/>
diff --git a/testing/do-tests b/testing/do-tests
index d0d1ead..fd5cfe6 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -46,6 +46,7 @@ SOURCEIP_ROUTING_TABLE=220
 testnumber="0"
 failed_cnt="0"
 passed_cnt="0"
+subdir_cnt="0"
 
 ##############################################################################
 # copy default tests to $BUILDDIR
@@ -181,17 +182,25 @@ echo "strongSwan   : $SWANVERSION"
 echo "Date         : $TESTDATE"
 echo
 
+##############################################################################
+# trap CTRL-C to properly terminate a long run
+#
+
+function abort_tests()
+{
+	echo -n "...aborting..." > /dev/tty
+	aborted=YES
+}
+trap abort_tests INT
 
 ##############################################################################
 # enter specific test directory
 #
-
 if [ $# -gt 0 ]
 then
-    TESTS=$*
+    TESTS=$(printf "%s\n" $* | sort -u)
 else
-    # set internal field seperator
-    TESTS="`ls $DEFAULTTESTSDIR`"
+    TESTS=$(ls $DEFAULTTESTSDIR)
 fi
 
 for SUBDIR in $TESTS
@@ -214,12 +223,18 @@ do
 	else
 	    FIRST=" "
 	fi
+
+	if [ $subdir_cnt != 0 ]
+	then
+	    echo "      <td align=\"right\">$subdir_cnt</td>" >> $INDEX
+	    echo "      <td> </td>" >> $INDEX
+	    echo "    </tr>" >> $INDEX
+	    subdir_cnt="0"
+	fi
 	echo "    <tr>" >> $INDEX
     echo "      <td>$FIRST</td>">> $INDEX
     echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
-    echo "      <td align=\"right\">x</td>" >> $INDEX
-    echo "      <td> </td>" >> $INDEX
-    echo "    </tr>" >> $INDEX
+
 	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
 	cat > $SUBTESTSINDEX <<@EOF
 <html>
@@ -259,6 +274,7 @@ do
     for name in $SUBTESTS
     do
 	let "testnumber += 1"
+	let "subdir_cnt += 1"
 	testname=$SUBDIR/$name
 	log_action " $testnumber $testname:"
 
@@ -341,7 +357,7 @@ do
 
 
 	##########################################################################
-	# copy test specific configurations to uml hosts and clear auth.log files
+	# copy test specific configurations to hosts and clear log files
 	#
 
 	DBDIR=/etc/db.d
@@ -394,6 +410,16 @@ do
 	done
 
 	##########################################################################
+	# remove leak detective log on all hosts
+	#
+
+	export LEAK_DETECTIVE_LOG=/var/log/leak-detective.log
+	for host in $STRONGSWANHOSTS
+	do
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host` 'rm -f $LEAK_DETECTIVE_LOG' >/dev/null 2>&1
+	done
+
+	##########################################################################
 	# flush IPsec state on all hosts
 	#
 
@@ -410,7 +436,7 @@ do
 	echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
 
 	eval `awk -F "::" '{
-	    if ($2 != "")
+	    if ($1 !~ /^#.*/ && $2 != "")
 	    {
 		printf("echo \"%s# %s\"; ", $1, $2)
 		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
@@ -447,7 +473,7 @@ do
 	    command=$2
 	    pattern=$3
 	    hit=$4
-	    if (command != "")
+	    if (host !~ /^#.*/ && command != "")
 	    {
 		if (command == "tcpdump")
 		{
@@ -470,18 +496,6 @@ do
 
 
 	##########################################################################
-	# set counters
-	#
-
-	if [ $STATUS = "failed" ]
-	then
-	    let "failed_cnt += 1"
-	else
-	    let "passed_cnt += 1"
-	fi
-
-
-	##########################################################################
 	# log statusall and listall output
 	# get copies of ipsec.conf, ipsec.secrets
 	# create index.html for the given test case
@@ -508,25 +522,34 @@ do
     <img src="../../images/$DIAGRAM" alt="$VIRTHOSTS">
 @EOF
 
+	IPTABLES_CMD_V4="echo -e '=== filter table ==='; iptables  -v -n -L; echo -e '\n=== nat table ==='; iptables  -v -n -t nat -L; echo -e '\n=== mangle table ==='; iptables  -v -n -t mangle -L"
+	IPTABLES_CMD_V6="echo -e '=== filter table ==='; ip6tables -v -n -L; echo -e '\n=== nat table ==='; ip6tables -v -n -t nat -L; echo -e '\n=== mangle table ==='; ip6tables -v -n -t mangle -L"
+
 	if [ -n "$IPV6" ]
 	then
 	    IPROUTE_CMD="ip -6 route list table $SOURCEIP_ROUTING_TABLE"
 	    IPROUTE_DSP=$IPROUTE_CMD
-	    IPTABLES_CMD="ip6tables -v -n -L"
+	    IPTABLES_CMD="$IPTABLES_CMD_V6"
 	    IPTABLES_DSP="ip6tables -L"
+	    IPTABLES_SAVE_CMD="ip6tables-save"
+	    IPTABLES_SAVE_DSP="ip6tables-save"
 	else
 	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE"
 	    IPROUTE_DSP=$IPROUTE_CMD
-	    IPTABLES_CMD="iptables -v -n -L"
+	    IPTABLES_CMD="$IPTABLES_CMD_V4"
 	    IPTABLES_DSP="iptables -L"
+	    IPTABLES_SAVE_CMD="iptables-save"
+	    IPTABLES_SAVE_DSP="iptables-save"
 	fi
 
 	if [ $name = "net2net-ip4-in-ip6-ikev2" -o $name = "net2net-ip6-in-ip4-ikev2" ]
 	then
 	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE; echo; ip -6 route list table $SOURCEIP_ROUTING_TABLE"
 	    IPROUTE_DSP="ip (-6) route list table $SOURCEIP_ROUTING_TABLE"
-	    IPTABLES_CMD="iptables -v -n -L ; echo ; ip6tables -v -n -L"
+	    IPTABLES_CMD="$IPTABLES_CMD_V4; echo; $IPTABLES_CMD_V6"
 	    IPTABLES_DSP="iptables -L ; ip6tables -L"
+	    IPTABLES_SAVE_CMD="iptables-save; echo; ip6tables-save"
+	    IPTABLES_SAVE_DSP="iptables-save ; ip6tables-save"
 	fi
 
 	for host in $DBHOSTS
@@ -589,6 +612,8 @@ do
 		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
 	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
 		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
+		ssh $SSHCONF $HOSTLOGIN $IPTABLES_SAVE_CMD \
+		    > $TESTRESULTDIR/${host}.iptables-save 2>/dev/null
 	    chmod a+r $TESTRESULTDIR/*
 
 		if [ -n "$SWANCTL" ]
@@ -612,6 +637,7 @@ do
 	    <li><a href="$host.swanctl.pools">swanctl --list-pools</a></li>
 	    <li><a href="$host.swanctl.authorities">swanctl --list-authorities</a></li>
 	    <li><a href="$host.swanctl.stats">swanctl --stats|--list-algs</a></li>
+	    <li><a href="$host.auth.log">auth.log</a></li>
 	    <li><a href="$host.daemon.log">daemon.log</a></li>
 	  </ul>
       </td>
@@ -621,7 +647,7 @@ do
 	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
 	    <li><a href="$host.ip.route">$IPROUTE_DSP</a></li>
 	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
-	    <li><a href="$host.auth.log">auth.log</a></li>
+	    <li><a href="$host.iptables-save">$IPTABLES_SAVE_DSP</a></li>
 	  </ul>
 	   
       </td>
@@ -656,6 +682,7 @@ do
 	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
 	    <li><a href="$host.ip.route">$IPROUTE_DSP</a></li>
 	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
+	    <li><a href="$host.iptables-save">$IPTABLES_SAVE_DSP</a></li>
 	  </ul>
       </td>
     </tr>
@@ -746,7 +773,7 @@ do
 	echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
 
 	eval `awk -F "::" '{
-	    if ($2 != "")
+	    if ($1 !~ /^#.*/ && $2 != "")
 	    {
 		printf("echo \"%s# %s\"; ", $1, $2)
 		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
@@ -773,6 +800,25 @@ do
 		fi
 	done
 
+
+	##########################################################################
+	# make sure there were no leaks
+	#
+
+	for host in $STRONGSWANHOSTS
+	do
+		eval HOSTLOGIN=root@\$ipv4_${host}
+		LEAKS=`ssh $SSHCONF $HOSTLOGIN 'cat $LEAK_DETECTIVE_LOG 2>/dev/null | grep -v "No leaks detected.*"'`
+		if [ -n "$LEAKS" ]
+		then
+			echo -e "\n$host# cat $LEAK_DETECTIVE_LOG [NO]" >> $CONSOLE_LOG
+			echo "$LEAKS" >> $CONSOLE_LOG
+			echo "<<< $host $LEAK_DETECTIVE_LOG >>>" >> $CONSOLE_LOG
+			STATUS="failed"
+		fi
+	done
+
+
 	##########################################################################
 	# get a copy of /var/log/auth.log
 	#
@@ -830,6 +876,18 @@ do
 
 
 	##########################################################################
+	# set counters
+	#
+
+	if [ $STATUS = "failed" ]
+	then
+	    let "failed_cnt += 1"
+	else
+	    let "passed_cnt += 1"
+	fi
+
+
+	##########################################################################
 	# write test status to html file
 	#
 	testend=$(date +%s)
@@ -873,6 +931,11 @@ do
 	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
 	done
 
+	if [ -n "$aborted" ]
+	then
+	    break 2
+	fi
+
     done
 
 done
@@ -900,6 +963,15 @@ cat >> $TESTRESULTSHTML << @EOF
 </html>
 @EOF
 
+if [ $subdir_cnt != 0 ]
+then
+cat >> $INDEX << @EOF
+      <td align="right">$subdir_cnt</td>
+      <td> </td>
+    </tr>
+ at EOF
+fi
+
 let "all_cnt = $passed_cnt + $failed_cnt"
 
 cat >> $INDEX << @EOF
@@ -923,18 +995,7 @@ cat >> $INDEX << @EOF
 echo
 echo_ok     "Passed : $passed_cnt"
 echo_failed "Failed : $failed_cnt"
-echo
-
-
-##############################################################################
-# copy the test results to the apache server
-#
-
-HTDOCS="/var/www"
 
-ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
-scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
-ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
 echo
 echo "The results are available in $TODAYDIR"
 echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index ae2e4cc..ecd7f4f 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -12,3 +12,4 @@ PermitEmptyPasswords yes
 PrintMotd no
 PrintLastLog no
 UsePAM no
+AcceptEnv LEAK_DETECTIVE_LOG
diff --git a/testing/hosts/winnetou/etc/apache2/sites-available/000-default.conf b/testing/hosts/winnetou/etc/apache2/sites-available/000-default.conf
index 9335899..03f93ad 100644
--- a/testing/hosts/winnetou/etc/apache2/sites-available/000-default.conf
+++ b/testing/hosts/winnetou/etc/apache2/sites-available/000-default.conf
@@ -6,6 +6,9 @@
                 Options Indexes FollowSymLinks MultiViews
         </Directory>
 
+        RewriteEngine on
+        RewriteRule "^/testresults/.+/images/(.*)" "/images/$1" [PT]
+
         LogLevel warn
         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index fd75ed0..1a375e0 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -31,6 +31,12 @@ cp index.html         ${ROOT}
 # revoke moon's current CERT
 pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --reason key-compromise --cert newcerts/2B.pem --lastcrl strongswan.crl > strongswan_moon_revoked.crl
 cp strongswan_moon_revoked.crl ${ROOT}
+# generate a base CRL
+pki --signcrl --lastcrl strongswan.crl --cacert strongswanCert.der --cakey strongswanKey.pem --lifetime 30 --crluri http://crl.strongswan.org/strongswan_delta.crl --digest sha256 > strongswan_base.crl
+cp strongswan_base.crl ${ROOT}
+# generate a delta CRL revoking moon's current cert
+pki --signcrl --basecrl strongswan_base.crl --reason key-compromise --cert newcerts/2B.pem --cacert strongswanCert.der --cakey strongswanKey.pem --lifetime 10 --digest sha256 > strongswan_delta.crl
+cp strongswan_delta.crl ${ROOT}
 cd /etc/openssl/research
 openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out research.crl
@@ -54,3 +60,6 @@ cp strongswan_rfc3779.crl ${ROOT}
 cd /etc/openssl/bliss
 pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha3_512 > strongswan_bliss.crl
 cp strongswan_bliss.crl ${ROOT}
+cd /etc/openssl/sha3-rsa
+pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --digest sha3_256 > strongswan-sha3-rsa.crl
+cp strongswan-sha3-rsa.crl ${ROOT}
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index db139d5..586f9dd 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -33,9 +33,9 @@ V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 R	150803083841Z	150804144912Z,superseded	22	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
 R	151119165922Z	151126081658Z,superseded	23	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org
-V	161015124507Z		24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
-V	161015124759Z		25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
-V	161015125030Z		26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
+R	161015124507Z	161018152707Z,superseded	24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
+R	161015124759Z	161018152711Z,superseded	25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
+R	161015125030Z	161018152714Z,superseded	26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
 V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
 R	190321135622Z	140322135700Z,CACompromise	28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190413204655Z		29	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol at strongswan.org
@@ -50,3 +50,6 @@ V	190826151202Z		31	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave at stron
 V	191127201436Z		32	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 V	190906145531Z		33	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
 V	190906082453Z		34	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org
+V	190905153713Z		35	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
+V	190905154104Z		36	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
+V	190905154224Z		37	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index a3385db..649ad9f 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -33,9 +33,9 @@ V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 R	150803083841Z	150804144912Z,superseded	22	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
 R	151119165922Z	151126081658Z,superseded	23	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org
-V	161015124507Z		24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
-V	161015124759Z		25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
-V	161015125030Z		26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
+R	161015124507Z	161018152707Z,superseded	24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
+R	161015124759Z	161018152711Z,superseded	25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
+R	161015125030Z	161018152714Z,superseded	26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
 V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
 R	190321135622Z	140322135700Z,CACompromise	28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190413204655Z		29	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol at strongswan.org
@@ -49,3 +49,6 @@ V	190826150536Z		30	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol at strong
 V	190826151202Z		31	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave at strongswan.org
 V	191127201436Z		32	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 V	190906145531Z		33	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
+V	190906082453Z		34	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org
+V	190905153713Z		35	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
+V	190905154104Z		36	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/35.pem b/testing/hosts/winnetou/etc/openssl/newcerts/35.pem
new file mode 100644
index 0000000..20fd024
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/35.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBNTANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE2MTAxODE1MzcxM1oXDTE5MDkwNTE1MzcxM1owWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
+MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDpZ9FM1s4VqqweOS24P5dVW4uTVrN4HgK2c70P+umh
+u5+pr8cyPn/Kdor7SU9B/GdV6onZumgSUaeNqCSmGzLA77x/nR1xRWtiszWStJUQ
+ICszEb8/WkPq68jlsmgIsfpTmABOBPYTvAqh7bZCTSoySG2fKt+E4UAd5S+BH1CH
+YruIvrvuNxVMA/z8J+tMFZGqjQ6DopatYgSpccbSX5kuAgXCA9g9cemoPoKjjjLD
+w0JBKCErtNKimY9pvf+SaRqoCc0YTIw6ydyna0e+tuPQImFjopZTyelnGHIZ/l62
+lnmrfB+sw2Younp7L9Fh9ki4wBOcXS/g4fQgyjKvLAG/AgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUwdMoB5LJvckJ8GY1vi2f
+AiL8s5YwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDgUAA4IBAQCzWf9dGTbHy8B91uSR
+BAR0K/Wi/j2AqqhDxIH7/PHh78ww9Zb1bBeCt5iFnpqGdTe17vmbga8QGK3W7NHm
+hFYUJhXGyxT3uclUzsePLXKqDnoG9tbZMLoJLzle3j4uJ4PjWN0Wsu+76/QZudOt
+zoJUZRyMvDfBByLOLqbdR7KOm0hNPsjCkzEfj2ql+IDQdNhulatpThqTRxZcYDP8
+bxpDIOaJQPGwpQFKIkZ34kZBPjUVY6Ad/mvoTna/ydWrPCGjfqcn/n14vxFS0nyh
+FRtEpelFVKTX/JDXs/IZ0Bsn+lWar4lgUEs2PlmS5sMS8EZVOgiazT+rdVNWHrQh
+cS9u
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/36.pem b/testing/hosts/winnetou/etc/openssl/newcerts/36.pem
new file mode 100644
index 0000000..d786db3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/36.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEITCCAwmgAwIBAgIBNjANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE2MTAxODE1NDEwNFoXDTE5MDkwNTE1NDEwNFowWTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
+ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA0021rEucwTZnd5pGxpWrXvn6Vkhd8ibwiyQ7ynpk
+1Wi+WB0eWqW6ciU3BbA6L8DXUZoo0BzhIlH68X1n+CWiSBS8lBC21QJTAYywdQar
+TVzUusbhX5S7c6JQrk9Oj+Tt+X5D0Q91SMfcB/i+G9IpZZz9DiceCIxpBd0HxoPJ
+PRANjThQnqot4TYYUm45N05PixAD+K3P8Yik7BTRHPV4JhflPeOd0pTZL2b4sg7O
+vZctotdF/riDvDeixMS/OlYxrKqVeP1wafsTE4MwADooRgaWa9zkRTxO4JwNE9M3
+LQ2s8AUq73kHxwJqhvom18lgMD056iZYqN7RKSaE+Zn40QIDAQABo4IBBjCCAQIw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFONu1FifPZHQiluTzIlQ
+02i3SSqWMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
+CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
+c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaCFGNhcm9sQHN0cm9uZ3N3
+YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAALEERUj19IbP7NL
+fyNy+CRVZ9fT20jDjLhQ3yZpmYep2TEAAGIP2I550tc/eIXj4LCJJ3i5a/AdSQjW
+09beMwXatszqrE+taY7tELSKGy5Pbnb32HIDPwKXs92Ivxt9FgwUaLrj3AtVUmxk
+0bhGMSjkgtrxbeki9394+ISW0EdD9DZSheJSLKa6rykb7akQPU8J2hreVAFdNZnF
+RDVpT/OI8ZoH0K12YvthC33fysmKyGNCjDRP/x4UsdrnRpHP7BMjVe1TJQBiu6cm
+DWPvj6ZkKqRZ2P67GVZLSu7s3hHKu0O5p3oY0J3YLh6ZrCw53dfG0860vfAV78f3
+DhxaCpo=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/37.pem b/testing/hosts/winnetou/etc/openssl/newcerts/37.pem
new file mode 100644
index 0000000..9c62f21
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/37.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBNzANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE2MTAxODE1NDIyNFoXDTE5MDkwNTE1NDIyNFowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
+MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDOTJOm4HBLbc0fCUHKOSYSAJj+dbWmXo+M+ViblRwU
+iTij2wBchH2T3SUuj/OimtxloyVWyfATS7eTjCbqPbduVc2aE1QqwpBzTGnh8hd2
+1IQ2Hg/ruAS1t6XlGbQXbzOmA53tePh7iLMeW1UzIlq/i1isducIKSOusc5/225j
+2C3OHbfpIlBzW9NgtDZZqAc6BsI2z6XsaA/U0S+4YYv8mImsSm71aoeesGLV2Fqm
+7xQLxzH7eQQS1gg8+iWfPTU6pHL6AYR7HKKCdMiqDUOrP6VEleueinnzh8MbWwa3
+z3iIJ8pGD1jBLJ+Tlt+qKu5ZE0fGX2WCVntkf0IWc7HRAgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU4jVZk42tDoUyFnMs869u
+69kHafUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITZGF2ZUBzdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQBvE869kmBTDlTm3LnK
+Sj6tGRhE0rN/Ki3zHBTlVzGZvaggt9ZvPFcLypLZkC0BfPu5/z58ig/Z8dC/bITR
+g6kr02wgpLlwOTrU2dNQ/ehKOKClG0gkNNlw4cdi5ayRFXVvYhWzZNPGvIY8O8EH
+LY2oZ0LXBvttx+rSuFAYiOEXON5/oiiNpGxqGu2mYIeyAAIIcKa4PqvGu7DxEGtN
+OKwJ+ez5bg4qpUVGgBYce1SbzShS+eAe87xLRL1QKxcBD0DVFb9c6hrPRIpdxHD3
+AEFEo87lj5npbvP9PExufP9mTl4Ko7mENhEYVo4/2eGsMmyD+FXUWUXr7bWY5Zrg
+jSFJ
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 8f92bfd..e522732 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-35
+38
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index a787364..81b5c5d 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-34
+37
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/carolCert.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/carolCert.pem
new file mode 100644
index 0000000..94f2c0a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/carolCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtTCCAx2gAwIBAgIBAzANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzYwMloXDTI2MDky
+MjEwMzYwMlowWTELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw7ArNq1Cs5RMc1Mu
+HO5BZAIAc9v04THLSpCs+zNQlyJCXaijsiTQUbATyhgB5O11HKh69J8PRITx+dqI
+W/are3KGAKbvo8G5AgVOPhO+X3n7iOwTPqtaAlAa4/qpVyD/RSfOiQPXj+SFtBz9
+Js36gZegcm/w3d0QVOPUIEMWpSMIHCAmv6Ji/QHyOEVyOuiW0PTKVxqY8iFgnT8d
+jDo0xWU40RNcIC7qyMkmGD8xR+kIbBcH8akPB6NgNvFVUZPK4EQfr19JNAQp7KbP
+A6tlzRxR6z0eL57zRUU47g3cf9Ie1zNj4FrIfv/+nA9ZVpR/DsGe3qmJvTVDfuba
+GkFE4AKxUEGcm0N4gHXo1PBj7hayJJSUIuAfoIfmkorqrPTp3bRoH2NWmMveBU6W
+4c8Vocv4ceWmCsrodcNdzqcnU4QGFc9xKPeiD232KeBZdpK4vs1ewkzftWmOVYUB
+G0X5oNNYoT54Qr8YXTWTI/3Rp7TbVGh7Z6iqH7hQ9gNGOe+NAgMBAAGjgYkwgYYw
+HwYDVR0jBBgwFoAU5MnNjPKIbR2nLtdeeTGlZlU1zgIwHwYDVR0RBBgwFoEUY2Fy
+b2xAc3Ryb25nc3dhbi5vcmcwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5z
+dHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLXNoYTMtcnNhLmNybDANBglghkgBZQME
+Aw4FAAOCAYEAHxkcN7plS2BvO/yXxE5WJ+2k9IP/IupuE6ChuFHDq5SrGNMsStsG
+sGpV6/yxvLSHchNGnGMIOyLTMzKgWy5dnDy4YX2FqZkI8ZBa0FJ9iO2IxILCsmyw
+ouShOv47YkNuAzJWIZjRz3+7mNhfX3TsdEr26cNKf1JqawTyFCDq0t/UYS6K/8O+
++6Q1kmy2mRgR19XkxA0ts3xno+eeB0NelnVEjJwqZPFgmVYK/2T4fUKraJyQzwhp
+xghLtlmwNuN6jetB4Z9k3hQQaPlUy2wxrqdsNfV9Ysgy+3LcI2ynoFMYShrS4avW
+FI2z0hb8sDkvS4Knif4UCv14Gycb/8nSgiingEMU+UmPOxwUl79/99e4LvIaslp4
+S0AiLwe0Tz2NqQ6uhvVppw3lYptIt+EK042cYpm/CPTMlMhT+Pi8l/POWIdquNLp
+85NuiVBbt3wMff+qTu+/ppyQsytTfDMD6XLggorLni/Owf9PoBakcdGuPW9MAUTf
+6Idv0tl5T0qX
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/carolKey.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/carolKey.pem
new file mode 100644
index 0000000..db6c98d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/carolKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAw7ArNq1Cs5RMc1MuHO5BZAIAc9v04THLSpCs+zNQlyJCXaij
+siTQUbATyhgB5O11HKh69J8PRITx+dqIW/are3KGAKbvo8G5AgVOPhO+X3n7iOwT
+PqtaAlAa4/qpVyD/RSfOiQPXj+SFtBz9Js36gZegcm/w3d0QVOPUIEMWpSMIHCAm
+v6Ji/QHyOEVyOuiW0PTKVxqY8iFgnT8djDo0xWU40RNcIC7qyMkmGD8xR+kIbBcH
+8akPB6NgNvFVUZPK4EQfr19JNAQp7KbPA6tlzRxR6z0eL57zRUU47g3cf9Ie1zNj
+4FrIfv/+nA9ZVpR/DsGe3qmJvTVDfubaGkFE4AKxUEGcm0N4gHXo1PBj7hayJJSU
+IuAfoIfmkorqrPTp3bRoH2NWmMveBU6W4c8Vocv4ceWmCsrodcNdzqcnU4QGFc9x
+KPeiD232KeBZdpK4vs1ewkzftWmOVYUBG0X5oNNYoT54Qr8YXTWTI/3Rp7TbVGh7
+Z6iqH7hQ9gNGOe+NAgMBAAECggGAKuC3F0vviZm9Bqf7OquZ+GfX4YsYpR9cBAKf
+ZIth5TvEfvEsrSQT4VJLg8Su5ZKCTr07883GcqUOwEh6CGyMNohphEsPxznzZ9Xx
+xvhchl8cFmxj6x9woYEb40hRQp4gUO7f+nW1DfpssYKIlbAca7jlly2gAX0mzvL8
+z/TjSVvbsw34b5UNS5LZmCrfVLkSEscQbvWM/cECgnIJ72fxmC8NvAIZ9ZNSLpyk
+lDuEeNU+2zBQtUrt2CacNm263B0dvHrW9QSTdi1GvIjxhc3ab8OT0ZDNzo/S2eRJ
+InN77gwkYgEu1jeloBsicG4ZAAdbQU5/X4prnJIy2novnA/2C+hrmpYDhxqOT4Uk
+AhoMiyvrJF6rxPZj+R5qzc4RUzZapcXUNzH0lCwtwd19Ogfw38LUkHCtqQQpleme
+AL7FeVDXDu9oe6c5YrZihehT7p8ExKwlwiWy4u2bnoip77wOCuLo+D6eZpt64w4e
+XiHpWtmkADqhfzMgt/WUMpD/+gcBAoHBAPTa6zMClhGP6su624Rv9HSVClacXR7d
+zJNo5stnPierfcIZs8loWthR6AgGx36q9bOqtfIdFRc/PajF7oggnTcxMBZdCoU8
+Oi3vWEH+aIzIX3KICUjRYjj1kpm9xcy7XPGc6bEit+PM1DJ1jXCTiC30uQpavNxr
+klV4+ROIt9MYsb3tQw7CO1mGNR37jAEUqbJ7sK2OnvmjZPJlwJs0AyN1j7ZUihDO
+VT5UhjwB4KUH6BEirXTkoaDxZwsRfR5SaQKBwQDMmFm2M8J9AOxgrYTY80YIRQpy
+vrcX7Xrzn4Lu8M8Xr6RlS5bbXApAH7WtRHGlIj14lItmvZpRSOTzawtn65AzeIUF
+82/EMxLJaGjMBviTyNy+ta9wn8Qdy5c2ZZ5dKgsQ4PprSkAvNOnpd1wG48pbGg7/
+n3tVs9zdD2wa35KVjoyueu9Ls9BbND8v7OYmkmSNqFlA5KuLIeQkuLNxjxQsV5Vg
+S8pyg1jlYs7KmYs9GIFHAVEf5LG6a/3huWfuR4UCgcAGWfdn51VFN1p71mkDUnQg
+4gzWmk/AETjRShNSi2cNWGF2u3vyaYaRve4q5yIdowmkk3UMxrxZUgajbh714QKy
+/8+jhN5U/m7z6hV8AMFthXUUX3r+LJBDsfsPieCrouCSU+Or+J6Uhieq92mn1eve
+ZU63egsUHKY7GVw8qXs7OpTBvHnU1Cz98YFHOdMz4/lS6+p1VhHBn/9qWkFYxUyf
+itkjfaXnMbL8XuzseY/+N+pJJ4EgWx3mMtzdaKK6OqECgcAttOdt1fhgFsG4A2vH
+T+nYVRw1cDfVJ5+tJ3iHytJpFzshyhZEoTZFBxB+SekdnB2hf4X5COiduiwz2Tku
+GSkY5pbJMo5IhaRvzFyFIBWOZnQyQsKT5Y1Znq8EXwVXCNp6BdjL+UWHhkmvd5Pe
+kisV2Sd6ofVauxjfZd+fzUyhDryNCjfFcMFebrijC0iLW28NWou9/Jf6ODMQpRap
+iu5Vzac4YRY0KPXGISHTjyPVHVFcPIYUGvI9lHyeXd5DFEUCgcA9s3ei/H000sC6
+3q5iELW8kxFCpwvu7uKCFfakAqQn8nponHEUgRS7eLjzS1NB0qysIiOMtZPAVMCz
+puETLsi9PxD8de4RyEyZC2yd973j+TqFQmPyiWF3QNW55zM2iELW5sGeEVk/Z15c
+nlItcy7KOJOJU0TAKvUUjr4ug5N7sVSN1aeF4tiaFz0GFIqV3qAkcTMfpaOKfuSc
+huiHBdBaY7m4uNK4/ZOi1JitocO7wpRsX/eRJ4AuNrro8EHHAe0=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/daveCert.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/daveCert.pem
new file mode 100644
index 0000000..c5c769c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/daveCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEszCCAxugAwIBAgIBBDANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzcwN1oXDTI2MDky
+MjEwMzcwN1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDa0Mg8XicEZYIYmuet
+XWekjDifPbi7WyIOUPV5LajXuxhMGd/NAaRrJb13D+GHLdsY2uwaa7Cv+VMyfWDc
+qD5RDQw0hYY+zdRYt4Hk4GNDiZZOYcqXQCi/ZCcU7k9Prd/nurBk4FcwsnMh06UE
+mS7mTEG7SphP8WxfjQpHRBLOXlq3tAfm0nzV4Ee5VosQmuDmFiSpoOW0a+KxR5Sj
+OjmyKMx828lRvBhC0vtRCsAzIUMAeoeTH9Fo6Q4/nwV2bNOKGpFcs5tVWs4xarql
+MBEKyx0OFwD/LZC1xDN+0JsgP3/6EzHzJHIPQVs9wMLoK+vFXNRPKoE2Nb1mesN8
+jGuqJGdrsWeN+r2ANjFi0NcaO/HU90inVmCKKJDQEtZBXzD66MqAznbDLxgx2cJM
+N1whWat6jTZqa7i3FffB/1gB4a1DmA1CQlKihkSPA6epWGKo0MSPEOCgSywAn9VC
+1LCPftSDUAVn1sHbH5g20Llv8yPRjiiTuY74G60OJPOTDncCAwEAAaOBiDCBhTAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVgRNkYXZl
+QHN0cm9uZ3N3YW4ub3JnMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwuc3Ry
+b25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEzLXJzYS5jcmwwDQYJYIZIAWUDBAMO
+BQADggGBAISXAxemOSUmXqkf7cgTQHpreMH1Y9LPJxZUUq5GVErmPzhLaZDSqZSy
+ZXcu3EWPA0RElaYBd9CSgFx0I89tw41dIYOLDyLnrEDHmcsgcJl74YYBSzebB/TJ
+OGXtV3S9M9OF1vSdugaXI1hDXck7cODUR6nyZAWOp5kBSItAH5bglCRtaQlAuSxM
+wRWYhBErUR5tZvu0loCN+11hVg/ddQ3r+FeHUt35KNenxkd6hWlHljbPv/eTtqgc
+/5VGEC96I2rD6WNcszj/SKK40zA9GuF1mIwNKEdcYnPRxoszlD6C7cdGJZ8VpJLc
+d7sO0QJur5HNtj6oUbM3HuHAaZBjg7uh5GDj+RehhKCybYyJQ1fu4iRaNYKdPwZh
+/F6hBRLytkt1qjJhngmBmQU4Ent8GL0Zn6Q8/HvbTP/xw4VXkY9JHdMIkzH8zokd
+TVjkunPPt+zdzeMq4hOewYR8HfiKcAnNUG7eO6PnUvC2NKsqX8a7/z0OV68XybZs
+gjC1FqvMvg==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/daveKey.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/daveKey.pem
new file mode 100644
index 0000000..85ad0d8
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/daveKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5QIBAAKCAYEA2tDIPF4nBGWCGJrnrV1npIw4nz24u1siDlD1eS2o17sYTBnf
+zQGkayW9dw/hhy3bGNrsGmuwr/lTMn1g3Kg+UQ0MNIWGPs3UWLeB5OBjQ4mWTmHK
+l0Aov2QnFO5PT63f57qwZOBXMLJzIdOlBJku5kxBu0qYT/FsX40KR0QSzl5at7QH
+5tJ81eBHuVaLEJrg5hYkqaDltGvisUeUozo5sijMfNvJUbwYQtL7UQrAMyFDAHqH
+kx/RaOkOP58FdmzTihqRXLObVVrOMWq6pTARCssdDhcA/y2QtcQzftCbID9/+hMx
+8yRyD0FbPcDC6CvrxVzUTyqBNjW9ZnrDfIxrqiRna7Fnjfq9gDYxYtDXGjvx1PdI
+p1ZgiiiQ0BLWQV8w+ujKgM52wy8YMdnCTDdcIVmreo02amu4txX3wf9YAeGtQ5gN
+QkJSooZEjwOnqVhiqNDEjxDgoEssAJ/VQtSwj37Ug1AFZ9bB2x+YNtC5b/Mj0Y4o
+k7mO+ButDiTzkw53AgMBAAECggGACY1lwGTn1SRNSp+wj3vtY1yPuDvsjZlL4k4c
+eT7KCSjsxZ23jG6O6/KI0+LImKsiznH4LqsW2ofK3wBkMx3RIp6sMrrFgoZfx8Oz
+EvfMvY0LF77jJjkxzjEkF6DTq4nOpYIb4zt78u9HYWmo4YuCZaFcmT2Haq4CaiVx
+Fm1dWM77rNtaIPR9aKTS3L9vcLkiKkk7LoCMppSzH8QdNAb9r85iJu09W6kXcgtd
+10rd2x2PnDy9IGoaLTdHXPWnOmVDviFgCp9zxBk4g/SWDR2AdHOgg3D2mvOmFkVK
+SLxr8RKhzzQfbRQuV4F3so9QVfkKyH8xsOpjAqjQwJC1LIWMJipzmc8o/AnUw0Rj
+UvU1sDYV8MHimgoftG000vB72hws8tv/XQHl13Tig8y46lSOYxavBJZuHjPPhkQF
+YlsfyUV5B11EmlyZ+KsNCHj9vXGRL6bw3Hu1UeG5cnXBXNkPq7ssNpgwdJrpqcW3
+8KWtl7w/b68ZLwyMpxKbmUNIyNkJAoHBAP9KBnqa91RA8gg0/Kp91NLiNXT9ibN3
+cQ6Y6HXuCWrKIKVKMmxRkhM9lMzOVfVVw5ydWZ3B5tzMiIfVCnyzs357vxBGsQEk
+TQ9I/kdFuR1gSMZVbXSH1Cbf/Ealg7j/w5/3WpQSaszUN2dmkJ64I3iEWELjT/VV
+RaxEhdNmZiRieOglkpvt+4X2Cr5oKXUofb11QX8bBmPnZklWUTuEfQu2KFc7T2im
+2ZonJKdxRMMFcnHqS3StX8OYqK8qqTC9hQKBwQDbbMIAp2omxd+iiN4hCIgZ1mK3
+HzBBwam6A/ZLqbByB4Ch1TNRK959xtJW6FLibZPYCi12b1ILwjOVO7aQHKnhKItX
+rhwAdhaBd3tJTxu2jDB0Bx1UkKbTDQ3bipnLY+VX/r/rMKbRsWgzejLs/CjafOj7
+OaFSpQOiQfOkpGKpwTab2H0CYqCMxK/4VYBP/NWwM0o0gaL5dJCjZ5i72CnHtmx7
+3D69TCieFY7RiDyf4Pix0tonwD5FfVHfH1SpjssCgcEAxJIcYQW4EhEcDIO4VhMj
+7+msndOn1x/OVx4YSM4sRCU1c/Co2M0KfHQ7gmQSviD2yT5DxfyLJlL7ghPhylmY
+iXkBiqfUHXv1NiLPYNPoER2Vi9o1uLfp/LEVkNRbk/SkjiUpgsCXqfZyXtUT4JML
+BP5q874SUGcDif0NStUbK0MDtEVSGWzq8qCcbzbHTWYLQ/non9WQWxbPpQKo8/o1
+SvJNJ7YMlBl9jnw7dg76kmw8TkjJJyNkjLickpx3wIb9AoHBAIx01s6SW9nL6fZh
+xEbC7lQTrobn2P0OmbWv2ZXfXknv0YBGOB4qhbZfcb8d4gh8+hldknJwmcVbH6fU
+XG1tW7T8Pg33LoeBD7D6KZnooKW+oTl0YGsEWTVZ8tfopb/TBzjHolRLhU1PUZM6
+EqUuWHxbXsuJvWForaXMr8hhTaK6QlmKP6MqPPk+4iGFoagSATtT6Zkorokd+4QN
+yW/c1Am6FUFH34VO3eUriYtIuP3ihW9WuDyfy3yx1pmLtab/9wKBwQDbBXYm9ugE
+wRSIxCywJ+aPNRQKanCKORwQMNJZ80rrXIs7saomY4Os+utJpOhoksTJB7mAn3ij
+kopmXn6NOsXdOlp9Ty55YRylGmOIQpsO7kSfylE1NFioHqksuQndbUwZFbskI0cN
+egyoihqnbfoLyxGu1/M521IseW3AwFIc0gAGdQ7i4ZXVlXOXWvdZFxnpd6PAfFMb
+J9mOicxHQ6Yv5b30RUvSIN+LHnUNGGk9XAxCH/jKtU7886jD6f34ru8=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/moonCert.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/moonCert.pem
new file mode 100644
index 0000000..bea7e81
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky
+MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6
+ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF
+kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9
+ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE
+6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS
+4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW
+GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA
+bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP
+tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u
+LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw
+N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz
+LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT
+UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo
+tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs
+jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl
+noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2
+pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc
+gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA
+5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79
+ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/moonKey.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/moonKey.pem
new file mode 100644
index 0000000..f24b3eb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/moonKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq
+pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV
+T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N
+Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt
+UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/
+XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY
+v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA
+G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp
+qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V
+/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK
+8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/
+8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc
+6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G
+NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE
+DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU
+z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD
+01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU
+bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId
+23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/
+Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p
+F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA
+29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/
+XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F
+/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX
+SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu
+8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq
+TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE
+miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ
+p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli
+CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6
+dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH
+gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY
+3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc
+gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN
+vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV
+E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/strongswanCert.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/strongswanCert.pem
new file mode 100644
index 0000000..29ad5b9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/strongswanKey.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/strongswanKey.pem
new file mode 100644
index 0000000..acf3199
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/strongswanKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAmkcag4IlKJmgmE9ceoVda+tjzPIbCVQKLCmE6hurieGqjYRy
+FO4p0+8JyTG1en+kXkgmxemm1syY1SaA3spUwj/OYj16y0VRmDyGfktIwBuebXTZ
+bfEvMzoVElYxzB7aBqOD80LDDTaY+yiE40JHic0xSBg5l16w8Oa1hQqTeyvlk12k
+EvqERIEzMViZgsHNqh6x67OtrtTznS0X0lRh+klK0Fc0PPyJU8Ko6SAp/WEWs803
+G2awFbrxXYBGZg3Oqdo/ecuz9TjfNlCJPq1v7NwATWHpEaBVeMXVvUobrgnXnefR
+gQusLZOloXYkAZBW/NCDGhluCJYIq3SbvDFBvs/d67LwzGwwaaocMy3O2uDoADNE
+qgk3nqoep0/aoTFzfa678HB+ZsW/swvEpDCDRXKR9YFI3LH/YcwMfDv2J2AWnMev
+aePgIOoHpAta1EwJa2VPxHuuXPkmVywljVTtGXCiSN70K2P/mBOhdy2ctuj6PbnT
+oYu1uHE05ofWzsazAgMBAAECggGATQJoHDP3K2yAKvcWYPw4VVni79b8IuxlxYSW
+GavlNQbFtS1jKsp1a5p65oifH34ehId8fzcx9i+brG4zTsJti6cA9K3eoR/Ban3v
+3pPixS4kJ1v3+ra1CluYUBZhdhQCXeT6RQ/SwEI8G8auiqg3gHRCAMxC1ynHpgBr
+pHTSiF2xk51e/LA7HNznOl8RBaGK8TuwMUj3zfjzf8YWCYHghGhYZWXaKAUg4YQd
+/3x0KUvw4qBxvQZFqBswRy10NpX2CAe/ha+AFSK5KlcjXBybvllOnrE8wnInfcC2
+Aef0kbGsMvulRuiNDR+HWIava1vHhYHqQ6rFIiOqN8Eq2bREuZFQrvbZJleztSOv
+n23uiRr0E1LpHCC8lnsa4nLOP7T7k+P0q+/vDyef+ZXCEI7enFyLeyaeYWPdgnZX
+1xGVtn079t6OkoU60GuDOmfZaix4Sx7WfDHD70iTImAgW+ysqgI9JHCwC4wEJAE5
+azkUZOiCszv3QEBddAuuRvpHCxsxAoHBAMqAju3lV7VylfC+DPaQp2vgbxYkPeLi
++nLiA4f3KQ4yGrKul6tQGnV/L1i48RPTVFq0nz4dZ/FQ84J3DLhb8QajoReJtpEm
+rzxzvKDgg8gf66BQVUCxJHzfOLDAUylqrHZ8hPbFT+JEg6A8N4cI7TfuqdG2FPZf
+jHzQEcz3ZpV0UM+z6JWQCxGaphvf4OH4GHZbl+cIl7Ifsauv07DrAELZfFX5Y6Au
+3QGgzPDfUyiqHT/Qr1ChmE11gR8tSfvIgwKBwQDDCRMeAIXaN27YcWnMvlGSbeT0
+5bTTeqvBc0bEuBO7pBckU9mmq+AeHL7fiVf1auHnmZrXuyTdjel0ivUChIR1h8hN
+/QkwAgFWGP6JwYukK+yLl5J0sDY6TPKa1hgeVzv3PVqYDGfrxNWYwh4YQKFg4Ba0
+OoA5zYB9HgyWEPsLiKixeft2lVBFeMndwcNLgyUfEVnnYNCg7jasMBjwEzq/ZXd+
+Qj4Im2fB25VHe4qW9cOmoaXnqBDi03X/u3IJ0hECgcAb8R9HvjSbCeOco2zAfPdN
+EFvjrz6G1xD91yfrk/QrTEiYzTSKY/QysEkFMge515g1J+UtOfuEtcnT/79WlQEu
+DFgHGm6BmtflPIcTn8cvTxBBP7Rzx72kKVz2LqOK/HgtpULnlhROwWt0KbrzvAyX
+giwWjsxXrpmBA2jhYmXaS4F3F3kJYiXU2QUApaSvKX+enUbZjzr3Th5C9XD9YX/Y
+uY/JgS75BF5kgh6lQfuEieydSJtYQeP1FDir56DkyCcCgcAVt/L7Ck/dhwK+85I2
+jJME3Vv7sYC7dBOgTTf6PA1mfdVd5EB+gPFKKSVQOzkiSS6y3bYSg/KNAXqX0cmK
+6Drf46j4lk7pm6+OaOYfbQAh3gpPWSej+uNvBpaVi3XQGyLAW4K1H9yKsraedi9n
+v/q4kPu2QjV5Olsuk6QPKgDqveMbMFxCTkpMEjFYknUu+YGuvf3m+C8DXMOV1R1R
+zrJiEeiGlNXXm4aoXc130lgSi3eoHKQe8eY/fBDN04/VbCECgcEAtXL9CAd7L7rD
+yIdFrEt36FhQF8PovFb4pokhZ/sI0uN0kCcwl5OCmeqaiq5ecxHTb9ACVWbe5YIC
+J1cGvNd1k0yJieXk7DUuguCIJ/PpaTEuaLEaZtdtcqrGsljgFgkrKXhIL0SfVMda
+CTgHD+CawFG5ZV7m7RpuQg5Q5Lz0/1tMgvbMSZOWZnolwXLKmLZ2VGEJYoHY+7ua
+DMVScCE8kdgXXxxKodQz0x4fVPArKULS+dt1QSK3SPoI1JpZdgkl
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/sunCert.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/sunCert.pem
new file mode 100644
index 0000000..f1c086e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky
+MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y
+ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR
+2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/
+W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu
+pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA
+xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC
+ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G
+/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt
+WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5
+/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G
+A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z
+dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg
+NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y
+c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7
+nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0
+cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK
+F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8
+1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB
+hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS
+ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+
+jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw
+MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sha3-rsa/sunKey.pem b/testing/hosts/winnetou/etc/openssl/sha3-rsa/sunKey.pem
new file mode 100644
index 0000000..a694bbb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sha3-rsa/sunKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K
+ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p
+DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu
+MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO
++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r
+ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H
+WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6
+Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/
+bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex
+ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/
+d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ
+e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI
+zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW
+63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc
+Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n
+vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz
+aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+
+slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20
+pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0
+ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie
+1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL
+c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH
+xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T
+X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K
+qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB
+VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88
+oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF
+dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov
+2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI
+pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN
+VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo
+qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx
+JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8
+ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw
+kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk
+nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq
+hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/strongswan.conf b/testing/hosts/winnetou/etc/strongswan.conf
new file mode 100644
index 0000000..dfb9dbc
--- /dev/null
+++ b/testing/hosts/winnetou/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# strongswan.conf - strongSwan configuration file
+
+pki {
+  load = random pem sha1 sha2 sha3 pkcs1 pem gmp mgf1 bliss x509
+}
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index e2ec422..43a71b9 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -60,7 +60,11 @@ do
 	then
 		execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
 		execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
+		execute "mkdir $LOOPDIR/var/www/testresults" 0
+		echo "echo /testresults ... >> $LOOPDIR/etc/fstab" >>$LOGFILE 2>&1
+		echo "/testresults /var/www/testresults 9p trans=virtio,version=9p2000.L 0 0" >> $LOOPDIR/etc/fstab
 		execute_chroot "a2enmod -q cgid" 0
+		execute_chroot "a2enmod -q rewrite" 0
 		execute_chroot "ln -s /etc/openssl/certs /var/www/certs" 0
 		execute_chroot "/etc/openssl/generate-crl" 0
 		execute_chroot "rm -rf /var/lib/ldap/*" 0
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index f205df3..5c4fdd8 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -99,7 +99,8 @@ CONFIG_OPTS = \
 	--enable-ntru \
 	--enable-lookip \
 	--enable-bliss \
-	--enable-sha3
+	--enable-sha3 \
+	--enable-newhope
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
diff --git a/testing/ssh_config b/testing/ssh_config
index 831b9dc..3676830 100644
--- a/testing/ssh_config
+++ b/testing/ssh_config
@@ -1,6 +1,7 @@
 Host *
 	# debian default
 	SendEnv LANG LC_*
+	SendEnv LEAK_DETECTIVE_LOG
 	StrictHostKeyChecking no
 	UserKnownHostsFile /dev/null
 	GSSAPIAuthentication yes
diff --git a/testing/start-testing b/testing/start-testing
index d339ac0..7ef35f9 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -9,6 +9,7 @@ CONFDIR=$DIR/config/kvm
 KNLSRC=$BUILDDIR/$KERNEL/arch/x86/boot/bzImage
 KNLTARGET=/var/run/kvm-swan-kernel
 HOSTFSTARGET=/var/run/kvm-swan-hostfs
+TESTRESTULSTARGET=/var/run/kvm-swan-testresults
 MCASTBRS="test-br0 test-br1"
 
 echo "Starting test environment"
@@ -26,6 +27,10 @@ log_action "Deploying $SHAREDDIR as hostfs"
 execute "chown -R $KVMUSER:$KVMGROUP $SHAREDDIR" 0
 execute "ln -Tfs $SHAREDDIR $HOSTFSTARGET"
 
+[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
+log_action "Deploying $TESTRESULTSDIR as hostfs"
+execute "ln -Tfs $TESTRESULTSDIR $TESTRESTULSTARGET"
+
 for net in $NETWORKS
 do
 	log_action "Network $net"
diff --git a/testing/stop-testing b/testing/stop-testing
index 704ae66..8abf5f2 100755
--- a/testing/stop-testing
+++ b/testing/stop-testing
@@ -9,6 +9,7 @@ echo "Stopping test environment"
 NETWORKS="vnet1 vnet2 vnet3"
 KNLTARGET=/var/run/kvm-swan-kernel
 HOSTFSTARGET=/var/run/kvm-swan-hostfs
+TESTRESULTSTARGET=/var/run/kvm-swan-testresults
 
 [ `id -u` -eq 0 ] || die "You must be root to run $0"
 
@@ -32,3 +33,6 @@ execute "rm $KNLTARGET"
 
 log_action "Removing link to hostfs"
 execute "rm $HOSTFSTARGET"
+
+log_action "Removing link to testresults"
+execute "rm $TESTRESULTSTARGET"
diff --git a/testing/testing.conf b/testing/testing.conf
index ee40343..5f85dd5 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,14 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 
 # Kernel configuration
-: ${KERNELVERSION=4.6.4}
+: ${KERNELVERSION=4.8.3}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-4.6}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-4.8}
 : ${KERNELPATCH=ha-4.4-abicompat.patch.bz2}
 
 # strongSwan version used in tests
-: ${SWANVERSION=5.5.0}
+: ${SWANVERSION=5.5.1}
 
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index 978b276..3925d92 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
index c52a325..fafe267 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
index 079ea72..e7364f6 100644
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
index 079ea72..e7364f6 100644
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
index 079ea72..e7364f6 100644
--- a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
index 9e655ea..278f98e 100644
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce chapoly aes sha1 sha2 md5 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
index 964c520..7d03051 100644
--- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce chapoly aes sha1 sha2 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   send_vendor_id = yes 
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
index 3314f75..d2137d9 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index 7014c36..ea1b905 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+  cache_crls = yes
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
index 3314f75..d2137d9 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index 7014c36..ea1b905 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+  cache_crls = yes
 }
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt
deleted file mode 100644
index 889f829..0000000
--- a/testing/tests/ikev2/default-keys/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
-and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the virtual testing environment
-does not offer enough entropy, the non-blocking /dev/urandom device is used in
-place of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat
deleted file mode 100644
index 43d85d0..0000000
--- a/testing/tests/ikev2/default-keys/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/auth.log::scepclient::YES
-moon:: cat /var/log/auth.log::scepclient::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES
-moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 5cfec3e..0000000
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce
-}
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
deleted file mode 100644
index 72a1c17..0000000
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,30 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --sport 22 -j ACCEPT
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
--A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 5cfec3e..0000000
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce
-}
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
deleted file mode 100644
index 25f737e..0000000
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
deleted file mode 100644
index 8ae5062..0000000
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::rm /etc/ipsec.secrets
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-moon::expect-connection carol
-moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload
-carol::ipsec reload
-moon::expect-connection carol
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
index 91451e9..61adcd2 100644
--- a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
@@ -1,6 +1,6 @@
-moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES
 moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/net2net-multicast/description.txt b/testing/tests/ikev2/net2net-multicast/description.txt
new file mode 100644
index 0000000..8287432
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+Using the <b>forecast</b> plugin additionally all 224.0.0.251 mDNS multicasts are going
+to be tunneled.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, mDNS multicasts sent by <b>alice</b> are
+received by <b>bob</b> and vice versa whereas unfortunately multicasts originating
+from the gateways <b>moon</b> and <b>sun</b> themselves are not tunneled.
diff --git a/testing/tests/ikev2/net2net-multicast/evaltest.dat b/testing/tests/ikev2/net2net-multicast/evaltest.dat
new file mode 100644
index 0000000..7649abc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/evaltest.dat
@@ -0,0 +1,16 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
+bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf
similarity index 57%
copy from testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
copy to testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf
index 3314f75..47cd53a 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m
@@ -10,11 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	mobike=no
 
-conn rw
+conn net-net 
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
+	leftsubnet=10.1.0.0/16,224.0.0.251/32
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16,224.0.0.251/32
+	mark=%unique
 	auto=add
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..db2698d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+
+  multiple_authentication = no
+  plugins {
+    forecast {
+      groups = 224.0.0.251
+      interface = eth1
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000..65a8ced
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16,224.0.0.251/32
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16,224.0.0.251/32
+	mark=%unique
+	auto=add
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..db2698d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+
+  multiple_authentication = no
+  plugins {
+    forecast {
+      groups = 224.0.0.251
+      interface = eth1
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-multicast/posttest.dat b/testing/tests/ikev2/net2net-multicast/posttest.dat
new file mode 100644
index 0000000..dff1817
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ikev2/net2net-multicast/pretest.dat b/testing/tests/ikev2/net2net-multicast/pretest.dat
new file mode 100644
index 0000000..e777dba
--- /dev/null
+++ b/testing/tests/ikev2/net2net-multicast/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/net2net-multicast/test.conf
similarity index 73%
copy from testing/tests/ikev2/default-keys/test.conf
copy to testing/tests/ikev2/net2net-multicast/test.conf
index ce84ce4..4859737 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/ikev2/net2net-multicast/test.conf
@@ -5,17 +5,17 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
-
+DIAGRAM="a-m-w-s-b.png"
+ 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="alice sun bob"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
index 577d74e..867949d 100644
--- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
index 9f1d9c4..e39c922 100644
--- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index 978b276..3925d92 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
index c52a325..a4cfc61 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 646bcee..6a6d398 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 646bcee..6a6d398 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 646bcee..6a6d398 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-newhope-bliss/description.txt b/testing/tests/ikev2/rw-newhope-bliss/description.txt
new file mode 100644
index 0000000..eb76784
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm
+with a cryptographical strength of 128 bits. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order. 
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
new file mode 100644
index 0000000..a2df0a3
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave at strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol at strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave at strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf
similarity index 55%
copy from testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
copy to testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf
index 15aba18..6f561ab 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m
@@ -8,14 +9,18 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes256-sha256-newhope128!
+	esp=aes256-sha256!
+	authby=pubkey
+	fragmentation=yes
 
 conn home
 	left=PH_IP_CAROL
-	leftcert=selfCert.der
-	leftsendcert=never
+	leftsourceip=%config
+	leftcert=carolCert.der
+	leftid=carol at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
-	rightcert=peerCert.der
-	rightsendcert=never
+	rightid=moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 0000000..fdfd39f
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
new file mode 100644
index 0000000..8a520c0
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
new file mode 100644
index 0000000..b2831a8
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 0000000..c222564
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000..1d9f6e2
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
+  fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf
similarity index 52%
rename from testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
rename to testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf
index 15aba18..caf99dd 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m
@@ -8,14 +9,18 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes256-sha256-newhope128!
+	esp=aes256-sha256!
+	authby=pubkey
+	fragmentation=yes
 
 conn home
-	left=PH_IP_CAROL
-	leftcert=selfCert.der
-	leftsendcert=never
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.der
+	leftid=dave at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
-	rightcert=peerCert.der
-	rightsendcert=never
+	rightid=moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 0000000..fdfd39f
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
new file mode 100644
index 0000000..75a1143
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
new file mode 100644
index 0000000..0ec528d
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 0000000..fe26432
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000..1d9f6e2
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
+  fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf
similarity index 53%
rename from testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
rename to testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf
index 278943d..0ec0ac8 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m
@@ -8,14 +9,18 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes256-sha256-newhope128!
+	esp=aes256-sha256!
+	authby=pubkey
+	fragmentation=yes
 
-conn carol
+conn rw
 	left=PH_IP_MOON
-	leftcert=selfCert.der
-	leftsendcert=never
 	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.der
+	leftauth=bliss-sha512
+	leftid=moon.strongswan.org
 	leftfirewall=yes
 	right=%any
-	rightcert=peerCert.der
-	rightsendcert=never
+	rightsourceip=10.3.0.0/28
 	auto=add
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 0000000..fdfd39f
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 0000000..d0ea364
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 0000000..c989f91
Binary files /dev/null and b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der differ
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 0000000..b4a9ee6
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..1d9f6e2
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
+  fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-newhope-bliss/posttest.dat b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
new file mode 100644
index 0000000..9ba8c5f
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-newhope-bliss/pretest.dat b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
new file mode 100644
index 0000000..058b3c3
--- /dev/null
+++ b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/rw-newhope-bliss/test.conf
similarity index 73%
copy from testing/tests/ikev2/default-keys/test.conf
copy to testing/tests/ikev2/rw-newhope-bliss/test.conf
index ce84ce4..164b07f 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/ikev2/rw-newhope-bliss/test.conf
@@ -5,17 +5,17 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="moon alice"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
index c47ca80..028dd8e 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
index c47ca80..028dd8e 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
index c47ca80..028dd8e 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
index 079ea72..e7364f6 100644
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
index 079ea72..e7364f6 100644
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
index 079ea72..e7364f6 100644
--- a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
index 5e264c5..20849de 100644
--- a/testing/tests/ikev2/rw-sig-auth/evaltest.dat
+++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*carol at strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol at strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES
 moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
 carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
 moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
 dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*dave at strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave at strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES
 moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
 dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
 moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
index 929f737..d786db3 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEITCCAwmgAwIBAgIBNjANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE
+b290IENBMB4XDTE2MTAxODE1NDEwNFoXDTE5MDkwNTE1NDEwNFowWTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
 ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv
-7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0
-DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS
-hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9
-xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO
-ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw
-CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD
-BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
+AQEFAAOCAQ8AMIIBCgKCAQEA0021rEucwTZnd5pGxpWrXvn6Vkhd8ibwiyQ7ynpk
+1Wi+WB0eWqW6ciU3BbA6L8DXUZoo0BzhIlH68X1n+CWiSBS8lBC21QJTAYywdQar
+TVzUusbhX5S7c6JQrk9Oj+Tt+X5D0Q91SMfcB/i+G9IpZZz9DiceCIxpBd0HxoPJ
+PRANjThQnqot4TYYUm45N05PixAD+K3P8Yik7BTRHPV4JhflPeOd0pTZL2b4sg7O
+vZctotdF/riDvDeixMS/OlYxrKqVeP1wafsTE4MwADooRgaWa9zkRTxO4JwNE9M3
+LQ2s8AUq73kHxwJqhvom18lgMD056iZYqN7RKSaE+Zn40QIDAQABo4IBBjCCAQIw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFONu1FifPZHQiluTzIlQ
+02i3SSqWMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
 CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
-c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3
+c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaCFGNhcm9sQHN0cm9uZ3N3
 YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw
-/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk
-4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU
-BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf
-5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc
-hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N
-6oXDLZM=
+cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAALEERUj19IbP7NL
+fyNy+CRVZ9fT20jDjLhQ3yZpmYep2TEAAGIP2I550tc/eIXj4LCJJ3i5a/AdSQjW
+09beMwXatszqrE+taY7tELSKGy5Pbnb32HIDPwKXs92Ivxt9FgwUaLrj3AtVUmxk
+0bhGMSjkgtrxbeki9394+ISW0EdD9DZSheJSLKa6rykb7akQPU8J2hreVAFdNZnF
+RDVpT/OI8ZoH0K12YvthC33fysmKyGNCjDRP/x4UsdrnRpHP7BMjVe1TJQBiu6cm
+DWPvj6ZkKqRZ2P67GVZLSu7s3hHKu0O5p3oY0J3YLh6ZrCw53dfG0860vfAV78f3
+DhxaCpo=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
index 497d957..cb9c85a 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,0BFCA887A0607C7629452B14E865F782
+DEK-Info: AES-192-CBC,3B3CC0EC06DA44CAF42AF63116EA300A
 
-NG0IHVWcpgMabsPpHUOQeWi5pbAaXeQMkBMAJt2v5UIkB8oKojx4tFt98IKxlkPX
-oUNYiw5Ku5Iz61EgO2Lk7NKYB1RPVYSvqnNOtqOdnbU6mb+rZD8dP42wLmVU91SP
-VkBGCutAV3jP+lP5WYxTqUJI+MHaWaQxxDABgVYwpOgRdri1hqvcqVU0+BIEgnq0
-PzjOGF34zOyProCo3T8R4Y3QkuFy9KJAKfBRVQVyx2Mmu/3cGB6k+7YiU614WBxM
-MlG7gMWx054QrYte5G9RvLCv98katprqbxSFF9Co1aOkLMxdY8vdyEn0I+oUfZuB
-bZ8e5cdWEzdkz34rquh7cty+WyMfwboYgndXtnke33k2nltoP4Nhvgehyo3hQcio
-4elGTyYTlzzSR+bcAtF2otcPL3idTlcCJQ/8gcydotY3oBI44lUhPbIYONKQYYUX
-wYrKdZDHa2zxKRyWLEgbEqfN3S20iITREUu5pTAB4nzNtNf7Af6R81bS5/WsfdDk
-VfJJC+ICX2GWxNefUPR+/wMtHLv2lIDzuBFFborF7v5YYHbQpXpjWbpFVaw7/0Gf
-d5XuHG3OBMmZL0q0rLbSrOfWISJ2QnPmC9bqp6OgncTMDuMXkmyXTDu1F+oT8gZ2
-IBRL94gPvG5hJYaAIZXxxElbxhzmNb4E1nnYikYJXJDvjOk2+yPVZkVOCBGqP5Mn
-p2ieW5ZBBlUtnVcRAalJKxU9l/vPjtQjE1/aeH2Z/B01Rjn65kiVXwyLQxnxBtDA
-ed7Rpdc+wcnlleMLkIg8FntXpb7CIxqNx3eC8yaq7kHDCaWHL+6/4bexb/Q7Nzxi
-H70ITSHu7L4p1KpLJIyaYHRYG0AKjr+vezK5SjREjZMpH+w805QLz5d0QpJSDTWI
-XOkPW/vKvnacvUlPIlQrAS5fxMCQJgQmTGvbKnC+qE1Tbkc4Bz19cZn6Fseq1tPa
-i8w2AKno1t+pRfXXrh7p8A0YxEBA0atf1O7gnyg6aMcMHfm3kSxq6xuPhNI4gG9z
-v3yLNBd/08GGEtHNa6jG3cvankHpG6VUjFd5jwaHpvLZCh8U4sA7r4soXXag49LC
-Y5UkHcjFkcbacBKX39x/AnGUCmP/bq+PLJQ7z35XQ360rqFTlGPISGzLaDiBKFxc
-53xtkkgTqcrZq5Tv9xOIT+EhH7Z7ndAtA4hIs4rSc0d6zde206w3hzqzUwooPppj
-qEd+FSb/lPnKQ5Q9z8pod28+CxCaxqxFBqfDT6ORlegdlvIWDvw4HS6BVWK9ZVy+
-xODJ4t1hTuTNEZUiyG6DMkhuQ41L39mnHxcSjWicS6BLYql+BAxM+Yp62VC5q3p6
-qIG17JjTSOm4FuyO2R9l2/jXjj4l4adPDtCmpJfI6PXjXdptWBITl1YrgHgeEme5
-H+Ag9HQgqbuP8REc4TwwCoMOV38KLsvlxK2oa1o2dJPF3Tck1rQNVM5mY8TnxSN2
-ozygG/ECyMoCyBDJYELfh1SN4OmX8kbsl4t6YxqydmRy9AqaLOwwSCKIWLH0graF
-HwDujb3VkM9nhplw8aNeLZef4M1EpCwVVW+i6h9ADfWClePjJlJ9XTtgZku1TPEA
++1iflM4ExvjvCHQdk8C4nTd3DdND8KXrEHgcfUBlMasBSRca7++2i//FKNbs7wTe
+M5X9JsHiL8ySsioCsRC778726Un48IRIrioBj4B3EsZ+vQL/E1JoIUA+Qm5WkjNT
+Rd9o5z+C4GreHRWYP8Io4j+kDXPDTz1Ga7EcNFqoQybjwca6Yn8elZQ+ZfntZxTI
+jVY37X1p9WmFv5ySkw5NyHzLgRGaPiTPg+MB39gOWzvZoZ6qQbY0lAyi+zJ1Xu+q
+m4XeqNxYs0hLjEujTZ5+7StMThoTJUGiA5DbjQb07c1n3G9HytgyTnihEYWVCPq8
+Rb4f2/grVWj4DHGOXC7D5LNvvvrDHZZRIn3DjT73vveAUJcVawXCpx9TBZIvgsP8
+AbLr7PUUUmnngSkCRpmWphJjEEU28ocW9nP9qs7kLCk4FlW9vDXru37KsjiiN+96
+Puzczv6M9SLdvCKVfAYoKRNrmmfHO/HzvDBQfGhixs5B6HqW2RZ4TV1kUuqREhw+
+5ZbjROPbcXw6M0S2WWed81YxyFmM3OKxtFw5m4PUzQgG0uPAO2ttJMWjY8MWGxin
+QYBOldvlXNkJOJOMJb1xYJ2OR5idDBvuhac5vJPMVJ53EMsJUviBf95HMZgCT4e9
+bcWbd1t5zV/xEyJRX+OlMjN9ket1/4m6faXTbcuEkhGGFiHTCv/wyPjBEtHQ6Lav
+EU8zdtRHU4BA15qOwWvWYDyIya7LQfpcp3CuTwwQoOr47RIya5wz1WJvfrciuJUT
+ZUflT88FSkfi401GRwFANArG0pdujuer9eHCzR39kQ1v+9goI7LF+mMElZb2Wugt
+ccrX6RxvtBzAQBMaakMWQI048vibWjVGEmXxEVx4rgB/ze7WStVX+36/UE7JVw8P
+zp0ygt63t1DgqTwwRGvkq/nvbOw6rgSuX7RWuOFSn2flsgEejJt1dmrg+/Iyb7Dm
+/pw4d2+66DqfXDMBrj8+mwTPZolJy71aXv3xOY3rOB6Dj0K6X7WZVEiJMFbBdsJe
+xS8OrRausahEno5KSqA7O/EXm4eGWl62OvMtixUV3Gg7Mz+nTsHbU6pzdMpa4QM/
+eLCPfUpyIFCk7heSh/k3fc9qG9L9kAn6qx+FoiZ09R153oRhIqGb5/P+4iXBFLR+
+OlsrSPJvXo/JpJHQh52SQe6mCnwAYIMS7KxF3sDFAFQKPzzXQaaqXUQkOLeO4Rvm
+GKeRDpnfZ4RcdVu6gWz0stxnK0W32T0ZZj8RXlVJOJJdcfZ/gfmt4wODkqVCewF6
+/6JFneSz34qUHreHrX0fmQnpOTo1V3t2/iuliFH05q5ZuSRkFekt8qBlHm5bomYR
+Xn9DwOUjFvIUoRj9qDO4L4H2wT4FuJjWL6WRzYtk/Z2aZzLcpGN03r8X7EOTbqiC
+tAgb0+7HPOSiTQ32DG2mJVjqcCCd1zWGY+IYSbZfFxWsKUqhGa9gAQQpaowoR7nc
+7Mqf/Fygjlu3YKPLHu5x179sl+cM+oYqN5ekv/O4Vc0f37jlq9/QN/MNpe724DMy
+BOdwY6u3T1srykxtu2w7F6E1Yjf+y0iW6mdHvfzNWoOUFNlQwmqHq1Vw1XOfk8YU
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
index fc769c1..9c62f21 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
+MIIEHzCCAwegAwIBAgIBNzANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE
+b290IENBMB4XDTE2MTAxODE1NDIyNFoXDTE5MDkwNTE1NDIyNFowWDELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
 MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf
-5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb
-h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr
-Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt
-aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP
-iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb
-7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+AQUAA4IBDwAwggEKAoIBAQDOTJOm4HBLbc0fCUHKOSYSAJj+dbWmXo+M+ViblRwU
+iTij2wBchH2T3SUuj/OimtxloyVWyfATS7eTjCbqPbduVc2aE1QqwpBzTGnh8hd2
+1IQ2Hg/ruAS1t6XlGbQXbzOmA53tePh7iLMeW1UzIlq/i1isducIKSOusc5/225j
+2C3OHbfpIlBzW9NgtDZZqAc6BsI2z6XsaA/U0S+4YYv8mImsSm71aoeesGLV2Fqm
+7xQLxzH7eQQS1gg8+iWfPTU6pHL6AYR7HKKCdMiqDUOrP6VEleueinnzh8MbWwa3
+z3iIJ8pGD1jBLJ+Tlt+qKu5ZE0fGX2WCVntkf0IWc7HRAgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU4jVZk42tDoUyFnMs869u
+69kHafUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
 BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITZGF2ZUBzdHJvbmdzd2Fu
 Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF
-OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo
-KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM
-GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7
-LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U
-KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT
-iKMh
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQBvE869kmBTDlTm3LnK
+Sj6tGRhE0rN/Ki3zHBTlVzGZvaggt9ZvPFcLypLZkC0BfPu5/z58ig/Z8dC/bITR
+g6kr02wgpLlwOTrU2dNQ/ehKOKClG0gkNNlw4cdi5ayRFXVvYhWzZNPGvIY8O8EH
+LY2oZ0LXBvttx+rSuFAYiOEXON5/oiiNpGxqGu2mYIeyAAIIcKa4PqvGu7DxEGtN
+OKwJ+ez5bg4qpUVGgBYce1SbzShS+eAe87xLRL1QKxcBD0DVFb9c6hrPRIpdxHD3
+AEFEo87lj5npbvP9PExufP9mTl4Ko7mENhEYVo4/2eGsMmyD+FXUWUXr7bWY5Zrg
+jSFJ
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
index 3223c1d..8fcd410 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,8AF4F2ED0B6D096AD675CFDC4F41083B
+DEK-Info: AES-256-CBC,5AB0B0B04BC2FBE873B5D35BF5A6082A
 
-2ezZg1fOw6Wcvk2ei1VLqpA1Z5lxroSsibmDu5+UuyJyTtdbPPY0iWxnryVoaXBq
-9VK4AD7lkoJOX/CymbzSSOkBL4t9fN6akefTN6rEY6g8zN2q4al3xxIvZv0WgCDg
-XxqJ8ZsdZmUoe12RbJ6HvMw9UR2m2XZYvwcD9+hzT8Agsy5JBV5Nkgxc52ZVYoIh
-O5E+PI3w1yrXrzIPx9H8nj3VKRGguZCVFtae7ChSSxotoaIQxM6weVkEDUQXtSs9
-CmtXrn/o6uiafzfHx2pPELdsARlnuyvbKATrOr5lwnM4kwUl+bBvoRI7YaUsg/A5
-48gy82PQRZoWH3ofQv1d24sGc6ZctrzRRrCLzDAGDd3fw8bJkV2b/9D1u9O5Df7+
-Vs0fdrRoP8ooa9d131zBy1brDUckTsTIQZ3Sn4FdBI610MX7l5gJ+7vXYqp/rMOt
-Rq8LZoKggzeklwYjum77YFdtbv4m4ihI4DUYHY0xWgMDUMQTFLEUgvAeNrPNRRwI
-Ep1JmV9I7it6DHrCD9QmVWUoxSgRqodQDV4p3npH8WlrJMlL0ReiOJZ45PWOsmvI
-AAjdsKLwqQEfXkckCvtCM7Nuu8pNA7UUm9TqNLFOFR3HWtm0si1IE8iXu3v/o/tx
-OzzRl5pxc1tg8TFiFrNT2+6+HcAJOnWboYJRJzkcW2UzVpSZ04BLiXHPfGue1gG7
-uPZ+pp3k4iQrRRC45I1I0MwE2gOpppt/MUmNVPGqvL/Uu4RGzOjPk6Re4mm3GvIs
-JOD1Pqsg01OUqKTNqsTPEld8vLwFPlOgXwmPLr5cpC/hGo0YUx3ysJ8Hw3FN20V6
-+nm9xWpPytNqfaY7jaxhMYZPgz81WOuGrlCv48VkoJiWlrTxbaq2t4IzR2SdyXKd
-HNu6ryFn0WVw6hVm2aE8Al9mLxmaiMhg6HaonPoQSVoHRCCM8/GoJQRx9I6lonTC
-ZY04BuAUT+nmMlEa0vlLI+tbS7gNkSNG/UyUFGRN++vzQE6s2LPfe9FRsdOfnhaO
-W2VqbFbiKkPK+pKXjh7ln+NMrXIGxYVtuKWFEUEp9drh5MQCUFNLTn2Jblb6u0kQ
-WdBP9Ku+ea9VprmUVnTYhaRZbuMwQFlfx9eImZ1UQPs8MWSUWI0t4RB+9kdN66n2
-+H3aJTpGv4BGNdSohSCbKKe/VttflnkMQHZmSY1iTDQJhZqbMSAuNv/H3DV1ZBWv
-pR1MYwG/kXbaKaFRTctPE8tLxTvO8GG9JmOPuMgldYD2wq4zAu4Fr+Ve0jjznQGN
-nGDtG7NoUJxJBbcFFPY4pRH3wtLWXlc1WUnPAxen17ZjbYHrvA3WJqTNCdtQ9tan
-StaDqbhDTwSS9HDAvdH7tXLk+lQ+xlaeKFDRd/6K3Tngtjwly+kJjTH1bWR9BXyc
-rHeDSpexPdMgVccuDTGDloebjZ/lZVKqkyL0f4/gDOtw7/0kjTZZXkkoVeVKqQyW
-aHREhiszCHhJzW2c+Uw7mPrd4tfolPsI6mneNtt/6CCf0kl5Nkx1rg7Anzo0YSvK
-vHj7ciRZLri/B4fOFhfZvk4Qgjoq2t7cBKnuAcZuN7pNM8DRruDekrHKY2+uHJnU
+M9GcjSK3WP68ZJ2KcFTfqU+vcqft81ypCMkRFJzT7RIgx8Z8dKUYUZtJLX7IkoSL
+gFbux1Jm7eeQl+Lj73Vkz3JjQDHPz7jeh0MjbPz93IOqwo14NnEiVQylt/cuPgHO
+/VkRr/rd24nObyEVMZR2rfQW+fHDn64EoJ44RCkK8M8s0edLzl942SnyZbOTKpNt
+2V3G6v40e0TgmgCBQrJIAW69GFQNOndRMCQwtPojkX5QO8yeqz1m8QXhNAoGR8Ei
+iJjy3u24dzmkMBSeL+1tlbQoMsR8dcNxroDBxWQerFbhfWq8yLHey5FyTR8mumqv
+PFuEA+MJNOwj+WozaeMZcWdCB8UDadtYfNbWRRGOWQaEC/hjySmiegxr/XfGJRhO
+QYUze4F2BbA7sY5E0YWMm6ENfbKXkl82sW6K+tFZrEQQXh0zaeeuOJvTxWrCKxMn
+4lnIdczwhnegn/O8xRZ4GNHZi2nJrojkIBj2J6quzE0KcmK1cwmv1Gt+QJqa42pD
+LL7HXl446oAcC+/8h+euwHubZwAv8fZn09j9lA3YFd/Klw9hRg+M4iesNLc8W80h
+FW/W8InQwa/BfA4o0IeMMkewVi4EbSIhPcQkz+rUHgS8bjhvX0/E3jFdzZnatzTF
+04pHtxSHRnIp/L/70oGs5yk//Rn+KjYeZxAIHJgf4J7gfYhjQMi9DzD2Dpan7Dlw
+N3VtNeHb3wyDhYK9vsNiLdFBHU2oNXrZDtYYUDJWYVuzEk6X9twROnHBPPlea0xJ
+2nfpTChtBkv8pSIadvsvkORTz7fKjvco8f6zndMyzKQ8xyAVSifPZQDWGmRREt7m
+HTb/XlB9pz/KNQCgNrgz0fN4OLkQKyqYhMMsPCbUja/NnTOvdhMF5aDEmB0whokM
+XhRPKFLHMjaqbHzBFXYLmCODkdCrG2wkbLHTtMmOc2zNBFNO7ApeaPqggXcC8Y09
+VpUsda5q6GMUpDVveY+ZHiSSGBYBNPHARX+aryNzY5KEaItjPD9aO9AcZoT55NCC
+iSD62CKlOqm2MSy7VbXedyrwlUtFHxg40XAsMO0chPc2OxB0QDeCmaAi+T4RQgZn
+O5W5b5DJNO4NbTjJ3ivmcl3QFKgJFZN3S6mUbKmlS/BGRMDSykRUtooI4ULSELMC
+r1Z7uTMl3nL4Wf7sjS66iUd4zGjF3BEzFsEtbk278A9jdO6wpFZNdb9hYrISzI0z
+1nezvZBFL7hKjHnTRaylr83d4o6qoPG07JmgzIY+UVFr738CTsoh/rq6AM8hWUek
+tjst81PFqLKqsV121022epxfQSe8sz5KqzehTBWYo1ZbzlD9B8LkzXXIkVpOBPDY
+nFpQYiwu/V12MGVTmAb2CE+F/j37KAbsdF5pi23eAYvp/miz9SqkcsD/Ucyg8AvN
+/yfv8EX7sf7tPsknckExorQqVPOZs1XITUx1Zsmv+hOKRMdtyrVi7mn8wWPbP36G
+uTL6glQVlGJXf706IcvG3tgKgXnG7DHK+txbhNFIivNd69C4ykoVYhSXpmHj2HBq
+fkuAPRwAdSd6xeWDlZ49u9l/Q2Je7JO9r1yZTrC7KDIFbEZkpbWPObYjyyYYB2sq
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
index bda4f52..20fd024 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
+MIIEHzCCAwegAwIBAgIBNTANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE
+b290IENBMB4XDTE2MTAxODE1MzcxM1oXDTE5MDkwNTE1MzcxM1owWDELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
 MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI
-7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj
-hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw
-P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3
-N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l
-KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc
-WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+AQUAA4IBDwAwggEKAoIBAQDpZ9FM1s4VqqweOS24P5dVW4uTVrN4HgK2c70P+umh
+u5+pr8cyPn/Kdor7SU9B/GdV6onZumgSUaeNqCSmGzLA77x/nR1xRWtiszWStJUQ
+ICszEb8/WkPq68jlsmgIsfpTmABOBPYTvAqh7bZCTSoySG2fKt+E4UAd5S+BH1CH
+YruIvrvuNxVMA/z8J+tMFZGqjQ6DopatYgSpccbSX5kuAgXCA9g9cemoPoKjjjLD
+w0JBKCErtNKimY9pvf+SaRqoCc0YTIw6ydyna0e+tuPQImFjopZTyelnGHIZ/l62
+lnmrfB+sw2Younp7L9Fh9ki4wBOcXS/g4fQgyjKvLAG/AgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUwdMoB5LJvckJ8GY1vi2f
+AiL8s5YwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
 BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
 dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
-Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
-Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB
-DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs
-pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5
-NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL
-Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC
-JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6
-NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDgUAA4IBAQCzWf9dGTbHy8B91uSR
+BAR0K/Wi/j2AqqhDxIH7/PHh78ww9Zb1bBeCt5iFnpqGdTe17vmbga8QGK3W7NHm
+hFYUJhXGyxT3uclUzsePLXKqDnoG9tbZMLoJLzle3j4uJ4PjWN0Wsu+76/QZudOt
+zoJUZRyMvDfBByLOLqbdR7KOm0hNPsjCkzEfj2ql+IDQdNhulatpThqTRxZcYDP8
+bxpDIOaJQPGwpQFKIkZ34kZBPjUVY6Ad/mvoTna/ydWrPCGjfqcn/n14vxFS0nyh
+FRtEpelFVKTX/JDXs/IZ0Bsn+lWar4lgUEs2PlmS5sMS8EZVOgiazT+rdVNWHrQh
+cS9u
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
index 90631fb..7b8a363 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,3EEEC63B86A4F0864B610F29D446AB99
+DEK-Info: AES-128-CBC,BA475B267FC48360A09763ED2A15E817
 
-aUw9rzSBLmvzVlWlCePyRXs2LL10A2QGVjB9jiarsjVLd5k1uVPrLVb6lcTVuGR6
-9pC9sA7+F9Ub1V6oe/n5f1UiHiLeaqdYShfVan7N1z0Kvoaqg1qaVNmbGuZH81Mv
-VH/kvfKbig6Gxyn2wxhxoQ84r5uVyzzrfQlrqcwQze43NuRaxh6Eov/vpel8yB4/
-HNSEyItiDenT6tDO4Exw4H91GYWPbutaTmcsbaDSQS54LMcZZA/NVu0Y/uiJ6lxJ
-5qQ8xejBC07nc/g+GJgFRxetd56FdiTXR4ADVUiSgOrUaUu2t9NIMig9VBNYWsmv
-wlKI1NB/Jt111AhbF+wdw9M0Yqe3O4V0N+jTxTzff+0gky61T5CxbhCMosD/Ohzy
-IhRjeuL2gFvCENd2kn0U/1POe9anPJEo7mYfA8oYpxb/jl8KxIxssxLKGDE5qF8n
-+J8jGDFbLkiwm/pDeFSWc1LZqKfZsSsBMhffC4NR/hhCi3eY3HnMpnyngzpWpwwY
-eZnElVXFYro3qEuJbLRUkD/7rrLgU+LMoetdB5I8oaEvKucRo7dulLNXUFCt6tbK
-AXLWn+pTCuLpjtAXxWjF6Hyr7ssLEcLjixDwdb66Ypqm3YncjFemsRFncVQe0R0b
-3LY0FH4+GFFXAOywrMP1rQ+2mhl+BH079bu+BhP3bjusJwqBhlz8j4cnbv/STWGl
-B9XnMXYx1NVOMFF23zMm9ftkPa6PvkZ3TcGJX2S849pxPTPrA0oFLfIPqyYLqZ42
-+a2jmMdr7lPtcT4ENshpWZ1L8O25Bl10yll+Upx4T7yDrSD/9P+yv/MyIlGiV1x4
-N1oaaVdTLU+ZZbpjVUmD/eSprGye8FzblEhSkY990m5kupWxiPmHzLCKHRYBOnBS
-rNdyiz7pTXAQQLZBP4/RLDlYuIyXmbmn61PSdF7u6K/daUf+voKHHGi5m5NUhnS7
-zkUx+ZrHUoWhybOeMoQT0lsx0BsD+NiuqUbthkTFXyLD2dhvWcyAtsOW2yLMATa3
-09HPwdjI2ntJx4Msz1jqBY8XicXd+NHS5yx1jvg0POnygX4sU9xF0J3hfk/Phwfd
-Cc7I+jWi+1yPwKi85PHEs0F6SW2kxOx9rmdwXi4EC7Lii3d8LtCR4jEKswzLNwRn
-uceH3+vUv6UZC7EA9cdcmh6RWe3HvTrHNyPoYHng35jT5aZ1lhYx4bg67TJg7I6y
-j2OyP48YhbKvpF2S8uUGdhCZSYJHLqh3yDI1DrzABMZ/9s0xpSfQtzhQYVz5svHk
-Hv93VcbqrYf2Cx0OlxuZG4EEObyYdSqFnqMQBEf/L53oDe9jJKVaXt9IA2XHtyBD
-SAjQeDUUKlzfD+CctjX407qpF2Z22xblGVKzYL1V1oXdN4E8GXq6VWQ8SSwQF/2H
-wQYubDOJ6xxP1PdW+ws2eXhe5g49cSW4PgIpvmxyUEEnKro16RQL4M3Hv5VJYic3
-CRxugrdJWLSrHGnoz/0W5QUTzMX4L2RNf+xeE3eKU74qj2lWEWZgtZLW1waiTqXE
-MBvvFYWh/qMOprpTlXWG5vTag1XLj55uutz1KAVXQRg6AbMKpLXi7wTlZ2nUpUbj
+jRBH0cHh7XWdhRMqOIoOrQUcQV/petFZ4n8xOlZyKhzN8tLCSDEujKpJ/Bw+mE+X
+kXR2rIV3KAywXe3zWkA7s5jiJBKZ5BeTCYyk5veMf9GlRdKbh/BmaHelDRb/yvsv
+GVlS9jT92vde96aMhbJM5AI4cjlu4GxFz5pCtkdg2hLLntSDQIl4fa++Cu2ToN1O
+6wFbvYrKRB8eLUMXEfU/qfXnjL66QAnPA1vW0ys0DWBQKULjJXYzZJPBS/K/3tzS
+HkB+ZhlLmg+aeggxxm3axPa8xF4VkmIfICsOgNcs7nUyGcC+9bY3DWpYtlvYo8ss
+xOEAMGygf+DH4KcGfET+21Lzi8vX9Zz8dG2qhulojZ+IwHZAJ2sLcxGo2bJCimAD
+0sOA4d+ikplEIUJlzNK765y5CYq93s0vgT7E9RiP1rbV2hn46uPZmTxEH904Hobs
+h4aUg7jdiMVHX3/oFYnk0uKjVc4s/QukuvQ2Bd6DTi3UiSv59bZOfKyElQyFwSHP
+C/eIn2lZJrYZBhIZT7BaoQ0ohnXiF7LNeyYj7OW7HeMbKmoIyYBvXFN7F0yk+A4d
+LDa82N+OJax6t+mDMtfx0bH86mOsvHG5O4Vu3AcJIMTsQgyq+7RVJCt3MJXNshbk
+TnkrMrWPFZgPuvZPi1l0+CcUXUqVCQlRkyBccDobG2NFWZEW3isirZX4/cPaKXgD
+UwtGZ0/26vxCJHnf6eD2/2xwckKbsL85lFd0M1U0EijL+/4ScJIf/LS8G9wvma5L
+cB80m32axufatrhmkQmMXijpgLmyr0IAvdhQgmD3AA99H7BbFueUh6oggjHw2kVK
+0QFgW/s+eP9M1/jOlkndALEWzxuuisZ24UFUHLmIGkLwRh955rgtfb4ILlvNhAfG
+2YTn9q9eTURwKJDWFk8SDfQiIqDpqC6iSF5A5PAlC9MOO9Xf+kGsj2+wZ5MeERO5
+DTpQOMbM8mKbswmbDwLbT4D1sOCJEPzpYgpN0s+UQvbcM8DVe06z8x/4g1sDVM0C
+JRqB4Oz4Nbn/BuqKeNYwwP59y5VNez0Plneny3SRQE0mA711n8uiF8X403U33+6Y
+In3B53FPVWjCS6u06YRe99ZXsZ/PsoV0pL9wTqt1Q4m4Kqm5eRQe/Mj4+jmyKbqz
+4S4H2YulRHxC/75vqQr3Ffsdk80pwX4Guwpsd3RwuxJ0rPYh3qm1fMIJ1TW7pOX2
+n1RuPu1/N23u6FfVn8oiXny2FbultJLb9X10EQMIIPyqO0Uch7W8pAa1yH7egLUz
+wJaxcfmBfVGHnrftSZd49WNaD7WcivZbkZgGWPFT6I8b4wGN3Qh6UornqiPptLSJ
+vDYGjPjxA0/sXx/8uLG9On4wrg4RpqUVr7drkJ7PkSGf3q3rVCdaV5HYRdb/Mepz
+k+coJ4HOzR+BSN/tm7XgYZfCLPYBHuDmTsHY5a3GjJcKwY+S75sygYR0uG+5W6ai
+bdwz3pr/aPB8GEKO+ARLYlowesn57FJRtNg+q5he+iamYC/EK7Oh4bs9H/rQGDsL
+9VCrbN3UtqXp8CUUEEtNxBCrIVHr4Fv+/GHHk5vrCWEhVjg16Ww/Pz1UDIILXyef
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
index 8d328f0..8acfbbf 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-libipsec kernel-netlink socket-default updown
+  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
index 8d328f0..8acfbbf 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-libipsec kernel-netlink socket-default updown
+  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
index 0f4c68f..5f39be3 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-libipsec kernel-netlink socket-default updown
+  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
 
   plugins {
     openssl {
diff --git a/testing/tests/swanctl/crl-to-cache/description.txt b/testing/tests/swanctl/crl-to-cache/description.txt
new file mode 100644
index 0000000..0e6f1cb
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/description.txt
@@ -0,0 +1,8 @@
+By setting <b>cache_crls = yes</b> in <b>/etc/strongswan.conf</b>, a copy of
+both the <b>base CRL</b> and the latest <b>delta CRL</b> fetched via http from
+the web server <b>winnetou</b> is saved locally in the directory
+<b>/etc/swanctl/x509crl</b> on both the roadwarrior <b>carol</b> and the
+gateway <b>moon</b> when the IPsec connection is set up.
+The <b>subjectKeyIdentifier</b> of the issuing CA plus the suffixes
+<b>.crl</b> and <b>_delta.crl</b> are used as unique filename for the
+cached <b>base CRL</b> and <b>delta CRL</b>, respectively.
diff --git a/testing/tests/swanctl/crl-to-cache/evaltest.dat b/testing/tests/swanctl/crl-to-cache/evaltest.dat
new file mode 100644
index 0000000..fa61f19
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/evaltest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org::NO
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
+carol::cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000..61ff400
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  cache_crls = yes
+}
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..e84508d
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol at strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 0000000..60c3687
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBMDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDgyNzE1MDUzNloXDTE5MDgyNjE1MDUzNlowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDDBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALfz1DcXyt/sOALi1IZ/RcuPa5m+4fiSST2wVWWr
+lw3hUjeiwLfgoLrtKaGX4i+At82Zol2mdbEXFpO+9qxXliP2u0fexqP4mBuZus3E
+LA82EOL0lQ2ahAi8O3qafkDMBSgvoeJpEwNe00Ugh53g7hT7dw8tSgcPGqQkWutI
+IKT9T6e/HbHNjRtYlw9ZlHsp8gSYjg/Q6vV6ofttueMUD9NRv8w2Y76rnRRmUGf3
+GlNFFmgxZntCJRuYltnxV7VcCFoppyauYt/fPmjAxbPRuhHKacnzIzq83Ixf5fSj
+MTlluGCfWFX/NGENXamBqChkRLHmuCHNexxRp9s2F1S10hECAwEAAaOBhTCBgjAf
+BgNVHSMEGDAWgBRdp91wBlEyfue2bbO15eBg6i5N7zAfBgNVHREEGDAWgRRjYXJv
+bEBzdHJvbmdzd2FuLm9yZzA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBABxfR7BK9IlDFdycldmYVfL2W2U/2b5tEZx/n943wEhc+AM+J1bba3yTeo61
+6AOEhO7QeaNnsAY9ZIRHfH827Lk1dWjub88ze/rS7qmozStF23Rzs4BimeiMQ6xI
+f1hJA1OiNXja2/lLijprevBY824Cd2iEq8LdU+9PIstsYKoLaSD/Ohilk4PGHIqX
+unhdasBKogtvS/PxKWSq+qdEFgHjM70uaf1Tx6QnPS9sqo/qxAQqxKOLstRmXRd6
+ojkTNWRO1miG1rOQkMcc4L2nbsb8nYFrUFLw7PjeJ1ugPL6R+tVjp32OWqCwvWtP
+SGaAJ/regpHs89VLbTKz1ybcqhw=
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..61ff400
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  cache_crls = yes
+}
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..47dd366
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,21 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+         }
+      }
+      version = 2
+   }
+}
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 0000000..ce570ce
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk
+fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68
+TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz
+oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7
+MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw
+Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0
+87ryFUdshlmPpIHxfjufAgMBAAGjgZkwgZYwHwYDVR0jBBgwFoAUXafdcAZRMn7n
+tm2zteXgYOouTe8wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNV
+HSUEDDAKBggrBgEFBQcDATA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBAD7YFpbQoRC0nte5t/hpoaxiOwE4Wm+rKexOt8zbYhUc0Yrw6a89LELdqoa8
+vuSAxeHAUY4VmeWLOy7rSf/wURmjdMGO2su3Db+ZaOcrA8J5Oqxv3IAhdBcO4PUz
+e0Lu2+f8RyKhKUQGpkSJBIlHhv0APN6TBX0R8cvvZ5XnFKj+GNd7fT4RN5Qjp+9H
+f8kZboA3/Rg2+JcWOWgNu9sjqevoqjSJiDV8s3n5QO1VRZi32DAgSMAWWorDdKtd
+uMPizLDy7W1nSQGf/vhXDkE95g689Md04dul6vAerCdsf389ckjthCIUqAPoLWn7
+XZnkIiV5xba29D9dTq0QElCzU+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/swanctl/crl-to-cache/posttest.dat
new file mode 100644
index 0000000..210685a
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/posttest.dat
@@ -0,0 +1,4 @@
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
diff --git a/testing/tests/swanctl/crl-to-cache/pretest.dat b/testing/tests/swanctl/crl-to-cache/pretest.dat
new file mode 100644
index 0000000..8f72f9c
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/pretest.dat
@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/swanctl/crl-to-cache/test.conf
similarity index 76%
copy from testing/tests/ikev2/default-keys/test.conf
copy to testing/tests/swanctl/crl-to-cache/test.conf
index ce84ce4..fdda0a0 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/swanctl/crl-to-cache/test.conf
@@ -5,17 +5,20 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="m-c-w.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS=""
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf
index 53883f7..5fefdcd 100755
--- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf
@@ -16,7 +16,8 @@ connections {
             local_ts  = 10.1.0.0/16
             priority = 2
             interface = eth0
-           
+            policies_fwd_out = yes
+
             esp_proposals = aes128gcm128-modp3072
          }
       }
@@ -32,15 +33,15 @@ connections {
             local_ts  = 0.0.0.0/0
             remote_ts = 0.0.0.0/0
             interface = eth0
-            priority = 4 
+            priority = 4
 
-            mode = drop 
+            mode = drop
             start_action = trap
          }
          pass-ssh-in {
             local_ts  = 0.0.0.0/0[tcp/ssh]
             remote_ts = 0.0.0.0/0[tcp]
-            priority = 1 
+            priority = 1
 
             mode = pass
             start_action = trap
@@ -61,6 +62,6 @@ connections {
             mode = pass
             start_action = trap
          }
-      }  
+      }
    }
 }
diff --git a/testing/tests/swanctl/net2net-multicast/description.txt b/testing/tests/swanctl/net2net-multicast/description.txt
new file mode 100644
index 0000000..8287432
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+Using the <b>forecast</b> plugin additionally all 224.0.0.251 mDNS multicasts are going
+to be tunneled.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, mDNS multicasts sent by <b>alice</b> are
+received by <b>bob</b> and vice versa whereas unfortunately multicasts originating
+from the gateways <b>moon</b> and <b>sun</b> themselves are not tunneled.
diff --git a/testing/tests/swanctl/net2net-multicast/evaltest.dat b/testing/tests/swanctl/net2net-multicast/evaltest.dat
new file mode 100644
index 0000000..e29f312
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/evaltest.dat
@@ -0,0 +1,14 @@
+alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/1 [...]
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/ [...]
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
+alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
+bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
+bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..bbd60d8
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+
+  multiple_authentication = no
+  plugins {
+    forecast {
+      groups = 224.0.0.251
+      interface = eth1
+    }
+  }
+}
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..89d616c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16,224.0.0.251/32 
+            remote_ts = 10.2.0.0/16,224.0.0.251/32 
+            mark_in  = %unique
+            mark_out = %unique
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..48c4b83
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+
+  multiple_authentication = no
+  plugins {
+    forecast {
+      groups = 224.0.0.251
+      interface = eth1
+    }
+  }
+}
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..68ba24a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16,224.0.0.251/32
+            remote_ts = 10.1.0.0/16,224.0.0.251/32 
+            mark_in  = %unique
+            mark_out = %unique
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat
new file mode 100644
index 0000000..ba484f9
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/posttest.dat
@@ -0,0 +1,3 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat
new file mode 100644
index 0000000..5b8d988
--- /dev/null
+++ b/testing/tests/swanctl/net2net-multicast/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/swanctl/net2net-multicast/test.conf
similarity index 67%
copy from testing/tests/ikev2/default-keys/test.conf
copy to testing/tests/swanctl/net2net-multicast/test.conf
index ce84ce4..5799787 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/swanctl/net2net-multicast/test.conf
@@ -5,17 +5,21 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
-
+DIAGRAM="a-m-w-s-b.png"
+ 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="alice sun bob"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt b/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt
new file mode 100755
index 0000000..2db82a9
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> with signatures consisting of
+<b>RSA-encrypted SHA-3 hashes</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
new file mode 100755
index 0000000..1d9bd64
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000..5b67bf3
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100644
index 0000000..f24b3eb
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq
+pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV
+T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N
+Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt
+UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/
+XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY
+v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA
+G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp
+qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V
+/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK
+8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/
+8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc
+6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G
+NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE
+DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU
+z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD
+01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU
+bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId
+23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/
+Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p
+F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA
+29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/
+XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F
+/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX
+SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu
+8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq
+TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE
+miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ
+p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli
+CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6
+dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH
+gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY
+3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc
+gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN
+vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV
+E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..9034651
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16 
+            remote_ts = 10.2.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 0000000..bea7e81
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky
+MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6
+ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF
+kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9
+ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE
+6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS
+4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW
+GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA
+bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP
+tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u
+LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw
+N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz
+LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT
+UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo
+tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs
+jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl
+noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2
+pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc
+gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA
+5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79
+ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..29ad5b9
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 0000000..5b67bf3
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
new file mode 100644
index 0000000..a694bbb
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K
+ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p
+DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu
+MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO
++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r
+ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H
+WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6
+Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/
+bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex
+ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/
+d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ
+e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI
+zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW
+63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc
+Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n
+vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz
+aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+
+slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20
+pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0
+ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie
+1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL
+c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH
+xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T
+X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K
+qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB
+VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88
+oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF
+dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov
+2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI
+pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN
+VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo
+qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx
+JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8
+ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw
+kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk
+nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq
+hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..2b9ddcf
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16 
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 0000000..f1c086e
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky
+MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y
+ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR
+2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/
+W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu
+pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA
+xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC
+ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G
+/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt
+WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5
+/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G
+A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z
+dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg
+NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y
+c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7
+nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0
+cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK
+F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8
+1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB
+hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS
+ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+
+jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw
+MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk=
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..29ad5b9
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat
new file mode 100755
index 0000000..30d10b5
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat
new file mode 100755
index 0000000..b128bef
--- /dev/null
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf
old mode 100644
new mode 100755
similarity index 68%
copy from testing/tests/ikev2/default-keys/test.conf
copy to testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf
index ce84ce4..07a3b24
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf
@@ -5,17 +5,21 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
-
+DIAGRAM="a-m-w-s-b.png"
+ 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="sun"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt
new file mode 100755
index 0000000..e9ea4ac
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>EAP-TLS</b> only using
+<b>X.509 certificates</b> with signatures consisting of <b>RSA-encrypted SHA-3 hashes</b>. 
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
new file mode 100755
index 0000000..51bf8c1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
new file mode 100755
index 0000000..3b492f0
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 0000000..db6c98d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAw7ArNq1Cs5RMc1MuHO5BZAIAc9v04THLSpCs+zNQlyJCXaij
+siTQUbATyhgB5O11HKh69J8PRITx+dqIW/are3KGAKbvo8G5AgVOPhO+X3n7iOwT
+PqtaAlAa4/qpVyD/RSfOiQPXj+SFtBz9Js36gZegcm/w3d0QVOPUIEMWpSMIHCAm
+v6Ji/QHyOEVyOuiW0PTKVxqY8iFgnT8djDo0xWU40RNcIC7qyMkmGD8xR+kIbBcH
+8akPB6NgNvFVUZPK4EQfr19JNAQp7KbPA6tlzRxR6z0eL57zRUU47g3cf9Ie1zNj
+4FrIfv/+nA9ZVpR/DsGe3qmJvTVDfubaGkFE4AKxUEGcm0N4gHXo1PBj7hayJJSU
+IuAfoIfmkorqrPTp3bRoH2NWmMveBU6W4c8Vocv4ceWmCsrodcNdzqcnU4QGFc9x
+KPeiD232KeBZdpK4vs1ewkzftWmOVYUBG0X5oNNYoT54Qr8YXTWTI/3Rp7TbVGh7
+Z6iqH7hQ9gNGOe+NAgMBAAECggGAKuC3F0vviZm9Bqf7OquZ+GfX4YsYpR9cBAKf
+ZIth5TvEfvEsrSQT4VJLg8Su5ZKCTr07883GcqUOwEh6CGyMNohphEsPxznzZ9Xx
+xvhchl8cFmxj6x9woYEb40hRQp4gUO7f+nW1DfpssYKIlbAca7jlly2gAX0mzvL8
+z/TjSVvbsw34b5UNS5LZmCrfVLkSEscQbvWM/cECgnIJ72fxmC8NvAIZ9ZNSLpyk
+lDuEeNU+2zBQtUrt2CacNm263B0dvHrW9QSTdi1GvIjxhc3ab8OT0ZDNzo/S2eRJ
+InN77gwkYgEu1jeloBsicG4ZAAdbQU5/X4prnJIy2novnA/2C+hrmpYDhxqOT4Uk
+AhoMiyvrJF6rxPZj+R5qzc4RUzZapcXUNzH0lCwtwd19Ogfw38LUkHCtqQQpleme
+AL7FeVDXDu9oe6c5YrZihehT7p8ExKwlwiWy4u2bnoip77wOCuLo+D6eZpt64w4e
+XiHpWtmkADqhfzMgt/WUMpD/+gcBAoHBAPTa6zMClhGP6su624Rv9HSVClacXR7d
+zJNo5stnPierfcIZs8loWthR6AgGx36q9bOqtfIdFRc/PajF7oggnTcxMBZdCoU8
+Oi3vWEH+aIzIX3KICUjRYjj1kpm9xcy7XPGc6bEit+PM1DJ1jXCTiC30uQpavNxr
+klV4+ROIt9MYsb3tQw7CO1mGNR37jAEUqbJ7sK2OnvmjZPJlwJs0AyN1j7ZUihDO
+VT5UhjwB4KUH6BEirXTkoaDxZwsRfR5SaQKBwQDMmFm2M8J9AOxgrYTY80YIRQpy
+vrcX7Xrzn4Lu8M8Xr6RlS5bbXApAH7WtRHGlIj14lItmvZpRSOTzawtn65AzeIUF
+82/EMxLJaGjMBviTyNy+ta9wn8Qdy5c2ZZ5dKgsQ4PprSkAvNOnpd1wG48pbGg7/
+n3tVs9zdD2wa35KVjoyueu9Ls9BbND8v7OYmkmSNqFlA5KuLIeQkuLNxjxQsV5Vg
+S8pyg1jlYs7KmYs9GIFHAVEf5LG6a/3huWfuR4UCgcAGWfdn51VFN1p71mkDUnQg
+4gzWmk/AETjRShNSi2cNWGF2u3vyaYaRve4q5yIdowmkk3UMxrxZUgajbh714QKy
+/8+jhN5U/m7z6hV8AMFthXUUX3r+LJBDsfsPieCrouCSU+Or+J6Uhieq92mn1eve
+ZU63egsUHKY7GVw8qXs7OpTBvHnU1Cz98YFHOdMz4/lS6+p1VhHBn/9qWkFYxUyf
+itkjfaXnMbL8XuzseY/+N+pJJ4EgWx3mMtzdaKK6OqECgcAttOdt1fhgFsG4A2vH
+T+nYVRw1cDfVJ5+tJ3iHytJpFzshyhZEoTZFBxB+SekdnB2hf4X5COiduiwz2Tku
+GSkY5pbJMo5IhaRvzFyFIBWOZnQyQsKT5Y1Znq8EXwVXCNp6BdjL+UWHhkmvd5Pe
+kisV2Sd6ofVauxjfZd+fzUyhDryNCjfFcMFebrijC0iLW28NWou9/Jf6ODMQpRap
+iu5Vzac4YRY0KPXGISHTjyPVHVFcPIYUGvI9lHyeXd5DFEUCgcA9s3ei/H000sC6
+3q5iELW8kxFCpwvu7uKCFfakAqQn8nponHEUgRS7eLjzS1NB0qysIiOMtZPAVMCz
+puETLsi9PxD8de4RyEyZC2yd973j+TqFQmPyiWF3QNW55zM2iELW5sGeEVk/Z15c
+nlItcy7KOJOJU0TAKvUUjr4ug5N7sVSN1aeF4tiaFz0GFIqV3qAkcTMfpaOKfuSc
+huiHBdBaY7m4uNK4/ZOi1JitocO7wpRsX/eRJ4AuNrro8EHHAe0=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..229b602
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-tls 
+         certs = carolCert.pem
+         id = carol at strongswan.org
+      }
+      remote {
+         auth = eap-tls 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 0000000..94f2c0a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtTCCAx2gAwIBAgIBAzANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzYwMloXDTI2MDky
+MjEwMzYwMlowWTELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw7ArNq1Cs5RMc1Mu
+HO5BZAIAc9v04THLSpCs+zNQlyJCXaijsiTQUbATyhgB5O11HKh69J8PRITx+dqI
+W/are3KGAKbvo8G5AgVOPhO+X3n7iOwTPqtaAlAa4/qpVyD/RSfOiQPXj+SFtBz9
+Js36gZegcm/w3d0QVOPUIEMWpSMIHCAmv6Ji/QHyOEVyOuiW0PTKVxqY8iFgnT8d
+jDo0xWU40RNcIC7qyMkmGD8xR+kIbBcH8akPB6NgNvFVUZPK4EQfr19JNAQp7KbP
+A6tlzRxR6z0eL57zRUU47g3cf9Ie1zNj4FrIfv/+nA9ZVpR/DsGe3qmJvTVDfuba
+GkFE4AKxUEGcm0N4gHXo1PBj7hayJJSUIuAfoIfmkorqrPTp3bRoH2NWmMveBU6W
+4c8Vocv4ceWmCsrodcNdzqcnU4QGFc9xKPeiD232KeBZdpK4vs1ewkzftWmOVYUB
+G0X5oNNYoT54Qr8YXTWTI/3Rp7TbVGh7Z6iqH7hQ9gNGOe+NAgMBAAGjgYkwgYYw
+HwYDVR0jBBgwFoAU5MnNjPKIbR2nLtdeeTGlZlU1zgIwHwYDVR0RBBgwFoEUY2Fy
+b2xAc3Ryb25nc3dhbi5vcmcwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5z
+dHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLXNoYTMtcnNhLmNybDANBglghkgBZQME
+Aw4FAAOCAYEAHxkcN7plS2BvO/yXxE5WJ+2k9IP/IupuE6ChuFHDq5SrGNMsStsG
+sGpV6/yxvLSHchNGnGMIOyLTMzKgWy5dnDy4YX2FqZkI8ZBa0FJ9iO2IxILCsmyw
+ouShOv47YkNuAzJWIZjRz3+7mNhfX3TsdEr26cNKf1JqawTyFCDq0t/UYS6K/8O+
++6Q1kmy2mRgR19XkxA0ts3xno+eeB0NelnVEjJwqZPFgmVYK/2T4fUKraJyQzwhp
+xghLtlmwNuN6jetB4Z9k3hQQaPlUy2wxrqdsNfV9Ysgy+3LcI2ynoFMYShrS4avW
+FI2z0hb8sDkvS4Knif4UCv14Gycb/8nSgiingEMU+UmPOxwUl79/99e4LvIaslp4
+S0AiLwe0Tz2NqQ6uhvVppw3lYptIt+EK042cYpm/CPTMlMhT+Pi8l/POWIdquNLp
+85NuiVBbt3wMff+qTu+/ppyQsytTfDMD6XLggorLni/Owf9PoBakcdGuPW9MAUTf
+6Idv0tl5T0qX
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..29ad5b9
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
new file mode 100755
index 0000000..3b492f0
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/rsa/daveKey.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/rsa/daveKey.pem
new file mode 100644
index 0000000..85ad0d8
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/rsa/daveKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5QIBAAKCAYEA2tDIPF4nBGWCGJrnrV1npIw4nz24u1siDlD1eS2o17sYTBnf
+zQGkayW9dw/hhy3bGNrsGmuwr/lTMn1g3Kg+UQ0MNIWGPs3UWLeB5OBjQ4mWTmHK
+l0Aov2QnFO5PT63f57qwZOBXMLJzIdOlBJku5kxBu0qYT/FsX40KR0QSzl5at7QH
+5tJ81eBHuVaLEJrg5hYkqaDltGvisUeUozo5sijMfNvJUbwYQtL7UQrAMyFDAHqH
+kx/RaOkOP58FdmzTihqRXLObVVrOMWq6pTARCssdDhcA/y2QtcQzftCbID9/+hMx
+8yRyD0FbPcDC6CvrxVzUTyqBNjW9ZnrDfIxrqiRna7Fnjfq9gDYxYtDXGjvx1PdI
+p1ZgiiiQ0BLWQV8w+ujKgM52wy8YMdnCTDdcIVmreo02amu4txX3wf9YAeGtQ5gN
+QkJSooZEjwOnqVhiqNDEjxDgoEssAJ/VQtSwj37Ug1AFZ9bB2x+YNtC5b/Mj0Y4o
+k7mO+ButDiTzkw53AgMBAAECggGACY1lwGTn1SRNSp+wj3vtY1yPuDvsjZlL4k4c
+eT7KCSjsxZ23jG6O6/KI0+LImKsiznH4LqsW2ofK3wBkMx3RIp6sMrrFgoZfx8Oz
+EvfMvY0LF77jJjkxzjEkF6DTq4nOpYIb4zt78u9HYWmo4YuCZaFcmT2Haq4CaiVx
+Fm1dWM77rNtaIPR9aKTS3L9vcLkiKkk7LoCMppSzH8QdNAb9r85iJu09W6kXcgtd
+10rd2x2PnDy9IGoaLTdHXPWnOmVDviFgCp9zxBk4g/SWDR2AdHOgg3D2mvOmFkVK
+SLxr8RKhzzQfbRQuV4F3so9QVfkKyH8xsOpjAqjQwJC1LIWMJipzmc8o/AnUw0Rj
+UvU1sDYV8MHimgoftG000vB72hws8tv/XQHl13Tig8y46lSOYxavBJZuHjPPhkQF
+YlsfyUV5B11EmlyZ+KsNCHj9vXGRL6bw3Hu1UeG5cnXBXNkPq7ssNpgwdJrpqcW3
+8KWtl7w/b68ZLwyMpxKbmUNIyNkJAoHBAP9KBnqa91RA8gg0/Kp91NLiNXT9ibN3
+cQ6Y6HXuCWrKIKVKMmxRkhM9lMzOVfVVw5ydWZ3B5tzMiIfVCnyzs357vxBGsQEk
+TQ9I/kdFuR1gSMZVbXSH1Cbf/Ealg7j/w5/3WpQSaszUN2dmkJ64I3iEWELjT/VV
+RaxEhdNmZiRieOglkpvt+4X2Cr5oKXUofb11QX8bBmPnZklWUTuEfQu2KFc7T2im
+2ZonJKdxRMMFcnHqS3StX8OYqK8qqTC9hQKBwQDbbMIAp2omxd+iiN4hCIgZ1mK3
+HzBBwam6A/ZLqbByB4Ch1TNRK959xtJW6FLibZPYCi12b1ILwjOVO7aQHKnhKItX
+rhwAdhaBd3tJTxu2jDB0Bx1UkKbTDQ3bipnLY+VX/r/rMKbRsWgzejLs/CjafOj7
+OaFSpQOiQfOkpGKpwTab2H0CYqCMxK/4VYBP/NWwM0o0gaL5dJCjZ5i72CnHtmx7
+3D69TCieFY7RiDyf4Pix0tonwD5FfVHfH1SpjssCgcEAxJIcYQW4EhEcDIO4VhMj
+7+msndOn1x/OVx4YSM4sRCU1c/Co2M0KfHQ7gmQSviD2yT5DxfyLJlL7ghPhylmY
+iXkBiqfUHXv1NiLPYNPoER2Vi9o1uLfp/LEVkNRbk/SkjiUpgsCXqfZyXtUT4JML
+BP5q874SUGcDif0NStUbK0MDtEVSGWzq8qCcbzbHTWYLQ/non9WQWxbPpQKo8/o1
+SvJNJ7YMlBl9jnw7dg76kmw8TkjJJyNkjLickpx3wIb9AoHBAIx01s6SW9nL6fZh
+xEbC7lQTrobn2P0OmbWv2ZXfXknv0YBGOB4qhbZfcb8d4gh8+hldknJwmcVbH6fU
+XG1tW7T8Pg33LoeBD7D6KZnooKW+oTl0YGsEWTVZ8tfopb/TBzjHolRLhU1PUZM6
+EqUuWHxbXsuJvWForaXMr8hhTaK6QlmKP6MqPPk+4iGFoagSATtT6Zkorokd+4QN
+yW/c1Am6FUFH34VO3eUriYtIuP3ihW9WuDyfy3yx1pmLtab/9wKBwQDbBXYm9ugE
+wRSIxCywJ+aPNRQKanCKORwQMNJZ80rrXIs7saomY4Os+utJpOhoksTJB7mAn3ij
+kopmXn6NOsXdOlp9Ty55YRylGmOIQpsO7kSfylE1NFioHqksuQndbUwZFbskI0cN
+egyoihqnbfoLyxGu1/M521IseW3AwFIc0gAGdQ7i4ZXVlXOXWvdZFxnpd6PAfFMb
+J9mOicxHQ6Yv5b30RUvSIN+LHnUNGGk9XAxCH/jKtU7886jD6f34ru8=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..adf9326
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-tls 
+         certs = daveCert.pem
+         id = dave at strongswan.org
+      }
+      remote {
+         auth = eap-tls 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509/daveCert.pem
new file mode 100644
index 0000000..c5c769c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509/daveCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEszCCAxugAwIBAgIBBDANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzcwN1oXDTI2MDky
+MjEwMzcwN1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDa0Mg8XicEZYIYmuet
+XWekjDifPbi7WyIOUPV5LajXuxhMGd/NAaRrJb13D+GHLdsY2uwaa7Cv+VMyfWDc
+qD5RDQw0hYY+zdRYt4Hk4GNDiZZOYcqXQCi/ZCcU7k9Prd/nurBk4FcwsnMh06UE
+mS7mTEG7SphP8WxfjQpHRBLOXlq3tAfm0nzV4Ee5VosQmuDmFiSpoOW0a+KxR5Sj
+OjmyKMx828lRvBhC0vtRCsAzIUMAeoeTH9Fo6Q4/nwV2bNOKGpFcs5tVWs4xarql
+MBEKyx0OFwD/LZC1xDN+0JsgP3/6EzHzJHIPQVs9wMLoK+vFXNRPKoE2Nb1mesN8
+jGuqJGdrsWeN+r2ANjFi0NcaO/HU90inVmCKKJDQEtZBXzD66MqAznbDLxgx2cJM
+N1whWat6jTZqa7i3FffB/1gB4a1DmA1CQlKihkSPA6epWGKo0MSPEOCgSywAn9VC
+1LCPftSDUAVn1sHbH5g20Llv8yPRjiiTuY74G60OJPOTDncCAwEAAaOBiDCBhTAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVgRNkYXZl
+QHN0cm9uZ3N3YW4ub3JnMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwuc3Ry
+b25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEzLXJzYS5jcmwwDQYJYIZIAWUDBAMO
+BQADggGBAISXAxemOSUmXqkf7cgTQHpreMH1Y9LPJxZUUq5GVErmPzhLaZDSqZSy
+ZXcu3EWPA0RElaYBd9CSgFx0I89tw41dIYOLDyLnrEDHmcsgcJl74YYBSzebB/TJ
+OGXtV3S9M9OF1vSdugaXI1hDXck7cODUR6nyZAWOp5kBSItAH5bglCRtaQlAuSxM
+wRWYhBErUR5tZvu0loCN+11hVg/ddQ3r+FeHUt35KNenxkd6hWlHljbPv/eTtqgc
+/5VGEC96I2rD6WNcszj/SKK40zA9GuF1mIwNKEdcYnPRxoszlD6C7cdGJZ8VpJLc
+d7sO0QJur5HNtj6oUbM3HuHAaZBjg7uh5GDj+RehhKCybYyJQ1fu4iRaNYKdPwZh
+/F6hBRLytkt1qjJhngmBmQU4Ent8GL0Zn6Q8/HvbTP/xw4VXkY9JHdMIkzH8zokd
+TVjkunPPt+zdzeMq4hOewYR8HfiKcAnNUG7eO6PnUvC2NKsqX8a7/z0OV68XybZs
+gjC1FqvMvg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..29ad5b9
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000..646ee0e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100644
index 0000000..f24b3eb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq
+pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV
+T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N
+Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt
+UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/
+XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY
+v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA
+G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp
+qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V
+/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK
+8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/
+8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc
+6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G
+NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE
+DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU
+z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD
+01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU
+bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId
+23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/
+Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p
+F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA
+29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/
+XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F
+/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX
+SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu
+8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq
+TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE
+miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ
+p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli
+CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6
+dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH
+gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY
+3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc
+gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN
+vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV
+E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..ec6b06b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-tls 
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-tls 
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 0000000..bea7e81
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky
+MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6
+ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF
+kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9
+ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE
+6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS
+4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW
+GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA
+bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP
+tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u
+LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw
+N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz
+LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT
+UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo
+tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs
+jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl
+noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2
+pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc
+gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA
+5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79
+ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..29ad5b9
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat
new file mode 100755
index 0000000..d7107cc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat
new file mode 100755
index 0000000..762c354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf
old mode 100644
new mode 100755
similarity index 71%
copy from testing/tests/ikev2/default-keys/test.conf
copy to testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf
index ce84ce4..1227b9d
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -18,4 +18,8 @@ TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-newhope-bliss/description.txt b/testing/tests/swanctl/rw-newhope-bliss/description.txt
new file mode 100755
index 0000000..0a7f248
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm
+with a cryptographical strength of 128 bits. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
+The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
+increasing order. 
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
new file mode 100755
index 0000000..be3b867
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts [...]
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts= [...]
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote [...]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote- [...]
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
new file mode 100755
index 0000000..00576a8
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+
+  send_vendor_id = yes
+  fragment_size = 1500
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der
new file mode 100644
index 0000000..b2831a8
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..5706eda
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.der
+         id = carol at strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm128-newhope128
+         }
+      }
+      version = 2
+      proposals = aes256-sha256-newhope128
+      fragmentation = yes
+   }
+}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der
new file mode 100644
index 0000000..8a520c0
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der
new file mode 100644
index 0000000..fdfd39f
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
new file mode 100755
index 0000000..83cfb4e
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+
+  send_vendor_id = yes
+  fragment_size = 1500
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der
new file mode 100644
index 0000000..0ec528d
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..13407ed
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.der
+         id = dave at strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm128-newhope128
+         }
+      }
+      version = 2
+      proposals = aes256-sha256-newhope128
+      fragmentation = yes
+   }
+}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der
new file mode 100644
index 0000000..75a1143
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der
new file mode 100644
index 0000000..fdfd39f
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000..98de2c9
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+
+  send_vendor_id = yes
+  fragment_size = 1500
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    pools = /usr/local/sbin/swanctl --load-pools
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der
new file mode 100644
index 0000000..c989f91
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..bce22d0
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         certs = moonCert.der
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm128-newhope128
+         }
+      }
+      version = 2
+      proposals = aes256-sha256-newhope128
+      fragmentation = yes
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.3.0.0/28
+   }
+}
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der
new file mode 100644
index 0000000..d0ea364
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der
new file mode 100644
index 0000000..fdfd39f
Binary files /dev/null and b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der differ
diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat
new file mode 100755
index 0000000..d7107cc
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat
new file mode 100755
index 0000000..a550a2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl;  rm rsa/* x509/moonCert.pem  x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
+dave::cd /etc/swanctl;  rm rsa/* x509/daveCert.pem  x509ca/strongswanCert.pem
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/swanctl/rw-newhope-bliss/test.conf
old mode 100644
new mode 100755
similarity index 71%
rename from testing/tests/ikev2/default-keys/test.conf
rename to testing/tests/swanctl/rw-newhope-bliss/test.conf
index ce84ce4..1227b9d
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/swanctl/rw-newhope-bliss/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -18,4 +18,8 @@ TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
index 1a8d362..b158ccd 100644
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
 
   send_vendor_id = yes
   fragment_size = 1500
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
index 1a8d362..b158ccd 100644
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
 
   send_vendor_id = yes
   fragment_size = 1500
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
index ec18f44..c6dd6be 100644
--- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
 
   send_vendor_id = yes
   fragment_size = 1500

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git

