diff --git a/configure.ac b/configure.ac
index fb1ff3931..66b11eb11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -431,7 +431,7 @@ if test x$eap_radius = xtrue -o x$radattr = xtrue -o x$tnc_pdp = xtrue; then radius=true; fi -if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then +if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_20 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then tnc_tnccs=true; fi
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
index dbd3ef9fd..765d23ae2 100644
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@@ -1,3 +1,4 @@
 fuzz_certs
 fuzz_crls
 fuzz_pa_tnc
+fuzz_pb_tnc
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index d6e596b40..df228d38b 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -3,6 +3,8 @@ AM_CPPFLAGS = @CPPFLAGS@ \ -I$(top_srcdir)/src/libimcv \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libtpmtss \ + -I$(top_srcdir)/src/libtnccs \ + -I$(top_srcdir)/src/libtnccs/plugins/tnccs_20 \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS="\"${fuzz_plugins}\""
@@ -17,7 +19,12 @@ pa_tnc_ldflags = \ $(top_builddir)/src/libtpmtss/.libs/libtpmtss.a \ $(fuzz_ldflags) -FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc +pb_tnc_ldflags = \ + $(top_builddir)/src/libtnccs/.libs/libtnccs.a \ + $(top_builddir)/src/libtncif/.libs/libtncif.a \ + $(fuzz_ldflags) + +FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc fuzz_pb_tnc all-local: $(FUZZ_TARGETS)
@@ -32,6 +39,9 @@ fuzz_crls: fuzz_crls.c ${libfuzzer} fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer} $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pa_tnc_ldflags) +fuzz_pb_tnc: fuzz_pb_tnc.c ${libfuzzer} + $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pb_tnc_ldflags) + noinst_LIBRARIES = libFuzzerLocal.a libFuzzerLocal_a_SOURCES = libFuzzerLocal.c libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/fuzz/fuzz_pb_tnc.c b/fuzz/fuzz_pb_tnc.c
new file mode 100644
index 000000000..e8f23c9f1
--- /dev/null
+++ b/fuzz/fuzz_pb_tnc.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2018 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+ pb_tnc_batch_t *batch;
+ pb_tnc_state_machine_t *state;
+ pb_tnc_msg_t *msg;
+ pb_error_msg_t *error;
+ enumerator_t *enumerator;
+ bool from_server;
+ chunk_t chunk;
+
+ dbg_default_set_level(-1);
+ library_init(NULL, "fuzz_pb_tnc");
+ plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+ if (!lib->plugins->load(lib->plugins, PLUGINS))
+ {
+ return 1;
+ }
+ chunk = chunk_create((u_char*)buf, len);
+
+ INIT(state,
+ .receive_batch = (void*)return_true,
+ .set_empty_cdata = (void*)nop,
+ );
+
+ /* parse incoming PB-TNC batch */
+ batch = pb_tnc_batch_create_from_data(chunk);
+ if (batch->process_header(batch, TRUE, FALSE, &from_server) == SUCCESS ||
+ batch->process_header(batch, TRUE, TRUE, &from_server) == SUCCESS)
+ {
+ batch->process(batch, state);
+ }
+
+ /* enumerate correctly decoded PB-TNC messages */
+ enumerator = batch->create_msg_enumerator(batch);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ msg->get_type(msg);
+ }
+ enumerator->destroy(enumerator);
+
+ /* enumerate errors detected while parsing PB-TNC batch and messages */
+ enumerator = batch->create_error_enumerator(batch);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ error = (pb_error_msg_t*)msg;
+ error->get_error_code(error);
+ }
+ enumerator->destroy(enumerator);
+
+ batch->destroy(batch);
+
+ free(state);
+ lib->plugins->unload(lib->plugins);
+ library_deinit();
+ return 0;
+}
diff --git a/scripts/test.sh b/scripts/test.sh
index cea8ece38..f8ffdced3 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -127,7 +127,7 @@ osx) fuzzing) CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE" CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts - --enable-imc-test" + --enable-imc-test --enable-tnccs-20" # don't run any of the unit tests export TESTS_RUNNERS= # prepare corpora
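Review bot: The plugin-load failure branch in `LLVMFuzzerTestOneInput` (fuzz/fuzz_pb_tnc.c) returns before `library_deinit()` runs, so whatever `library_init()` set up is left behind for the next input, and it returns 1 although libFuzzer expects 0 from this callback and reserves other values. A harness that cannot load its plugins is not exercising the PB-TNC parser at all, so that failure should be loud rather than a silently skipped input, e.g. `library_deinit(); abort();` in that branch (or at minimum `library_deinit(); return 0;`). Separately, `state` is a stub with only `receive_batch` and `set_empty_cdata` set; assuming `INIT` zeroes the remaining members, any other state-machine method reached from `batch->process()` would be a NULL call inside the harness rather than a parser finding, so a comment such as `/* stub: process() is expected to call only receive_batch() and set_empty_cdata() */` above the `INIT` would help the next maintainer triage such a crash.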