Apply patch (requested by tron in ticket #741): netbsd-3
authorsnj <snj@NetBSD.org>
Sat, 03 Sep 2005 07:03:49 +0000
branchnetbsd-3
changeset 264854 02c4190d9b7a
parent 264853 c7bc03594b5f
child 264855 9c36fa0ccd1c
Apply patch (requested by tron in ticket #741): Update ipsec-tools to version 0.6.1.
crypto/dist/ipsec-tools/ChangeLog
crypto/dist/ipsec-tools/NEWS
crypto/dist/ipsec-tools/README
crypto/dist/ipsec-tools/acracoon.m4
crypto/dist/ipsec-tools/configure.ac
crypto/dist/ipsec-tools/netbsd-import.sh
crypto/dist/ipsec-tools/rpm/suse/Makefile.am
crypto/dist/ipsec-tools/rpm/suse/ipsec-tools.spec.in
crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h
crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h
crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h
crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h
crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h
crypto/dist/ipsec-tools/src/libipsec/key_debug.c
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
crypto/dist/ipsec-tools/src/libipsec/pfkey.c
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
crypto/dist/ipsec-tools/src/libipsec/policy_token.l
crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c
crypto/dist/ipsec-tools/src/libipsec/test-policy.c
crypto/dist/ipsec-tools/src/racoon/Makefile.am
crypto/dist/ipsec-tools/src/racoon/admin.c
crypto/dist/ipsec-tools/src/racoon/admin.h
crypto/dist/ipsec-tools/src/racoon/admin_var.h
crypto/dist/ipsec-tools/src/racoon/algorithm.c
crypto/dist/ipsec-tools/src/racoon/algorithm.h
crypto/dist/ipsec-tools/src/racoon/backupsa.c
crypto/dist/ipsec-tools/src/racoon/backupsa.h
crypto/dist/ipsec-tools/src/racoon/cfparse.y
crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h
crypto/dist/ipsec-tools/src/racoon/cftoken.l
crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
crypto/dist/ipsec-tools/src/racoon/debug.h
crypto/dist/ipsec-tools/src/racoon/debugrm.c
crypto/dist/ipsec-tools/src/racoon/debugrm.h
crypto/dist/ipsec-tools/src/racoon/dhgroup.h
crypto/dist/ipsec-tools/src/racoon/dnssec.c
crypto/dist/ipsec-tools/src/racoon/dnssec.h
crypto/dist/ipsec-tools/src/racoon/dump.c
crypto/dist/ipsec-tools/src/racoon/dump.h
crypto/dist/ipsec-tools/src/racoon/eaytest.c
crypto/dist/ipsec-tools/src/racoon/evt.c
crypto/dist/ipsec-tools/src/racoon/evt.h
crypto/dist/ipsec-tools/src/racoon/gcmalloc.h
crypto/dist/ipsec-tools/src/racoon/genlist.c
crypto/dist/ipsec-tools/src/racoon/genlist.h
crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c
crypto/dist/ipsec-tools/src/racoon/gnuc.h
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h
crypto/dist/ipsec-tools/src/racoon/gssapi.c
crypto/dist/ipsec-tools/src/racoon/gssapi.h
crypto/dist/ipsec-tools/src/racoon/handler.c
crypto/dist/ipsec-tools/src/racoon/handler.h
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
crypto/dist/ipsec-tools/src/racoon/isakmp.c
crypto/dist/ipsec-tools/src/racoon/isakmp.h
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
crypto/dist/ipsec-tools/src/racoon/isakmp_base.h
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h
crypto/dist/ipsec-tools/src/racoon/isakmp_newg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_newg.h
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.h
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h
crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
crypto/dist/ipsec-tools/src/racoon/kmpstat.c
crypto/dist/ipsec-tools/src/racoon/localconf.c
crypto/dist/ipsec-tools/src/racoon/localconf.h
crypto/dist/ipsec-tools/src/racoon/logger.c
crypto/dist/ipsec-tools/src/racoon/logger.h
crypto/dist/ipsec-tools/src/racoon/main.c
crypto/dist/ipsec-tools/src/racoon/misc.c
crypto/dist/ipsec-tools/src/racoon/misc.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael_local.h
crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c
crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.h
crypto/dist/ipsec-tools/src/racoon/missing/strdup.c
crypto/dist/ipsec-tools/src/racoon/nattraversal.c
crypto/dist/ipsec-tools/src/racoon/nattraversal.h
crypto/dist/ipsec-tools/src/racoon/netdb_dnssec.h
crypto/dist/ipsec-tools/src/racoon/oakley.c
crypto/dist/ipsec-tools/src/racoon/oakley.h
crypto/dist/ipsec-tools/src/racoon/pfkey.c
crypto/dist/ipsec-tools/src/racoon/pfkey.h
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8
crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
crypto/dist/ipsec-tools/src/racoon/plog.c
crypto/dist/ipsec-tools/src/racoon/plog.h
crypto/dist/ipsec-tools/src/racoon/policy.c
crypto/dist/ipsec-tools/src/racoon/policy.h
crypto/dist/ipsec-tools/src/racoon/privsep.c
crypto/dist/ipsec-tools/src/racoon/privsep.h
crypto/dist/ipsec-tools/src/racoon/proposal.c
crypto/dist/ipsec-tools/src/racoon/proposal.h
crypto/dist/ipsec-tools/src/racoon/prsa_par.y
crypto/dist/ipsec-tools/src/racoon/prsa_tok.l
crypto/dist/ipsec-tools/src/racoon/racoon.8
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
crypto/dist/ipsec-tools/src/racoon/racoonctl.8
crypto/dist/ipsec-tools/src/racoon/racoonctl.c
crypto/dist/ipsec-tools/src/racoon/racoonctl.h
crypto/dist/ipsec-tools/src/racoon/remoteconf.c
crypto/dist/ipsec-tools/src/racoon/remoteconf.h
crypto/dist/ipsec-tools/src/racoon/rsalist.c
crypto/dist/ipsec-tools/src/racoon/rsalist.h
crypto/dist/ipsec-tools/src/racoon/safefile.c
crypto/dist/ipsec-tools/src/racoon/safefile.h
crypto/dist/ipsec-tools/src/racoon/sainfo.c
crypto/dist/ipsec-tools/src/racoon/sainfo.h
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.in
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-gssapi
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-inherit
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-plainrsa
crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README
crypto/dist/ipsec-tools/src/racoon/schedule.c
crypto/dist/ipsec-tools/src/racoon/schedule.h
crypto/dist/ipsec-tools/src/racoon/session.c
crypto/dist/ipsec-tools/src/racoon/session.h
crypto/dist/ipsec-tools/src/racoon/sockmisc.c
crypto/dist/ipsec-tools/src/racoon/sockmisc.h
crypto/dist/ipsec-tools/src/racoon/str2val.c
crypto/dist/ipsec-tools/src/racoon/str2val.h
crypto/dist/ipsec-tools/src/racoon/strnames.c
crypto/dist/ipsec-tools/src/racoon/strnames.h
crypto/dist/ipsec-tools/src/racoon/throttle.c
crypto/dist/ipsec-tools/src/racoon/throttle.h
crypto/dist/ipsec-tools/src/racoon/var.h
crypto/dist/ipsec-tools/src/racoon/vendorid.c
crypto/dist/ipsec-tools/src/racoon/vendorid.h
crypto/dist/ipsec-tools/src/racoon/vmbuf.c
crypto/dist/ipsec-tools/src/racoon/vmbuf.h
crypto/dist/ipsec-tools/src/setkey/Makefile.am
crypto/dist/ipsec-tools/src/setkey/extern.h
crypto/dist/ipsec-tools/src/setkey/parse.y
crypto/dist/ipsec-tools/src/setkey/setkey.8
crypto/dist/ipsec-tools/src/setkey/setkey.c
crypto/dist/ipsec-tools/src/setkey/test-pfkey.c
crypto/dist/ipsec-tools/src/setkey/token.l
crypto/dist/ipsec-tools/src/setkey/vchar.h
doc/CHANGES
lib/libipsec/Makefile
lib/libipsec/config.h
lib/libipsec/package_version.h
sbin/setkey/Makefile
--- a/crypto/dist/ipsec-tools/ChangeLog	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog	Sat Sep 03 07:03:49 2005 +0000
@@ -1,23 +1,174 @@
+---------------------------------------------
+
+	0.6.1 released
+
+2005-08-14  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
+	* src/racoon/dnssec.c: fix bogus test on function result
+
+2005-08-11  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp.c: Improved in/out SA addresses check in
+	  purge_remote(). Reported by Patrick Ma.
+
+2005-08-08  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings
+
+2005-08-08  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/privsep.c: Fixed a %d -> %zu in
+	port_check() (reported by Matthias Scheler).
+
+---------------------------------------------
+
+	0.6.1.rc1 released
+
+2005-08-04  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* configure.ac: correctly quote RACOON_PATH_LIBS arguments
+
+2005-08-02  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_inf.c: First fix to
+	info_recv_initialcontact(): do a basic IP check when no NAT-T.
+
+2005-07-28  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/{pfkey.c|proposal.c}: IPcomp CPI size fixes
+
+2005-07-26  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp.c: Fixed purge_remote()
+
+2005-07-25  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
+	a new ph1handle exists (patch by Krzysztof Oledzki)
+
+---------------------------------------------
+
+	0.6.1.beta3 released
+
+2005-07-20  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* configure.ac: disabled --enable-samode-unspec for linux
+
+2005-07-20  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
+	quick_r1recv() as it is done in quick_i2recv().
+
+2005-07-19  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
+	packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
+	case (RFC 3947, sect 4, we MUST allow new phase1 negociations on
+	NAT-T floated port), to correctly generate the reply.
+
+2005-07-16  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
+	  Patrice Fournier
+	* src/setkey/setkey.c: disabled readline's filename completion.
+	  Fixed bug 1179281.
+	* src/racoon/proposal.c: fixed mode selection for SAs with
+	  complex_bundle on behind NAT.
+
+2005-07-14  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.c: Clears the DPD schedule in delph1()
+
+---------------------------------------------
+
+	0.6.1.beta2 released
+
+2005-07-13  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/setkey/Makefile.am: missing file in distribution
+	* src/racoon/isakmp_inf.c: build fix
+
+---------------------------------------------
+
+	0.6.1.beta1 released
+
+2005-07-12  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().
+
+2005-07-12  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
+	  used. 
+	* src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac
+	  src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
+	* src/racoon/{admin.c|session.c}: Don't use the adminport if it is
+	  disabled
+	* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
+	  Add comments for using the scripts without NAT-T
+
+2005-07-04  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/isakmp_inf.c: safety checks on informational messages
+
+2005-07-11  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* configure.ac: build fixes on Linux. Accomodate various libiconv 
+	  versions
+
 2005-07-09  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
 	  algorithms with variable key size but not OpenSSL default key
 	  size.
 
-2005-07-12  Emmanuel Dreyfus  <manu@netbsd.org>
-
-	* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
-	  Add comments for using the scripts without NAT-T
-	* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
-	  used. 
-	* src/racoon/{admin.c|session.c}: Don't use adminport if it is 
-	  disabled.
+2005-07-07  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Mathias Scheler <tron@netbsd.org>
+	* src/racoon/raccon.conf.5: Document that aes can be used in 
+	  racoon.conf
+
+2005-07-06  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/setkey/extern.h: new file (was missing in previous commit)
+
+2005-07-06  Frederic Senault  <fred@lacave.net>
+
+	* src/setkey/setkey.c: fix compilation with readline.
+	* src/racoon/oakley.c: move declarations to the top of the function
+	  to fix compilation issues with gcc 2.95.4/FreeBSD4, re-indentation
+	  and style cleanup of the pkcs7 patch.
 
 2005-07-01  Emmanuel Dreyfus  <manu@netbsd.org>
 
-	From Uri <urimobile@optonline.net>
+	From Uri <urimobile@optonline.net>:
+	* src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
 	* src/racoon/oakley.c: pkcs7 support
 
+2005-06-29  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Christos Zoulas <christos@zoulas.com>
+	* configure.ac src/setkey/{parse.y|setkey.c|token.l}
+	  src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c}
+	  src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint, 
+	  using void * instead of caddr_t and adding const where appropriate.
+	* src/setkey/extern.h: new file
+	* src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
+	  src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned, 
+	  size_t/int and lint constants
+
+2005-06-29  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Uri <urimobile@optonline.net> and Larry Baird <lab@gta.com>:
+	* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
+	  src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
+	  src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
+
+---------------------------------------------
+
+	0.6 released 
+
 2005-06-22  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Ludo Stellingwerff <ludo@protactive.nl>:
@@ -27,7 +178,11 @@
 	  on phase 2 initiation retries when the phase 2 had been queued
 	  for a phase 1.
 
-2005-06-07  Emmanuel Dreyfus  <manu@netbsd.org>
+---------------------------------------------
+
+	0.6rc1 released 
+
+2005-06-15  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Larry Baird <lab@gta.com>
 	* src/racoon/isakmp.c: consume NAT keepalive data  already seen
@@ -40,11 +195,25 @@
 	From Frederic Senault  <fred@lacave.net>
 	* src/racoon/privsep.c: fix Xauth login with PAM authentication
 
+2005-06-05  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Thomas Klausner <wiz@netbsd.org>
+	* src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing
+	  spaces, grammar fix
+
 2005-05-31  Aidas Kasparas  <a.kasparas@gmc.lt>
 
 	* src/racoon/ipsec_doi.c: Inserted missing 0th element of
 	  rm_idtype2doi array. Bug #1199700 fix.
 
+2005-05-23  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/admin.c: build fix
+
+---------------------------------------------
+
+	0.6b3 released 
+
 2005-05-20  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Mike Robinson <sundialservices@users.sourceforge.net>
@@ -60,23 +229,38 @@
 	  altering lifetime, duplicate the proposal instead of modifying 
 	  the configured one.
 
+	From Frederic Senault  <fred@lacave.net>
+	* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
+	  fix a hangup with FreeBSD 4.
+
 2005-05-14  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/libipsec/policy_parse.y: fix parse bug in IPsec policies
 
+2005-05-14  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/sockmisc.c: Debug message said it will send to
+	  source address insted of destination.
+
 2005-05-13  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
 	  consider null port as a wildcard and use IKE port
 
+	* src/racoon/isakmp.c: Build fix
+
 2005-05-13  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/isakmp.c: Fixed a double ph2handler free in
 	  isakmp_ph2begin_i().
 
+2005-05-12  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/racoon/{proposal.c|proposal.h|isakmp_quick.c}: fix build problem
+
 ---------------------------------------------
 
-	0.6b2 released
+	0.6b2 released 
 
 2005-05-10  Emmanuel Dreyfus  <manu@netbsd.org>
 
@@ -87,12 +271,18 @@
 	  higher security settings. Remove now useless phase 1 down 
 	  script on server side.
 
+2005-05-10  Emmanuel Dreyfus  <manu@netbsd.org>
+
 	* src/racoon/ipsec_doi.c: check for lifebyte in proposals
 	* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
 
 	* src/racoon/{cfparse.y|cftoken.l|racoon.conf.5|isakmp_cfg.c}
 	  src/racoon/{isakmp_cfg.h|isakmp_unity.c}: add Cisco extensions for
-	  pushing PFS group and save password setting through ISAKMP mode cfg
+	  sending PFS group and save password through ISAKMP mode config.
+
+2005-05-08  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* configure.ac src/racoon/isakmp_xauth.c: Support shadow passwords
 
 2005-05-07  Emmanuel Dreyfus  <manu@netbsd.org>
 
@@ -123,11 +313,19 @@
 	From Manisha Malla <mmanisha@novell.com>
 	* src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative
 
+	From Ludo Stellingwerff <ludo@protactive.nl>
+	* src/setkey/{parse.y|token.l}: build on system that do not have
+	  TCP-MD5 support
+
+2005-05-04  Michal Ludvig  <michal@logix.cz>
+
+	* configure.ac: Revert GLIBC_BUGS change from 2005-04-15
+
 2005-05-03  Emmanuel Dreyfus  <manu@netbsd.org>
 
 	From Patrick McHardy <kaber@trash.net>
-	* src/racoon/{pfkey.c|handler.h|hendler.c}: on phase 2 acquire,
-	  lookup phase 2 by (src, dst, policy id) so that multiple SA can
+	* src/racoon/{pfkey.c|handler.h|hendler.c}: on phase 2 acquire, 
+	  lookup phase 2 by (src, dst, policy id) so that multiple SA can 
 	  be used in transport mode
 
 2005-04-26  Emmanuel Dreyfus  <manu@netbsd.org>
@@ -140,17 +338,34 @@
 	* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}:
 	  src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
 	  enable the display of ESP over UDP ports in policies.
-
+	
 	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
 	  forget port numbers so that mutiple clients behind the same NAT
 	  can work.
 
 	* src/racoon/ipsec_doi.c: fix LP64 bug
-
+	
 	From Larry Baird <lab@gta.com>
 	* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
 	  NAT-T fixes for interoperability with greenbow VPN client.
 
+2005-04-21  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/libipsec/policy.parse.y, src/racoon/cfparse.y,
+	  src/libipsec/policy_parse.y, src/racoon/cfparse.y,
+	  src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
+	  src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c, 
+	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
+	  src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
+	  src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
+	  src/racoon/sockmisc.h, src/racoon/racoonctl.c: made
+	  compile with gcc-4.0 (20050410 prerelease)
+
+2005-04-20  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	From: Ganesan Rajagopal <rganesan@users.sourceforge.net>
+	* configure.ac: fix --enable-ipv6 logic
+
 2005-04-19  Yvan Vanhullebus  <vanhu@free.fr>
 
 	* src/racoon/handler.h: added a flag to identify generated policies
@@ -164,6 +379,7 @@
 2005-04-18  Aidas Kasparas  <a.kasparas@gmc.lt>
 
 	* src/racoon/crypto_openssl.c: fixed single DES support;
+	* NEWS: noted fix
 
 2005-04-18  Emmanuel Dreyfus  <manu@netbsd.org>
 
@@ -182,20 +398,51 @@
 	From KAME
 	* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
 
+2005-04-15  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	From Zilvinas Valinskas <zilvinas@gemtek.lt>:
+	* configure.ac: 
+	  - cross-compile type fix (patch 1);
+	  - --enable-{frag|hybrid}=no fixes (patches 6,7);
+	  - support for --with-flex, --with-flexlib (patch 11);
+	  - GLIBC_BUGS assignment correction (patch 14 with mods).
+
 2005-04-10  Emmanuel Dreyfus <manu@netbsd.org>
 
 	* src/racoon/isakmp_agg.c: fix a memory leak when using hybrid auth
-	* src/libipsec/{pfkey.c|pfkey_dump.c}
-	  src/setkey/{token.l|parse.y|setkey.8}: missing bits for TCP_MD5
+        * src/libipsec/{pfkey.c|pfkey_dump.c}
+          src/setkey/{token.l|parse.y|setkey.8}: missing bits for TCP_MD5 
 	  support, from KAME
 
 2005-04-04  Emmanuel Dreyfus <manu@netbsd.org>
 
 	* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
 
+2005-03-30  Michal Ludvig  <michal@logix.cz>
+
+	* configure.ac: Don't compile with NAT-T by default (according to 
+	  documentation, finally :-)
+	* configure.ac, rpm/suse/ipsec-tools.spec.in,
+	  rpm/suse/Makefile.am: Distribute .spec file with 
+	  resolved version string.
+	* src/racoon/Makefile.am: Allow parallel cluster build.
+
+2005-03-27  Michal Ludvig  <michal@logix.cz>
+
+	From Zilvinas Valinskas <zilvinas@gemtek.lt>:
+	* configure.ac: 
+	  - Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
+	  - Fix OpenSSL check for cross-compilation.
+	* acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
+	  (RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
+
 ---------------------------------------------
 
-	0.6b1 released
+	0.6b1 released 
+
+2005-03-22  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/privsep.c: fix the build without --with-libpam
 
 2005-03-16  Emmanuel Dreyfus <manu@netbsd.org>
 
@@ -243,7 +490,7 @@
 	
 2005-02-23  Emmanuel Dreyfus <manu@netbsd.org>
 
-        * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
+	* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
 	  support for patented algorithms: IDEA and RC5.
 	* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
 	  is not required in the configuration
@@ -253,7 +500,7 @@
 
 2005-02-18  Emmanuel Dreyfus <manu@netbsd.org>
 
-        * src/racoon/{main.c|eaytest.c|plairsa-gen.c}
+	* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
 	  src/setkey/setkey.c: don't use fuzzy paths for package_version.h
 
 2005-02-18  Yvan Vanhullebus  <vanhu@free.fr>
--- a/crypto/dist/ipsec-tools/NEWS	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/NEWS	Sat Sep 03 07:03:49 2005 +0000
@@ -1,13 +1,25 @@
 Version history:
 ----------------
-0.6???	- ??
+0.6.1	- 10 august 2005
+	o NAT-T fixes for situations where NAT-T is not used
+	o OpenSSL 0.9.8 support
+	o keys are not restricted to OpenSSL default size anymore
+	o PKCS7 support
+	o SHA2 support
+
+0.6	- 27 June 2005
+	o Generated policies are now correctly flushed
+	o NAT-T works with multiple peers behind the NAT (need kernel support)
+	o Xauth can use shadow passwords
+	o TCP-MD5 support
 	o PAM support for Xauth
 	o Privilege separation
 	o ESP fragmentation in tunnel mode can be tunned (NetBSD only)
 	o racoon admin interface is exported (header and library) to 
 	  help building control programs for racoon (think GUI)
+ 	o Fixed single DES support; single DES users MUST UPGRADE
 
-0.5???	- ?? 
+0.5	- 10 April 2005
 	o Rewritten buildsystem. Now completely autoconfed, automaked,
 	  libtoolized.
 	o IPsec-tools now compiles on NetBSD and FreeBSD again.
--- a/crypto/dist/ipsec-tools/README	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/README	Sat Sep 03 07:03:49 2005 +0000
@@ -13,15 +13,15 @@
 
 Currently the package is actively maintained and developed 
 by Michal Ludvig <mludvig@suse.cz>, Aidas Kasparas <a.kasparas@gmc.lt>
-and Emmanuel Dreyfus <manu@netbsd.org>.
+Emmanuel Dreyfus <manu@netbsd.org>, VANHULLEBUS Yvan <vanhu@zeninc.net>,
+and Fred Senault <fred.letter@lacave.net>.
 
 Sources can be found at the IPsec-Tools home page at:
 	http://ipsec-tools.sourceforge.net/
 
 Please report any problems to the mailing list:
 	ipsec-tools-devel@lists.sourceforge.net
-	(it is called 'devel' but feel free to send general
-	questions there as well :-)
+	ipsec-tools-users@lists.sourceforge.net
 
 You can also browse the list archive:
 	http://sourceforge.net/mailarchive/forum.php?forum_id=32000
--- a/crypto/dist/ipsec-tools/acracoon.m4	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/acracoon.m4	Sat Sep 03 07:03:49 2005 +0000
@@ -48,7 +48,8 @@
 		}],
 		[ac_cv_va_copy=yes],
 		[ac_cv_va_copy=no],
-		[])
+		AC_MSG_WARN(Cross compiling... Unable to test va_copy)
+		[ac_cv_va_copy=no])
 	])
 	if test x$ac_cv_va_copy != xyes; then
 		AC_CACHE_CHECK([for an implementation of __va_copy()],
@@ -69,7 +70,8 @@
 			}],
 			[ac_cv___va_copy=yes],
 			[ac_cv___va_copy=no],
-			[])
+			AC_MSG_WARN(Cross compiling... Unable to test __va_copy)
+			[ac_cv___va_copy=no])
 		])
 	fi
 
@@ -186,8 +188,8 @@
 	buggygetaddrinfo=no,
 	AC_MSG_RESULT(buggy)
 	buggygetaddrinfo=yes,
-	AC_MSG_RESULT(buggy)
-	buggygetaddrinfo=yes)
+	AC_MSG_RESULT(Cross compiling ... Assuming getaddrinfo is not buggy.)
+	buggygetaddrinfo=no)
 	CFLAGS=$saved_CFLAGS
 	unset saved_CFLAGS
 ])
--- a/crypto/dist/ipsec-tools/configure.ac	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/configure.ac	Sat Sep 03 07:03:49 2005 +0000
@@ -1,8 +1,8 @@
 dnl -*- mode: m4 -*-
-dnl Id: configure.ac,v 1.47.2.3 2005/03/14 07:55:03 manubsd Exp
+dnl Id: configure.ac,v 1.47.2.24 2005/08/19 22:46:45 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.5pre)
+AC_INIT(ipsec-tools, 0.6.1)
 AC_CONFIG_SRCDIR([configure.ac])
 AM_CONFIG_HEADER(config.h)
 
@@ -57,8 +57,8 @@
 	      AC_SUBST(CONFIGURE_AMFLAGS) ],
 	    [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
 
-    AC_CHECK_FILE($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
-	[ AC_CHECK_FILE(/usr/src/linux/include/linux/pfkeyv2.h,
+    AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
+	[ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
 	  KERNEL_INCLUDE=/usr/src/linux/include ,
 	  [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
     AC_SUBST(KERNEL_INCLUDE)
@@ -73,9 +73,10 @@
     	[#include "$KERNEL_INCLUDE/linux/pfkeyv2.h"])
 
     GLIBC_BUGS='-include ${top_srcdir}/src/include-glibc/glibc-bugs.h -I${top_srcdir}/src/include-glibc -I${top_builddir}/src/include-glibc'
-    AC_SUBST(GLIBC_BUGS)
     GLIBC_BUGS_LOCAL="-include ${srcdir-.}/src/include-glibc/glibc-bugs.h -I${srcdir-.}/src/include-glibc -I./src/include-glibc"
     CPPFLAGS="$GLIBC_BUGS_LOCAL $CPPFLAGS"
+    CPPFLAGS="-D_GNU_SOURCE $CPPFLAGS"
+    AC_SUBST(GLIBC_BUGS)
     ;;
  *)
     if test "$have_net_pfkey$have_netinet_ipsec" != yesyes; then
@@ -94,6 +95,7 @@
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_CHECK_HEADERS(limits.h sys/time.h unistd.h stdarg.h varargs.h)
+AC_CHECK_HEADERS(shadow.h)
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
@@ -149,6 +151,27 @@
 		], [])], [])
 fi
 
+
+AC_MSG_CHECKING(if --with-flex option is specified)
+AC_ARG_WITH(flexdir,
+	[AC_HELP_STRING([--with-flex], [use directiory (default: no)])],
+	[flexdir="$withval"])
+AC_MSG_RESULT(${flexdir-dirdefault})
+
+if test "x$flexdir" != "x"; then
+	LIBS="$LIBS $flexdir/libfl.a"
+fi
+
+AC_MSG_CHECKING(if --with-flexlib option is specified)
+AC_ARG_WITH(flexlib,
+	[  --with-flexlib=<LIB>    specify flex library.],
+	[flexlib="$withval"])
+AC_MSG_RESULT(${flexlib-default})
+
+if test "x$flexlib" != "x"; then
+	LIBS="$LIBS $flexlib"
+fi
+
 # Check if a different OpenSSL directory was specified
 AC_MSG_CHECKING(if --with-openssl option is specified)
 AC_ARG_WITH(openssl, [  --with-openssl=DIR      specify OpenSSL directory],
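Review bot: The option registered on the `AC_ARG_WITH(flexdir,` line does not match the help it advertises: AC_ARG_WITH registers `--with-flexdir` and stores its value for that name, while the AC_HELP_STRING tells the user to pass `--with-flex`, so anyone following the help leaves `flexdir` empty and `$flexdir/libfl.a` is never added to LIBS. Either rename the first argument to `flex` or correct the help, e.g. `[AC_HELP_STRING([--with-flexdir=DIR], [use flex library from DIR (default: no)])]`, which also fixes the `directiory` typo. The following `AC_MSG_RESULT(${flexdir-dirdefault})` prints the literal word `dirdefault` when the option is absent; `${flexdir-no}` would match the documented default, and the flexlib block below could use AC_HELP_STRING for consistency.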
@@ -157,15 +180,21 @@
 
 if test "x$crypto_dir" != "x"; then
 	LIBS="$LIBS -L${crypto_dir}/lib"
-	CPPFLAGS_ADD="-I${crypto_dir}/include $CPPFLAGS_ADD"
+	CPPFLAGS="-I${crypto_dir}/include $CPPLAGS"
 fi
 AC_MSG_CHECKING(openssl version)
-AC_EGREP_CPP(yes, [#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
-yes
-#endif], [AC_MSG_RESULT(ok)], [AC_MSG_RESULT(too old)
-	AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
-	])
+
+AC_TRY_COMPILE(
+[#include <openssl/opensslv.h>
+],
+[#if OPENSSL_VERSION_NUMBER < 0x0090602fL
+#error OpenSSL version is too old ...
+#endif],
+[AC_MSG_RESULT([ok])],
+[AC_MSG_RESULT(too old)
+AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
+])
+
 AC_CHECK_HEADERS(openssl/engine.h)
 
 # checking rijndael
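Review bot: `CPPFLAGS="-I${crypto_dir}/include $CPPLAGS"` expands the misspelled `$CPPLAGS`, so whenever `--with-openssl` is given the CPPFLAGS accumulated earlier (on Linux that includes the glibc-bugs include and `-D_GNU_SOURCE` set in the host_os case above) are silently dropped. The line should read `CPPFLAGS="-I${crypto_dir}/include $CPPFLAGS"`. The switch from CPPFLAGS_ADD to CPPFLAGS on this line looks deliberate, since the new AC_TRY_COMPILE version check directly below must see the chosen header directory; a one-line comment such as `# set CPPFLAGS now so the version check below uses the requested OpenSSL` would make that intent clear.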
@@ -175,10 +204,23 @@
 # checking sha2
 AC_MSG_CHECKING(sha2 support)
 AC_DEFINE([WITH_SHA2], [], [SHA2 support])
+AC_MSG_RESULT(yes)
 AC_CHECK_HEADER(openssl/sha2.h, [], [
+	AC_MSG_CHECKING(if sha2 is defined in openssl/sha.h)
+	AC_TRY_COMPILE([
+		#include <openssl/sha.h>
+	], [
+		typedef int SHA256_CTX;
+	], [AC_MSG_RESULT(no)
+	    AC_LIBOBJ([sha2])
+	    CRYPTOBJS="$CRYPTOBJS sha2.o"
+	], [
+	    AC_MSG_RESULT(yes)
+	    AC_DEFINE([HAVE_SHA2_IN_SHA_H], [], [sha2 is defined in sha.h])
+	])
+
 	CPPFLAGS_ADD="$CPPFLAGS_ADD -I./\${top_srcdir}/src/racoon/missing"
-	AC_LIBOBJ([sha2])
-	CRYPTOBJS="$CRYPTOBJS sha2.o"])
+])
 AC_SUBST(CRYPTOBJS)
 
 # Option --enable-adminport 
@@ -219,7 +261,7 @@
 AC_SUBST(EXTRA_CRYPTO)
 
 # For dynamic libradius
-RACOON_PATH_LIBS(MD5_Init, crypto)
+RACOON_PATH_LIBS([MD5_Init], [crypto])
 
 # Check for Kerberos5 support
 AC_MSG_CHECKING(if --enable-gssapi option is specified)
@@ -248,33 +290,52 @@
 	LIBS="$LIBS $krb5_libs"
 	CPPFLAGS_ADD="$krb5_incdir $CPPFLAGS_ADD"
 	AC_DEFINE([HAVE_GSSAPI], [], [Enable GSS API])
+
+	# Check if iconv 2nd argument needs const 
+	AC_CHECK_HEADER([iconv.h], [], [AC_MSG_ERROR([iconv.h not found, but needed for GSSAPI support. Aborting.])])
+	AC_MSG_CHECKING([if iconv second argument needs const])
+	AC_TRY_COMPILE([
+		#include <iconv.h>
+		#include <stdio.h>
+	], [
+		iconv_t cd = NULL;
+		const char **src = NULL;
+		size_t *srcleft = NULL;
+		char **dst = NULL;
+		size_t *dstleft = NULL;
+
+		(void)iconv(cd, src, srcleft, dst, dstleft);
+	], [AC_MSG_RESULT(yes)
+	    AC_DEFINE([HAVE_ICONV_2ND_CONST], [], [Have iconv using const])
+	], [AC_MSG_RESULT(no)])
+
 fi
 
 AC_MSG_CHECKING([if --enable-hybrid option is specified])
 AC_ARG_ENABLE(hybrid, 
     [  --enable-hybrid	  enable hybrid, both mode-cfg and xauth support],
-    [
+    [], [enable_hybrid=no])
+AC_MSG_RESULT($enable_hybrid)
+
+if test "x$enable_hybrid" = "xyes"; then
 	LIBS="$LIBS -lcrypt"; 
-	enable_hybrid=yes;
 	HYBRID_OBJS="isakmp_xauth.o isakmp_cfg.o isakmp_unity.o throttle.o"
 	AC_SUBST(HYBRID_OBJS)
 	AC_DEFINE([ENABLE_HYBRID], [], [Hybrid authentication support])
-    ],
-    [enable_hybrid=no])
-AC_MSG_RESULT($enable_hybrid)
+fi
 
 AC_MSG_CHECKING([if --enable-frag option is specified])
 AC_ARG_ENABLE(frag, 
     [  --enable-frag           enable IKE fragmentation payload support],
-    [
+    [], [enable_frag=no])
+AC_MSG_RESULT($enable_frag)
+
+if test "x$enable_frag" = "xyes"; then
 	LIBS="$LIBS -lcrypt"; 
-	enable_frag=yes;
 	FRAG_OBJS="isakmp_frag.o"
 	AC_SUBST(FRAG_OBJS)
 	AC_DEFINE([ENABLE_FRAG], [], [IKE fragmentation support])
-    ],
-    [enable_frag=no])
-AC_MSG_RESULT($enable_frag)
+fi
 
 AC_MSG_CHECKING(if --with-libradius option is specified)
 AC_ARG_WITH(libradius, 
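Review bot: The iconv probe added after `AC_DEFINE([HAVE_GSSAPI]...)` sets `HAVE_ICONV_2ND_CONST` when passing `const char **src` compiles, but passing `const char **` where the prototype takes `char **` is a pointer-type mismatch that gcc (by default) reports only as a warning, so AC_TRY_COMPILE will likely succeed and answer `yes` on systems whose iconv takes a plain `char **`. Consider temporarily adding `-Werror` to CFLAGS around this one AC_TRY_COMPILE when the compiler is gcc, or probing the non-const signature as well and preferring whichever compiles cleanly. `iconv_t cd = NULL;` also presumes iconv_t is a pointer type, which the standard does not guarantee; `(iconv_t)0` avoids that assumption.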
@@ -287,11 +348,11 @@
 		  libradius_dir="";
 	fi;
 	if test "x$libradius_dir" = "x"; then
-		RACOON_PATH_LIBS(rad_create_request, radius)
+		RACOON_PATH_LIBS([rad_create_request], [radius])
 	else
 		if test -d "$libradius_dir/lib" -a \
 		    -d "$libradius_dir/include" ; then
-			RACOON_PATH_LIBS(rad_create_request, radius, "$libradius_dir/lib")
+			RACOON_PATH_LIBS([rad_create_request], [radius], ["$libradius_dir/lib"])
 			CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libradius_dir/include"
 		else
 			AC_MSG_ERROR([RADIUS libs or includes not found. Aborting.])
@@ -313,11 +374,11 @@
 		  libpam_dir="";
 	fi;
 	if test "x$libpam_dir" = "x"; then
-		RACOON_PATH_LIBS(pam_start, pam)
+		RACOON_PATH_LIBS([pam_start], [pam])
 	else
 		if test -d "$libpam_dir/lib" -a \
 		    -d "$libpam_dir/include" ; then
-			RACOON_PATH_LIBS(pam_start, pam, "$libpam_dir/lib")
+			RACOON_PATH_LIBS([pam_start], [pam], ["$libpam_dir/lib"])
 			CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libpam_dir/include"
 		else
 			AC_MSG_ERROR([PAM libs or includes not found. Aborting.])
@@ -352,6 +413,19 @@
         [  --enable-samode-unspec  enable to use unspecified a mode of SA],
         [], [enable_samode_unspec=no])
 if test "x$enable_samode_unspec" = "xyes"; then
+	case $host_os in
+	*linux*)
+		cat << EOC
+		
+ERROR: --enable-samode-unspec is not supported under linux 
+because linux kernel do not support it. This option is disabled 
+to prevent mysterious problems.
+
+If you REALLY know what your are doing, remove this check.
+EOC
+		exit 1;
+		;;
+	esac
 	AC_DEFINE([ENABLE_SAMODE_UNSPECIFIED], [], [Enable samode-unspec])
 fi
 AC_MSG_RESULT($enable_samode_unspec)
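Review bot: The Linux refusal added at the top of the `enable_samode_unspec` branch bypasses autoconf's own error path: a raw `cat << EOC` followed by `exit 1` leaves no trace in config.log and skips the cleanup that `AC_MSG_ERROR` performs, so `AC_MSG_ERROR([--enable-samode-unspec is not supported on Linux: the Linux kernel does not implement it])` is the idiomatic replacement for the whole heredoc. As written the heredoc also emits its tab-indented blank line verbatim and reads "what your are doing". Note that `$host_os` is only populated if `AC_CANONICAL_HOST` runs earlier in configure.ac, which is outside this hunk.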
@@ -392,6 +466,7 @@
 ))
 
 if test "$ipv6" = "yes"; then
+	AC_DEFINE([INET6], [], [Support IPv6])
 	AC_MSG_CHECKING(for advanced API support)
 	AC_TRY_COMPILE([#ifndef INET6
 #define INET6
@@ -439,8 +514,8 @@
 AC_MSG_CHECKING(whether to support NAT-T)
 AC_ARG_ENABLE(natt,
 	[  --enable-natt           enable NAT-Traversal (yes/no/kernel)],
-        [if test "$enable_natt" = "kernel"; then enable_natt=$kernel_natt; fi],
-	[enable_natt=$kernel_natt])
+        [ if test "$enable_natt" = "kernel"; then enable_natt=$kernel_natt; fi ],
+	[ enable_natt=no ])
 AC_MSG_RESULT($enable_natt)
 
 if test "$enable_natt" = "yes"; then
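Review bot: The help string still reads `(yes/no/kernel)` while the default on the new side changes from the kernel-detected value to `no`, so a user who relied on autodetection now gets NAT-T switched off with nothing in `configure --help` to say so; `[  --enable-natt           enable NAT-Traversal (yes/no/kernel) [default=no]]` makes the new default visible. A bare `--enable-natt` also still becomes `yes` without consulting `$kernel_natt`; whether the `if test "$enable_natt" = "yes"` block below verifies kernel support is outside this hunk.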
@@ -500,6 +575,14 @@
 		;;
 esac
 
+AC_CHECK_TYPE([ipsec_policy_t], 
+	      [AC_DEFINE([HAVE_IPSEC_POLICY_T], [], [Have ipsec_policy_t])],
+	      [],
+	      [
+		#include <sys/types.h>
+	      	#include <netinet6/ipsec.h>
+	      ])
+
 CFLAGS="$CFLAGS $CFLAGS_ADD"
 CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
 
@@ -527,5 +610,6 @@
   src/racoon/samples/racoon.conf
   rpm/Makefile
   rpm/suse/Makefile
+  rpm/suse/ipsec-tools.spec
   ])
 AC_OUTPUT
--- a/crypto/dist/ipsec-tools/netbsd-import.sh	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/netbsd-import.sh	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-#	$NetBSD: netbsd-import.sh,v 1.1.1.2 2005/03/14 08:14:25 manu Exp $
+#	$NetBSD: netbsd-import.sh,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $
 #
 # Copyright (c) 2000-2005 The NetBSD Foundation, Inc.
 # All rights reserved.
--- a/crypto/dist/ipsec-tools/rpm/suse/Makefile.am	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/Makefile.am	Sat Sep 03 07:03:49 2005 +0000
@@ -1,15 +1,1 @@
-EXTRA_DIST = ipsec-tools.spec.in racoon.init sysconfig.racoon
-
-all-local: ipsec-tools.spec
-
-## We borrow guile's convention and use @-...-@ as the substitution
-## brackets here, instead of the usual @...@.  This prevents autoconf
-## from substituting the values directly into the left-hand sides of
-## the sed substitutions.  *sigh*
-ipsec-tools.spec: ipsec-tools.spec.in Makefile
-	rm -f $@.tmp
-	sed < $< > $@.tmp \
-	    -e 's:@-VERSION-@:${VERSION}:'
-	mv $@.tmp $@
-
-CLEANFILES = ipsec-tools.spec
+EXTRA_DIST = ipsec-tools.spec.in ipsec-tools.spec racoon.init sysconfig.racoon
--- a/crypto/dist/ipsec-tools/rpm/suse/ipsec-tools.spec.in	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/rpm/suse/ipsec-tools.spec.in	Sat Sep 03 07:03:49 2005 +0000
@@ -1,7 +1,7 @@
 #
 # spec file for package ipsec-tools
 #
-# Copyright (c) 2004 SUSE LINUX AG, Nuernberg, Germany.
+# Copyright (c) 2005 SUSE LINUX AG, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -14,7 +14,7 @@
 BuildRequires: aaa_base acl attr bash bind-utils bison bzip2 coreutils cpio cpp cracklib cvs cyrus-sasl db devs diffutils e2fsprogs file filesystem fillup findutils flex gawk gdbm-devel glibc glibc-devel glibc-locale gpm grep groff gzip info insserv less libacl libattr libgcc libselinux libstdc++ libxcrypt libzio m4 make man mktemp module-init-tools ncurses ncurses-devel net-tools netcfg openldap2-client openssl pam pam-modules patch permissions popt procinfo procps psmisc pwdutils rcs readline sed strace syslogd sysvinit tar tcpd texinfo timezone unzip util-linux vim zlib zlib-devel autoconf automake binutils gcc gdbm gettext kernel-source libtool openssl-devel perl readline-devel rpm
 
 Name:         ipsec-tools
-Version:      @-VERSION-@
+Version:      @VERSION@
 Release:      0
 License:      Other License(s), see package, BSD
 Group:        Productivity/Networking/Security
--- a/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: glibc-bugs.h,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: glibc-bugs.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 #ifndef __GLIBC_BUGS_H__
 #define __GLIBC_BUGS_H__ 1
--- a/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkeyv2.h,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: pfkeyv2.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 #ifndef __NET_PFKEYV2_H_
 #define __NET_PFKEYV2_H_ 1
--- a/crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 #include <net/pfkeyv2.h>
 #include <linux/ipsec.h>
--- a/crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: queue.h,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: queue.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*
  * Copyright (c) 1991, 1993
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: ipsec_dump_policy.c,v 1.1.1.2.2.1 2005/05/01 11:00:32 tron Exp $	*/
+/*	$NetBSD: ipsec_dump_policy.c,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: ipsec_dump_policy.c,v 1.7 2004/10/29 16:37:03 ludvigm Exp */
+/* Id: ipsec_dump_policy.c,v 1.7.4.2 2005/06/29 13:01:27 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -66,7 +66,7 @@
 
 static char *ipsec_dump_ipsecrequest __P((char *, size_t,
 	struct sadb_x_ipsecrequest *, size_t, int));
-static char *ipsec_dump_policy1 __P((caddr_t, char *, int));
+static char *ipsec_dump_policy1 __P((void *, const char *, int));
 static int set_addresses __P((char *, size_t, struct sockaddr *,
 	struct sockaddr *, int));
 static char *set_address __P((char *, size_t, struct sockaddr *, int));
@@ -78,27 +78,27 @@
  */
 char *
 ipsec_dump_policy(policy, delimiter)
-	caddr_t policy;
-	char *delimiter;
+	ipsec_policy_t policy;
+	__ipsec_const char *delimiter;
 {
 	return ipsec_dump_policy1(policy, delimiter, 0);
 }
 
 char *
 ipsec_dump_policy_withports(policy, delimiter)
-	caddr_t policy;
-	char *delimiter;
+	void *policy;
+	const char *delimiter;
 {
 	return ipsec_dump_policy1(policy, delimiter, 1);
 }
 
 static char *
 ipsec_dump_policy1(policy, delimiter, withports)
-	caddr_t policy;
-	char *delimiter;
+	void *policy;
+	const char *delimiter;
 	int withports;
 {
-	struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
+	struct sadb_x_policy *xpl = policy;
 	struct sadb_x_ipsecrequest *xisr;
 	size_t off, buflen;
 	char *buf;
@@ -234,7 +234,7 @@
 	/* count length of buffer for use */
 	off = sizeof(*xpl);
 	while (off < PFKEY_EXTLEN(xpl)) {
-		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+		xisr = (void *)((caddr_t)(void *)xpl + off);
 		off += xisr->sadb_x_ipsecrequest_len;
 	}
 
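Review bot: The length-counting loop on the new side advances `off` by `xisr->sadb_x_ipsecrequest_len` without checking that the request header itself fits in the remaining extension or that the length is non-zero, so a policy blob whose request length is 0 spins forever and one whose header straddles `PFKEY_EXTLEN(xpl)` is read past the extension; the `kdebug_sadb_x_policy` walker touched elsewhere in this commit guards the zero case explicitly. I would reject before advancing: `if (off + sizeof(*xisr) > PFKEY_EXTLEN(xpl) || xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { __ipsec_errcode = EIPSEC_INVAL_ADDRESS; return NULL; }`, substituting whichever EIPSEC_* code the function already uses for malformed input if that one is not the right fit. The second pass visible below bounds each request with `PFKEY_EXTLEN(xpl) - off`, but only after this pass has already walked the blob. `ipsec_dump_policy1` starts and ends outside this hunk.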
@@ -248,7 +248,7 @@
 	off = sizeof(*xpl);
 	while (off < PFKEY_EXTLEN(xpl)) {
 		int offset;
-		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+		xisr = (void *)((caddr_t)(void *)xpl + off);
 
 		if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
 		    PFKEY_EXTLEN(xpl) - off, withports) == NULL) {
@@ -325,9 +325,9 @@
 		struct sockaddr *sa1, *sa2;
 		caddr_t p;
 
-		p = (caddr_t)(xisr + 1);
-		sa1 = (struct sockaddr *)p;
-		sa2 = (struct sockaddr *)(p + sysdep_sa_len(sa1));
+		p = (void *)(xisr + 1);
+		sa1 = (void *)p;
+		sa2 = (void *)(p + sysdep_sa_len(sa1));
 		if (sizeof(*xisr) + sysdep_sa_len(sa1) + sysdep_sa_len(sa2) !=
 		    xisr->sadb_x_ipsecrequest_len) {
 			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
@@ -407,8 +407,8 @@
 	if (len < 1)
 		return NULL;
 	buf[0] = '\0';
-	if (getnameinfo(sa, sysdep_sa_len(sa), host, sizeof(host), serv,
-	    sizeof(serv), niflags) != 0)
+	if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), host, sizeof(host), 
+	    serv, sizeof(serv), niflags) != 0)
 		return NULL;
 
 	if (withports)
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_get_policylen.c,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: ipsec_get_policylen.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $	*/
 
@@ -37,6 +37,7 @@
 
 #include <sys/types.h>
 #include <sys/param.h>
+#include <sys/socket.h>
 
 #ifdef HAVE_NETINET6_IPSEC
 #  include <netinet6/ipsec.h>
@@ -44,14 +45,14 @@
 #  include <netinet/ipsec.h>
 #endif
 
-
 #include <net/pfkeyv2.h>
 
+#include "libpfkey.h"
 #include "ipsec_strerror.h"
 
 int
 ipsec_get_policylen(policy)
-	caddr_t policy;
+	ipsec_policy_t policy;
 {
 	return policy ? PFKEY_EXTLEN(policy) : -1;
 }
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ipsec_set_policy.3,v 1.1.1.2.2.1 2005/07/01 12:24:40 tron Exp $
+.\"	$NetBSD: ipsec_set_policy.3,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $
 .\"
 .\"	$KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
 .\"
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ipsec_strerror.3,v 1.1.1.2.2.1 2005/07/01 12:24:40 tron Exp $
+.\"	$NetBSD: ipsec_strerror.3,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $
 .\"
 .\"	$KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
 .\"
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.c,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: ipsec_strerror.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.h,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $	*/
+/*	$NetBSD: ipsec_strerror.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: ipsec_strerror.h,v 1.4 2004/06/07 09:18:46 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.1.1.2 2005/02/23 14:54:08 manu Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
@@ -118,7 +118,7 @@
 	    base->sadb_msg_seq, base->sadb_msg_pid);
 
 	tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
-	ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
+	ext = (void *)((caddr_t)(void *)base + sizeof(struct sadb_msg));
 
 	while (tlen > 0) {
 		printf("sadb_ext{ len=%u type=%u }\n",
@@ -193,7 +193,7 @@
 
 		extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
 		tlen -= extlen;
-		ext = (struct sadb_ext *)((caddr_t)ext + extlen);
+		ext = (void *)((caddr_t)(void *)ext + extlen);
 	}
 
 	return;
@@ -203,7 +203,7 @@
 kdebug_sadb_prop(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_prop *prop = (struct sadb_prop *)ext;
+	struct sadb_prop *prop = (void *)ext;
 	struct sadb_comb *comb;
 	int len;
 
@@ -213,7 +213,7 @@
 
 	len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop))
 		/ sizeof(*comb);
-	comb = (struct sadb_comb *)(prop + 1);
+	comb = (void *)(prop + 1);
 	printf("sadb_prop{ replay=%u\n", prop->sadb_prop_replay);
 
 	while (len--) {
@@ -253,7 +253,7 @@
 kdebug_sadb_identity(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_ident *id = (struct sadb_ident *)ext;
+	struct sadb_ident *id = (void *)ext;
 	int len;
 
 	/* sanity check */
@@ -273,7 +273,7 @@
 #else
 			char *p, *ep;
 			printf("\n  str=\"");
-			p = (char *)(id + 1);
+			p = (void *)(id + 1);
 			ep = p + len;
 			for (/*nothing*/; *p && p < ep; p++) {
 				if (isprint((int)*p))
@@ -296,7 +296,7 @@
 kdebug_sadb_supported(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_supported *sup = (struct sadb_supported *)ext;
+	struct sadb_supported *sup = (void *)ext;
 	struct sadb_alg *alg;
 	int len;
 
@@ -306,7 +306,7 @@
 
 	len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup))
 		/ sizeof(*alg);
-	alg = (struct sadb_alg *)(sup + 1);
+	alg = (void *)(sup + 1);
 	printf("sadb_sup{\n");
 	while (len--) {
 		printf("  { id=%d ivlen=%d min=%d max=%d }\n",
@@ -323,7 +323,7 @@
 kdebug_sadb_lifetime(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_lifetime *lft = (struct sadb_lifetime *)ext;
+	struct sadb_lifetime *lft = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -343,7 +343,7 @@
 kdebug_sadb_sa(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_sa *sa = (struct sadb_sa *)ext;
+	struct sadb_sa *sa = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -362,7 +362,7 @@
 kdebug_sadb_address(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_address *addr = (struct sadb_address *)ext;
+	struct sadb_address *addr = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -370,10 +370,10 @@
 
 	printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n",
 	    addr->sadb_address_proto, addr->sadb_address_prefixlen,
-	    ((u_char *)&addr->sadb_address_reserved)[0],
-	    ((u_char *)&addr->sadb_address_reserved)[1]);
+	    ((u_char *)(void *)&addr->sadb_address_reserved)[0],
+	    ((u_char *)(void *)&addr->sadb_address_reserved)[1]);
 
-	kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr)));
+	kdebug_sockaddr((void *)((caddr_t)(void *)ext + sizeof(*addr)));
 
 	return;
 }
@@ -382,7 +382,7 @@
 kdebug_sadb_key(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_key *key = (struct sadb_key *)ext;
+	struct sadb_key *key = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -393,15 +393,15 @@
 	printf("  key=");
 
 	/* sanity check 2 */
-	if ((key->sadb_key_bits >> 3) >
+	if (((uint32_t)key->sadb_key_bits >> 3) >
 		(PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) {
 		printf("kdebug_sadb_key: key length mismatch, bit:%d len:%ld.\n",
-			key->sadb_key_bits >> 3,
+			(uint32_t)key->sadb_key_bits >> 3,
 			(long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
 	}
 
-	ipsec_hexdump((caddr_t)key + sizeof(struct sadb_key),
-	              key->sadb_key_bits >> 3);
+	ipsec_hexdump(key + sizeof(struct sadb_key),
+	              (int)((uint32_t)key->sadb_key_bits >> 3));
 	printf(" }\n");
 	return;
 }
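Review bot: Dropping the `caddr_t` cast in the `ipsec_hexdump` call changes the address that is dumped: `key` is a `struct sadb_key *`, so `key + sizeof(struct sadb_key)` steps that many whole structs forward rather than that many bytes, and the dump reads well past the key material; the removed `(caddr_t)key + sizeof(struct sadb_key)` was correct. Use `ipsec_hexdump((caddr_t)(void *)key + sizeof(struct sadb_key), (int)((uint32_t)key->sadb_key_bits >> 3));`, or simply `ipsec_hexdump(key + 1, ...)` in the `(void *)(prop + 1)` style this commit adopts elsewhere in the file. Separately, the "key length mismatch" check only prints and then still dumps `sadb_key_bits >> 3` bytes, so a malformed message over-reads regardless; `printf(" }\n"); return;` after the message closes that.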
@@ -410,7 +410,7 @@
 kdebug_sadb_x_sa2(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)ext;
+	struct sadb_x_sa2 *sa2 = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -429,7 +429,7 @@
 kdebug_sadb_x_policy(ext)
 	struct sadb_ext *ext;
 {
-	struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
+	struct sadb_x_policy *xpl = (void *)ext;
 	struct sockaddr *addr;
 
 	/* sanity check */
@@ -453,7 +453,7 @@
 		struct sadb_x_ipsecrequest *xisr;
 
 		tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
-		xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
+		xisr = (void *)(xpl + 1);
 
 		while (tlen > 0) {
 			printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n",
@@ -464,9 +464,9 @@
 				xisr->sadb_x_ipsecrequest_reqid);
 
 			if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
-				addr = (struct sockaddr *)(xisr + 1);
+				addr = (void *)(xisr + 1);
 				kdebug_sockaddr(addr);
-				addr = (struct sockaddr *)((caddr_t)addr
+				addr = (void *)((caddr_t)(void *)addr
 							+ sysdep_sa_len(addr));
 				kdebug_sockaddr(addr);
 			}
@@ -474,7 +474,7 @@
 			printf(" }\n");
 
 			/* prevent infinite loop */
-			if (xisr->sadb_x_ipsecrequest_len <= 0) {
+			if (xisr->sadb_x_ipsecrequest_len == 0) {
 				printf("kdebug_sadb_x_policy: wrong policy struct.\n");
 				return;
 			}
@@ -486,7 +486,7 @@
 
 			tlen -= xisr->sadb_x_ipsecrequest_len;
 
-			xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+			xisr = (void *)((caddr_t)(void *)xisr
 			                + xisr->sadb_x_ipsecrequest_len);
 		}
 
@@ -501,7 +501,7 @@
 static void
 kdebug_sadb_x_nat_t_type(struct sadb_ext *ext)
 {
-	struct sadb_x_nat_t_type *ntt = (struct sadb_x_nat_t_type *)ext;
+	struct sadb_x_nat_t_type *ntt = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -515,7 +515,7 @@
 static void
 kdebug_sadb_x_nat_t_port(struct sadb_ext *ext)
 {
-	struct sadb_x_nat_t_port *ntp = (struct sadb_x_nat_t_port *)ext;
+	struct sadb_x_nat_t_port *ntp = (void *)ext;
 
 	/* sanity check */
 	if (ext == NULL)
@@ -764,18 +764,17 @@
 
 	switch (addr->sa_family) {
 	case AF_INET:
-		sin4 = (struct sockaddr_in *)addr;
+		sin4 = (void *)addr;
 		printf(" port=%u\n", ntohs(sin4->sin_port));
-		ipsec_hexdump((caddr_t)&sin4->sin_addr, sizeof(sin4->sin_addr));
+		ipsec_hexdump(&sin4->sin_addr, sizeof(sin4->sin_addr));
 		break;
 #ifdef INET6
 	case AF_INET6:
-		sin6 = (struct sockaddr_in6 *)addr;
+		sin6 = (void *)addr;
 		printf(" port=%u\n", ntohs(sin6->sin6_port));
 		printf("  flowinfo=0x%08x, scope_id=0x%08x\n",
 		    sin6->sin6_flowinfo, sin6->sin6_scope_id);
-		ipsec_hexdump((caddr_t)&sin6->sin6_addr,
-		    sizeof(sin6->sin6_addr));
+		ipsec_hexdump(&sin6->sin6_addr, sizeof(sin6->sin6_addr));
 		break;
 #endif
 	}
@@ -801,7 +800,7 @@
 
 void
 ipsec_hexdump(buf, len)
-	caddr_t buf;
+	const void *buf;
 	int len;
 {
 	int i;
@@ -809,7 +808,7 @@
 	for (i = 0; i < len; i++) {
 		if (i != 0 && i % 32 == 0) printf("\n");
 		if (i % 4 == 0) printf(" ");
-		printf("%02x", (unsigned char)buf[i]);
+		printf("%02x", ((const unsigned char *)buf)[i]);
 	}
 #if 0
 	if (i % 32 != 0) printf("\n");
--- a/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: libpfkey.h,v 1.3.2.1 2005/05/01 11:01:11 tron Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.3.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: libpfkey.h,v 1.8.2.1 2005/02/24 13:33:54 manubsd Exp */
+/* Id: libpfkey.h,v 1.8.2.3 2005/06/29 13:01:28 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -52,19 +52,33 @@
 struct sockaddr;
 struct sadb_alg;
 
+/* Accomodate different prototypes in <netinet6/ipsec.h> */
+#include <sys/types.h>
+#ifdef HAVE_NETINET6_IPSEC
+#  include <netinet6/ipsec.h>
+#else 
+#  include <netinet/ipsec.h>
+#endif
+
+#ifndef HAVE_IPSEC_POLICY_T
+typedef caddr_t ipsec_policy_t;
+#define __ipsec_const
+#else
+#define __ipsec_const const
+#endif
+
 /* IPsec Library Routines */
 
 int ipsec_check_keylen __P((u_int, u_int, u_int));
 int ipsec_check_keylen2 __P((u_int, u_int, u_int));
 int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
-char *ipsec_dump_policy __P((caddr_t policy, char *delimiter));
-char *ipsec_dump_policy_withports __P((caddr_t policy, char *delimiter));
-void ipsec_hexdump __P((caddr_t buf, int len));
-int  ipsec_get_policylen __P((caddr_t policy));
-caddr_t ipsec_set_policy __P((char *msg, int msglen));
+char *ipsec_dump_policy_withports __P((void *, const char *));
+void ipsec_hexdump __P((const void *, int));
 const char *ipsec_strerror __P((void));
-void kdebug_sadb __P((struct sadb_msg *base));
-
+void kdebug_sadb __P((struct sadb_msg *));
+ipsec_policy_t ipsec_set_policy __P((__ipsec_const char *, int));
+int  ipsec_get_policylen __P((ipsec_policy_t));
+char *ipsec_dump_policy __P((ipsec_policy_t, __ipsec_const char *));
 
 /* PFKey Routines */
 
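Review bot: The new include selection and the `HAVE_IPSEC_POLICY_T` switch make libpfkey.h's prototypes depend on config.h macros that the header does not include itself: a translation unit that includes libpfkey.h before config.h (or without it) picks `<netinet/ipsec.h>` and, on a system whose ipsec.h already declares `ipsec_policy_t`, hits a conflicting `typedef caddr_t ipsec_policy_t` and a mismatched `ipsec_set_policy` signature. A comment above the include block stating the contract would prevent that, e.g. `/* config.h must be included before this header: HAVE_NETINET6_IPSEC selects which ipsec.h is pulled in and HAVE_IPSEC_POLICY_T the prototypes below. */`. The `__ipsec_const` name lives in the implementation-reserved namespace, though the header already uses `__ipsec_errcode`, so it follows the file's own convention.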
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.1.1.2.2.1 2005/04/12 09:29:41 tron Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -131,7 +131,7 @@
 	caddr_t p;
 
 	/* validity check */
-	algno = findsupportedmap(satype);
+	algno = findsupportedmap((int)satype);
 	if (algno == -1) {
 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
 		return NULL;
@@ -143,14 +143,14 @@
 
 	tlen = ipsec_supported[algno]->sadb_supported_len
 		- sizeof(struct sadb_supported);
-	p = (caddr_t)(ipsec_supported[algno] + 1);
+	p = (void *)(ipsec_supported[algno] + 1);
 	while (tlen > 0) {
 		if (tlen < sizeof(struct sadb_alg)) {
 			/* invalid format */
 			break;
 		}
-		if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
-			return (struct sadb_alg *)p;
+		if (((struct sadb_alg *)(void *)p)->sadb_alg_id == alg_id)
+			return (void *)p;
 
 		tlen -= sizeof(struct sadb_alg);
 		p += sizeof(struct sadb_alg);
@@ -181,12 +181,12 @@
 	if (*ipsup)
 		free(*ipsup);
 
-	*ipsup = malloc(sup->sadb_supported_len);
+	*ipsup = malloc((size_t)sup->sadb_supported_len);
 	if (!*ipsup) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	memcpy(*ipsup, sup, sup->sadb_supported_len);
+	memcpy(*ipsup, sup, (size_t)sup->sadb_supported_len);
 
 	return 0;
 }
@@ -206,7 +206,7 @@
 	u_int alg_id;
 	u_int keylen;
 {
-	int satype;
+	u_int satype;
 
 	/* validity check */
 	switch (supported) {
@@ -355,7 +355,7 @@
 		return soft_lifetime_usetime_rate;
 	}
 
-	return ~0;
+	return (u_int)~0;
 }
 
 /*
@@ -411,19 +411,19 @@
 		+ sizeof(struct sadb_address)
 		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
 
-	if (min > 255 && max < ~0) {
+	if (min > 255 && max < (u_int)~0) {
 		need_spirange++;
 		len += sizeof(struct sadb_spirange);
 	}
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
-	    len, satype, seq, getpid());
+	p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_GETSPI,
+	    (u_int)len, satype, seq, getpid());
 	if (!p) {
 		free(newmsg);
 		return -1;
@@ -436,7 +436,7 @@
 	}
 
 	/* set sadb_address for source */
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p) {
 		free(newmsg);
@@ -444,7 +444,7 @@
 	}
 
 	/* set sadb_address for destination */
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p) {
 		free(newmsg);
@@ -511,8 +511,8 @@
 	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
 			reqid, wsize,
 			keymat, e_type, e_keylen, a_type, a_keylen, flags,
-			l_alloc, l_bytes, l_addtime, l_usetime, seq,
-			0, 0, 0, NULL, 0)) < 0)
+			l_alloc, (u_int)l_bytes, (u_int)l_addtime, 
+			(u_int)l_usetime, seq, 0, 0, 0, NULL, 0)) < 0)
 		return -1;
 
 	return len;
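Review bot: The new `(u_int)l_bytes`, `(u_int)l_addtime` and `(u_int)l_usetime` casts in the `pfkey_send_x1` call silently narrow the lifetime arguments; if these are the 64-bit quantities the sadb_lifetime extension carries (the explicit narrowing suggests the caller's parameters are wider than `u_int`, but both prototypes are outside this hunk), a byte lifetime of 4 GiB or more wraps to a small or zero value and the SA is installed with a lifetime other than the one requested. Either widen `pfkey_send_x1`'s lifetime parameters to `u_int64_t` or reject values above `UINT_MAX` before the call instead of casting them away. The same casts appear in the three sibling hunks below that call `pfkey_send_x1` with `SADB_UPDATE` and `SADB_ADD`.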
@@ -543,9 +543,9 @@
 	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
 			reqid, wsize,
 			keymat, e_type, e_keylen, a_type, a_keylen, flags,
-			l_alloc, l_bytes, l_addtime, l_usetime, seq,
-			l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
-			l_natt_frag)) < 0)
+			l_alloc, (u_int)l_bytes, (u_int)l_addtime, 
+			(u_int)l_usetime, seq, l_natt_type, l_natt_sport, 
+			l_natt_dport, l_natt_oa, l_natt_frag)) < 0)
 		return -1;
 
 	return len;
@@ -577,8 +577,8 @@
 	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
 			reqid, wsize,
 			keymat, e_type, e_keylen, a_type, a_keylen, flags,
-			l_alloc, l_bytes, l_addtime, l_usetime, seq,
-			0, 0, 0, NULL, 0)) < 0)
+			l_alloc, (u_int)l_bytes, (u_int)l_addtime, 
+			(u_int)l_usetime, seq, 0, 0, 0, NULL, 0)) < 0)
 		return -1;
 
 	return len;
@@ -609,9 +609,9 @@
 	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
 			reqid, wsize,
 			keymat, e_type, e_keylen, a_type, a_keylen, flags,
-			l_alloc, l_bytes, l_addtime, l_usetime, seq,
-			l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
-			l_natt_frag)) < 0)
+			l_alloc, (u_int)l_bytes, (u_int)l_addtime, 
+			(u_int)l_usetime, seq, l_natt_type, l_natt_sport, 
+			l_natt_dport, l_natt_oa, l_natt_frag)) < 0)
 		return -1;
 
 	return len;
@@ -647,6 +647,7 @@
  *	positive: success and return length sent
  *	-1	: error occured, and set errno
  */
+/*ARGSUSED*/
 int
 pfkey_send_delete_all(so, satype, mode, src, dst)
 	int so;
@@ -687,25 +688,25 @@
 		+ sizeof(struct sadb_address)
 		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
-	    getpid());
+	p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_DELETE, (u_int)len, 
+	    satype, 0, getpid());
 	if (!p) {
 		free(newmsg);
 		return -1;
 	}
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p) {
 		free(newmsg);
 		return -1;
 	}
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p || p != ep) {
 		free(newmsg);
@@ -766,7 +767,7 @@
 			}
 		}
 	} else {
-		algno = findsupportedmap(satype);
+		algno = findsupportedmap((int)satype);
 		if (algno == -1) {
 			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
 			return -1;
@@ -846,13 +847,13 @@
 		return -1;
 	}
 
-	p = (caddr_t)msg;
+	p = (void *)msg;
 	ep = p + tlen;
 
 	p += sizeof(struct sadb_msg);
 
 	while (p < ep) {
-		sup = (struct sadb_supported *)p;
+		sup = (void *)p;
 		if (ep < p + sizeof(*sup) ||
 		    PFKEY_EXTLEN(sup) < sizeof(*sup) ||
 		    ep < p + sup->sadb_supported_len) {
@@ -946,7 +947,8 @@
 {
 	int len;
 
-	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
+	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, 
+	    (u_int)(flag ? 1 : 0))) < 0)
 		return -1;
 
 	return len;
@@ -971,7 +973,7 @@
 
 	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
 				src, prefs, dst, prefd, proto,
-				0, 0,
+				(u_int64_t)0, (u_int64_t)0,
 				policy, policylen, seq)) < 0)
 		return -1;
 
@@ -1025,7 +1027,7 @@
 
 	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
 				src, prefs, dst, prefd, proto,
-				0, 0,
+				(u_int64_t)0, (u_int64_t)0,
 				policy, policylen, seq)) < 0)
 		return -1;
 
@@ -1084,7 +1086,7 @@
 
 	if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
 				src, prefs, dst, prefd, proto,
-				0, 0,
+				(u_int64_t)0, (u_int64_t)0,
 				policy, policylen, seq)) < 0)
 		return -1;
 
@@ -1153,7 +1155,7 @@
 
 	if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
 				src, prefs, dst, prefd, proto,
-				0, 0,
+				(u_int64_t)0, (u_int64_t)0,
 				policy, policylen, seq)) < 0)
 		return -1;
 
@@ -1305,7 +1307,11 @@
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	/* add nat-t packets */
 	if (l_natt_type) {
-		if (satype != SADB_SATYPE_ESP) {
+		switch(satype) {
+		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_IPCOMP:
+			break;
+		default:
 			__ipsec_errcode = EIPSEC_NO_ALGS;
 			return -1;
 		}
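Review bot: The switch that now lets `SADB_X_SATYPE_IPCOMP` through alongside ESP when NAT-T fields are set carries no comment saying why IPComp is acceptable, and the error returned for every other SA type is still `EIPSEC_NO_ALGS`, which does not describe the condition, so a reader cannot tell whether IPCOMP was added deliberately. I would add `/* NAT-T encapsulation applies to ESP, and to the IPComp SA negotiated together with it. */` above the switch — the second clause is my inference from the change and should be confirmed by its author. The enclosing `pfkey_send_x1` begins and continues outside this hunk.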
@@ -1323,13 +1329,13 @@
 	}
 #endif
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
 	                     satype, seq, getpid());
 	if (!p) {
 		free(newmsg);
@@ -1345,13 +1351,13 @@
 		free(newmsg);
 		return -1;
 	}
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p) {
 		free(newmsg);
 		return -1;
 	}
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p) {
 		free(newmsg);
@@ -1415,7 +1421,7 @@
 		if (l_natt_oa) {
 			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
 					      l_natt_oa,
-					      PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa)),
+					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa)),
 					      IPSEC_ULPROTO_ANY);
 			if (!p) {
 				free(newmsg);
@@ -1453,6 +1459,7 @@
 }
 
 /* sending SADB_DELETE or SADB_GET message to the kernel */
+/*ARGSUSED*/
 static int
 pfkey_send_x2(so, type, satype, mode, src, dst, spi)
 	int so;
@@ -1495,13 +1502,13 @@
 		+ sizeof(struct sadb_address)
 		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
+	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0,
 	    getpid());
 	if (!p) {
 		free(newmsg);
@@ -1512,13 +1519,13 @@
 		free(newmsg);
 		return -1;
 	}
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p) {
 		free(newmsg);
 		return -1;
 	}
-	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
 	    IPSEC_ULPROTO_ANY);
 	if (!p || p != ep) {
 		free(newmsg);
@@ -1577,13 +1584,13 @@
 	/* create new sadb_msg to send. */
 	len = sizeof(struct sadb_msg);
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
+	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0,
 	    getpid());
 	if (!p || p != ep) {
 		free(newmsg);
@@ -1654,13 +1661,13 @@
 		+ sizeof(struct sadb_lifetime)
 		+ policylen;
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, (u_int)len,
 	    SADB_SATYPE_UNSPEC, seq, getpid());
 	if (!p) {
 		free(newmsg);
@@ -1677,12 +1684,12 @@
 		return -1;
 	}
 	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
-			0, 0, ltime, vtime);
+			0, 0, (u_int)ltime, (u_int)vtime);
 	if (!p || p + policylen != ep) {
 		free(newmsg);
 		return -1;
 	}
-	memcpy(p, policy, policylen);
+	memcpy(p, policy, (size_t)policylen);
 
 	/* send message */
 	len = pfkey_send(so, newmsg, len);
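Review bot: The new `(u_int)ltime, (u_int)vtime` casts make a narrowing conversion explicit but silent: if, as their use as SADB lifetimes suggests, the parameters are 64-bit (their declarations are outside this hunk), any value above UINT_MAX is truncated to its low 32 bits and the kernel is handed a shorter hard lifetime than the caller asked for. A range check that fails loudly is preferable to the cast, e.g. `if (ltime > UINT_MAX || vtime > UINT_MAX) { free(newmsg); return -1; }` with whichever `__ipsec_errcode` value this file uses for bad arguments. The `(size_t)policylen` in the memcpy is fine here because the line above it already verified `p + policylen == ep`.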
@@ -1712,13 +1719,13 @@
 	len = sizeof(struct sadb_msg)
 		+ sizeof(xpl);
 
-	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
-	ep = ((caddr_t)newmsg) + len;
+	ep = ((caddr_t)(void *)newmsg) + len;
 
-	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
 	    SADB_SATYPE_UNSPEC, 0, getpid());
 	if (!p) {
 		free(newmsg);
@@ -1806,7 +1813,7 @@
 	struct sadb_msg buf, *newmsg;
 	int len, reallen;
 
-	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
+	while ((len = recv(so, (void *)&buf, sizeof(buf), MSG_PEEK)) < 0) {
 		if (errno == EINTR)
 			continue;
 		__ipsec_set_strerror(strerror(errno));
@@ -1814,19 +1821,19 @@
 	}
 
 	if (len < sizeof(buf)) {
-		recv(so, (caddr_t)&buf, sizeof(buf), 0);
+		recv(so, (void *)&buf, sizeof(buf), 0);
 		__ipsec_errcode = EIPSEC_MAX;
 		return NULL;
 	}
 
 	/* read real message */
 	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
-	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
+	if ((newmsg = CALLOC((size_t)reallen, struct sadb_msg *)) == 0) {
 		__ipsec_set_strerror(strerror(errno));
 		return NULL;
 	}
 
-	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
+	while ((len = recv(so, (void *)newmsg, (socklen_t)reallen, 0)) < 0) {
 		if (errno == EINTR)
 			continue;
 		__ipsec_set_strerror(strerror(errno));
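Review bot: `reallen = PFKEY_UNUNIT64(buf.sadb_msg_len)` takes the allocation and read size straight from the peeked header without checking that it is at least `sizeof(buf)`; a message advertising `sadb_msg_len == 0` leads to `CALLOC(0)` and a zero-length `recv`, and whoever consumes the result reads `sadb_msg_len` from a buffer too small to hold the base header, unless the remainder of pfkey_recv (outside this hunk) rejects it. The same rejection used for a short peek just above would do, placed before the CALLOC: `if (reallen < sizeof(buf)) { recv(so, (void *)&buf, sizeof(buf), 0); __ipsec_errcode = EIPSEC_MAX; return NULL; }`. The `(socklen_t)reallen` cast itself is safe since the 16-bit unit count bounds the value, and the peer on a PF_KEY socket is the kernel, so exposure is low but the check is cheap.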
@@ -1863,7 +1870,7 @@
 	struct sadb_msg *msg;
 	int len;
 {
-	if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
+	if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) {
 		__ipsec_set_strerror(strerror(errno));
 		return -1;
 	}
@@ -1906,17 +1913,17 @@
 	for (i = 0; i < SADB_EXT_MAX + 1; i++)
 		mhp[i] = NULL;
 
-	mhp[0] = (caddr_t)msg;
+	mhp[0] = (void *)msg;
 
 	/* initialize */
-	p = (caddr_t) msg;
+	p = (void *) msg;
 	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
 
 	/* skip base header */
 	p += sizeof(struct sadb_msg);
 
 	while (p < ep) {
-		ext = (struct sadb_ext *)p;
+		ext = (void *)p;
 		if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
 		    ep < p + PFKEY_EXTLEN(ext)) {
 			/* invalid format */
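Review bot: The extension walk is bounded by `ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len)`, i.e. by the length the message claims rather than by a caller-supplied buffer size, so the per-extension checks on the last two lines are only sound if the caller already verified that `sadb_msg_len` bytes were really received. That precondition deserves a comment at the top of the function, e.g. `/* Caller must guarantee the buffer really holds PFKEY_UNUNIT64(msg->sadb_msg_len) bytes: the walk below trusts that length. */`; whether pfkey_recv enforces it is outside this view. pfkey_align's head is before this hunk.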
@@ -1961,7 +1968,7 @@
 #ifdef SADB_X_EXT_TAG
 		case SADB_X_EXT_TAG:
 #endif
-			mhp[ext->sadb_ext_type] = (caddr_t)ext;
+			mhp[ext->sadb_ext_type] = (void *)ext;
 			break;
 		default:
 			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
@@ -2003,7 +2010,7 @@
 		return -1;
 	}
 
-	msg = (struct sadb_msg *)mhp[0];
+	msg = (void *)mhp[0];
 
 	/* check version */
 	if (msg->sadb_msg_version != PF_KEY_V2) {
@@ -2078,8 +2085,8 @@
 	 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
 		struct sadb_address *src0, *dst0;
 
-		src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
-		dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
+		src0 = (void *)(mhp[SADB_EXT_ADDRESS_SRC]);
+		dst0 = (void *)(mhp[SADB_EXT_ADDRESS_DST]);
 
 		if (src0->sadb_address_proto != dst0->sadb_address_proto) {
 			__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
@@ -2127,7 +2134,7 @@
 	struct sadb_msg *p;
 	u_int len;
 
-	p = (struct sadb_msg *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_msg);
 
 	if (buf + len > lim)
@@ -2160,7 +2167,7 @@
 	struct sadb_sa *p;
 	u_int len;
 
-	p = (struct sadb_sa *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_sa);
 
 	if (buf + len > lim)
@@ -2196,7 +2203,7 @@
 	struct sadb_address *p;
 	u_int len;
 
-	p = (struct sadb_address *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(saddr));
 
 	if (buf + len > lim)
@@ -2209,7 +2216,7 @@
 	p->sadb_address_prefixlen = prefixlen;
 	p->sadb_address_reserved = 0;
 
-	memcpy(p + 1, saddr, sysdep_sa_len(saddr));
+	memcpy(p + 1, saddr, (size_t)sysdep_sa_len(saddr));
 
 	return(buf + len);
 }
@@ -2228,7 +2235,7 @@
 	struct sadb_key *p;
 	u_int len;
 
-	p = (struct sadb_key *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
 
 	if (buf + len > lim)
@@ -2259,7 +2266,7 @@
 	struct sadb_lifetime *p;
 	u_int len;
 
-	p = (struct sadb_lifetime *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_lifetime);
 
 	if (buf + len > lim)
@@ -2306,7 +2313,7 @@
 	u_int8_t mode = mode0 & 0xff;
 	u_int len;
 
-	p = (struct sadb_x_sa2 *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_x_sa2);
 
 	if (buf + len > lim)
@@ -2332,7 +2339,7 @@
 	struct sadb_x_nat_t_type *p;
 	u_int len;
 
-	p = (struct sadb_x_nat_t_type *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_x_nat_t_type);
 
 	if (buf + len > lim)
@@ -2356,7 +2363,7 @@
 	struct sadb_x_nat_t_port *p;
 	u_int len;
 
-	p = (struct sadb_x_nat_t_port *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_x_nat_t_port);
 
 	if (buf + len > lim)
@@ -2382,7 +2389,7 @@
 	struct sadb_x_nat_t_frag *p;
 	u_int len;
 
-	p = (struct sadb_x_nat_t_frag *)buf;
+	p = (void *)buf;
 	len = sizeof(struct sadb_x_nat_t_frag);
 
 	if (buf + len > lim)
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.1.1.2.2.3 2005/05/01 22:15:51 tron Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.1.1.2.2.4 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -83,6 +83,7 @@
 
 #define GETMSGSTR(str, num) \
 do { \
+	/*CONSTCOND*/ \
 	if (sizeof((str)[0]) == 0 \
 	 || num >= sizeof(str)/sizeof((str)[0])) \
 		printf("%u ", (num)); \
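Review bot: `num >= sizeof(str)/sizeof((str)[0])` uses the macro argument unparenthesised while every other use in GETMSGSTR writes `(num)`; an argument such as `a ? b : c` would bind wrongly, so it should be `|| (num) >= sizeof(str)/sizeof((str)[0])) \`. The `/*CONSTCOND*/` annotation itself is fine, as `sizeof((str)[0]) == 0` is a compile-time constant by construction.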
@@ -90,7 +91,7 @@
 		printf("%u ", (num)); \
 	else \
 		printf("%s ", (str)[(num)]); \
-} while (0)
+} while (/*CONSTCOND*/0)
 
 #define GETMSGV2S(v2s, num) \
 do { \
@@ -103,7 +104,7 @@
 		printf("%s ", p->str); \
 	else \
 		printf("%u ", (num)); \
-} while (0)
+} while (/*CONSTCOND*/0)
 
 static char *str_ipaddr __P((struct sockaddr *));
 static char *str_prefport __P((u_int, u_int, u_int, u_int));
@@ -159,13 +160,13 @@
 	{ SADB_X_AALG_TCP_MD5, "tcp-md5", },
 #endif
 #ifdef SADB_X_AALG_SHA2_256
-	{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
+	{ SADB_X_AALG_SHA2_256, "hmac-sha256", },
 #endif
 #ifdef SADB_X_AALG_SHA2_384
-	{ SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
+	{ SADB_X_AALG_SHA2_384, "hmac-sha384", },
 #endif
 #ifdef SADB_X_AALG_SHA2_512
-	{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
+	{ SADB_X_AALG_SHA2_512, "hmac-sha512", },
 #endif
 #ifdef SADB_X_AALG_RIPEMD160HMAC
 	{ SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
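Review bot: Renaming the printed algorithm names from `hmac-sha2-256` to `hmac-sha256` (and the 384/512 entries) changes the text the SA dump emits, which scripts and monitoring that parse that output may match on; the racoon config lexer in this commit accepts both spellings, but the dump has no such compatibility path. If the old spelling is still accepted by setkey's parser (outside this view) that is worth stating in NEWS, and a table comment such as `/* printed names; keep in sync with setkey's parser and the documentation */` would help the next renamer.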
@@ -217,10 +218,15 @@
 	struct sadb_sa *m_sa;
 	struct sadb_x_sa2 *m_sa2;
 	struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
-	struct sadb_address *m_saddr, *m_daddr, *m_paddr;
+	struct sadb_address *m_saddr, *m_daddr;
+#ifdef notdef
+	struct sadb_address *m_paddr;
+#endif
 	struct sadb_key *m_auth, *m_enc;
+#ifdef notdef
 	struct sadb_ident *m_sid, *m_did;
 	struct sadb_sens *m_sens;
+#endif
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	struct sadb_x_nat_t_type *natt_type;
 	struct sadb_x_nat_t_port *natt_sport, *natt_dport;
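Review bot: Wrapping `m_paddr`, `m_sid`, `m_did` and `m_sens` in `#ifdef notdef` keeps dead declarations in the source merely to silence unused-variable warnings; since the names are never read, deleting the declarations (and the matching `#ifdef notdef` assignments later in the function) is the cleaner fix and leaves nothing to rot. If the intent is to mark extensions the dump could show one day, a single comment `/* PROXY, IDENTITY_* and SENSITIVITY extensions are received but not printed */` says that better than preserved code.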
@@ -239,24 +245,28 @@
 		return;
 	}
 
-	m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-	m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
-	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
-	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
-	m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
-	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
-	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
-	m_paddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_PROXY];
-	m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
-	m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
-	m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
-	m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
-	m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
+	m_sa = (void *)mhp[SADB_EXT_SA];
+	m_sa2 = (void *)mhp[SADB_X_EXT_SA2];
+	m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT];
+	m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD];
+	m_lfts = (void *)mhp[SADB_EXT_LIFETIME_SOFT];
+	m_saddr = (void *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (void *)mhp[SADB_EXT_ADDRESS_DST];
+#ifdef notdef
+	m_paddr = (void *)mhp[SADB_EXT_ADDRESS_PROXY];
+#endif
+	m_auth = (void *)mhp[SADB_EXT_KEY_AUTH];
+	m_enc = (void *)mhp[SADB_EXT_KEY_ENCRYPT];
+#ifdef notdef
+	m_sid = (void *)mhp[SADB_EXT_IDENTITY_SRC];
+	m_did = (void *)mhp[SADB_EXT_IDENTITY_DST];
+	m_sens = (void *)mhp[SADB_EXT_SENSITIVITY];
+#endif
 #ifdef SADB_X_EXT_NAT_T_TYPE
-	natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE];
-	natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT];
-	natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT];
-	natt_oa = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OA];
+	natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
+	natt_sport = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
+	natt_dport = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
+	natt_oa = (void *)mhp[SADB_X_EXT_NAT_T_OA];
 
 	if (natt_type && natt_type->sadb_x_nat_t_type_type)
 		use_natt = 1;
@@ -267,7 +277,7 @@
 		printf("no ADDRESS_SRC extension.\n");
 		return;
 	}
-	printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
+	printf("%s", str_ipaddr((void *)(m_saddr + 1)));
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	if (use_natt && natt_sport)
 		printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
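Review bot: `str_ipaddr((void *)(m_saddr + 1))` hands the sockaddr that follows the extension header to getnameinfo with `sysdep_sa_len(sa)` as its length (see str_ipaddr further down in this file), and nothing visible checks that this in-message `sa_len` fits inside `PFKEY_EXTLEN(m_saddr)`; a malformed extension would make getnameinfo read past the extension. A check before the call, `if (sysdep_sa_len((struct sockaddr *)(m_saddr + 1)) > PFKEY_EXTLEN(m_saddr) - sizeof(*m_saddr)) { printf("bad ADDRESS_SRC length.\n"); return; }`, mirrors the existing missing-extension handling. The source is the kernel via PF_KEY, so exposure is low, but pfkey_align validates only the extension lengths, not the embedded sockaddr.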
@@ -279,7 +289,7 @@
 		printf(" no ADDRESS_DST extension.\n");
 		return;
 	}
-	printf("%s", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
+	printf("%s", str_ipaddr((void *)(m_daddr + 1)));
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	if (use_natt && natt_dport)
 		printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
@@ -320,7 +330,7 @@
 	/* other NAT-T information */
 	if (use_natt && natt_oa)
 		printf("\tNAT OA=%s\n",
-		       str_ipaddr((struct sockaddr *)(natt_oa + 1)));
+		       str_ipaddr((void *)(natt_oa + 1)));
 #endif
 
 	/* encryption key */
@@ -331,7 +341,7 @@
 		if (m_enc != NULL) {
 			printf("\tE: ");
 			GETMSGV2S(str_alg_enc, m_sa->sadb_sa_encrypt);
-			ipsec_hexdump((caddr_t)m_enc + sizeof(*m_enc),
+			ipsec_hexdump((caddr_t)(void *)m_enc + sizeof(*m_enc),
 				      m_enc->sadb_key_bits / 8);
 			printf("\n");
 		}
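Review bot: `ipsec_hexdump(..., m_enc->sadb_key_bits / 8)` trusts the key-bit count in the extension for the length of the dump; nothing here compares it with `PFKEY_EXTLEN(m_enc) - sizeof(*m_enc)`, so an inconsistent extension would print bytes past the key. Guarding with `if (m_enc->sadb_key_bits / 8 > PFKEY_EXTLEN(m_enc) - sizeof(*m_enc)) { printf("bad KEY_ENCRYPT length\n"); return; }` before the dump is cheap. Separately, this path writes raw SA key material to stdout; a comment `/* prints key material: dump output is sensitive */` is worth adding since this output is easy to paste into tickets.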
@@ -341,7 +351,7 @@
 	if (m_auth != NULL) {
 		printf("\tA: ");
 		GETMSGV2S(str_alg_auth, m_sa->sadb_sa_auth);
-		ipsec_hexdump((caddr_t)m_auth + sizeof(*m_auth),
+		ipsec_hexdump((caddr_t)(void *)m_auth + sizeof(*m_auth),
 		              m_auth->sadb_key_bits / 8);
 		printf("\n");
 	}
@@ -362,7 +372,7 @@
 		time_t tmp_time = time(0);
 
 		printf("\tcreated: %s",
-			str_time(m_lftc->sadb_lifetime_addtime));
+			str_time((long)m_lftc->sadb_lifetime_addtime));
 		printf("\tcurrent: %s\n", str_time(tmp_time));
 		printf("\tdiff: %lu(s)",
 			(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
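Review bot: `str_time((long)m_lftc->sadb_lifetime_addtime)` narrows the lifetime field to `long`; if the field is 64-bit (the PF_KEY definition is outside this view) the cast silently truncates on ILP32 platforms and can turn a large value negative, so str_time would format a wrong date. Since the value is a timestamp, casting to `time_t` and adjusting str_time's parameter to match is the type-correct fix, e.g. `str_time((time_t)m_lftc->sadb_lifetime_addtime)`. str_time's prototype is not visible in this hunk, so the other half of that change lives elsewhere.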
@@ -376,7 +386,7 @@
 			0 : m_lfts->sadb_lifetime_addtime));
 
 		printf("\tlast: %s",
-			str_time(m_lftc->sadb_lifetime_usetime));
+			str_time((long)m_lftc->sadb_lifetime_usetime));
 		printf("\thard: %lu(s)",
 			(u_long)(m_lfth == NULL ?
 			0 : m_lfth->sadb_lifetime_usetime));
@@ -449,14 +459,14 @@
 		return;
 	}
 
-	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
-	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+	m_saddr = (void *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (void *)mhp[SADB_EXT_ADDRESS_DST];
 #ifdef SADB_X_EXT_TAG
-	m_tag = (struct sadb_x_tag *)mhp[SADB_X_EXT_TAG];
+	m_tag = (void *)mhp[SADB_X_EXT_TAG];
 #endif
-	m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
-	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+	m_xpl = (void *)mhp[SADB_X_EXT_POLICY];
+	m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT];
+	m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD];
 
 #ifdef __linux__
 	/* *bsd indicates per-socket policies by omiting src and dst 
@@ -469,19 +479,20 @@
 #endif
 	if (m_saddr && m_daddr) {
 		/* source address */
-		sa = (struct sockaddr *)(m_saddr + 1);
+		sa = (void *)(m_saddr + 1);
 		switch (sa->sa_family) {
 		case AF_INET:
 		case AF_INET6:
-			if (getnameinfo(sa, sysdep_sa_len(sa), NULL, 0,
-			    pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
+			if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL,
+			    0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
 				sport = 0;	/*XXX*/
 			else
 				sport = atoi(pbuf);
 			printf("%s%s ", str_ipaddr(sa),
-				str_prefport(sa->sa_family,
-				    m_saddr->sadb_address_prefixlen, sport,
-				    m_saddr->sadb_address_proto));
+				str_prefport((u_int)sa->sa_family,
+				    (u_int)m_saddr->sadb_address_prefixlen, 
+				    (u_int)sport,
+				    (u_int)m_saddr->sadb_address_proto));
 			break;
 		default:
 			printf("unknown-af ");
@@ -489,19 +500,20 @@
 		}
 
 		/* destination address */
-		sa = (struct sockaddr *)(m_daddr + 1);
+		sa = (void *)(m_daddr + 1);
 		switch (sa->sa_family) {
 		case AF_INET:
 		case AF_INET6:
-			if (getnameinfo(sa, sysdep_sa_len(sa), NULL, 0,
-			    pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
+			if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL,
+			    0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
 				dport = 0;	/*XXX*/
 			else
 				dport = atoi(pbuf);
 			printf("%s%s ", str_ipaddr(sa),
-				str_prefport(sa->sa_family,
-				    m_daddr->sadb_address_prefixlen, dport,
-				    m_saddr->sadb_address_proto));
+				str_prefport((u_int)sa->sa_family,
+				    (u_int)m_daddr->sadb_address_prefixlen, 
+				    (u_int)dport,
+				    (u_int)m_saddr->sadb_address_proto));
 			break;
 		default:
 			printf("unknown-af ");
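Review bot: The destination block still passes `(u_int)m_saddr->sadb_address_proto` to str_prefport for the destination address (carried over from the old `m_saddr->sadb_address_proto`), while every other field on that call comes from `m_daddr`; it reads like a copy-paste slip and should be `(u_int)m_daddr->sadb_address_proto`. The mismatch check below does reject SPs whose two protos differ, but only after the wrong value has already been printed.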
@@ -514,7 +526,8 @@
 			printf("upper layer protocol mismatched.\n");
 			return;
 		}
-		str_upperspec(m_saddr->sadb_address_proto, sport, dport);
+		str_upperspec((u_int)m_saddr->sadb_address_proto, (u_int)sport,
+		    (u_int)dport);
 	}
 #ifdef SADB_X_EXT_TAG
 	else if (m_tag)
@@ -532,9 +545,9 @@
 		return;
 	}
 	if (withports)
-		d_xpl = ipsec_dump_policy_withports((char *)m_xpl, "\n\t");
+		d_xpl = ipsec_dump_policy_withports(m_xpl, "\n\t");
 	else
-		d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+		d_xpl = ipsec_dump_policy((ipsec_policy_t)m_xpl, "\n\t");
 		
 	if (!d_xpl)
 		printf("\n\tPolicy:[%s]\n", ipsec_strerror());
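Review bot: The two calls now cast asymmetrically — `ipsec_dump_policy_withports(m_xpl, "\n\t")` passes `m_xpl` bare while `ipsec_dump_policy((ipsec_policy_t)m_xpl, "\n\t")` casts it — which suggests the two prototypes take different parameter types. Either give both functions the same `ipsec_policy_t` parameter (their declarations are outside this view) or cast both calls so the intent is visible at the call site.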
@@ -548,9 +561,9 @@
 	/* lifetime */
 	if (m_lftc) {
 		printf("\tcreated: %s  ",
-			str_time(m_lftc->sadb_lifetime_addtime));
+			str_time((long)m_lftc->sadb_lifetime_addtime));
 		printf("lastused: %s\n",
-			str_time(m_lftc->sadb_lifetime_usetime));
+			str_time((long)m_lftc->sadb_lifetime_usetime));
 	}
 	if (m_lfth) {
 		printf("\tlifetime: %lu(s) ",
@@ -584,7 +597,8 @@
 	if (sa == NULL)
 		return "";
 
-	if (getnameinfo(sa, sysdep_sa_len(sa), buf, sizeof(buf), NULL, 0, niflag) == 0)
+	if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), buf, sizeof(buf), 
+	    NULL, 0, niflag) == 0)
 		return buf;
 	return NULL;
 }
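Review bot: `str_ipaddr` returns `NULL` when getnameinfo fails, and its callers in this file use the result directly as `printf("%s", str_ipaddr(...))`, which is undefined behaviour for a NULL argument (glibc prints `(null)`, other libcs crash). Returning a fixed marker such as `return "?";`, or keeping NULL and checking it at every call site, avoids the crash on an address getnameinfo cannot render. `buf` appears to be a buffer declared above the hunk and returned by address, so the result is presumably overwritten by the next call; a note `/* returns a shared buffer; not reentrant */` would help callers if that is so.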
@@ -649,7 +663,7 @@
 			printf("ip4");
 			break;
 		default:
-			ent = getprotobynumber(ulp);
+			ent = getprotobynumber((int)ulp);
 			if (ent)
 				printf("%s", ent->p_name);
 			else
--- a/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy_parse.y,v 1.1.1.2.2.2 2005/05/28 12:52:29 tron Exp $	*/
+/*	$NetBSD: policy_parse.y,v 1.1.1.2.2.3 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $	*/
 
@@ -116,12 +116,12 @@
     struct _val *portbuf));
 static int rule_check __P((void));
 static int init_x_policy __P((void));
-static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
-static int set_sockaddr __P((struct sockaddr *addr));
+static int set_x_request __P((struct sockaddr *, struct sockaddr *));
+static int set_sockaddr __P((struct sockaddr *));
 static void policy_parse_request_init __P((void));
-static caddr_t policy_parse __P((char *msg, int msglen));
+static void *policy_parse __P((const char *, int));
 
-extern void __policy__strbuffer__init__ __P((char *msg));
+extern void __policy__strbuffer__init__ __P((const char *));
 extern void __policy__strbuffer__free__ __P((void));
 extern int yyparse __P((void));
 extern int yylex __P((void));
@@ -603,9 +603,9 @@
 	return;
 }
 
-static caddr_t
+static void *
 policy_parse(msg, msglen)
-	char *msg;
+	const char *msg;
 	int msglen;
 {
 	int error;
@@ -636,9 +636,9 @@
 	return pbuf;
 }
 
-caddr_t
+ipsec_policy_t
 ipsec_set_policy(msg, msglen)
-	char *msg;
+	__ipsec_const char *msg;
 	int msglen;
 {
 	caddr_t policy;
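Review bot: `ipsec_set_policy` now returns `ipsec_policy_t` and `policy_parse` returns `void *`, yet the local is still `caddr_t policy;`, so the value is converted twice on the way out; declaring it `ipsec_policy_t policy;` matches the new interface and the rest of this cleanup. `msglen` also remains an `int` passed through to policy_parse, whose body is outside this hunk, and a negative length is not rejected anywhere visible.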
@@ -653,4 +653,3 @@
 	__ipsec_errcode = EIPSEC_NO_ERROR;
 	return policy;
 }
-
--- a/crypto/dist/ipsec-tools/src/libipsec/policy_token.l	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_token.l	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: policy_token.l,v 1.1.1.2.2.1 2005/05/12 12:04:12 tron Exp $	*/
+/*	$NetBSD: policy_token.l,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: policy_token.l,v 1.10 2004/11/14 20:15:43 monas Exp */
+/* Id: policy_token.l,v 1.10.4.1 2005/05/07 14:30:38 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: test-policy-priority.c,v 1.1.1.2 2005/02/23 14:54:09 manu Exp $	*/
+/*	$NetBSD: test-policy-priority.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/test-policy.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/test-policy.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: test-policy.c,v 1.1.1.2 2005/02/23 14:54:09 manu Exp $	*/
+/*	$NetBSD: test-policy.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/Makefile.am	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/Makefile.am	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-# Id: Makefile.am,v 1.19.2.1 2005/02/22 23:56:08 manubsd Exp
+# Id: Makefile.am,v 1.19.2.4 2005/07/01 09:11:59 manubsd Exp
 
 sbin_PROGRAMS = racoon racoonctl plainrsa-gen
 noinst_PROGRAMS = eaytest
@@ -10,7 +10,7 @@
 adminsockdir=${localstatedir}/racoon
 
 INCLUDES = -I${srcdir}/../libipsec 
-AM_CFLAGS = @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
+AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
 	-DADMINPORTDIR=\"${adminsockdir}\"
 AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto
 
@@ -93,7 +93,6 @@
    samples/roadwarrior/client/phase1-down.sh \
    samples/roadwarrior/client/phase1-up.sh \
    samples/roadwarrior/client/racoon.conf \
-   samples/roadwarrior/server/phase1-down.sh \
    samples/roadwarrior/server/racoon.conf \
    samples/roadwarrior/server/racoon.conf-radius
 
@@ -115,8 +114,8 @@
 	$(LEX) -ocftoken.c $(srcdir)/cftoken.l
 
 cfparse.h cfparse.c: $(srcdir)/cfparse.y
-	$(YACC) -d $(srcdir)/cfparse.y
-	mv y.tab.c cfparse.c
+	$(YACC) -d $(srcdir)/cfparse.y && \
+	mv y.tab.c cfparse.c && \
 	mv y.tab.h cfparse.h
 
 # Plain-RSA parser
@@ -130,8 +129,8 @@
 	$(LEX) -Pprsa -oprsa_tok.c $(srcdir)/prsa_tok.l
 
 prsa_par.h prsa_par.c: $(srcdir)/prsa_par.y
-	$(YACC) -pprsa -d $(srcdir)/prsa_par.y
-	mv y.tab.c prsa_par.c
+	$(YACC) -pprsa -d $(srcdir)/prsa_par.y && \
+	mv y.tab.c prsa_par.c && \
 	mv y.tab.h prsa_par.h
 
 # special object rules
--- a/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: admin.c,v 1.1.1.2.2.2 2005/07/12 17:37:41 tron Exp $	*/
+/*	$NetBSD: admin.c,v 1.1.1.2.2.3 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: admin.c,v 1.17 2005/01/02 08:39:09 manubsd Exp */
+/* Id: admin.c,v 1.17.2.4 2005/07/12 11:49:44 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
 {
 	int so2;
 	struct sockaddr_storage from;
-	int fromlen = sizeof(from);
+	socklen_t fromlen = sizeof(from);
 	struct admin_com com;
 	char *combuf = NULL;
 	pid_t pid = -1;
@@ -322,7 +322,7 @@
 		}
 
 		plog(LLV_INFO, LOCATION, NULL, 
-		    "Flushing all SA for peer %s\n", rem);
+		    "Flushing all SAs for peer %s\n", rem);
 
 		while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
 			if ((loc = strdup(saddrwop2str(iph1->local))) == NULL) {
--- a/crypto/dist/ipsec-tools/src/racoon/admin.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.h,v 1.1.1.2 2005/02/23 14:54:10 manu Exp $	*/
+/*	$NetBSD: admin.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: admin.h,v 1.10 2004/12/30 13:45:49 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/admin_var.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin_var.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin_var.h,v 1.1.1.2 2005/02/23 14:54:10 manu Exp $	*/
+/*	$NetBSD: admin_var.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: admin_var.h,v 1.7 2004/12/30 00:08:30 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: algorithm.c,v 1.1.1.2 2005/02/23 14:54:11 manu Exp $	*/
+/*	$NetBSD: algorithm.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: algorithm.c,v 1.11 2004/10/24 17:36:46 manubsd Exp */
+/* Id: algorithm.c,v 1.11.4.1 2005/06/28 22:38:02 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -194,15 +194,15 @@
 		NULL,			eay_null_hashlen,
 		NULL, },
 #ifdef WITH_SHA2
-{ "hmac_sha2_256",	algtype_hmac_sha2_256,	IPSECDOI_ATTR_SHA2_256,
+{ "hmac_sha2_256",	algtype_hmac_sha2_256,IPSECDOI_ATTR_AUTH_HMAC_SHA2_256,
 		NULL,			NULL,
 		NULL,			eay_sha2_256_hashlen,
 		NULL, },
-{ "hmac_sha2_384",	algtype_hmac_sha2_384,	IPSECDOI_ATTR_SHA2_384,
+{ "hmac_sha2_384",	algtype_hmac_sha2_384,IPSECDOI_ATTR_AUTH_HMAC_SHA2_384,
 		NULL,			NULL,
 		NULL,			eay_sha2_384_hashlen,
 		NULL, },
-{ "hmac_sha2_512",	algtype_hmac_sha2_512,	IPSECDOI_ATTR_SHA2_512,
+{ "hmac_sha2_512",	algtype_hmac_sha2_512,IPSECDOI_ATTR_AUTH_HMAC_SHA2_512,
 		NULL,			NULL,
 		NULL,			eay_sha2_512_hashlen,
 		NULL, },
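Review bot: Switching the DOI attribute from `IPSECDOI_ATTR_SHA2_256` to `IPSECDOI_ATTR_AUTH_HMAC_SHA2_256` (and the 384/512 rows) changes which constant goes into the authentication-algorithm attribute racoon negotiates; the constants' values are outside this view, so if they differ from the old ones this is an on-the-wire interop change that should be called out in NEWS and tested against a peer. Cosmetically, the new rows dropped the whitespace between the fields (`algtype_hmac_sha2_256,IPSECDOI_ATTR_AUTH_HMAC_SHA2_256`), unlike every other row in the table.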
--- a/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.h,v 1.1.1.2 2005/02/23 14:54:11 manu Exp $	*/
+/*	$NetBSD: algorithm.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: algorithm.h,v 1.8 2004/11/18 15:14:44 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.c,v 1.1.1.2 2005/02/23 14:54:11 manu Exp $	*/
+/*	$NetBSD: backupsa.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/backupsa.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/backupsa.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.h,v 1.1.1.2 2005/02/23 14:54:11 manu Exp $	*/
+/*	$NetBSD: backupsa.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: backupsa.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: cfparse.y,v 1.1.1.4.2.1 2005/05/11 17:42:02 tron Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.1.1.4.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* $Id: cfparse.y,v 1.1.1.4.2.1 2005/05/11 17:42:02 tron Exp $ */
+/* Id: cfparse.y,v 1.37.2.4 2005/05/10 09:45:45 manubsd Exp */
 
 %{
 /*
@@ -1702,7 +1702,7 @@
 	struct secprotospec *s;
 	int prop_no = 1; 
 	int trns_no = 1;
-	u_int32_t types[MAXALGCLASS];
+	int32_t types[MAXALGCLASS];
 
 	p = prspec;
 	if (p->next != 0) {
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse_proto.h,v 1.1.1.2 2005/02/23 14:54:12 manu Exp $	*/
+/*	$NetBSD: cfparse_proto.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: cfparse_proto.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: cftoken.l,v 1.1.1.4.2.1 2005/05/11 17:42:02 tron Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.1.1.4.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* $Id: cftoken.l,v 1.1.1.4.2.1 2005/05/11 17:42:02 tron Exp $ */
+/* Id: cftoken.l,v 1.31.2.5 2005/06/28 22:38:02 manubsd Exp */
 
 %{
 /*
@@ -400,16 +400,22 @@
 hmac_md5	{ YYD; yylval.num = algtype_hmac_md5;	return(ALGORITHMTYPE); }
 hmac_sha1	{ YYD; yylval.num = algtype_hmac_sha1;	return(ALGORITHMTYPE); }
 hmac_sha2_256	{ YYD; yylval.num = algtype_hmac_sha2_256;	return(ALGORITHMTYPE); }
+hmac_sha256	{ YYD; yylval.num = algtype_hmac_sha2_256;	return(ALGORITHMTYPE); }
 hmac_sha2_384	{ YYD; yylval.num = algtype_hmac_sha2_384;	return(ALGORITHMTYPE); }
+hmac_sha384	{ YYD; yylval.num = algtype_hmac_sha2_384;	return(ALGORITHMTYPE); }
 hmac_sha2_512	{ YYD; yylval.num = algtype_hmac_sha2_512;	return(ALGORITHMTYPE); }
+hmac_sha512	{ YYD; yylval.num = algtype_hmac_sha2_512;	return(ALGORITHMTYPE); }
 des_mac		{ YYD; yylval.num = algtype_des_mac;	return(ALGORITHMTYPE); }
 kpdk		{ YYD; yylval.num = algtype_kpdk;	return(ALGORITHMTYPE); }
 md5		{ YYD; yylval.num = algtype_md5;	return(ALGORITHMTYPE); }
 sha1		{ YYD; yylval.num = algtype_sha1;	return(ALGORITHMTYPE); }
 tiger		{ YYD; yylval.num = algtype_tiger;	return(ALGORITHMTYPE); }
 sha2_256	{ YYD; yylval.num = algtype_sha2_256;	return(ALGORITHMTYPE); }
+sha256		{ YYD; yylval.num = algtype_sha2_256;	return(ALGORITHMTYPE); }
 sha2_384	{ YYD; yylval.num = algtype_sha2_384;	return(ALGORITHMTYPE); }
+sha384		{ YYD; yylval.num = algtype_sha2_384;	return(ALGORITHMTYPE); }
 sha2_512	{ YYD; yylval.num = algtype_sha2_512;	return(ALGORITHMTYPE); }
+sha512		{ YYD; yylval.num = algtype_sha2_512;	return(ALGORITHMTYPE); }
 oui		{ YYD; yylval.num = algtype_oui;	return(ALGORITHMTYPE); }
 deflate		{ YYD; yylval.num = algtype_deflate;	return(ALGORITHMTYPE); }
 lzs		{ YYD; yylval.num = algtype_lzs;	return(ALGORITHMTYPE); }
@@ -512,7 +518,7 @@
 		}
 
 {quotedstring}	{
-			u_char *p = yytext;
+			char *p = yytext;
 
 			YYD;
 			while (*++p != '"') ;
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken_proto.h,v 1.1.1.2 2005/02/23 14:54:12 manu Exp $	*/
+/*	$NetBSD: cftoken_proto.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: cftoken_proto.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/* $Id: crypto_openssl.c,v 1.1.1.2.2.2 2005/07/12 17:42:26 tron Exp $ */
-
-/* Id: crypto_openssl.c,v 1.40.4.1 2005/02/22 23:56:08 manubsd Exp */
+/*	$NetBSD: crypto_openssl.c,v 1.1.1.2.2.3 2005/09/03 07:03:49 snj Exp $	*/
+
+/* Id: crypto_openssl.c,v 1.40.4.5 2005/07/12 11:50:15 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -161,7 +161,7 @@
 			if (!X509_NAME_add_entry_by_txt(name, field,
 					(value[0] == '*' && value[1] == 0) ? 
 						V_ASN1_PRINTABLESTRING : MBSTRING_ASC,
-					value, -1, -1, 0)) {
+					(unsigned char *) value, -1, -1, 0)) {
 				plog(LLV_ERROR, LOCATION, NULL, 
 				     "Invalid DN field: %s=%s\n",
 				     field, value);
@@ -187,7 +187,7 @@
 	if (!X509_NAME_add_entry_by_txt(name, field,
 			(value[0] == '*' && value[1] == 0) ? 
 				V_ASN1_PRINTABLESTRING : MBSTRING_ASC,
-			value, -1, -1, 0)) {
+			(unsigned char *) value, -1, -1, 0)) {
 		plog(LLV_ERROR, LOCATION, NULL, 
 		     "Invalid DN field: %s=%s\n",
 		     field, value);
@@ -246,7 +246,7 @@
 	}
 	binbuf = ret->v;
 
-	BN_bn2bin(bn, binbuf);
+	BN_bn2bin(bn, (unsigned char *) binbuf);
 
 out:
 	BN_free(bn);
@@ -596,7 +596,7 @@
 	int len;
 	int error = -1;
 
-	bp = cert->v;
+	bp = (unsigned char *) cert->v;
 
 	x509 = mem2x509(cert);
 	if (x509 == NULL)
@@ -608,7 +608,7 @@
 	if (!name)
 		goto end;
 	/* get the name */
-	bp = name->v;
+	bp = (unsigned char *) name->v;
 	len = i2d_X509_NAME(x509->cert_info->subject, &bp);
 
 	error = 0;
@@ -680,7 +680,7 @@
 		if (!*altname)
 			goto end;
 		
-		strlcpy(*altname, gen->d.ia5->data, len);
+		strlcpy(*altname, (char *) gen->d.ia5->data, len);
 		*type = gen->type;
 		error = 0;
 	}
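Review bot: `strlcpy(*altname, (char *) gen->d.ia5->data, len)` copies an ASN.1 IA5String as if it were a C string; the ASN.1 value is length-counted and may contain an embedded NUL, so a certificate carrying a subjectAltName like `host\0other.example` yields an altname that stops at the NUL, and if that string is later matched against the peer identity the comparison sees only the prefix. After the copy, detect the mismatch and treat it as a bad certificate: `if (strlen(*altname) != (size_t)gen->d.ia5->length) { /* embedded NUL */ goto end; }` after releasing `*altname` with whatever allocated it and leaving `error` at -1. How `len` is derived is outside this hunk, so also confirm it is `gen->d.ia5->length + 1`.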
@@ -797,9 +797,9 @@
     {
 	u_char *bp;
 
-	bp = cert->v;
-
-	x509 = d2i_X509(NULL, &bp, cert->l);
+	bp = (unsigned char *) cert->v;
+
+	x509 = d2i_X509(NULL, (void *)&bp, cert->l);
     }
 #else
     {
@@ -855,7 +855,7 @@
 		X509_free(x509);
 		return NULL;
 	}
-	bp = cert->v;
+	bp = (unsigned char *) cert->v;
 	error = i2d_X509(x509, &bp);
 	X509_free(x509);
 
@@ -885,9 +885,9 @@
 	EVP_PKEY *evp;
 	int res;
 
-	bp = cert->v;
-
-	x509 = d2i_X509(NULL, &bp, cert->l);
+	bp = (unsigned char *) cert->v;
+
+	x509 = d2i_X509(NULL, (void *)&bp, cert->l);
 	if (x509 == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "d2i_X509(): %s\n", eay_strerror());
 		return -1;
@@ -952,7 +952,7 @@
 	pkey = vmalloc(pkeylen);
 	if (pkey == NULL)
 		goto end;
-	bp = pkey->v;
+	bp = (unsigned char *) pkey->v;
 	pkeylen = i2d_PrivateKey(evp, &bp);
 	if (pkeylen == 0)
 		goto end;
@@ -1008,7 +1008,7 @@
 	pkey = vmalloc(pkeylen);
 	if (pkey == NULL)
 		goto end;
-	bp = pkey->v;
+	bp = (unsigned char *) pkey->v;
 	pkeylen = i2d_PublicKey(evp, &bp);
 	if (pkeylen == 0)
 		goto end;
@@ -1030,13 +1030,13 @@
 	vchar_t *src, *privkey;
 {
 	EVP_PKEY *evp;
-	u_char *bp = privkey->v;
+	u_char *bp = (unsigned char *) privkey->v;
 	vchar_t *sig = NULL;
 	int len;
 	int pad = RSA_PKCS1_PADDING;
 
 	/* XXX to be handled EVP_PKEY_DSA */
-	evp = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &bp, privkey->l);
+	evp = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (void *)&bp, privkey->l);
 	if (evp == NULL)
 		return NULL;
 
@@ -1068,7 +1068,8 @@
 	if (sig == NULL)
 		return NULL;
 
-	len = RSA_private_encrypt(src->l, src->v, sig->v, rsa, pad);
+	len = RSA_private_encrypt(src->l, (unsigned char *) src->v, 
+			(unsigned char *) sig->v, rsa, pad);
 
 	if (len == 0 || len != sig->l) {
 		vfree(sig);
@@ -1095,7 +1096,8 @@
 		return -1;
 	}
 
-	len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, rsa, pad);
+	len = RSA_public_decrypt(sig->l, (unsigned char *) sig->v, 
+			(unsigned char *) xbuf->v, rsa, pad);
 	if (len == 0 || len != src->l) {
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 		vfree(xbuf);
@@ -1159,55 +1161,58 @@
 
 	EVP_CIPHER_CTX_init(&ctx);
 
- 	switch(EVP_CIPHER_nid(e)){
- 	case NID_bf_cbc:
- 	case NID_bf_ecb:
- 	case NID_bf_cfb64:
- 	case NID_bf_ofb64:
- 	case NID_cast5_cbc:
- 	case NID_cast5_ecb:
- 	case NID_cast5_cfb64:
- 	case NID_cast5_ofb64:
- 		/* XXX: can we do that also for algos with a fixed key size ?
- 		 */
- 		/* init context without key/iv
-          */
-         if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
-         {
-             OpenSSL_BUG();
-             vfree(res);
-             return NULL;
-         }
- 		
-         /* update key size
-          */
-         if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
-         {
-             OpenSSL_BUG();
-             vfree(res);
-             return NULL;
-         }
- 
-         /* finalize context init with desired key size
-          */
-         if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
- 							(u_char *) iv->v, enc))
-         {
-             OpenSSL_BUG();
-             vfree(res);
-             return NULL;
- 		}
- 		break;
- 	default:
- 		if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, 
- 				(u_char *) iv->v, enc)) {
- 			OpenSSL_BUG();
- 			vfree(res);
- 			return NULL;
- 		}
+	switch(EVP_CIPHER_nid(e)){
+	case NID_bf_cbc:
+	case NID_bf_ecb:
+	case NID_bf_cfb64:
+	case NID_bf_ofb64:
+	case NID_cast5_cbc:
+	case NID_cast5_ecb:
+	case NID_cast5_cfb64:
+	case NID_cast5_ofb64:
+		/* XXX: can we do that also for algos with a fixed key size ?
+		 */
+		/* init context without key/iv
+         */
+        if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
+        {
+            OpenSSL_BUG();
+            vfree(res);
+            return NULL;
+        }
+		
+        /* update key size
+         */
+        if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
+        {
+            OpenSSL_BUG();
+            vfree(res);
+            return NULL;
+        }
+
+        /* finalize context init with desired key size
+         */
+        if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
+							(u_char *) iv->v, enc))
+        {
+            OpenSSL_BUG();
+            vfree(res);
+            return NULL;
+		}
+		break;
+	default:
+		if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, 
+							(u_char *) iv->v, enc)) {
+			OpenSSL_BUG();
+			vfree(res);
+			return NULL;
+		}
 	}
+
+	/* disable openssl padding */
+	EVP_CIPHER_CTX_set_padding(&ctx, 0); 
 	
-	if (!EVP_Cipher(&ctx, res->v, data->v, data->l)) {
+	if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
 		OpenSSL_BUG();
 		vfree(res);
 		return NULL;
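Review bot: The three error returns inside the Blowfish/CAST branch and the one in the default branch leave the EVP_CIPHER_CTX initialised at the top of the hunk without `EVP_CIPHER_CTX_cleanup(&ctx)`, so the cipher-private state that EVP_CipherInit allocates (which holds the expanded key) is leaked on every failure path; the EVP_Cipher failure just below the new set_padding call has the same gap. Adding `EVP_CIPHER_CTX_cleanup(&ctx);` before each `vfree(res); return NULL;` pair, or routing them through one cleanup label, closes it. Separately, the hunk re-indents some forty unchanged lines together with the single functional change `EVP_CIPHER_CTX_set_padding(&ctx, 0);`, which makes that change easy to miss; with padding disabled EVP_Cipher presumably requires `data->l` to be a block-size multiple, so a comment on the new line stating which caller guarantees that would help. The enclosing function starts and ends outside the hunk.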
@@ -1704,7 +1709,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	HMAC_Update((HMAC_CTX *)c, data->v, data->l);
+	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
 }
 
 vchar_t *
@@ -1717,7 +1722,7 @@
 	if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
 		return NULL;
 
-	HMAC_Final((HMAC_CTX *)c, res->v, &l);
+	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
 	HMAC_cleanup((HMAC_CTX *)c);
 	(void)racoon_free(c);
@@ -1761,7 +1766,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	HMAC_Update((HMAC_CTX *)c, data->v, data->l);
+	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
 }
 
 vchar_t *
@@ -1774,7 +1779,7 @@
 	if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
 		return NULL;
 
-	HMAC_Final((HMAC_CTX *)c, res->v, &l);
+	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
 	HMAC_cleanup((HMAC_CTX *)c);
 	(void)racoon_free(c);
@@ -1818,7 +1823,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	HMAC_Update((HMAC_CTX *)c, data->v, data->l);
+	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
 }
 
 vchar_t *
@@ -1831,7 +1836,7 @@
 	if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
 		return NULL;
 
-	HMAC_Final((HMAC_CTX *)c, res->v, &l);
+	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
 	HMAC_cleanup((HMAC_CTX *)c);
 	(void)racoon_free(c);
@@ -1876,7 +1881,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	HMAC_Update((HMAC_CTX *)c, data->v, data->l);
+	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
 }
 
 vchar_t *
@@ -1889,7 +1894,7 @@
 	if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
 		return NULL;
 
-	HMAC_Final((HMAC_CTX *)c, res->v, &l);
+	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
 	HMAC_cleanup((HMAC_CTX *)c);
 	(void)racoon_free(c);
@@ -1933,7 +1938,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	HMAC_Update((HMAC_CTX *)c, data->v, data->l);
+	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
 }
 
 vchar_t *
@@ -1946,7 +1951,7 @@
 	if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
 		return NULL;
 
-	HMAC_Final((HMAC_CTX *)c, res->v, &l);
+	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
 	HMAC_cleanup((HMAC_CTX *)c);
 	(void)racoon_free(c);
@@ -1980,7 +1985,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	SHA512_Update((SHA512_CTX *)c, data->v, data->l);
+	SHA512_Update((SHA512_CTX *)c, (unsigned char *) data->v, data->l);
 
 	return;
 }
@@ -1994,7 +1999,7 @@
 	if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
 		return(0);
 
-	SHA512_Final(res->v, (SHA512_CTX *)c);
+	SHA512_Final((unsigned char *) res->v, (SHA512_CTX *)c);
 	(void)racoon_free(c);
 
 	return(res);
@@ -2040,7 +2045,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	SHA384_Update((SHA384_CTX *)c, data->v, data->l);
+	SHA384_Update((SHA384_CTX *)c, (unsigned char *) data->v, data->l);
 
 	return;
 }
@@ -2054,7 +2059,7 @@
 	if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
 		return(0);
 
-	SHA384_Final(res->v, (SHA384_CTX *)c);
+	SHA384_Final((unsigned char *) res->v, (SHA384_CTX *)c);
 	(void)racoon_free(c);
 
 	return(res);
@@ -2100,7 +2105,7 @@
 	caddr_t c;
 	vchar_t *data;
 {
-	SHA256_Update((SHA256_CTX *)c, data->v, data->l);
+	SHA256_Update((SHA256_CTX *)c, (unsigned char *) data->v, data->l);
 
 	return;
 }
@@ -2114,7 +2119,7 @@
 	if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
 		return(0);
 
-	SHA256_Final(res->v, (SHA256_CTX *)c);
+	SHA256_Final((unsigned char *) res->v, (SHA256_CTX *)c);
 	(void)racoon_free(c);
 
 	return(res);
@@ -2173,7 +2178,7 @@
 	if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
 		return(0);
 
-	SHA1_Final(res->v, (SHA_CTX *)c);
+	SHA1_Final((unsigned char *) res->v, (SHA_CTX *)c);
 	(void)racoon_free(c);
 
 	return(res);
@@ -2231,7 +2236,7 @@
 	if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
 		return(0);
 
-	MD5_Final(res->v, (MD5_CTX *)c);
+	MD5_Final((unsigned char *) res->v, (MD5_CTX *)c);
 	(void)racoon_free(c);
 
 	return(res);
@@ -2338,7 +2343,7 @@
 	BIGNUM *dh_pub = NULL;
 	DH *dh = NULL;
 	int l;
-	caddr_t v = NULL;
+	unsigned char *v = NULL;
 	int error = -1;
 
 	/* make public number to compute */
@@ -2362,7 +2367,7 @@
 	if (!BN_set_word(dh->g, g))
 		goto end;
 
-	if ((v = (caddr_t)racoon_calloc(prime->l, sizeof(u_char))) == NULL)
+	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
 		goto end;
 	if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
 		goto end;
@@ -2398,7 +2403,7 @@
 	BIGNUM **bn;
 	vchar_t *var;
 {
-	if ((*bn = BN_bin2bn(var->v, var->l, NULL)) == NULL)
+	if ((*bn = BN_bin2bn((unsigned char *) var->v, var->l, NULL)) == NULL)
 		return -1;
 
 	return 0;
@@ -2413,7 +2418,7 @@
 	if (*var == NULL)
 		return(-1);
 
-	(*var)->l = BN_bn2bin(bn, (*var)->v);
+	(*var)->l = BN_bn2bin(bn, (unsigned char *) (*var)->v);
 
 	return 0;
 }
@@ -2503,8 +2508,9 @@
 		goto out;
 	}
 
-	exp = BN_bin2bn(binbuf->v + 1, binbuf->v[0], NULL);
-	mod = BN_bin2bn(binbuf->v + binbuf->v[0] + 1, binbuf->l - binbuf->v[0] - 1, NULL);
+	exp = BN_bin2bn((unsigned char *) (binbuf->v + 1), binbuf->v[0], NULL);
+	mod = BN_bin2bn((unsigned char *) (binbuf->v + binbuf->v[0] + 1), 
+			binbuf->l - binbuf->v[0] - 1, NULL);
 	rsa_pub = RSA_new();
 
 	if (!exp || !mod || !rsa_pub) {
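Review bot: The casts fix the pointer arguments but the length byte is still read as `binbuf->v[0]` of type `char`: where `char` is signed, a leading byte of 0x80 or above sign-extends to a negative exponent length for BN_bin2bn and a negative offset for the modulus pointer, and `binbuf->l - binbuf->v[0] - 1` wraps when the byte is larger than the buffer. Read it through an unsigned type and bound it before the two BN_bin2bn calls, e.g. `size_t explen = (unsigned char) binbuf->v[0]; if (explen + 1 >= binbuf->l) goto out;`, and use `explen` in both calls. Whether an earlier check already bounds the length is outside the hunk, as is the function's start.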
@@ -2570,7 +2576,7 @@
 		return NULL;
 	}
 	
-	BN_bn2bin(in, binbuf->v);
+	BN_bn2bin(in, (unsigned char *) binbuf->v);
 
 	rsa_pub = binbuf_pubkey2rsa(binbuf);
 
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.h,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: crypto_openssl.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/debug.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/debug.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: debug.h,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: debug.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: debug.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: debugrm.c,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: debugrm.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/debugrm.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/debugrm.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: debugrm.h,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: debugrm.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: debugrm.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/dhgroup.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dhgroup.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dhgroup.h,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: dhgroup.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: dhgroup.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/dnssec.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dnssec.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec.c,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: dnssec.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $	*/
 
@@ -100,7 +100,7 @@
 	}
 
 	/* check response */
-	if (res->ci_next == NULL) {
+	if (res->ci_next != NULL) {
 		plog(LLV_WARNING, LOCATION, NULL,
 			"not supported multiple CERT RR.\n");
 	}
--- a/crypto/dist/ipsec-tools/src/racoon/dnssec.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dnssec.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dnssec.h,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: dnssec.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: dnssec.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/dump.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dump.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dump.c,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: dump.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: dump.c,v 1.3 2000/09/23 15:31:05 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/dump.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/dump.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: dump.h,v 1.1.1.2 2005/02/23 14:54:13 manu Exp $	*/
+/*	$NetBSD: dump.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: dump.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/eaytest.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/eaytest.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: eaytest.c,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: eaytest.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: eaytest.c,v 1.20.4.1 2005/02/18 10:23:10 manubsd Exp */
+/* Id: eaytest.c,v 1.20.4.2 2005/06/28 22:38:02 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -735,7 +735,11 @@
 	vchar_t mod;
 	caddr_t ctx;
 
+#ifdef WITH_SHA2
+	printf("\n**Test for HMAC MD5, SHA1, and SHA256.**\n");
+#else
 	printf("\n**Test for HMAC MD5 & SHA1.**\n");
+#endif
 
 	key = vmalloc(strlen(keyword));
 	memcpy(key->v, keyword, key->l);
@@ -774,6 +778,33 @@
 	free(mod.v);
 	vfree(res);
 
+	/* HMAC SHA1 */
+	printf("HMAC SHA1 by eay_hmacsha1_one()\n");
+	res = eay_hmacsha1_one(key, data);
+	PVDUMP(res);
+	mod.v = str2val(r_hsha1, 16, &mod.l);
+	if (memcmp(res->v, mod.v, mod.l)) {
+		printf(" XXX NG XXX\n");
+		return -1;
+	}
+	free(mod.v);
+	vfree(res);
+
+	/* HMAC SHA1 */
+	printf("HMAC SHA1 by eay_hmacsha1_xxx()\n");
+	ctx = eay_hmacsha1_init(key);
+	eay_hmacsha1_update(ctx, data1);
+	eay_hmacsha1_update(ctx, data2);
+	res = eay_hmacsha1_final(ctx);
+	PVDUMP(res);
+	mod.v = str2val(r_hsha1, 16, &mod.l);
+	if (memcmp(res->v, mod.v, mod.l)) {
+		printf(" XXX NG XXX\n");
+		return -1;
+	}
+	free(mod.v);
+	vfree(res);
+
 #ifdef WITH_SHA2
 	/* HMAC SHA2 */
 	printf("HMAC SHA2 by eay_hmacsha2_256_one()\n");
@@ -788,33 +819,6 @@
 	vfree(res);
 #endif
 
-	/* HMAC SHA1 */
-	printf("HMAC SHA1 by eay_hmacsha1_one()\n");
-	res = eay_hmacsha1_one(key, data);
-	PVDUMP(res);
-	mod.v = str2val(r_hsha1, 16, &mod.l);
-	if (memcmp(res->v, mod.v, mod.l)) {
-		printf(" XXX NG XXX\n");
-		return -1;
-	}
-	free(mod.v);
-	vfree(res);
-
-	/* HMAC MD5 */
-	printf("HMAC SHA1 by eay_hmacsha1_xxx()\n");
-	ctx = eay_hmacsha1_init(key);
-	eay_hmacsha1_update(ctx, data1);
-	eay_hmacsha1_update(ctx, data2);
-	res = eay_hmacsha1_final(ctx);
-	PVDUMP(res);
-	mod.v = str2val(r_hsha1, 16, &mod.l);
-	if (memcmp(res->v, mod.v, mod.l)) {
-		printf(" XXX NG XXX\n");
-		return -1;
-	}
-	free(mod.v);
-	vfree(res);
-
 	vfree(data);
 	vfree(data1);
 	vfree(data2);
--- a/crypto/dist/ipsec-tools/src/racoon/evt.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/evt.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: evt.c,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: evt.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: evt.c,v 1.2 2004/11/29 23:30:39 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/evt.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/evt.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: evt.h,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: evt.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: evt.h,v 1.3 2004/11/29 23:30:39 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/gcmalloc.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gcmalloc.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gcmalloc.h,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: gcmalloc.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: gcmalloc.h,v 1.4 2001/11/16 04:34:57 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/genlist.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/genlist.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: genlist.c,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: genlist.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: genlist.c,v 1.2 2004/07/12 20:43:50 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/genlist.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/genlist.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: genlist.h,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: genlist.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: genlist.h,v 1.2 2004/07/12 20:43:50 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: getcertsbyname.c,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: getcertsbyname.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: getcertsbyname.c,v 1.7 2001/11/16 04:12:59 sakane Exp $	*/
 
@@ -60,12 +60,13 @@
 /* XXX should it use ci_errno to hold errno instead of h_errno ? */
 extern int h_errno;
 
-static struct certinfo *getnewci __P((int, int, int, int, int, char *));
+static struct certinfo *getnewci __P((int, int, int, int, int, 
+			unsigned char *));
 
 static struct certinfo *
 getnewci(qtype, keytag, algorithm, flags, certlen, cert)
 	int qtype, keytag, algorithm, flags, certlen;
-	char *cert;
+	unsigned char *cert;
 {
 	struct certinfo *res;
 
@@ -201,11 +202,11 @@
 	char *name;
 	struct certinfo **res;
 {
-	caddr_t answer = NULL, p;
+	unsigned char *answer = NULL, *p;
 	int buflen, anslen, len;
 	HEADER *hp;
 	int qdcount, ancount, rdlength;
-	char *cp, *eom;
+	unsigned char *cp, *eom;
 	char hostbuf[1024];	/* XXX */
 	int qtype, qclass, keytag, algorithm;
 	struct certinfo head, *cur;
@@ -257,7 +258,7 @@
 		h_errno = NO_RECOVERY;
 		goto end;
 	}
-	cp = (char *)(hp + 1);
+	cp = (unsigned char *)(hp + 1);
 	len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf));
 	if (len < 0) {
 #ifdef DNSSEC_DEBUG
--- a/crypto/dist/ipsec-tools/src/racoon/gnuc.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gnuc.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gnuc.h,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: gnuc.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: gnuc.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: grabmyaddr.c,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: grabmyaddr.c,v 1.23 2004/11/20 15:53:27 monas Exp */
+/* Id: grabmyaddr.c,v 1.23.4.2 2005/07/16 04:41:01 monas Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -254,6 +254,7 @@
 		ioctl(fd, SIOCGIFNAME, (void*)&ifr);
 		memcpy(i->ifa_name, ifr.ifr_name, 16);
 	}
+	close(fd);
 
 	return 0;
 }
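Review bot: `close(fd)` is now reached only when the loop completes; if the function has error returns after the socket was opened (its start is outside the hunk) they still leak the descriptor, and the `ioctl(fd, SIOCGIFNAME, …)` result just above is not checked, so a failed lookup copies whatever `ifr.ifr_name` happened to contain. Checking it, e.g. `if (ioctl(fd, SIOCGIFNAME, (void*)&ifr) < 0) { close(fd); return -1; }`, keeps the descriptor fix consistent on the failure path too.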
@@ -842,7 +843,7 @@
 #ifdef __linux__
    {
 	struct sockaddr_nl nl;
-	int addr_len;
+	u_int addr_len;
 
 	memset(&nl, 0, sizeof(nl));
 	nl.nl_family = AF_NETLINK;
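Review bot: `u_int addr_len` (and `unsigned int remote_len`/`local_len` in the isakmp.c hunk further down) matches what glibc's socket-length arguments are typedef'd to today, but the portable type for these arguments is `socklen_t`, which is exactly the mismatch the original `int` declaration was being warned about. `socklen_t addr_len;` removes the assumption that every libc defines it as an unsigned int. The enclosing block starts outside the hunk.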
--- a/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.h,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: grabmyaddr.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: grabmyaddr.h,v 1.5 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/gssapi.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/gssapi.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.h,v 1.1.1.2 2005/02/23 14:54:14 manu Exp $	*/
+/*	$NetBSD: gssapi.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: gssapi.h,v 1.5 2005/02/11 06:59:01 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/handler.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: handler.c,v 1.1.1.2.2.3 2005/05/28 13:04:30 tron Exp $	*/
+/*	$NetBSD: handler.c,v 1.1.1.2.2.4 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: handler.c,v 1.13 2004/11/21 19:36:26 manubsd Exp */
+/* Id: handler.c,v 1.13.4.4 2005/07/14 12:00:36 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -277,6 +277,11 @@
 	}
 #endif
 
+#ifdef ENABLE_DPD
+	if (iph1->dpd_r_u != NULL)
+		SCHED_KILL(iph1->dpd_r_u);
+#endif
+
 	if (iph1->remote) {
 		racoon_free(iph1->remote);
 		iph1->remote = NULL;
@@ -420,21 +425,6 @@
 	return NULL;
 }
 
-struct ph2handle *
-getph2bysaddr(src, dst)
-	struct sockaddr *src, *dst;
-{
-	struct ph2handle *p;
-
-	LIST_FOREACH(p, &ph2tree, chain) {
-		if (cmpsaddrstrict(src, p->src) == 0 &&
-		    cmpsaddrstrict(dst, p->dst) == 0)
-			return p;
-	}
-
-	return NULL;
-}
-
 /*
  * search ph2handle with sequence number.
  */
@@ -479,8 +469,23 @@
 
 	LIST_FOREACH(p, &ph2tree, chain) {
 		if (spid == p->spid &&
-		    cmpsaddrwop(src, p->src) == 0 &&
-		    cmpsaddrwop(dst, p->dst) == 0)
+		    CMPSADDR(src, p->src) == 0 &&
+		    CMPSADDR(dst, p->dst) == 0)
+			return p;
+	}
+
+	return NULL;
+}
+
+struct ph2handle *
+getph2bysaddr(src, dst)
+	struct sockaddr *src, *dst;
+{
+	struct ph2handle *p;
+
+	LIST_FOREACH(p, &ph2tree, chain) {
+		if (cmpsaddrstrict(src, p->src) == 0 &&
+		    cmpsaddrstrict(dst, p->dst) == 0)
 			return p;
 	}
 
--- a/crypto/dist/ipsec-tools/src/racoon/handler.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: handler.h,v 1.1.1.2.2.4 2005/05/11 12:20:16 tron Exp $	*/
+/*	$NetBSD: handler.h,v 1.1.1.2.2.5 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: handler.h,v 1.11 2004/11/16 15:44:46 ludvigm Exp */
+/* Id: handler.h,v 1.11.4.3 2005/05/07 17:26:05 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: ipsec_doi.c,v 1.1.1.2.2.5 2005/06/10 09:21:36 tron Exp $	*/
-
-/* Id: ipsec_doi.c,v 1.38 2005/05/31 16:07:55 monas Exp */
+/*	$NetBSD: ipsec_doi.c,v 1.1.1.2.2.6 2005/09/03 07:03:49 snj Exp $	*/
+
+/* Id: ipsec_doi.c,v 1.26.2.12 2005/07/12 11:50:15 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -94,6 +94,11 @@
 #ifdef HAVE_GSSAPI
 #include <iconv.h>
 #include "gssapi.h"
+#ifdef HAVE_ICONV_2ND_CONST
+#define __iconv_const const
+#else
+#define __iconv_const
+#endif
 #endif
 
 int verbose_proposal_check = 1;
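Review bot: `__iconv_const` begins with a double underscore, which C reserves for the implementation; a macro of that form can collide with a libc or compiler definition and no warning flag reports it. A project-prefixed name such as `ICONV_CONST` (the token autoconf's AM_ICONV macro already emits for this purpose) used here and at the three iconv() call sites below avoids that. The `#ifdef HAVE_GSSAPI` block starts outside the hunk.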
@@ -739,7 +744,7 @@
 		{
 			iconv_t cd;
 			size_t srcleft, dstleft, rv;
-			const char *src;
+			__iconv_const char *src;
 			char *dst;
 			int len = ntohs(d->lorv);
 
@@ -783,7 +788,8 @@
 			dst = sa->gssid->v;
 			dstleft = len / 2;
 
-			rv = iconv(cd, &src, &srcleft, &dst, &dstleft);
+			rv = iconv(cd, (__iconv_const char **)&src, &srcleft, 
+				   &dst, &dstleft);
 			if (rv != 0) {
 				if (rv == -1) {
 					plog(LLV_ERROR, LOCATION, NULL,
@@ -1931,6 +1937,9 @@
 	switch (t_id) {
 	case IPSECDOI_AH_MD5:
 	case IPSECDOI_AH_SHA:
+	case IPSECDOI_AH_SHA256:
+	case IPSECDOI_AH_SHA384:
+	case IPSECDOI_AH_SHA512:
 		return 0;
 	case IPSECDOI_AH_DES:
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -2284,6 +2293,24 @@
 						goto ahmismatch;
 				}
 				break;
+ 			case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
+ 				if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
+ 					if (trns->t_id != IPSECDOI_AH_SHA256)
+ 						goto ahmismatch;
+ 				}	
+ 				break;
+ 			case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
+ 				if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
+ 					if (trns->t_id != IPSECDOI_AH_SHA384)
+ 						goto ahmismatch;
+ 				}
+ 				break;
+ 			case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
+ 				if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
+ 					if (trns->t_id != IPSECDOI_AH_SHA512)
+ 					goto ahmismatch;
+ 				}
+ 				break;
 			case IPSECDOI_ATTR_AUTH_DES_MAC:
 			case IPSECDOI_ATTR_AUTH_KPDK:
 				plog(LLV_ERROR, LOCATION, NULL,
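Review bot: The three new SHA2 cases are indented with a space followed by tabs while the surrounding cases use tabs only, and the `goto ahmismatch` in the SHA2_512 case sits one level shallower than its siblings, which makes the block read as a whitespace change and will trip tab-sensitive style checks. The three cases differ only in the AH transform id they compare against, so at minimum re-indent them to match the HMAC_SHA1 case above and align the last `goto`. The enclosing switch starts and ends outside the hunk.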
@@ -2434,6 +2461,15 @@
 			case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
 			case IPSECDOI_ATTR_ENC_MODE_TRNS:
 				break;
+#ifdef ENABLE_NATT
+			case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
+			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
+			case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
+			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
+				plog(LLV_DEBUG, LOCATION, NULL,
+				     "UDP encapsulation requested\n");
+				break;
+#endif
 			default:
 				plog(LLV_ERROR, LOCATION, NULL,
 					"invalid encryption mode=%u.\n",
@@ -2796,8 +2832,8 @@
 					goto gssid_done;
 				}
 				odst = dst;
-				rv = iconv(cd, &src, &srcleft,
-				    &dst, &dstleft);
+				rv = iconv(cd, (__iconv_const char **)&src, 
+				    &srcleft, &dst, &dstleft);
 				if (rv != 0) {
 					if (rv == -1) {
 						plog(LLV_ERROR, LOCATION, NULL,
@@ -3601,11 +3637,11 @@
 		if (loglevel >= LLV_DEBUG) {
 			X509_NAME *xn;
 			BIO *bio;
-			unsigned char *ptr = new->v, *buf;
+			unsigned char *ptr = (unsigned char *) new->v, *buf;
 			size_t len;
 			char save;
 
-			xn = d2i_X509_NAME(NULL, &ptr, new->l);
+			xn = d2i_X509_NAME(NULL, (void *)&ptr, new->l);
 			bio = BIO_new(BIO_s_mem());
 			
 			X509_NAME_print_ex(bio, xn, 0, 0);
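Review bot: The result of `d2i_X509_NAME` is passed straight to `X509_NAME_print_ex` without a NULL check, and the `BIO_new` result is not checked either; where `new->v` comes from is outside the hunk, but if it is derived from a certificate or a received ID payload a malformed DN dereferences NULL whenever loglevel is at debug. Guard the dump with `if (xn != NULL && bio != NULL)` and otherwise log the failure with plog instead of printing. The enclosing block continues outside the hunk.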
@@ -3755,7 +3791,8 @@
 
 	/* set prefix */
 	if (len2) {
-		u_char *p = new->v + sizeof(struct ipsecdoi_id_b) + len1;
+		u_char *p = (unsigned char *) new->v + 
+			sizeof(struct ipsecdoi_id_b) + len1;
 		u_int bits = prefixlen;
 
 		while (bits >= 8) {
@@ -3865,7 +3902,7 @@
 		plen = 0;
 		max = alen <<3;
 
-		p = buf->v
+		p = (unsigned char *) buf->v
 			+ sizeof(struct ipsecdoi_id_b)
 			+ alen;
 
@@ -4133,6 +4170,12 @@
 		return IPSECDOI_AH_MD5;
         case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
 		return IPSECDOI_AH_SHA;
+	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
+		return IPSECDOI_AH_SHA256;
+	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
+		return IPSECDOI_AH_SHA384;
+	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
+		return IPSECDOI_AH_SHA512;
         case IPSECDOI_ATTR_AUTH_DES_MAC:
 		return IPSECDOI_AH_DES;
 	case IPSECDOI_ATTR_AUTH_KPDK:
@@ -4157,11 +4200,11 @@
 #endif
 
 static int rm_idtype2doi[] = {
-	255,				/* IDTYPE_UNDEFINED, 0	*/
+	255,				/* IDTYPE_UNDEFINED, 0 */
 	IPSECDOI_ID_FQDN,		/* IDTYPE_FQDN, 1 */
 	IPSECDOI_ID_USER_FQDN,		/* IDTYPE_USERFQDN, 2 */
-	IPSECDOI_ID_KEY_ID,		/* IDTYPE_KEYID, 3 */ 
-	255,	/* 			   IDTYPE_ADDRESS, 4
+	IPSECDOI_ID_KEY_ID,		/* IDTYPE_KEYID, 3 */
+	255,    /*			   IDTYPE_ADDRESS, 4 
 		 * it expands into 4 types by another function. */
 	IPSECDOI_ID_DER_ASN1_DN,	/* IDTYPE_ASN1DN, 5 */
 #ifdef ENABLE_HYBRID
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: ipsec_doi.h,v 1.1.1.2 2005/02/23 14:54:16 manu Exp $	*/
+/*	$NetBSD: ipsec_doi.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: ipsec_doi.h,v 1.9 2005/01/29 16:34:24 vanhu Exp */
+/* Id: ipsec_doi.h,v 1.9.2.1 2005/06/28 22:38:03 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -54,9 +54,9 @@
 #define   IPSECDOI_AH_MD5                              2
 #define   IPSECDOI_AH_SHA                              3
 #define   IPSECDOI_AH_DES                              4
-#define   IPSECDOI_AH_SHA2_256                         5
-#define   IPSECDOI_AH_SHA2_384                         6
-#define   IPSECDOI_AH_SHA2_512                         7
+#define   IPSECDOI_AH_SHA256                           5
+#define   IPSECDOI_AH_SHA384                           6
+#define   IPSECDOI_AH_SHA512                           7
 
 /* 4.4.1 IPSEC Security Protocol Identifiers */
 #define IPSECDOI_PROTO_IPSEC_ESP                     3
@@ -119,9 +119,9 @@
 #define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
 #define   IPSECDOI_ATTR_AUTH_DES_MAC            3
 #define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
-#define   IPSECDOI_ATTR_SHA2_256                5
-#define   IPSECDOI_ATTR_SHA2_384                6
-#define   IPSECDOI_ATTR_SHA2_512                7
+#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_256      5
+#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_384      6
+#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_512      7
 #define   IPSECDOI_ATTR_AUTH_NONE               254	/* NOTE:internal use */
 	/*
 	 * When negotiating ESP without authentication, the Auth
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp.c,v 1.1.1.3.2.6 2005/07/02 23:22:34 tron Exp $	*/
-
-/* $Id: isakmp.c,v 1.1.1.3.2.6 2005/07/02 23:22:34 tron Exp $ */
+/*	$NetBSD: isakmp.c,v 1.1.1.3.2.7 2005/09/03 07:03:49 snj Exp $	*/
+
+/* Id: isakmp.c,v 1.34.2.19 2005/08/11 14:58:51 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,6 +66,7 @@
 #include <unistd.h>
 #endif
 #include <ctype.h>
+#include <fcntl.h>
 
 #include "var.h"
 #include "misc.h"
@@ -85,6 +86,7 @@
 #include "oakley.h"
 #include "evt.h"
 #include "handler.h"
+#include "proposal.h"
 #include "ipsec_doi.h"
 #include "pfkey.h"
 #include "crypto_openssl.h"
@@ -108,6 +110,8 @@
 # include "nattraversal.h"
 # ifdef __linux__
 #  include <linux/udp.h>
+#include <fcntl.h>
+
 #  ifndef SOL_UDP
 #   define SOL_UDP 17
 #  endif
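Review bot: `#include <fcntl.h>` is added twice: once in the unconditional include block above and again here inside the ENABLE_NATT/`__linux__` section, at a different indentation from the neighbouring `#  include <linux/udp.h>`. The second one is redundant and should be dropped; the header's own guard makes it harmless, but it suggests fcntl is NAT-T-specific when the new fcntl() call below is not.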
@@ -194,8 +198,8 @@
 	} x;
 	struct sockaddr_storage remote;
 	struct sockaddr_storage local;
-	int remote_len = sizeof(remote);
-	int local_len = sizeof(local);
+	unsigned int remote_len = sizeof(remote);
+	unsigned int local_len = sizeof(local);
 	int len = 0, extralen = 0;
 	u_short port;
 	vchar_t *buf = NULL, *tmpbuf = NULL;
@@ -1086,6 +1090,15 @@
 #endif
 	iph1->approval = NULL;
 
+#ifdef ENABLE_NATT
+	/* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
+	 * We have to setup this flag now to correctly generate the first reply.
+	 * Don't know if a better check could be done for that ?
+	 */
+	if(extract_port(local) == lcconf->port_isakmp_natt)
+		iph1->natt_flags |= (NAT_PORTS_CHANGED);
+#endif
+
 	/* copy remote address */
 	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
 		return -1;
@@ -1573,6 +1586,10 @@
 				plog(LLV_ERROR, LOCATION, NULL,
 					"setsockopt(%d): %s\n",
 					pktinfo, strerror(errno));
+		if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
+			plog(LLV_WARNING, LOCATION, NULL,
+				"failed to put socket in non-blocking mode\n");
+
 				goto err_and_next;
 			}
 			break;
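Review bot: The new fcntl() call is inserted between the `plog(...)` and the `goto err_and_next;` that together form the body of the preceding `if (setsockopt(...) < 0) {` block, so the socket is put into non-blocking mode only after setsockopt has already failed and the socket is about to be discarded; on the success path it is never made non-blocking, the opposite of what the change intends. It also passes O_NONBLOCK alone to F_SETFL, replacing whatever status flags were set. Move the call after the closing brace of the error branch and OR the flag into the existing ones (with `int flags;` declared at the top of the function). The enclosing switch and function start outside the hunk.
```c
			/* … unchanged: setsockopt() error branch (plog + goto err_and_next) … */
			}
			flags = fcntl(p->sock, F_GETFL, 0);
			if (flags == -1 ||
			    fcntl(p->sock, F_SETFL, flags | O_NONBLOCK) == -1)
				plog(LLV_WARNING, LOCATION, NULL,
					"failed to put socket in non-blocking mode\n");
			break;
```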
@@ -1715,39 +1732,46 @@
 		vbuf = vmalloc (sbuf->l + extralen);
 		*(u_int32_t *)vbuf->v = 0;
 		memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
+		sbuf = vbuf;
 	}
-	else
-		vbuf = sbuf;
-#else
-	vbuf = sbuf;
 #endif
 
 	/* select the socket to be sent */
 	s = getsockmyaddr(iph1->local);
-	if (s == -1)
+	if (s == -1){
+		if ( vbuf != NULL )
+			vfree(vbuf);
 		return -1;
-
-	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", vbuf->l, 
+	}
+
+	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, 
 	      saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
 
 #ifdef ENABLE_FRAG
-	if (iph1->frag && vbuf->l > ISAKMP_FRAG_MAXLEN) {
-		if (isakmp_sendfrags(iph1, vbuf) == -1) {
+	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
+		if (isakmp_sendfrags(iph1, sbuf) == -1) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			    "isakmp_sendfrags failed\n");
+			if ( vbuf != NULL )
+				vfree(vbuf);
 			return -1;
 		}
 	} else 
 #endif
 	{
-		len = sendfromto(s, vbuf->v, vbuf->l,
+		len = sendfromto(s, sbuf->v, sbuf->l,
 		    iph1->local, iph1->remote, lcconf->count_persend);
 		if (len == -1) {
 			plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
+			if ( vbuf != NULL )
+				vfree(vbuf);
 			return -1;
 		}
 	}
-
+	
+	if ( vbuf != NULL )
+		vfree(vbuf);
+	
 	return 0;
 }
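Review bot: The NAT-T branch at the top of the hunk still dereferences the result of `vmalloc(sbuf->l + extralen)` without checking it, and with the new `sbuf = vbuf;` a failed allocation now also makes `sbuf` NULL for the rest of the function; every other failure path in this hunk gained a `vfree(vbuf)` but this one gained no check. `if (vbuf == NULL) return -1;` directly after the vmalloc closes it. The cleanup on the `s == -1` and send-failure paths assumes `vbuf` is initialised to NULL at its declaration, which is outside the hunk and worth confirming now that the `#else vbuf = sbuf;` fallback is gone.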
 
@@ -2763,6 +2787,7 @@
 	    iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
 	}
 #endif
+
 	return 0;
 }
 
@@ -3046,9 +3071,24 @@
 	struct sadb_sa *sa;
 	struct sockaddr *src, *dst;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	u_int proto_id;
 	struct ph2handle *iph2;
-
-	/* Delete all phase2 SAs */
+	struct ph1handle *new_iph1;
+
+	plog(LLV_INFO, LOCATION, NULL,
+		 "purging ISAKMP-SA spi=%s.\n",
+		 isakmp_pindex(&(iph1->index), iph1->msgid));
+
+	/* Mark as expired. */
+	iph1->status = PHASE1ST_EXPIRED;
+
+	/* Check if we have another, still valid, phase1 SA. */
+	new_iph1 = getph1byaddr(iph1->local, iph1->remote);
+
+	/*
+	 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
+	 * Keep all others phase2 SAs.
+	 */
 	buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
 	if (buf == NULL) {
 		plog(LLV_DEBUG, LOCATION, NULL,
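Review bot: The new `iph1->status = PHASE1ST_EXPIRED;` now runs before `getph1byaddr(iph1->local, iph1->remote)` instead of at the end of the function (a later hunk of this file drops the old assignment), and nothing in the hunk says why the order matters. If, as it appears, the intent is that getph1byaddr() skips expired handles so that `new_iph1` can never be `iph1` itself, say so: `/* Mark expired first so getph1byaddr() below cannot return this very handle. */`. Otherwise a reader may move the assignment back and silently make every purge "find" the handle being purged. The function's start is outside the hunk.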
@@ -3085,36 +3125,70 @@
 		src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
 		dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
 
-		if (sa->sadb_sa_state != SADB_SASTATE_MATURE &&
+		if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
+		    sa->sadb_sa_state != SADB_SASTATE_MATURE &&
 		    sa->sadb_sa_state != SADB_SASTATE_DYING) {
 			msg = next;
 			continue;
 		}
 
-		/* delete in/outbound SAs */
-		if (CMPSADDR(iph1->remote, dst) &&
-		    CMPSADDR(iph1->remote, src)) {
+		/* check in/outbound SAs */
+		if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
+			(CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
 			msg = next;
 			continue;
 		}
 
+		proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
+		iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
+
+		/* Check if there is another valid ISAKMP-SA */
+		if (new_iph1 != NULL) {
+
+			if (iph2 == NULL) {
+				/* No handler... still send a pfkey_delete message, but log this !*/
+				plog(LLV_INFO, LOCATION, NULL,
+					"Unknown IPsec-SA spi=%u, hmmmm?\n",
+					ntohl(sa->sadb_sa_spi));
+			}else{
+
+				/* 
+				 * If we have a new ph1, do not purge IPsec-SAs binded
+				 *  to a different ISAKMP-SA
+				 */
+				if (iph2->ph1 != NULL && iph2->ph1 != iph1){
+					msg = next;
+					continue;
+				}
+
+				/* If the ph2handle is established, do not purge IPsec-SA */
+				if (iph2->status == PHASE2ST_ESTABLISHED ||
+					iph2->status == PHASE2ST_EXPIRED) {
+					
+					plog(LLV_INFO, LOCATION, NULL,
+						 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
+						 ntohl(sa->sadb_sa_spi),
+						 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
+					msg = next;
+					continue;
+				}
+			}
+		}
+
+		
 		pfkey_send_delete(lcconf->sock_pfkey,
 				  msg->sadb_msg_satype,
 				  IPSEC_MODE_ANY,
 				  src, dst, sa->sadb_sa_spi);
 
-		/*
-		 * delete a relative phase 2 handler.
-		 * continue to process if no relative phase 2 handler
-		 * exists.
-		 */
-		while ((iph2 = getph2bysaddr(src, dst)) != NULL) {
+		/* delete a relative phase 2 handle. */
+		if (iph2 != NULL) {
 			delete_spd(iph2);
 			unbindph12(iph2);
 			remph2(iph2);
 			delph2(iph2);
 		}
-		
+
 		plog(LLV_INFO, LOCATION, NULL,
 			 "purged IPsec-SA spi=%u.\n",
 			 ntohl(sa->sadb_sa_spi));
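Review bot: The comment `/* If the ph2handle is established, do not purge IPsec-SA */` does not match the condition beneath it, which also keeps handles in PHASE2ST_EXPIRED; either narrow the condition or reword it, e.g. `/* Keep IPsec-SAs whose ph2handle is established or already expired: they belong to the still-valid ISAKMP-SA. */`. The "Unknown IPsec-SA" log is only emitted when `new_iph1 != NULL`, so when there is no other phase 1 handle an SA without a ph2handle is deleted silently; the log could sit before the `if (new_iph1 != NULL)` check. `pfkey2ipsecdoi_proto()` presumably has an error return value; if so, `proto_id` should be checked before it is passed to `getph2bysaidx()`. The loop body starts outside the hunk.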
@@ -3133,7 +3207,6 @@
 	if (iph1->sce)
 		SCHED_KILL(iph1->sce);
 
-	iph1->status = PHASE1ST_EXPIRED;
 	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 }
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.h,v 1.1.1.2 2005/02/23 14:54:18 manu Exp $	*/
+/*	$NetBSD: isakmp.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp.h,v 1.10 2005/01/29 16:34:25 vanhu Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_agg.c,v 1.1.1.2.2.1 2005/04/12 09:29:41 tron Exp $	*/
+/*	$NetBSD: isakmp_agg.c,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: isakmp_agg.c,v 1.20 2005/01/29 16:34:25 vanhu Exp */
+/* Id: isakmp_agg.c,v 1.20.2.1 2005/04/09 22:32:06 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -302,16 +302,16 @@
 	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
 		vfree(vid_natt[i]);
 #endif
+#ifdef ENABLE_DPD
+	if (vid_dpd != NULL)
+		vfree(vid_dpd);
+#endif
 #ifdef ENABLE_HYBRID
 	if (vid_xauth != NULL)
 		vfree(vid_xauth);
 	if (vid_unity != NULL)
 		vfree(vid_unity);
 #endif
-#ifdef ENABLE_DPD
-	if (vid_dpd != NULL)
-		vfree(vid_dpd);
-#endif
 
 	return error;
 }
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_agg.h,v 1.1.1.2 2005/02/23 14:54:18 manu Exp $	*/
+/*	$NetBSD: isakmp_agg.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_agg.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_base.c,v 1.1.1.2 2005/02/23 14:54:18 manu Exp $	*/
+/*	$NetBSD: isakmp_base.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_base.h,v 1.1.1.2 2005/02/23 14:54:18 manu Exp $	*/
+/*	$NetBSD: isakmp_base.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_base.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.1.1.3.2.4 2005/05/11 17:42:18 tron Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.1.1.3.2.5 2005/09/03 07:03:49 snj Exp $	*/
 
-/* $Id: isakmp_cfg.c,v 1.1.1.3.2.4 2005/05/11 17:42:18 tron Exp $ */
+/* Id: isakmp_cfg.c,v 1.26.2.5 2005/05/10 09:45:46 manubsd Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.h,v 1.1.1.3.2.1 2005/05/11 17:42:02 tron Exp $	*/
+/*	$NetBSD: isakmp_cfg.h,v 1.1.1.3.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME$ */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.1.1.2 2005/02/23 14:54:19 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.h,v 1.1.1.2 2005/02/23 14:54:19 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	Id: isakmp_frag.h,v 1.2 2004/10/24 16:51:24 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.1.1.2 2005/02/23 14:54:19 manu Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.13 2005/01/29 16:34:25 vanhu Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.h,v 1.1.1.2 2005/02/23 14:54:19 manu Exp $	*/
+/*	$NetBSD: isakmp_ident.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_ident.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_inf.c,v 1.1.1.3.2.5 2005/07/12 19:08:47 tron Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.1.1.3.2.6 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: isakmp_inf.c,v 1.14.4.2 2005/03/02 20:00:03 vanhu Exp */
+/* Id: isakmp_inf.c,v 1.14.4.9 2005/08/02 15:09:26 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -92,6 +92,9 @@
 #include "proposal.h"
 #include "admin.h"
 #include "strnames.h"
+#ifdef ENABLE_NATT
+#include "nattraversal.h"
+#endif
 
 /* information exchange */
 static int isakmp_info_recv_n __P((struct ph1handle *, vchar_t *));
@@ -124,6 +127,9 @@
 	int error = -1;
 	struct isakmp *isakmp;
 	struct isakmp_gen *gen;
+	void *p;
+	vchar_t *hash, *payload;
+	struct isakmp_gen *nd;
 	u_int8_t np;
 	int encrypted;
 
@@ -149,27 +155,40 @@
 	} else
 		msg = vdup(msg0);
 
-	isakmp = (struct isakmp *)msg->v;
-	gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
-
-	if (isakmp->np != ISAKMP_NPTYPE_HASH) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		    "ignore information because the message has no hash payload.\n");
+	/* Safety check */
+	if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+			"ignore information because the "
+			"message is way too short\n");
 		goto end;
 	}
 
-	if (iph1->status != PHASE1ST_ESTABLISHED) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		    "ignore information because ISAKMP-SA has not been established yet.\n");
-		goto end;
-	}
-
+	isakmp = (struct isakmp *)msg->v;
+	gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
 	np = gen->np;
 
-	{
-		void *p;
-		vchar_t *hash, *payload;
-		struct isakmp_gen *nd;
+	if (encrypted) {
+		if (isakmp->np != ISAKMP_NPTYPE_HASH) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "ignore information because the "
+			    "message has no hash payload.\n");
+			goto end;
+		}
+
+		if (iph1->status != PHASE1ST_ESTABLISHED) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "ignore information because ISAKMP-SA "
+			    "has not been established yet.\n");
+			goto end;
+		}
+
+		/* Safety check */
+		if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+				"ignore information because the "
+				"message is too short\n");
+			goto end;
+		}
 
 		p = (caddr_t) gen + sizeof(struct isakmp_gen);
 		nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len));
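Review bot: The second safety check bounds `ntohs(gen->len)` from above but not from below, so a hash payload advertising a length smaller than `sizeof(*gen)` (including zero) still passes, leaving `nd` pointing at or inside `gen` itself; if the hash length is later derived as `ntohs(gen->len) - sizeof(*gen)` (outside the hunk), that subtraction wraps. Mirror the check this commit adds for `nd->len` in the next hunk: `if (ntohs(gen->len) < sizeof(*gen)) { plog(LLV_ERROR, LOCATION, NULL, "too short hash payload length (broken message?)\n"); goto end; }`, placed before `nd` is computed. This value comes straight off the wire, so it should be rejected before any pointer is formed from it. The function's start is outside the hunk.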
@@ -182,6 +201,12 @@
 			goto end;
 		}
 
+		if (ntohs(nd->len) < sizeof(*nd)) {
+			plog(LLV_ERROR, LOCATION, NULL,
+				"too short payload length (broken message?)\n");
+			goto end;
+		}
+
 		payload = vmalloc(ntohs(nd->len));
 		if (payload == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
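Review bot: The added check only enforces a lower bound on `ntohs(nd->len)`; nothing verifies that the payload actually fits inside the received message, and the earlier safety check only guaranteed `sizeof(*nd)` bytes at `nd`. If the following code copies `ntohs(nd->len)` bytes starting at `nd` into `payload` (the copy is outside the hunk), a peer-supplied length of up to 65535 reads past the end of `msg->v`. Add the upper bound next to the new check: `if (ntohs(nd->len) > msg->l - sizeof(*isakmp) - ntohs(gen->len)) { plog(LLV_ERROR, LOCATION, NULL, "too long payload length (broken message?)\n"); goto end; }` — the subtraction cannot wrap because the earlier check established `msg->l >= sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)`. The enclosing function starts outside the hunk.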
@@ -223,10 +248,8 @@
 
 		vfree(hash);
 		vfree(payload);
-	}
-		
-	/* make sure the packet were encrypted. */
-	if (!encrypted) {
+	} else {
+		/* make sure the packet were encrypted after the beginning of phase 1. */
 		switch (iph1->etype) {
 		case ISAKMP_ETYPE_AGG:
 		case ISAKMP_ETYPE_BASE:
@@ -893,7 +916,7 @@
 			"invalid spi_size in notification payload.\n");
 		return -1;
 	}
-	spi = val2str((u_char *)(n + 1), n->spi_size);
+	spi = val2str((char *)(n + 1), n->spi_size);
 
 	plog(LLV_DEBUG, LOCATION, iph1->remote,
 		"notification message %d:%s, "
@@ -1163,11 +1186,34 @@
 		 * racoon only deletes SA which is matched both the
 		 * source address and the destination accress.
 		 */
-		if (CMPSADDR(iph1->local, src) == 0 &&
-		    CMPSADDR(iph1->remote, dst) == 0)
+#ifdef ENABLE_NATT
+		/* 
+		 * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
+		 * from this peer !
+		 */
+		if(iph1->natt_flags & NAT_DETECTED){
+			if (CMPSADDR(iph1->local, src) == 0 &&
+				CMPSADDR(iph1->remote, dst) == 0)
+				;
+			else if (CMPSADDR(iph1->remote, src) == 0 &&
+					 CMPSADDR(iph1->local, dst) == 0)
+				;
+			else {
+				msg = next;
+				continue;
+			}
+		} else
+#endif
+		/* If there is no NAT-T, we don't have to check addr + port...
+		 * XXX what about a configuration with a remote peers which is not
+		 * NATed, but which NATs some other peers ?
+		 * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
+		 */
+		if (cmpsaddrwop(iph1->local, src) == 0 &&
+		    cmpsaddrwop(iph1->remote, dst) == 0)
 			;
-		else if (CMPSADDR(iph1->remote, src) == 0 &&
-		    CMPSADDR(iph1->local, dst) == 0)
+		else if (cmpsaddrwop(iph1->remote, src) == 0 &&
+		    cmpsaddrwop(iph1->local, dst) == 0)
 			;
 		else {
 			msg = next;
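Review bot: The `} else` closing the `#ifdef ENABLE_NATT` block has no braces, so its body is the `if (cmpsaddrwop(...) ...)` statement that follows the `#endif` and a multi-line comment; this compiles, but an `else` whose body lives across a preprocessor boundary and a comment is easy to break by inserting a statement in between, and it reads as an unrelated `if` to anyone not building with NAT-T. Either brace the `else` body explicitly, or hoist the two address comparisons into a small static helper that picks `CMPSADDR` or `cmpsaddrwop` from `iph1->natt_flags & NAT_DETECTED` and returns whether the SA belongs to this peer pair, leaving a single `if (!peer_matches) { msg = next; continue; }` here. The RFC 3947 remark is worth keeping but reads better as a plain statement than as an XXX. The enclosing loop starts outside the hunk.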
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.h,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: isakmp_inf.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_inf.h,v 1.4 2004/11/16 15:44:46 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_newg.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_newg.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_newg.c,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: isakmp_newg.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_newg.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_newg.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_newg.h,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: isakmp_newg.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_newg.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_quick.c,v 1.1.1.3.2.4 2005/06/10 09:23:22 tron Exp $	*/
+/*	$NetBSD: isakmp_quick.c,v 1.1.1.3.2.5 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: isakmp_quick.c,v 1.13.2.1 2005/03/02 20:00:03 vanhu Exp */
+/* Id: isakmp_quick.c,v 1.13.2.7 2005/07/20 08:02:05 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -986,6 +986,13 @@
 			isakmp_check_notify(pa->ptr, iph2->ph1);
 			break;
 
+#ifdef ENABLE_NATT
+		case ISAKMP_NPTYPE_NATOA_DRAFT:
+		case ISAKMP_NPTYPE_NATOA_RFC:
+			/* Ignore original source/destination messages */
+			break;
+#endif
+
 		default:
 			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
 				"ignore the packet, "
@@ -1585,18 +1592,6 @@
 	return error;
 }
 
-int
-tunnel_mode_prop(p)
-	struct saprop *p;
-{
-	struct saproto *pr;
-
-	for (pr = p->head; pr; pr = pr->next)
-		if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
-			return 1;
-	return 0;
-}
-
 /*
  * set SA to kernel.
  */
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_quick.h,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: isakmp_quick.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /* Id: isakmp_quick.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_unity.c,v 1.1.1.2.2.1 2005/05/11 17:42:02 tron Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* $Id: isakmp_unity.c,v 1.1.1.2.2.1 2005/05/11 17:42:02 tron Exp $ */
+/* Id: isakmp_unity.c,v 1.5.4.1 2005/05/10 09:45:46 manubsd Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.h,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: isakmp_unity.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME$ */
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: isakmp_var.h,v 1.1.1.2.2.1 2005/05/12 12:04:12 tron Exp $	*/
+/*	$NetBSD: isakmp_var.h,v 1.1.1.2.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: isakmp_var.h,v 1.9 2004/12/29 23:11:11 manubsd Exp */
+/* Id: isakmp_var.h,v 1.9.2.1 2005/05/07 17:26:06 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,9 +1,9 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.1.1.4.2.1 2005/05/28 12:57:24 tron Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.1.1.4.2.2 2005/09/03 07:03:49 snj Exp $	*/
 
-/* Id: isakmp_xauth.c,v 1.17.2.3 2005/03/16 00:13:38 manubsd Exp */
+/* Id: isakmp_xauth.c,v 1.17.2.5 2005/05/20 07:31:09 manubsd Exp */
 
 /*
- * Copyright (C) 2004 Emmanuel Dreyfus
+ * Copyright (C) 2004-2005 Emmanuel Dreyfus
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -45,6 +45,9 @@
 #include <string.h>
 #include <errno.h>
 #include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
@@ -689,18 +692,31 @@
 {
 	struct passwd *pw;
 	char *cryptpwd;
+	char *syscryptpwd;
+#ifdef HAVE_SHADOW_H
+	struct spwd *spw;
+
+	if ((spw = getspnam(usr)) == NULL)
+		return -1;
+
+	syscryptpwd = spw->sp_pwdp;
+#endif
 
 	if ((pw = getpwnam(usr)) == NULL)
 		return -1;
 
+#ifndef HAVE_SHADOW_H
+	syscryptpwd = pw->pw_passwd;
+#endif
+
 	/* No root login. Ever. */
 	if (pw->pw_uid == 0)
 		return -1;
 
-	if ((cryptpwd = crypt(pwd, pw->pw_passwd)) == NULL)
+	if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
 		return -1;
 
-	if (strcmp(cryptpwd, pw->pw_passwd) == 0)
+	if (strcmp(cryptpwd, syscryptpwd) == 0)
 		return 0;
 
 	return -1;
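Review bot: With HAVE_SHADOW_H the comparison uses `spw->sp_pwdp` but ignores the rest of the shadow record, so an account locked by expiry (`sp_expire`) or by password ageing (`sp_lstchg` plus `sp_max`/`sp_inact`) still authenticates whenever the hash matches, where the system login path would refuse it. At minimum reject an empty hash field, `if (syscryptpwd == NULL || *syscryptpwd == '\0') return -1;`, since `crypt(pwd, "")` behaviour is platform-dependent and an empty field can compare equal. `getspnam()` also needs privilege to read the shadow file, so if racoon has dropped privileges by the time this runs every system-password XAuth login fails with -1 and no logged cause — confirm against the daemon's privilege model. `strcmp` on the hashes is not a constant-time comparison; a constant-time compare is preferable where one is available. The function's signature is outside the hunk.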
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.h,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: isakmp_xauth.h,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME$ */
 
--- a/crypto/dist/ipsec-tools/src/racoon/kmpstat.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/kmpstat.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: kmpstat.c,v 1.1.1.2 2005/02/23 14:54:21 manu Exp $	*/
+/*	$NetBSD: kmpstat.c,v 1.1.1.2.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: kmpstat.c,v 1.33 2004/08/16 08:20:28 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/localconf.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/localconf.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: localconf.c,v 1.1.1.3 2005/02/24 20:53:34 manu Exp $	*/
+/*	$NetBSD: localconf.c,v 1.1.1.3.2.1 2005/09/03 07:03:49 snj Exp $	*/
 
 /*	$KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/localconf.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/localconf.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: localconf.h,v 1.1.1.4 2005/03/16 23:52:56 manu Exp $	*/
+/*	$NetBSD: localconf.h,v 1.1.1.4.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: localconf.h,v 1.9.2.2 2005/03/16 23:18:43 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/logger.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/logger.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: logger.c,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: logger.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/logger.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/logger.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: logger.h,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: logger.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: logger.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/main.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/main.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.3 2005/02/23 15:17:51 manu Exp $	*/
+/*	$NetBSD: main.c,v 1.3.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: main.c,v 1.14.2.2 2005/02/23 12:18:40 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/misc.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/misc.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: misc.c,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: misc.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/misc.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/misc.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: misc.h,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: misc.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: misc.h,v 1.6 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rijndael-alg-fst.c,v 1.1.1.2 2005/02/23 14:54:37 manu Exp $	*/
+/*	$NetBSD: rijndael-alg-fst.c,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: rijndael-alg-fst.c,v 1.1.1.1 2001/08/08 09:56:23 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rijndael-alg-fst.h,v 1.1.1.2 2005/02/23 14:54:37 manu Exp $	*/
+/*	$NetBSD: rijndael-alg-fst.h,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: rijndael-alg-fst.h,v 1.1.1.1 2001/08/08 09:56:23 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rijndael-api-fst.c,v 1.1.1.2 2005/02/23 14:54:37 manu Exp $	*/
+/*	$NetBSD: rijndael-api-fst.c,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: rijndael-api-fst.c,v 1.8 2002/11/18 23:32:54 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rijndael-api-fst.h,v 1.1.1.2 2005/02/23 14:54:37 manu Exp $	*/
+/*	$NetBSD: rijndael-api-fst.h,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: rijndael-api-fst.h,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rijndael.h,v 1.1.1.2 2005/02/23 14:54:37 manu Exp $	*/
+/*	$NetBSD: rijndael.h,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: rijndael.h,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael_local.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/rijndael/rijndael_local.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rijndael_local.h,v 1.1.1.2 2005/02/23 14:54:37 manu Exp $	*/
+/*	$NetBSD: rijndael_local.h,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: rijndael_local.h,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sha2.c,v 1.1.1.2 2005/02/23 14:54:38 manu Exp $	*/
+/*	$NetBSD: sha2.c,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /* Id: sha2.c,v 1.6 2004/09/21 14:35:25 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sha2.h,v 1.1.1.2 2005/02/23 14:54:38 manu Exp $	*/
+/*	$NetBSD: sha2.h,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: sha2.h,v 1.2 2001/08/08 22:09:27 sakane Exp $	*/
 
@@ -67,6 +67,8 @@
 typedef unsigned int u_int32_t;		/* 4-bytes (32-bits) */
 typedef unsigned long long u_int64_t;	/* 8-bytes (64-bits) */
 #endif
+
+#ifndef HAVE_SHA2_IN_SHA_H
 /*
  * Most BSD systems already define u_intXX_t types, as does Linux.
  * Some systems, however, like Compaq's Tru64 Unix instead can use
@@ -110,27 +112,34 @@
 } SHA512_CTX;
 
 #endif /* SHA2_USE_INTTYPES_H */
+#endif /* HAVE_SHA2_IN_SHA_H */
 
 typedef SHA512_CTX SHA384_CTX;
 
 
 /*** SHA-256/384/512 Function Prototypes ******************************/
 
+#ifndef HAVE_SHA2_IN_SHA_H
 void SHA256_Init __P((SHA256_CTX *));
 void SHA256_Update __P((SHA256_CTX*, const u_int8_t*, size_t));
 void SHA256_Final __P((u_int8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*));
+#endif /* HAVE_SHA2_IN_SHA_H */
 char* SHA256_End __P((SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]));
 char* SHA256_Data __P((const u_int8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]));
 
+#ifndef HAVE_SHA2_IN_SHA_H
 void SHA384_Init __P((SHA384_CTX*));
 void SHA384_Update __P((SHA384_CTX*, const u_int8_t*, size_t));
 void SHA384_Final __P((u_int8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*));
+#endif /* HAVE_SHA2_IN_SHA_H */
 char* SHA384_End __P((SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]));
 char* SHA384_Data __P((const u_int8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH]));
 
+#ifndef HAVE_SHA2_IN_SHA_H
 void SHA512_Init __P((SHA512_CTX*));
 void SHA512_Update __P((SHA512_CTX*, const u_int8_t*, size_t));
 void SHA512_Final __P((u_int8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*));
+#endif /* HAVE_SHA2_IN_SHA_H */
 char* SHA512_End __P((SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]));
 char* SHA512_Data __P((const u_int8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]));
 
@@ -138,6 +147,12 @@
 struct env_md_st *EVP_sha2_384 __P((void));
 struct env_md_st *EVP_sha2_512 __P((void));
 
+#ifdef HAVE_SHA2_IN_SHA_H
+#define EVP_sha2_256 EVP_sha256
+#define EVP_sha2_384 EVP_sha384
+#define EVP_sha2_512 EVP_sha512
+#endif
+
 #ifdef	__cplusplus
 }
 #endif /* __cplusplus */
--- a/crypto/dist/ipsec-tools/src/racoon/missing/strdup.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/missing/strdup.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: strdup.c,v 1.1.1.2 2005/02/23 14:54:36 manu Exp $	*/
+/*	$NetBSD: strdup.c,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: strdup.c,v 1.2 2000/10/04 17:41:07 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.c,v 1.1.1.2.2.1 2005/05/01 11:00:32 tron Exp $	*/
+/*	$NetBSD: nattraversal.c,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
--- a/crypto/dist/ipsec-tools/src/racoon/nattraversal.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/nattraversal.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.h,v 1.1.1.2.2.1 2005/05/01 11:00:32 tron Exp $	*/
+/*	$NetBSD: nattraversal.h,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
--- a/crypto/dist/ipsec-tools/src/racoon/netdb_dnssec.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/netdb_dnssec.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: netdb_dnssec.h,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: netdb_dnssec.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: netdb_dnssec.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: oakley.c,v 1.1.1.3.2.2 2005/07/18 14:03:52 tron Exp $	*/
-
-/* Id: oakley.c,v 1.17.2.1 2005/03/01 09:51:48 vanhu Exp */
+/*	$NetBSD: oakley.c,v 1.1.1.3.2.3 2005/09/03 07:03:50 snj Exp $	*/
+
+/* Id: oakley.c,v 1.17.2.4 2005/07/12 11:50:15 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -38,8 +38,8 @@
 #include <sys/socket.h>	/* XXX for subjectaltname */
 #include <netinet/in.h>	/* XXX for subjectaltname */
 
+#include <openssl/x509.h>
 #include <openssl/pkcs7.h>
-#include <openssl/x509.h>
 
 #include <stdlib.h>
 #include <stdio.h>
@@ -1974,6 +1974,8 @@
 {
 	cert_t **c;
 	u_int8_t type;
+	STACK_OF(X509) *certs=NULL;
+	PKCS7 *p7;
 
 	type = *(u_int8_t *)(gen + 1) & 0xff;
 
@@ -2013,143 +2015,144 @@
 		return 0;
 	}
 
-        if (type == ISAKMP_CERT_PKCS7) {
-                 PKCS7 *p7;
-                 u_char *bp;
-                 int i;
-		 STACK_OF(X509) *certs=NULL;
-
-                 /* Skip the header */
-                 bp = (u_char *)(gen + 1);
-                 /* And the first byte is the certificate type, 
-		    we know that already
+	if (type == ISAKMP_CERT_PKCS7) {
+		u_char *bp;
+		int i;
+
+		/* Skip the header */
+		bp = (u_char *)(gen + 1);
+		/* And the first byte is the certificate type, 
+		 * we know that already
+		 */
+		bp++;
+		p7 = d2i_PKCS7(NULL, (void *)&bp, 
+		    ntohs(gen->len) - sizeof(*gen) - 1);
+
+		if (!p7) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "Failed to parse PKCS#7 CERT.\n");
+			return -1;
+		}
+
+		/* Copied this from the openssl pkcs7 application;
+		 * there"s little by way of documentation for any of
+		 * it. I can only presume it"s correct.
 		 */
-                 bp++;
-                 p7 = d2i_PKCS7(NULL, &bp, ntohs(gen->len) - sizeof(*gen) - 1);
-		 
-                 if (!p7) {
-		   plog(LLV_ERROR, LOCATION, NULL,
-			"Failed to parse PKCS#7 CERT.\n");
-		   return -1;
-                 }
-
-                 /* Copied this from the openssl pkcs7 application;
-                  * there"s little by way of documentation for any of
-                  * it. I can only presume it"s correct.
-                  */
-		 
-		 i = OBJ_obj2nid(p7->type);
-		 switch (i) {
-		 case NID_pkcs7_signed:
-		   certs=p7->d.sign->cert;
-		   break;
-                 case NID_pkcs7_signedAndEnveloped:
-		   certs=p7->d.signed_and_enveloped->cert;
-		   break;
-                 default:
-                         break;
-                 }
-
-                 if (!certs) {
-                         plog(LLV_ERROR, LOCATION, NULL,
-                              "CERT PKCS#7 bundle contains no certs.\n");
-                         PKCS7_free(p7);
-                         return -1;
-                 }
-
-                 for (i = 0; i < sk_X509_num(certs); i++) {
-                         int len;
-                         u_char *bp;
-                         X509 *cert = sk_X509_value(certs,i);
-
-                         plog(LLV_DEBUG, LOCATION, NULL, 
-			      "Trying PKCS#7 cert %d.\n", i);
-
-                         /* We"ll just try each cert in turn */
-                         *c = save_certx509(cert);
-
-                         if (!*c) {
-                                 plog(LLV_ERROR, LOCATION, NULL,
-                                      "Failed to get CERT buffer.\n");
-                                 continue;
-                         }
-
-                         /* Ignore cert if it doesn't match identity
-                          * XXX If verify cert is disabled, we still just take
-                          * the first certificate....
-                          */
-                         if(iph1->rmconf->verify_cert &&
-                            oakley_check_certid(iph1)){
-                                 plog(LLV_DEBUG, LOCATION, NULL,
-                                      "Discarding CERT: does not match ID.\n");
-                                 oakley_delcert((*c));
-                                 *c = NULL;
-                                 continue;
-                         }
-                         plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
-                         plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
-                         {
-                                 char *p = eay_get_x509text(&(*c)->cert);
-                                 plog(LLV_DEBUG, LOCATION, NULL, "%s", 
-				      p ? p : "\n");
-                                 racoon_free(p);
-                         }
-                         break;
-                 }
-
-                 PKCS7_free(p7);
-         } else {
-	   *c = save_certbuf(gen);
-	   if (!*c) {
-	     plog(LLV_ERROR, LOCATION, NULL,
-		  "Failed to get CERT buffer.\n");
-	     return -1;
-	   }
-	   
-	   switch ((*c)->type) {
-	   case ISAKMP_CERT_DNS:
-	     plog(LLV_WARNING, LOCATION, NULL,
-		  "CERT payload is unnecessary in DNSSEC. "
-		  "ignore it.\n");
-	     return 0;
-	   case ISAKMP_CERT_PGP:
-	   case ISAKMP_CERT_X509SIGN:
-	   case ISAKMP_CERT_KERBEROS:
-	   case ISAKMP_CERT_SPKI:
-	     /* Ignore cert if it doesn't match identity
-	      * XXX If verify cert is disabled, we still just take
-	      * the first certificate....
-	      */
-	     if(iph1->rmconf->verify_cert &&
-		oakley_check_certid(iph1)){
-	       plog(LLV_DEBUG, LOCATION, NULL,
-		    "Discarding CERT: does not match ID.\n");
-	       oakley_delcert((*c));
-	       *c = NULL;
-	       return 0;
-	     }
-	     plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
-	     plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
-	     {
-	       char *p = eay_get_x509text(&(*c)->cert);
-	       plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
-	       racoon_free(p);
-	     }
-	     break;
-	   case ISAKMP_CERT_CRL:
-	     plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
-	     plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
-	     break;
-	   case ISAKMP_CERT_X509KE:
-	   case ISAKMP_CERT_X509ATTR:
-	   case ISAKMP_CERT_ARL:
-	   default:
-	     /* XXX */
-	     oakley_delcert((*c));
-	     *c = NULL;
-	     return 0;
-	   }
-	 }
+		
+		i = OBJ_obj2nid(p7->type);
+		switch (i) {
+		case NID_pkcs7_signed:
+			certs=p7->d.sign->cert;
+			break;
+		case NID_pkcs7_signedAndEnveloped:
+			certs=p7->d.signed_and_enveloped->cert;
+			break;
+		default:
+			 break;
+		}
+
+		if (!certs) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "CERT PKCS#7 bundle contains no certs.\n");
+			PKCS7_free(p7);
+			return -1;
+		}
+
+		for (i = 0; i < sk_X509_num(certs); i++) {
+			int len;
+			u_char *bp;
+			X509 *cert = sk_X509_value(certs,i);
+
+			plog(LLV_DEBUG, LOCATION, NULL, 
+			     "Trying PKCS#7 cert %d.\n", i);
+
+			/* We'll just try each cert in turn */
+			*c = save_certx509(cert);
+
+			if (!*c) {
+				plog(LLV_ERROR, LOCATION, NULL,
+				     "Failed to get CERT buffer.\n");
+				continue;
+			}
+
+			/* Ignore cert if it doesn't match identity
+			 * XXX If verify cert is disabled, we still just take
+			 * the first certificate....
+			 */
+			if(iph1->rmconf->verify_cert &&
+			   oakley_check_certid(iph1)) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+				     "Discarding CERT: does not match ID.\n");
+				oakley_delcert((*c));
+				*c = NULL;
+				continue;
+			}
+
+			{
+				char *p = eay_get_x509text(&(*c)->cert);
+				plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
+				plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+				plog(LLV_DEBUG, LOCATION, NULL, "%s", 
+				     p ? p : "\n");
+				racoon_free(p);
+			}
+			break;
+		}
+		PKCS7_free(p7);
+
+	} else {
+		*c = save_certbuf(gen);
+		if (!*c) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "Failed to get CERT buffer.\n");
+			return -1;
+		}
+
+		switch ((*c)->type) {
+		case ISAKMP_CERT_DNS:
+			plog(LLV_WARNING, LOCATION, NULL,
+			     "CERT payload is unnecessary in DNSSEC. "
+			     "ignore it.\n");
+			return 0;
+		case ISAKMP_CERT_PGP:
+		case ISAKMP_CERT_X509SIGN:
+		case ISAKMP_CERT_KERBEROS:
+		case ISAKMP_CERT_SPKI:
+			/* Ignore cert if it doesn't match identity
+			 * XXX If verify cert is disabled, we still just take
+			 * the first certificate....
+			 */
+			if(iph1->rmconf->verify_cert &&
+			   oakley_check_certid(iph1)){
+				plog(LLV_DEBUG, LOCATION, NULL,
+				     "Discarding CERT: does not match ID.\n");
+				oakley_delcert((*c));
+				*c = NULL;
+				return 0;
+			}
+
+			{
+				char *p = eay_get_x509text(&(*c)->cert);
+				plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
+				plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+				plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
+				racoon_free(p);
+			}
+			break;
+		case ISAKMP_CERT_CRL:
+			plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
+			plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+			break;
+		case ISAKMP_CERT_X509KE:
+		case ISAKMP_CERT_X509ATTR:
+		case ISAKMP_CERT_ARL:
+		default:
+			/* XXX */
+			oakley_delcert((*c));
+			*c = NULL;
+			return 0;
+		}
+	}
 	
 	return 0;
 }
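Review bot: The length passed to `d2i_PKCS7`, `ntohs(gen->len) - sizeof(*gen) - 1`, is evaluated as size_t and wraps to a huge value when a peer sends a CERT payload shorter than the generic header plus the type byte, so the DER parser would run past the payload unless `gen->len` was already validated earlier in the function (the part before this hunk). A guard just before `bp++`, `if (ntohs(gen->len) <= sizeof(*gen) + 1) { plog(LLV_ERROR, LOCATION, NULL, "CERT PKCS#7 payload too short.\n"); return -1; }`, makes this path safe on its own. Separately, the `int len;` and `u_char *bp;` declared inside the for loop are never used, and the second shadows the `bp` declared at the top of the branch; both should be dropped. The comment `XXX If verify cert is disabled, we still just take the first certificate` still holds for the new code, so a bundle whose certificates are never matched against the peer ID is accepted as-is when `verify_cert` is off; if that is intended it deserves a louder warning in the comment. The function starts before this hunk.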
--- a/crypto/dist/ipsec-tools/src/racoon/oakley.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/oakley.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.h,v 1.1.1.2 2005/02/23 14:54:23 manu Exp $	*/
+/*	$NetBSD: oakley.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: oakley.h,v 1.9 2004/10/24 17:37:00 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.1.1.2.2.5 2005/07/12 17:39:36 tron Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.1.1.2.2.6 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: pfkey.c,v 1.31.2.1 2005/02/18 10:01:40 vanhu Exp */
+/* Id: pfkey.c,v 1.31.2.9 2005/07/28 05:05:52 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -447,6 +447,24 @@
 		return SADB_AALG_MD5HMAC;
 	case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
 		return SADB_AALG_SHA1HMAC;
+	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
+#if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
+		return SADB_X_AALG_SHA2_256;
+#else
+		return SADB_X_AALG_SHA2_256HMAC;
+#endif
+	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
+#if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
+		return SADB_X_AALG_SHA2_384;
+#else
+		return SADB_X_AALG_SHA2_384HMAC;
+#endif
+	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
+#if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
+		return SADB_X_AALG_SHA2_512;
+#else
+		return SADB_X_AALG_SHA2_512HMAC;
+#endif
 	case IPSECDOI_ATTR_AUTH_KPDK:		/* need special care */
 		return SADB_AALG_NONE;
 
@@ -840,8 +858,8 @@
 		/* this works around a bug in Linux kernel where it allocates 4 byte
 		   spi's for IPCOMP */
 		else if (satype == SADB_X_SATYPE_IPCOMP) {
-			minspi = ntohl (0x100);
-			maxspi = ntohl (0xffff);
+			minspi = 0x100;
+			maxspi = 0xffff;
 		}
 		else {
 			minspi = 0;
@@ -983,7 +1001,7 @@
 {
 	struct saproto *pr;
 	struct sockaddr *src = NULL, *dst = NULL;
-	int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
 	u_int satype, mode;
 	u_int64_t lifebyte = 0;
 	u_int wsize = 4;  /* XXX static size of window */ 
@@ -1275,7 +1293,7 @@
 {
 	struct saproto *pr;
 	struct sockaddr *src = NULL, *dst = NULL;
-	int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
 	u_int satype, mode;
 	u_int64_t lifebyte = 0;
 	u_int wsize = 4; /* XXX static size of window */ 
@@ -2131,7 +2149,7 @@
 	sp = getsp(&spidx);
 	if (sp == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"such policy does not already exist: %s\n",
+			"such policy does not already exist: \"%s\"\n",
 			spidx2str(&spidx));
 	} else {
 		remsp(sp);
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.h,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: pfkey.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: pfkey.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: plainrsa-gen.8,v 1.1.1.2.2.1 2005/07/01 12:24:40 tron Exp $
+.\"	$NetBSD: plainrsa-gen.8,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $
 .\"
-.\" Id: plainrsa-gen.8,v 1.2 2004/07/12 20:43:50 ludvigm Exp
+.\" Id: plainrsa-gen.8,v 1.2.10.1 2005/04/18 11:10:55 manubsd Exp
 .\"
 .\" Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
 .\" Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
--- a/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: plainrsa-gen.c,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: plainrsa-gen.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: plainrsa-gen.c,v 1.4.8.1 2005/02/18 10:23:10 manubsd Exp */
+/* Id: plainrsa-gen.c,v 1.4.8.2 2005/04/21 09:07:20 monas Exp */
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
  * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
@@ -91,8 +91,8 @@
 	binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
 	binbuf = malloc(binlen);
 	memset(binbuf, 0, binlen);
-	binbuf[0] = BN_bn2bin(key->e, &binbuf[1]);
-	ret = BN_bn2bin(key->n, &binbuf[binbuf[0] + 1]);
+	binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
+	ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
 	if (1 + binbuf[0] + ret != binlen) {
 		plog(LLV_ERROR, LOCATION, NULL,
 		     "Pubkey generation failed. This is really strange...\n");
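Review bot: The second `BN_bn2bin` writes at `&binbuf[binbuf[0] + 1]`, where `binbuf[0]` is a single char holding the exponent length; the casts added here suggest `binbuf` is a plain `char *`, so on a platform with signed char an exponent longer than 127 bytes makes that index negative (and one longer than 255 bytes truncates the stored length) before the `1 + binbuf[0] + ret != binlen` check runs, i.e. the sanity check only detects the problem after an out-of-bounds write. Reject oversize exponents up front, e.g. `if (BN_num_bytes(key->e) > 255) { plog(LLV_ERROR, LOCATION, NULL, "Public exponent too long for pubkey format.\n"); return failure; }`, with whatever failure value this function uses, and test the `malloc` result on the line above, which is currently dereferenced by `memset` without a NULL check. The enclosing function starts before this hunk.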
--- a/crypto/dist/ipsec-tools/src/racoon/plog.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/plog.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: plog.c,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: plog.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: plog.c,v 1.6 2004/07/12 20:15:08 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/plog.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/plog.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: plog.h,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: plog.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: plog.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/policy.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/policy.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy.c,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: policy.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/policy.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/policy.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy.h,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: policy.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/privsep.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/privsep.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: privsep.c,v 1.1.1.4.2.1 2005/06/10 09:25:32 tron Exp $	*/
+/*	$NetBSD: privsep.c,v 1.1.1.4.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: privsep.c,v 1.6.2.4 2005/03/16 23:18:43 manubsd Exp */
+/* Id: privsep.c,v 1.6.2.7 2005/08/08 11:25:01 vanhu Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
@@ -69,7 +69,9 @@
 static int privsep_recv(int, struct privsep_com_msg **, size_t *);
 static int privsep_send(int, struct privsep_com_msg *, size_t);
 static int safety_check(struct privsep_com_msg *, int i);
+#ifdef HAVE_LIBPAM
 static int port_check(int);
+#endif
 static int unsafe_env(char *const *);
 static int unknown_name(int);
 static int unknown_script(int);
@@ -905,19 +907,21 @@
 }
 #endif /* ENABLE_HYBRID */
 
+#ifdef HAVE_LIBPAM
 static int
 port_check(port)
 	int port;
 {
 	if ((port < 0) || (port >= isakmp_cfg_config.pool_size)) {
 		plog(LLV_ERROR, LOCATION, NULL, 
-		    "privsep: port %d outsied of allowed range [0,%d]\n",
+		    "privsep: port %d outside of allowed range [0,%zu]\n",
 		    port, isakmp_cfg_config.pool_size - 1);
 		return -1;
 	}
 
 	return 0;
 }
+#endif
 
 static int 
 safety_check(msg, index)
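Review bot: In `port_check`, `isakmp_cfg_config.pool_size - 1` is printed with `%zu`, which presumes `pool_size` is `size_t` (its declaration is not visible here) and, when the pool is empty, wraps so the log claims an enormous allowed range while rejecting every port; printing the pool size as an exclusive bound, `"privsep: port %d outside of allowed range [0,%zu)\n", port, isakmp_cfg_config.pool_size`, avoids the wrap. The function is now compiled only under `HAVE_LIBPAM`, which matches the prototype change in the hunk above; `safety_check`, whose signature begins on the last line here, continues outside the hunk.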
--- a/crypto/dist/ipsec-tools/src/racoon/privsep.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/privsep.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.h,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $	*/
+/*	$NetBSD: privsep.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: privsep.h,v 1.3 2005/02/10 02:02:56 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: proposal.c,v 1.1.1.2.2.1 2005/05/11 17:33:49 tron Exp $	*/
+/*	$NetBSD: proposal.c,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: proposal.c,v 1.13 2004/09/13 14:09:19 ludvigm Exp */
+/* Id: proposal.c,v 1.13.8.5 2005/07/28 05:05:52 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -372,8 +372,8 @@
 			if (pr1->spisize == sizeof(u_int16_t) &&
 			    pr2->spisize == sizeof(u_int32_t)) {
 				spisizematch = 1;
-			} else if (pr1->spisize == sizeof(u_int16_t) &&
-				 pr2->spisize == sizeof(u_int32_t)) {
+			} else if (pr2->spisize == sizeof(u_int16_t) &&
+				 pr1->spisize == sizeof(u_int32_t)) {
 				spisizematch = 1;
 			}
 			if (spisizematch) {
@@ -1027,12 +1027,15 @@
 		}
 
 		newpr->proto_id = ipproto2doi(req->saidx.proto);
-		newpr->spisize = 4;
+		if (newpr->proto_id == IPSECDOI_PROTO_IPCOMP)
+			newpr->spisize = 2;
+		else
+			newpr->spisize = 4;
 		if (lcconf->complex_bundle) {
 			newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
 #ifdef ENABLE_NATT
 			if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
-				encmodesv += iph2->ph1->natt_options->mode_udp_diff;
+				newpr->encmode += iph2->ph1->natt_options->mode_udp_diff;
 #endif
 		}
 		else
@@ -1174,3 +1177,15 @@
 	free_proppair(pair);
 	return error;
 }
+
+int
+tunnel_mode_prop(p)
+	struct saprop *p;
+{
+	struct saproto *pr;
+
+	for (pr = p->head; pr; pr = pr->next)
+		if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
+			return 1;
+	return 0;
+}
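Review bot: `tunnel_mode_prop` only recognises `IPSECDOI_ATTR_ENC_MODE_TUNNEL`, yet the hunk above shows `encmode` being shifted by `natt_options->mode_udp_diff` once NAT is detected, so a tunnel-mode proposal negotiated through NAT-T would presumably make this function return 0; if callers use it to choose tunnel-versus-transport handling, the UDP-encapsulated tunnel variants (whatever constants `mode_udp_diff` maps onto, not visible here) should be matched as well. Whether `p` may be NULL is also not stated; a header comment would fix the contract, e.g. `/* Return 1 if any protocol in proposal p negotiates tunnel-mode encapsulation, 0 otherwise; p must be non-NULL. */`.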
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: proposal.h,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $	*/
+/*	$NetBSD: proposal.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
+/* Id: proposal.h,v 1.5.10.1 2005/05/12 19:34:10 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -208,5 +208,6 @@
 extern int set_proposal_from_policy __P((struct ph2handle *,
 	struct secpolicy *, struct secpolicy *));
 extern int set_proposal_from_proposal __P((struct ph2handle *));
+extern int tunnel_mode_prop __P((struct saprop *p));
 
 #endif /* _PROPOSAL_H */
--- a/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/prsa_tok.l	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/prsa_tok.l	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_tok.l,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $	*/
+/*	$NetBSD: prsa_tok.l,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: prsa_tok.l,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.8	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.8	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: racoon.8,v 1.1.1.2.2.1 2005/07/01 12:24:40 tron Exp $
+.\"	$NetBSD: racoon.8,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $
 .\"
-.\" Id: racoon.8,v 1.3 2004/07/12 20:35:58 ludvigm Exp
+.\" Id: racoon.8,v 1.3.10.1 2005/04/18 11:10:55 manubsd Exp
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: racoon.conf.5,v 1.1.1.4.2.4 2005/07/18 21:02:48 riz Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.1.1.4.2.5 2005/09/03 07:03:50 snj Exp $
 .\"
-.\" $Id: racoon.conf.5,v 1.1.1.4.2.4 2005/07/18 21:02:48 riz Exp $
+.\" Id: racoon.conf.5,v 1.27.2.8 2005/07/07 14:55:58 manubsd Exp
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -736,7 +736,7 @@
 This directive must be defined.
 .Ar algorithm
 is one of following:
-.Ic md5, sha1
+.Ic md5, sha1, sha256, sha384, sha512
 for Oakley.
 .\"
 .It Ic authentication_method Ar type ;
@@ -882,7 +882,7 @@
 .\"
 .It Ic authentication_algorithm Ar algorithms ;
 .Ic des , 3des , des_iv64 , des_iv32 ,
-.Ic hmac_md5 , hmac_sha1 , non_auth
+.Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
 .Pq used with ESP authentication and AH
 .\"
 .It Ic compression_algorithm Ar algorithms ;
--- a/crypto/dist/ipsec-tools/src/racoon/racoonctl.8	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoonctl.8	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: racoonctl.8,v 1.1.1.3.2.1 2005/07/01 12:24:40 tron Exp $
+.\"	$NetBSD: racoonctl.8,v 1.1.1.3.2.2 2005/09/03 07:03:50 snj Exp $
 .\"
-.\" Id: racoonctl.8,v 1.2.4.1 2005/02/24 18:04:42 manubsd Exp
+.\" Id: racoonctl.8,v 1.2.4.2 2005/04/18 11:10:55 manubsd Exp
 .\"
 .\" Copyright (C) 2004 Emmanuel Dreyfus
 .\" All rights reserved.
--- a/crypto/dist/ipsec-tools/src/racoon/racoonctl.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoonctl.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: racoonctl.c,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: racoonctl.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
-/*	Id: racoonctl.c,v 1.2 2004/12/30 11:08:32 manubsd Exp */
+/*	Id: racoonctl.c,v 1.2.2.1 2005/04/21 09:07:20 monas Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -82,7 +82,7 @@
 #include "ipsec_doi.h"
 #include "evt.h"
 
-static char *adminsock_path = ADMINSOCK_PATH;
+char *adminsock_path = ADMINSOCK_PATH;
 
 static void usage __P((void));
 static vchar_t *get_combuf __P((int, char **));
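Review bot: Dropping `static` from `adminsock_path` turns it into an exported, mutable global without a matching declaration; if another translation unit needs it, add `extern char *adminsock_path;` to racoonctl.h (the header hunk below only bumps the RCS id), otherwise keep it `static` so it stays out of the global namespace. Since it is initialised from the `ADMINSOCK_PATH` literal, `const char *` is the safer type if the variable is only ever re-pointed and never written through.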
--- a/crypto/dist/ipsec-tools/src/racoon/racoonctl.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoonctl.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: racoonctl.h,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: racoonctl.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: racoonctl.h,v 1.2 2004/12/30 11:08:32 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: remoteconf.c,v 1.1.1.3.2.2 2005/05/28 13:04:22 tron Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.1.1.3.2.3 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: remoteconf.c,v 1.26.2.2 2005/03/16 23:18:43 manubsd Exp */
+/* Id: remoteconf.c,v 1.26.2.4 2005/05/20 00:37:41 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: remoteconf.h,v 1.1.1.2.2.1 2005/05/28 13:04:16 tron Exp $	*/
+/*	$NetBSD: remoteconf.h,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: remoteconf.h,v 1.19 2005/01/07 14:22:32 manubsd Exp */
+/* Id: remoteconf.h,v 1.19.2.1 2005/05/20 00:37:42 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
--- a/crypto/dist/ipsec-tools/src/racoon/rsalist.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/rsalist.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rsalist.c,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: rsalist.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: rsalist.c,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/rsalist.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/rsalist.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rsalist.h,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: rsalist.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: rsalist.h,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
 /*
--- a/crypto/dist/ipsec-tools/src/racoon/safefile.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/safefile.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: safefile.c,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: safefile.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: safefile.c,v 1.5 2001/03/05 19:54:06 thorpej Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/safefile.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/safefile.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: safefile.h,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: safefile.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: safefile.h,v 1.4 2004/07/12 18:32:12 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/sainfo.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sainfo.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.c,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: sainfo.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: sainfo.c,v 1.16 2003/06/27 07:32:39 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/sainfo.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sainfo.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.h,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: sainfo.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: sainfo.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.in	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.in	Sat Sep 03 07:03:49 2005 +0000
@@ -1,11 +1,13 @@
 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
 
-# "path" must be placed before it should be used.
-# You can overwrite which you defined, but it should not use due to confusing.
+# "path" affects "include" directives.  "path" must be specified before any
+# "include" directive with relative file path.
+# you can overwrite "path" directive afterwards, however, doing so may add
+# more confusion.
 path include "@sysconfdir_x@/racoon";
 #include "remote.conf";
 
-# search this file for pre_shared_key with various ID key.
+# the file should contain key ID/key pairs, for pre-shared key authentication.
 path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
 
 # racoon will look for certificate file in the directory,
@@ -16,7 +18,7 @@
 # or "debug2".
 #log debug;
 
-# "padding" defines some parameter of padding.  You should not touch these.
+# "padding" defines some padding parameters.  You should not touch these.
 padding
 {
 	maximum_length 20;	# maximum padding length.
@@ -25,25 +27,25 @@
 	exclusive_tail off;	# extract last one octet.
 }
 
-# if no listen directive is specified, racoon will listen to all
+# if no listen directive is specified, racoon will listen on all
 # available interface addresses.
 listen
 {
 	#isakmp ::1 [7000];
 	#isakmp 202.249.11.124 [500];
-	#admin [7002];		# administrative's port by kmpstat.
-	#strict_address; 	# required all addresses must be bound.
+	#admin [7002];		# administrative port for racoonctl.
+	#strict_address; 	# requires that all addresses must be bound.
 }
 
-# Specification of default various timer.
+# Specify various default timers.
 timer
 {
 	# These value can be changed per remote node.
 	counter 5;		# maximum trying count to send.
 	interval 20 sec;	# maximum interval to resend.
-	persend 1;		# the number of packets per a send.
+	persend 1;		# the number of packets per send.
 
-	# timer for waiting to complete each phase.
+	# maximum time to wait for completing each phase.
 	phase1 30 sec;
 	phase2 15 sec;
 }
@@ -59,7 +61,7 @@
 
 	nonce_size 16;
 	initial_contact on;
-	proposal_check obey;	# obey, strict or claim
+	proposal_check obey;	# obey, strict, or claim
 
 	proposal {
 		encryption_algorithm 3des;
--- a/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
 # $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
 
-# "path" affects "include" directive.  "path" must be specified before any
+# "path" affects "include" directives.  "path" must be specified before any
 # "include" directive with relative file path.
 # you can overwrite "path" directive afterwards, however, doing so may add
 # more confusion.
--- a/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-gssapi	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-gssapi	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
 # $KAME: racoon.conf.sample-gssapi,v 1.5 2001/08/16 06:33:40 itojun Exp $
 
-# sample configuration for GSSAPI authentication (basically, kerberos).
+# sample configuration for GSSAPI authentication (basically, Kerberos).
 # doc/README.gssapi gives some idea on how to configure it.
 # TODO: more documentation.
 
--- a/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-inherit	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-inherit	Sat Sep 03 07:03:49 2005 +0000
@@ -1,7 +1,7 @@
-# Id: racoon.conf.sample-inherit,v 1.1 2004/05/27 14:01:42 ludvigm Exp
+# Id: racoon.conf.sample-inherit,v 1.1.12.1 2005/04/18 11:10:55 manubsd Exp
 # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
 
-# This file show the basic inheritance usage in 'remote' statements.
+# This file shows the basic inheritance usage in 'remote' statements.
 
 path pre_shared_key "/etc/racoon/psk.txt";
 path certificate "/etc/racoon";
--- a/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-# Id: racoon.conf.sample-natt,v 1.3 2004/07/12 18:32:12 ludvigm Exp
+# Id: racoon.conf.sample-natt,v 1.3.10.1 2005/04/18 11:10:55 manubsd Exp
 # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
 
 # This file can be used as a template for NAT-Traversal setups.
@@ -13,10 +13,10 @@
 listen
 {
 	# First define an address where racoon will listen 
-	# for a "normal" IKE traffic. IANA allocated port 500.
+	# for "normal" IKE traffic. IANA allocated port 500.
 	isakmp 172.16.0.1[500];
 
-	# To use NAT-T you must also open the port 4500 of 
+	# To use NAT-T you must also open port 4500 of 
 	# the same address so that peers can do 'Port floating'.
 	# The same port will also be used for the UDP-Encapsulated 
 	# ESP traffic.
@@ -27,28 +27,28 @@
 timer
 {
 	# To keep the NAT-mappings on your NAT gateway, there must be
-	# a traffic between the peers. Noramlly the UDP-Encap traffic
+	# traffic between the peers. Normally the UDP-Encap traffic
 	# (i.e. the real data transported over the tunnel) would be
-	# enough, but to be safe racoon will send the a short
+	# enough, but to be safe racoon will send a short
 	# "Keep-alive packet" every few seconds to every peer with
 	# whom it does NAT-Traversal.
-	# The default is 20s. Set it to 0 to disable sending completely.
+	# The default is 20s. Set it to 0s to disable sending completely.
 	natt_keepalive 10 sec;
 }
 
 # To trigger the SA negotiation there must be an appropriate 
 # policy in the kernel SPD. For example for traffic between 
 # networks 192.168.0.0/24 and 192.168.1.0/24 with gateways 
-# 172.16.0.1 and 172.16.1.1, where the first gw is behind 
-# a NAT which translates its address to 172.16.1.3 you need the 
+# 172.16.0.1 and 172.16.1.1, where the first gateway is behind 
+# a NAT which translates its address to 172.16.1.3, you need the 
 # following rules:
 # On 172.16.0.1 (e.g. behind the NAT):
 #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
 #            esp/tunnel/172.16.0.1-172.16.1.1/require;
 #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
 #            esp/tunnel/172.16.1.1-172.16.0.1/require;
-# On the other side (172.16.1.1) either use "generate_policy on"
-# statement in the remote block, or in the case that you know 
+# On the other side (172.16.1.1) either use a "generate_policy on"
+# statement in the remote block, or in case that you know 
 # the translated address, use the following policy:
 #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
 #            esp/tunnel/172.16.1.1-172.16.1.3/require;
@@ -70,9 +70,9 @@
 	#   off - NAT-T support is disabled, i.e. neither offered,
 	#         nor accepted. This is the default.
 	#    on - normal NAT-T support, i.e. if NAT is detected 
-	#         along the way NAT-T is used.
+	#         along the way, NAT-T is used.
 	# force - if NAT-T is supported by both peers, it is used
-	#         regardless whether there is NAT gateway in between 
+	#         regardless of whether there is a NAT gateway between them
 	#         or not. This is useful for traversing some firewalls.
 	nat_traversal on;
 	
--- a/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-plainrsa	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-plainrsa	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-# Id: racoon.conf.sample-plainrsa,v 1.2 2004/07/12 20:43:51 ludvigm Exp
+# Id: racoon.conf.sample-plainrsa,v 1.2.10.1 2005/04/18 11:10:55 manubsd Exp
 # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
 #                 http://www.logix.cz/michal
 
@@ -6,7 +6,7 @@
 # by FreeSWAN/OpenSwan/StrongSwan/*Swan users. This functionality is 
 # here mainly for those who are moving from the *Swan world to Racoon.
 
-# Racoon will look for a keyfile in this diretory.
+# Racoon will look for a keyfile in this directory.
 path certificate "samples" ;
 
 remote anonymous
--- a/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/README	Sat Sep 03 07:03:49 2005 +0000
@@ -1,7 +1,7 @@
 This directory contains sample configurations files used for roadwarrior
 remote access using hybrid authentication. In this setup, the VPN 
-gateway authenticate to the client using a certificate, and the client
-authenticate to the VPN gateway using a login and a password.
+gateway authenticates to the client using a certificate, and the client
+authenticates to the VPN gateway using a login and a password.
 
 Moreover, this setup makes use of ISAKMP mode config to autoconfigure 
 the client. After a successful login, the client will receive an 
@@ -24,9 +24,9 @@
 see radius.conf(5).
 
 Both configurations can be used with the Cisco VPN client if it
-is setup to use hybrid authentication (aka mutual group authentication,
+is set up to use hybrid authentication (aka mutual group authentication,
 available in Cisco VPN client version 4.0.5 and above). The group 
-password configured in the Cisco VPN client is unused by racoon.
+password configured in the Cisco VPN client is not used by racoon.
 
 After you have installed /etc/racoon/racoon.conf, you will also have 
 to install a server certificate and key in /etc/openssl/certs/server.crt
@@ -55,10 +55,10 @@
 The password can be stored in the psk.txt file. In that situation, 
 add this directive to the remote section of racoon.conf:
 	 xauth_login "username";
-Where username is your login.
+where username is your login.
 
 Note that for now there is no feedback in racoonctl if the authentication
-fails. Peek at racoon logs to discover what goes wrong.
+fails. Peek at the racoon logs to discover what goes wrong.
 
 In order to disconnect from the VPN, do this:
 racoonctl vd vpn-gateway.example.net
--- a/crypto/dist/ipsec-tools/src/racoon/schedule.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/schedule.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: schedule.c,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: schedule.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: schedule.c,v 1.19 2001/11/05 10:53:19 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/schedule.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/schedule.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: schedule.h,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: schedule.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: schedule.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/session.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/session.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.1.1.2.2.1 2005/07/12 17:37:35 tron Exp $	*/
+/*	$NetBSD: session.c,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/session.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/session.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.h,v 1.1.1.2 2005/02/23 14:54:27 manu Exp $	*/
+/*	$NetBSD: session.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: session.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/sockmisc.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sockmisc.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: sockmisc.c,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: sockmisc.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: sockmisc.c,v 1.17 2004/11/20 16:16:59 monas Exp */
+/* Id: sockmisc.c,v 1.17.4.3 2005/06/29 13:01:29 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -261,7 +261,7 @@
 	struct sockaddr *remote;
 {
 	struct sockaddr *local;
-	int local_len = sizeof(struct sockaddr_storage);
+	u_int local_len = sizeof(struct sockaddr_storage);
 	int s;	/* for dummy connection */
 
 	/* allocate buffer */
@@ -316,10 +316,10 @@
 	struct sockaddr *from;
 	int *fromlen;
 	struct sockaddr *to;
-	int *tolen;
+	u_int *tolen;
 {
 	int otolen;
-	int len;
+	u_int len;
 	struct sockaddr_storage ss;
 	struct msghdr m;
 	struct cmsghdr *cm;
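Review bot: The signature now mixes `int *fromlen` (L5809, unchanged) with `u_int *tolen`, and `otolen` at L5814 stays `int` while `len` at L5816 becomes `u_int`, so every comparison or assignment between these three later in recvfromto (the body continues outside the hunk) is a signed/unsigned mix. Since all three describe sockaddr lengths, give them one type — `u_int otolen;` here and `unsigned int *` for `fromlen` as well, or `socklen_t` throughout, which is what recvmsg()/getsockname() take. The same asymmetry is visible in the sockmisc.h prototype hunk at line 58, which should change together with this one.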
@@ -460,7 +460,7 @@
 	struct sockaddr *dst;
 {
 	struct sockaddr_storage ss;
-	int len;
+	u_int len;
 	int i;
 
 	if (src->sa_family != dst->sa_family) {
@@ -614,7 +614,7 @@
 			plog(LLV_DEBUG, LOCATION, NULL,
 				"%d times of %d bytes message will be sent "
 				"to %s\n",
-				i + 1, len, saddr2str(src));
+				i + 1, len, saddr2str(dst));
 		}
 		plogdump(LLV_DEBUG, (char *)buf, buflen);
 
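Review bot: `len` is passed to a `%d` conversion in the plog() format at L5831-5834; if this is the `len` that the 460 hunk changed to `u_int` (the enclosing function starts outside this hunk), the specifier no longer matches the argument type and should become `"%d times of %u bytes message will be sent "`. The `src` → `dst` change itself is right, since the message describes where the packet is sent.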
--- a/crypto/dist/ipsec-tools/src/racoon/sockmisc.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sockmisc.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: sockmisc.h,v 1.1.1.2.2.1 2005/05/12 12:04:12 tron Exp $	*/
+/*	$NetBSD: sockmisc.h,v 1.1.1.2.2.2 2005/09/03 07:03:50 snj Exp $	*/
 
-/* Id: sockmisc.h,v 1.5 2004/07/12 20:43:51 ludvigm Exp */
+/* Id: sockmisc.h,v 1.5.10.3 2005/06/29 13:01:29 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -58,7 +58,7 @@
 extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
 
 extern int recvfromto __P((int, void *, size_t, int,
-	struct sockaddr *, int *, struct sockaddr *, int *));
+	struct sockaddr *, int *, struct sockaddr *, unsigned int *));
 extern int sendfromto __P((int, const void *, size_t,
 	struct sockaddr *, struct sockaddr *, int));
 
--- a/crypto/dist/ipsec-tools/src/racoon/str2val.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/str2val.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: str2val.c,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: str2val.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: str2val.c,v 1.11 2001/08/16 14:37:29 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/str2val.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/str2val.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: str2val.h,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: str2val.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: str2val.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/strnames.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/strnames.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: strnames.c,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: strnames.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: strnames.c,v 1.25 2003/11/13 10:53:26 itojun Exp $	*/
 
@@ -357,6 +357,9 @@
 { IPSECDOI_AH_MD5,	"MD5", NULL },
 { IPSECDOI_AH_SHA,	"SHA", NULL },
 { IPSECDOI_AH_DES,	"DES", NULL },
+{ IPSECDOI_AH_SHA256,	"SHA256", NULL },
+{ IPSECDOI_AH_SHA384,	"SHA384", NULL },
+{ IPSECDOI_AH_SHA512,	"SHA512", NULL },
 };
 
 char *
@@ -487,10 +490,13 @@
 }
 
 static struct ksmap name_attr_ipsec_auth[] = {
-{ IPSECDOI_ATTR_AUTH_HMAC_MD5,	"hmac-md5",	NULL },
-{ IPSECDOI_ATTR_AUTH_HMAC_SHA1,	"hmac-sha",	NULL },
-{ IPSECDOI_ATTR_AUTH_DES_MAC,	"des-mac",	NULL },
-{ IPSECDOI_ATTR_AUTH_KPDK,	"kpdk",		NULL },
+{ IPSECDOI_ATTR_AUTH_HMAC_MD5,		"hmac-md5",	NULL },
+{ IPSECDOI_ATTR_AUTH_HMAC_SHA1,		"hmac-sha",	NULL },
+{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_256,	"hmac-sha256",	NULL },
+{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_384,	"hmac-sha384",	NULL },
+{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_512,	"hmac-sha512",	NULL },
+{ IPSECDOI_ATTR_AUTH_DES_MAC,		"des-mac",	NULL },
+{ IPSECDOI_ATTR_AUTH_KPDK,		"kpdk",		NULL },
 };
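Review bot: The four pre-existing rows (`hmac-md5`, `hmac-sha`, `des-mac`, `kpdk`) are re-emitted only to move their tab stops, which turns a three-line addition into a seven-line rewrite and hides which rows are actually new in blame output. Keep the original spacing and insert the three `hmac-sha256`/`hmac-sha384`/`hmac-sha512` rows between `hmac-sha` and `des-mac`, or do the re-alignment in a separate whitespace-only change.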
 
 char *
@@ -598,6 +604,9 @@
 { OAKLEY_ATTR_HASH_ALG_MD5,	"MD5",		NULL },
 { OAKLEY_ATTR_HASH_ALG_SHA,	"SHA",		NULL },
 { OAKLEY_ATTR_HASH_ALG_TIGER,	"Tiger",	NULL },
+{ OAKLEY_ATTR_HASH_ALG_SHA2_256,"SHA256",	NULL },
+{ OAKLEY_ATTR_HASH_ALG_SHA2_384,"SHA384",	NULL },
+{ OAKLEY_ATTR_HASH_ALG_SHA2_512,"SHA512",	NULL },
 };
 
 char *
--- a/crypto/dist/ipsec-tools/src/racoon/strnames.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/strnames.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: strnames.h,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: strnames.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: strnames.h,v 1.5 2004/07/12 20:37:13 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/throttle.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/throttle.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: throttle.c,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: throttle.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: throttle.c,v 1.2 2004/11/30 07:40:13 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/throttle.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/throttle.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: throttle.h,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: throttle.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: throttle.h,v 1.1 2004/11/30 00:46:09 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/var.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/var.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: var.h,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: var.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: var.h,v 1.6 2004/11/20 16:16:59 monas Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/vendorid.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vendorid.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vendorid.c,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: vendorid.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: vendorid.c,v 1.7 2005/01/29 16:34:25 vanhu Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/vendorid.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vendorid.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vendorid.h,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: vendorid.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: vendorid.h,v 1.10 2005/01/29 16:34:25 vanhu Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/vmbuf.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vmbuf.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vmbuf.c,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: vmbuf.c,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /*	$KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/vmbuf.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vmbuf.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vmbuf.h,v 1.1.1.2 2005/02/23 14:54:28 manu Exp $	*/
+/*	$NetBSD: vmbuf.h,v 1.1.1.2.2.1 2005/09/03 07:03:50 snj Exp $	*/
 
 /* Id: vmbuf.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/setkey/Makefile.am	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/Makefile.am	Sat Sep 03 07:03:49 2005 +0000
@@ -13,7 +13,7 @@
 setkey_DEPENDENCIES = ../libipsec/libipsec.la
 setkey_LDADD = $(LEXLIB)
 
-noinst_HEADERS = vchar.h
+noinst_HEADERS = vchar.h extern.h
 man8_MANS = setkey.8
 
 EXTRA_DIST = ${man8_MANS} sample-policy01.cf sample-policy02.cf sample.cf \
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/extern.h	Sat Sep 03 07:03:49 2005 +0000
@@ -0,0 +1,30 @@
+/*	$NetBSD: extern.h,v 1.2.2.2 2005/09/03 07:03:56 snj Exp $	*/
+
+
+
+void parse_init __P((void));
+int parse __P((FILE **));
+int parse_string __P((char *));
+
+int setkeymsg __P((char *, size_t *));
+int sendkeymsg __P((char *, size_t));
+
+int yylex __P((void));
+int yyparse __P((void));
+void yyfatal __P((const char *));
+void yyerror __P((const char *));
+
+extern int f_rfcmode;
+extern int lineno;
+extern int last_msg_type;
+extern u_int32_t last_priority;
+extern int exit_now;
+
+extern u_char m_buf[BUFSIZ];
+extern u_int m_len;
+extern int f_debug;
+
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+extern int last_msg_type;
+extern u_int32_t last_priority;
+#endif
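Review bot: The new header has no include guard and no includes for the names it uses (`FILE`, `size_t`, `u_int32_t`, `u_char`, `u_int`, `BUFSIZ`, `__P`), so it only compiles when the includer has already pulled in `<stdio.h>`, `<sys/types.h>` and `<sys/cdefs.h>`; the three blank lines at L5999-6001 look like where that block was meant to go. `last_msg_type` and `last_priority` are also declared twice, unconditionally at L6016-6017 and again under `#ifdef HAVE_PFKEY_POLICY_PRIORITY` at L6024-6027, so one of the two should be dropped. Because setkey.c includes this file after `#define extern` to turn these declarations into definitions, a short comment at the top documenting that convention would save the next reader a surprise.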
--- a/crypto/dist/ipsec-tools/src/setkey/parse.y	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/parse.y	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.1.1.2.2.1 2005/04/12 09:29:41 tron Exp $	*/
+/*	$NetBSD: parse.y,v 1.1.1.2.2.2 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -59,6 +59,7 @@
 
 #include "libpfkey.h"
 #include "vchar.h"
+#include "extern.h"
 
 #define DEFAULT_NATT_PORT	4500
 
@@ -74,17 +75,11 @@
 u_int p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
 u_int32_t p_reqid;
 u_int p_key_enc_len, p_key_auth_len;
-caddr_t p_key_enc, p_key_auth;
+const char *p_key_enc;
+const char *p_key_auth;
 time_t p_lt_hard, p_lt_soft;
 size_t p_lb_hard, p_lb_soft;
 
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
-extern int last_msg_type;
-extern u_int32_t last_priority;
-#endif
-
-extern int exit_now;
-
 static u_int p_natt_type;
 static struct addrinfo * p_natt_oa = NULL;
 
@@ -92,7 +87,8 @@
 
 static struct addrinfo *parse_addr __P((char *, char *));
 static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *));
-static int setvarbuf __P((char *, int *, struct sadb_ext *, int, caddr_t, int));
+static int setvarbuf __P((char *, int *, struct sadb_ext *, int, 
+    const void *, int));
 void parse_init __P((void));
 void free_buffer __P((void));
 
@@ -104,13 +100,6 @@
 	struct addrinfo *, struct addrinfo *, int));
 static int setkeymsg_add __P((unsigned int, unsigned int,
 	struct addrinfo *, struct addrinfo *));
-extern int setkeymsg __P((char *, size_t *));
-extern int sendkeymsg __P((char *, size_t));
-
-extern int yylex __P((void));
-extern void yyfatal __P((const char *));
-extern void yyerror __P((const char *));
-extern int f_rfcmode;
 %}
 
 %union {
@@ -766,9 +755,7 @@
 	:	DECSTRING { $$ = $1; }
 	|	ANY { $$ = IPSEC_ULPROTO_ANY; }
 	|	PR_TCP { 
-#ifdef SADB_X_SATYPE_TCPSIGNATURE
 				$$ = IPPROTO_TCP; 
-#endif
 			}
 	|	STRING
 		{
@@ -954,7 +941,7 @@
 			m_addr.sadb_address_reserved = 0;
 
 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
-			    sizeof(m_addr), (caddr_t)sa, salen);
+			    sizeof(m_addr), sa, salen);
 
 			msg->sadb_msg_len = PFKEY_UNIT64(l);
 
@@ -1130,7 +1117,7 @@
 			m_addr.sadb_address_reserved = 0;
 
 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
-			    sizeof(m_addr), (caddr_t)sa, salen);
+			    sizeof(m_addr), sa, salen);
 
 			/* set dst */
 			sa = d->ai_addr;
@@ -1143,7 +1130,7 @@
 			m_addr.sadb_address_reserved = 0;
 
 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
-			    sizeof(m_addr), (caddr_t)sa, salen);
+			    sizeof(m_addr), sa, salen);
 
 			msg->sadb_msg_len = PFKEY_UNIT64(l);
 
@@ -1168,8 +1155,8 @@
 	switch (s->sa_family) {
 	case AF_INET:
 	  {
-		struct sockaddr_in *sin = (struct sockaddr_in *)s;
-		port = ntohs(sin->sin_port);
+		struct sockaddr_in *sin4 = (struct sockaddr_in *)s;
+		port = ntohs(sin4->sin_port);
 		break;
 	  }
 	case AF_INET6:
@@ -1231,7 +1218,7 @@
 		m.key.sadb_key_reserved = 0;
 
 		setvarbuf(buf, &l, &m.ext, sizeof(m.key),
-			(caddr_t)p_key_enc, p_key_enc_len);
+			p_key_enc, p_key_enc_len);
 	}
 
 	/* set authentication algorithm, if present. */
@@ -1249,7 +1236,7 @@
 		m.key.sadb_key_reserved = 0;
 
 		setvarbuf(buf, &l, &m.ext, sizeof(m.key),
-			(caddr_t)p_key_auth, p_key_auth_len);
+			p_key_auth, p_key_auth_len);
 	}
 
 	/* set lifetime for HARD */
@@ -1342,7 +1329,7 @@
 			m_addr.sadb_address_reserved = 0;
 
 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
-			    sizeof(m_addr), (caddr_t)sa, salen);
+			    sizeof(m_addr), sa, salen);
 		}
 	}
 #endif
@@ -1382,7 +1369,7 @@
 			m_addr.sadb_address_reserved = 0;
 
 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
-			    sizeof(m_addr), (caddr_t)sa, salen);
+			    sizeof(m_addr), sa, salen);
 
 			/* set dst */
 			sa = d->ai_addr;
@@ -1395,7 +1382,7 @@
 			m_addr.sadb_address_reserved = 0;
 
 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
-			    sizeof(m_addr), (caddr_t)sa, salen);
+			    sizeof(m_addr), sa, salen);
 
 #ifdef SADB_X_EXT_NAT_T_TYPE
 			if (p_natt_type) {
@@ -1460,16 +1447,17 @@
 fix_portstr(spec, sport, dport)
 	vchar_t *spec, *sport, *dport;
 {
-	char *p, *p2 = "0";
+	const char *p, *p2 = "0";
+	char *q;
 	u_int l;
 
 	l = 0;
-	for (p = spec->buf; *p != ',' && *p != '\0' && l < spec->len; p++, l++)
+	for (q = spec->buf; *q != ',' && *q != '\0' && l < spec->len; q++, l++)
 		;
-	if (*p != '\0') {
-		if (*p == ',') {
-			*p = '\0';
-			p2 = ++p;
+	if (*q != '\0') {
+		if (*q == ',') {
+			*q = '\0';
+			p2 = ++q;
 		}
 		for (p = p2; *p != '\0' && l < spec->len; p++, l++)
 			;
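Review bot: Both scan loops dereference before bounding: `*q != ',' && *q != '\0' && l < spec->len` at L6192 (and `*p != '\0' && l < spec->len` at L6203) read `spec->buf[l]` before checking `l < spec->len`, so if `spec->buf` is not guaranteed NUL-terminated the loop reads one byte past the buffer, and `if (*q != '\0')` at L6198 does the same when the loop exits on the length bound. Putting the bound first, `for (q = spec->buf; l < spec->len && *q != ',' && *q != '\0'; q++, l++)`, makes the check effective in every case. The `const char *p` / `char *q` split itself is fine; the function continues past the hunk.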
@@ -1501,7 +1489,7 @@
 	int *off;
 	struct sadb_ext *ebuf;
 	int elen;
-	caddr_t vbuf;
+	const void *vbuf;
 	int vlen;
 {
 	memset(buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.8	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.8	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,4 @@
-.\"	$NetBSD: setkey.8,v 1.1.1.2.2.11 2005/07/01 12:24:40 tron Exp $
-.\"
-.\"	$KAME: setkey.8,v 1.93 2003/09/24 23:44:46 itojun Exp $
+.\"	$NetBSD: setkey.8,v 1.1.1.2.2.12 2005/09/03 07:03:56 snj Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@@ -95,18 +93,18 @@
 .It Fl D
 Dump the SAD entries.
 If
-.Fl P ,
-is also specified, SPD entries are dumped.
+.Fl P
+is also specified, the SPD entries are dumped. 
 If
 .Fl p
-is specified with
-.Fl P ,
-the ports that can be used for ESP over UDP are displayed in policies.
+is specified with 
+.FL P ,
+the ports that can be used for ESP over UDP are displayed.
 .It Fl F
 Flush the SAD entries.
 If
 .Fl P
-is also specified, the SPD entries are dumped.
+is also specified, the SPD entries are flushed.
 .It Fl H
 Add hexadecimal dump in
 .Fl x
@@ -692,12 +690,12 @@
 keyed-sha1	160		ah: 96bit ICV (no document)
 		160		ah-old: 128bit ICV (no document)
 null		0 to 2048	for debugging
-hmac-sha2-256	256		ah: 96bit ICV
+hmac-sha256	256		ah: 96bit ICV
 				(draft-ietf-ipsec-ciph-sha-256-00)
 		256		ah-old: 128bit ICV (no document)
-hmac-sha2-384	384		ah: 96bit ICV (no document)
+hmac-sha384	384		ah: 96bit ICV (no document)
 		384		ah-old: 128bit ICV (no document)
-hmac-sha2-512	512		ah: 96bit ICV (no document)
+hmac-sha512	512		ah: 96bit ICV (no document)
 		512		ah-old: 128bit ICV (no document)
 hmac-ripemd160	160		ah: 96bit ICV (RFC2857)
 				ah-old: 128bit ICV (no document)
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: setkey.c,v 1.3.2.1 2005/05/01 11:01:11 tron Exp $ /
+/*	$NetBSD: setkey.c,v 1.3.2.2 2005/09/03 07:03:56 snj Exp $	*/
 
-/*	KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp	*/
+/*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -70,6 +70,8 @@
 #include "config.h"
 #include "libpfkey.h"
 #include "package_version.h"
+#define extern /* so that variables in extern.h are not extern... */
+#include "extern.h"
 
 #define strlcpy(d,s,l) (strncpy(d,s,l), (d)[(l)-1] = '\0')
 
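Review bot: `#define extern` at L6280 is never undone, so it stays in effect for the rest of setkey.c, not just for `extern.h`; any `extern` written later in this file, or in a header included below this point, is silently turned into a definition. Add `#undef extern` immediately after `#include "extern.h"` to confine the trick to the one include. The existing comment says what the macro does but not why; `/* setkey.c is the defining translation unit for the globals shared via extern.h */` would explain it.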
@@ -78,7 +80,6 @@
 int get_supported __P((void));
 void sendkeyshort __P((u_int));
 void promisc __P((void));
-int sendkeymsg __P((char *, size_t));
 int postproc __P((struct sadb_msg *, int));
 int verifypriority __P((struct sadb_msg *m));
 int fileproc __P((const char *));
@@ -89,8 +90,6 @@
 static int32_t gmt2local __P((time_t));
 void stdin_loop __P((void));
 
-extern void parse_init __P((void));
-
 #define MODE_SCRIPT	1
 #define MODE_CMDDUMP	2
 #define MODE_CMDFLUSH	3
@@ -115,8 +114,9 @@
 #else
 int f_rkwarn = 0;
 #define RK_OPTS ""
+static void rkwarn(void);
 static void
-rkwarn()
+rkwarn(void)
 {
 	if (!f_rkwarn) {
 		f_rkwarn = 1;
@@ -127,22 +127,6 @@
 #endif
 static time_t thiszone;
 
-extern int lineno;
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
-extern int last_msg_type;
-int last_msg_type = -1;
-
-extern u_int32_t last_priority;
-u_int32_t last_priority = 0;
-#endif
-
-extern int exit_now;
-int exit_now = 0;
-
-extern int parse __P((FILE **));
-extern int parse_string __P((char *));
-
 void
 usage(int only_version)
 {
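Review bot: The removed `int last_msg_type = -1;` at L6321 is not replaced by an equivalent initializer: after this change the only definition is the one produced by `#define extern` + `#include "extern.h"` at the top of the file, which is a tentative, zero-initialized definition, so `last_msg_type` now starts at 0 instead of -1. If verifypriority() or the parser treats -1 as "no previous message" (0 is SADB_RESERVED in PF_KEY), that is a behaviour change; keeping `int last_msg_type = -1;` after the include preserves the old value and is legal alongside the tentative definition. `last_priority` and `exit_now` were initialized to 0 and are unaffected.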
@@ -166,8 +150,6 @@
 {
 	FILE *fp = stdin;
 	int c;
-	struct stat sb;
-	int error;
 
 	if (argc == 1) {
 		usage(0);
@@ -180,6 +162,10 @@
 		switch (c) {
 		case 'c':
 			f_mode = MODE_STDIN;
+#ifdef HAVE_READLINE
+			/* disable filename completion */
+			rl_bind_key('\t', rl_insert);
+#endif
 			break;
 		case 'f':
 			f_mode = MODE_SCRIPT;
@@ -325,28 +311,28 @@
 	parse_init();
 	while (1) {
 #ifdef HAVE_READLINE
-		char *read;
-		read = readline ("");
-		if (! read)
+		char *rbuf;
+		rbuf = readline ("");
+		if (! rbuf)
 			break;
 #else
-		char read[1024];
-		read[0] = '\0';
-		fgets (read, sizeof(read), stdin);
-		if (! read[0])
+		char rbuf[1024];
+		rbuf[0] = '\0';
+		fgets (rbuf, sizeof(rbuf), stdin);
+		if (!rbuf[0])
 			break;
-		if (read[strlen(read)-1] == '\n')
-			read[strlen(read)-1] = '\0';
+		if (rbuf[strlen(rbuf)-1] == '\n')
+			rbuf[strlen(rbuf)-1] = '\0';
 #endif
-		comment = strchr(read, '#');
+		comment = strchr(rbuf, '#');
 		if (comment)
 			*comment = '\0';
 
-		if (! read[0])
+		if (!rbuf[0])
 			continue;
 
 		linelen += snprintf (&line[linelen], sizeof(line) - linelen,
-				     "%s%s", linelen > 0 ? " " : "", read);
+				     "%s%s", linelen > 0 ? " " : "", rbuf);
 
 		semicolon = strchr(line, ';');
 		while (semicolon) {
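Review bot: `linelen += snprintf(&line[linelen], sizeof(line) - linelen, ...)` at L6391-6393 accumulates the length snprintf would have written, not what it wrote, so once an input line does not fit, `linelen` exceeds `sizeof(line)` and on the next iteration `sizeof(line) - linelen` wraps to a huge size while `&line[linelen]` already points past the array — a buffer overflow driven by stdin input (`line` and `linelen` are declared outside the hunk, so their exact types are not visible here). Guard it right after the snprintf: `if (linelen >= sizeof(line)) { /* input line too long: discard it */ linelen = 0; continue; }`. Separately, the `fgets()` return value at L6374 is ignored; `if (fgets(rbuf, sizeof(rbuf), stdin) == NULL) break;` detects EOF and read errors directly instead of relying on `rbuf[0]`, and in the readline branch the buffer returned at L6364 must be freed once consumed unless that happens later in the loop.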
--- a/crypto/dist/ipsec-tools/src/setkey/test-pfkey.c	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/test-pfkey.c	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: test-pfkey.c,v 1.1.1.2 2005/02/23 14:54:40 manu Exp $	*/
+/*	$NetBSD: test-pfkey.c,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $	*/
 
@@ -308,7 +308,11 @@
 	struct sadb_prop m_prop;
 	struct sadb_comb *m_comb;
 	u_char buf[256];
+#if defined(SADB_X_EALG_AESCBC) && defined(SADB_X_AALG_SHA2_256)
+	u_int len = sizeof(m_prop) + sizeof(m_comb) * 3;
+#else
 	u_int len = sizeof(m_prop) + sizeof(m_comb) * 2;
+#endif
 
 	/* make prop & comb */
 	m_prop.sadb_prop_len = PFKEY_UNIT64(len);
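Review bot: `sizeof(m_comb) * 3` at L6410 (and the pre-existing `* 2` at L6412) takes the size of the pointer declared at L6407, not of `struct sadb_comb`, so `len` and therefore `sadb_prop_len` at L6416 describe far fewer bytes than the combs that are actually copied with `sizeof(*m_comb) * 3` further down. Both lines should read `sizeof(*m_comb)`. The enclosing function starts outside the hunk.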
@@ -361,6 +365,36 @@
 			buf, sizeof(*m_comb) * 2);
 	m_len += len;
 
+ #if defined(SADB_X_EALG_AESCBC) && defined(SADB_X_AALG_SHA2_256)
+ 	/* the 3rd is ESP AES-CBC and AH HMAC-SHA256 */
+ 	m_comb = (struct sadb_comb *)(buf + sizeof(*m_comb));
+ 	m_comb->sadb_comb_auth = SADB_X_AALG_SHA2_256;
+ 	m_comb->sadb_comb_encrypt = SADB_X_EALG_AESCBC;
+ 	m_comb->sadb_comb_flags = 0;
+ 	m_comb->sadb_comb_auth_minbits = 8;
+ 	m_comb->sadb_comb_auth_maxbits = 96;
+ 	m_comb->sadb_comb_encrypt_minbits = 128;
+ 	m_comb->sadb_comb_encrypt_maxbits = 128;
+ 	m_comb->sadb_comb_reserved = 0;
+ 	m_comb->sadb_comb_soft_allocations = 0;
+ 	m_comb->sadb_comb_hard_allocations = 0;
+ 	m_comb->sadb_comb_soft_bytes = 0;
+ 	m_comb->sadb_comb_hard_bytes = 0;
+ 	m_comb->sadb_comb_soft_addtime = 0;
+ 	m_comb->sadb_comb_hard_addtime = 0;
+ 	m_comb->sadb_comb_soft_usetime = 0;
+ 	m_comb->sadb_comb_hard_usetime = 0;
+ 
+ 	key_setsadbextbuf(m_buf, m_len,
+ 			(caddr_t)&m_prop, sizeof(struct sadb_prop),
+ 			buf, sizeof(*m_comb) * 3);
+ 	m_len += len;
+#else
+	key_setsadbextbuf(m_buf, m_len,
+			(caddr_t)&m_prop, sizeof(struct sadb_prop),
+			buf, sizeof(*m_comb) * 2);
+ 	m_len += len;
+#endif
 	return;
 }
 
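Review bot: The pre-existing `key_setsadbextbuf(...)` call ending at L6418 and its `m_len += len;` at L6419 are left in place while the new `#if`/`#else` block calls it again, so in either configuration the proposal extension is appended to `m_buf` twice and `m_len` is advanced twice. Remove the original call (its first lines are above the hunk) and the L6419 increment, since the `#else` branch already reproduces them. The third comb is also written at `buf + sizeof(*m_comb)` (L6423), which is the slot the second comb presumably occupies; if the second was placed at that offset, this one belongs at `buf + sizeof(*m_comb) * 2`. The stray leading space before `#if` and the statements under it should go as well.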
--- a/crypto/dist/ipsec-tools/src/setkey/token.l	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/token.l	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.1.1.2.2.2 2005/05/11 12:16:57 tron Exp $	*/
+/*	$NetBSD: token.l,v 1.1.1.2.2.3 2005/09/03 07:03:56 snj Exp $	*/
 
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
@@ -62,18 +62,7 @@
 #include "y.tab.h"
 #endif
 
-int lineno = 1;
-
-extern u_char m_buf[BUFSIZ];
-extern u_int m_len;
-extern int f_debug;
-
-int yylex __P((void));
-void yyfatal __P((const char *s));
-void yyerror __P((const char *s));
-extern void parse_init __P((void));
-int parse __P((FILE **));
-int yyparse __P((void));
+#include "extern.h"
 
 /* make the code compile on *BSD-current */
 #ifndef SADB_X_AALG_SHA2_256
@@ -178,9 +167,7 @@
 esp-udp		{ yylval.num = 0; return(PR_ESPUDP); }
 ipcomp		{ yylval.num = 0; return(PR_IPCOMP); }
 tcp		{ 
-#ifdef SADB_X_SATYPE_TCPSIGNATURE
 			yylval.num = 0; return(PR_TCP); 
-#endif
 		}
 
 	/* authentication alogorithm */
@@ -190,8 +177,11 @@
 <S_AUTHALG>keyed-md5	{ yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>keyed-sha1	{ yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
+<S_AUTHALG>hmac-sha256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
+<S_AUTHALG>hmac-sha384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
+<S_AUTHALG>hmac-sha512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>tcp-md5	{ 
@@ -335,6 +325,7 @@
 {
 	yyin = *fp;
 
+	lineno = 1;
 	parse_init();
 
 	if (yyparse()) {
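Review bot: `lineno = 1;` is now reset at the start of parse(), but the `int lineno = 1;` definition removed at L6466 is not replaced by an initialized definition anywhere visible; the variable is now defined through extern.h in setkey.c as a tentative, zero-initialized definition. Any lexer entry that does not go through parse() — parse_string() is declared in extern.h — would therefore report line 0 in yyerror()/yyfatal() unless it also sets lineno, which is worth checking. If the reset is meant to restart numbering per input file (a change from the old one-time initialization), a comment such as `/* restart line numbering for each input file */` would record that intent.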
--- a/crypto/dist/ipsec-tools/src/setkey/vchar.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/vchar.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vchar.h,v 1.1.1.2 2005/02/23 14:54:40 manu Exp $	*/
+/*	$NetBSD: vchar.h,v 1.1.1.2.2.1 2005/09/03 07:03:56 snj Exp $	*/
 
 /* Id: vchar.h,v 1.2 2004/06/07 09:18:47 ludvigm Exp */
 
--- a/doc/CHANGES	Sat Sep 03 06:56:04 2005 +0000
+++ b/doc/CHANGES	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-LIST OF CHANGES FROM PREVIOUS RELEASES:			<$Revision: 1.445.2.10 $>
+LIST OF CHANGES FROM PREVIOUS RELEASES:			<$Revision: 1.445.2.11 $>
 
 
 [Note: This file does not mention every change made to the NetBSD source tree.
@@ -268,3 +268,4 @@
 		Compressed disk images can be used with the vnd(4) driver when
 		compiled with VND_COMPRESSION and "vnconfig -z". 
 		Useful for creation of Live CDs/DVDs. [hubertf 20050725]
+	racoon(8): ipsec-tools updated to 0.6.1 [manu 20050820]
--- a/lib/libipsec/Makefile	Sat Sep 03 06:56:04 2005 +0000
+++ b/lib/libipsec/Makefile	Sat Sep 03 07:03:49 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.13 2005/02/24 13:45:08 manu Exp $
+# $NetBSD: Makefile,v 1.13.2.1 2005/09/03 07:03:57 snj Exp $
 
 USE_SHLIBDIR=	yes
 WARNS=	0	# Will be fixed later
@@ -10,6 +10,8 @@
 CPPFLAGS+= -I${DIST}/src/libipsec -I. -DHAVE_CONFIG_H
 CPPFLAGS+= -DIPSEC_DEBUG -I${.CURDIR} -I${NETBSDSRCDIR}/sys
 CPPFLAGS+= -DSADB_X_EALG_AESCBC=SADB_X_EALG_AES
+# Don't worry about argument promotion for now.
+LINTFLAGS+=     -X 58
 
 .if (${USE_INET6} != "no")
 CPPFLAGS+=-DINET6
--- a/lib/libipsec/config.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/lib/libipsec/config.h	Sat Sep 03 07:03:49 2005 +0000
@@ -17,19 +17,19 @@
 #define ENABLE_NATT 
 
 /* Enable NAT-Traversal draft 00 */
-#define ENABLE_NATT_00
+#define ENABLE_NATT_00 
 
 /* Enable NAT-Traversal draft 01 */
-#define ENABLE_NATT_01
+/* #undef ENABLE_NATT_01 */
 
 /* Enable NAT-Traversal draft 02 */
-#define ENABLE_NATT_02
+#define ENABLE_NATT_02 
 
 /* Enable NAT-Traversal draft 03 */
-#define ENABLE_NATT_03
+/* #undef ENABLE_NATT_03 */
 
 /* Enable NAT-Traversal draft 04 */
-#define ENABLE_NATT_04
+/* #undef ENABLE_NATT_04 */
 
 /* Enable NAT-Traversal draft 05 */
 /* #undef ENABLE_NATT_05 */
@@ -43,6 +43,9 @@
 /* Enable NAT-Traversal draft 08 */
 /* #undef ENABLE_NATT_08 */
 
+/* Enable NAT-Traversal RFC version */
+#define ENABLE_NATT_RFC 
+
 /* Enable samode-unspec */
 /* #undef ENABLE_SAMODE_UNSPECIFIED */
 
@@ -62,16 +65,25 @@
 #define HAVE_GETTIMEOFDAY 1
 
 /* Enable GSS API */
-/* #undef HAVE_GSSAPI */
+/* NetBSD build: -DHAVE_GSSAPI is already supplied on the command line */
+/* #define HAVE_GSSAPI */
+
+/* Have iconv using const */
+#define HAVE_ICONV_2ND_CONST 
 
 /* Define to 1 if you have the <inttypes.h> header file. */
 #define HAVE_INTTYPES_H 1
 
+/* Have ipsec_policy_t */
+#define HAVE_IPSEC_POLICY_T
+
 /* Hybrid authentication uses PAM */
-/* #undef HAVE_LIBPAM */
+/* NetBSD build: -DHAVE_LIBPAM is already supplied on the command line */
+/* #define HAVE_LIBPAM */
 
 /* Hybrid authentication uses RADIUS */
-/* #undef HAVE_LIBRADIUS */
+/* NetBSD build: -DHAVE_LIBRADIUS is already supplied on the command line */
+/* #define HAVE_LIBRADIUS */
 
 /* Define to 1 if you have the <limits.h> header file. */
 #define HAVE_LIMITS_H 1
@@ -88,6 +100,15 @@
 /* Define to 1 if you have the <openssl/engine.h> header file. */
 #define HAVE_OPENSSL_ENGINE_H 1
 
+/* Define to 1 if you have the <openssl/idea.h> header file. */
+/* #undef HAVE_OPENSSL_IDEA_H */
+
+/* Define to 1 if you have the <openssl/rc5.h> header file. */
+/* #undef HAVE_OPENSSL_RC5_H */
+
+/* Define to 1 if you have the `pam_start' function. */
+#define HAVE_PAM_START 1
+
 /* Are PF_KEY policy priorities supported? */
 /* #undef HAVE_PFKEY_POLICY_PRIORITY */
 
@@ -95,7 +116,7 @@
 /* #undef HAVE_POLICY_FWD */
 
 /* Define to 1 if you have the `rad_create_request' function. */
-/* #undef HAVE_RAD_CREATE_REQUEST */
+#define HAVE_RAD_CREATE_REQUEST 1
 
 /* Is readline available? */
 /* #undef HAVE_READLINE */
@@ -103,6 +124,12 @@
 /* Define to 1 if you have the `select' function. */
 #define HAVE_SELECT 1
 
+/* sha2 is defined in sha.h */
+/* #undef HAVE_SHA2_IN_SHA_H */
+
+/* Define to 1 if you have the <shadow.h> header file. */
+/* #undef HAVE_SHADOW_H */
+
 /* Define to 1 if you have the `socket' function. */
 #define HAVE_SOCKET 1
 
@@ -158,7 +185,8 @@
 #define HAVE_VPRINTF 1
 
 /* Support IPv6 */
-/* #undef INET6 */
+/* NetBSD build: -DINET6 is already supplied on the command line */
+/* #define INET6  */
 
 /* Use advanced IPv6 API */
 #define INET6_ADVAPI 
@@ -173,13 +201,13 @@
 #define PACKAGE_NAME "ipsec-tools"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "ipsec-tools 0.6-base"
+#define PACKAGE_STRING "ipsec-tools 0.6.1rc1"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "ipsec-tools"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.6-base"
+#define PACKAGE_VERSION "0.6.1rc1"
 
 /* Define as the return type of signal handlers (`int' or `void'). */
 #define RETSIGTYPE void
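Review bot: `PACKAGE_STRING` and `PACKAGE_VERSION` are set to "0.6.1rc1" here, but `package_version.h` in the same commit defines `TOP_PACKAGE_VERSION "0.6.1"` / `TOP_PACKAGE_STRING "ipsec-tools 0.6.1"`, and the NEWS entry announces 0.6.1, so the imported build reports two different versions depending on which macro a message uses. The same mismatch appears in the next hunk, where `VERSION` is also set to "0.6.1rc1". I would change the three lines to `#define PACKAGE_STRING "ipsec-tools 0.6.1"`, `#define PACKAGE_VERSION "0.6.1"` and `#define VERSION "0.6.1"` so that anything printed from these macros agrees with package_version.h.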
@@ -197,7 +225,7 @@
 #define VA_COPY va_copy
 
 /* Version number of package */
-#define VERSION "0.6-base"
+#define VERSION "0.6.1rc1"
 
 /* SHA2 support */
 #define WITH_SHA2 
--- a/lib/libipsec/package_version.h	Sat Sep 03 06:56:04 2005 +0000
+++ b/lib/libipsec/package_version.h	Sat Sep 03 07:03:49 2005 +0000
@@ -1,5 +1,5 @@
 #define TOP_PACKAGE "ipsec-tools"
 #define TOP_PACKAGE_NAME "ipsec-tools"
-#define TOP_PACKAGE_VERSION  "0.6-nb20050513"
-#define TOP_PACKAGE_STRING  "ipsec-tools 0.6-nb20050513"
+#define TOP_PACKAGE_VERSION  "0.6.1"
+#define TOP_PACKAGE_STRING  "ipsec-tools 0.6.1"
 #define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"
--- a/sbin/setkey/Makefile	Sat Sep 03 06:56:04 2005 +0000
+++ b/sbin/setkey/Makefile	Sat Sep 03 07:03:49 2005 +0000
@@ -1,6 +1,4 @@
-# $NetBSD: Makefile,v 1.6 2005/02/24 13:45:08 manu Exp $
-
-WARNS=	0	# Will be fixed later
+# $NetBSD: Makefile,v 1.6.2.1 2005/09/03 07:03:57 snj Exp $
 
 .include <bsd.own.mk>